Port 80 virus - will it use my proxy server?

flashlightlens

Newly Enlightened
Joined
Nov 12, 2002
Messages
134
Location
flashlightlens.com
I'm trying to deal with Qwest in working out some speed issues with our T1 internet line. They seem to think we have a virus that is saturating the line with port 80 requests.

Here's a little background:
Of the past two times we've had issues with our internet line, it's been because of Qwest's edge router going down.
We have about 200 workstations all set up to use an http proxy server for their web traffic. The setting was added to each using the "Internet Options" dialog.

Qwest says that they see a whole bunch of traffic on port 80 coming from one machine. No Sh*&! That's my proxy server. Of course they'll see a bunch of traffic from there. The 200 workstations will send ALL of their legitimate port 80 browser traffic there.

Here's my question:

Will a virus that sends port 80 requests use my proxy server? Does setting the proxy settings in Internet Options affect ALL port 80 traffic from that machine? Or does it only affect traffic sent through a browser? Will a virus that sends out port 80 requests know to use that proxy setting, or will it bypass it?

Personally, I think we're just stressing out our T1 and we need to add a second. I look at every log available to me and only see legitimate traffic. Usually, a virus that sends out requests on port 80, 135, etc. will stick out like a sore thumb. I just don't see it!
 

kfasold

Newly Enlightened
Joined
Jun 24, 2003
Messages
107
Location
LA (the state)
[ QUOTE ]
Will a virus that sends port 80 requests use my proxy server? Does setting the proxy settings in Internet Options affect ALL port 80 traffic from that machine? Or does it only affect traffic sent through a browser? Will a virus that sends out port 80 requests know to use that proxy setting, or will it bypass it?

[/ QUOTE ]

It depends.

Some viruses blindly use the Internet Options settings on the machine; however, setting the options doesn't restrict the machine from 'direct access', as it were.

To say more requires more information on your network configuration. Is your proxy machine also a firewall, and the only point of contact with the outside world? Are your networked machines getting an IP address from Qwest, or via the proxy (NATting router)? Public IP addresses or private, non-routable?
 
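The "it depends" above is the whole problem: nothing in Internet Options stops a program from opening its own socket to port 80, so the place to look is the firewall that every direct connection has to cross. This added example (not code from anyone in the thread) reads PIX-style syslog lines (message 302013, "Built outbound TCP connection"), lists every inside host other than the proxy that opened a connection to TCP/80, and reports what share of port-80 connections actually came from the proxy. The log lines are constructed, the proxy address 10.0.0.2 is an assumption, and the exact message wording should be checked against your own PIX version.

```python
"""Find inside hosts that reach TCP/80 directly instead of through the proxy.

Added example, not part of the thread. Parses PIX-style syslog lines
(message 302013, "Built outbound TCP connection ...") and counts direct
port-80 connections per inside host, excluding the proxy itself.
The sample lines are constructed; PROXY_IP is an assumption.
"""
import re
from collections import Counter

PROXY_IP = "10.0.0.2"  # assumption: the address of the HTTP proxy

# 302013 layout: "Built outbound TCP connection <id> for <if>:<dst>/<dport>
# (<mapped>/<port>) to <if>:<src>/<sport> (<mapped>/<port>)"
BUILT_RE = re.compile(
    r"Built outbound TCP connection \d+ "
    r"for \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) "
    r"to \w+:(?P<src>[\d.]+)/(?P<sport>\d+)"
)

# Constructed sample syslog: two proxy connections, three direct port-80
# connections from 10.0.0.77, one SMTP connection, one teardown message.
SAMPLE_SYSLOG = """\
Nov 12 09:01:02 pix %PIX-6-302013: Built outbound TCP connection 2141 for outside:93.184.216.34/80 (93.184.216.34/80) to inside:10.0.0.2/3301 (198.51.100.20/3301)
Nov 12 09:01:02 pix %PIX-6-302013: Built outbound TCP connection 2142 for outside:93.184.216.34/80 (93.184.216.34/80) to inside:10.0.0.2/3302 (198.51.100.20/3302)
Nov 12 09:01:03 pix %PIX-6-302013: Built outbound TCP connection 2143 for outside:203.0.113.7/80 (203.0.113.7/80) to inside:10.0.0.77/1025 (198.51.100.20/1025)
Nov 12 09:01:03 pix %PIX-6-302013: Built outbound TCP connection 2144 for outside:203.0.113.8/80 (203.0.113.8/80) to inside:10.0.0.77/1026 (198.51.100.20/1026)
Nov 12 09:01:04 pix %PIX-6-302013: Built outbound TCP connection 2145 for outside:198.51.100.200/25 (198.51.100.200/25) to inside:10.0.0.3/4000 (198.51.100.20/4000)
Nov 12 09:01:05 pix %PIX-6-302013: Built outbound TCP connection 2146 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.0.0.77/1027 (198.51.100.20/1027)
Nov 12 09:01:06 pix %PIX-6-302014: Teardown TCP connection 2141 for outside:93.184.216.34/80 to inside:10.0.0.2/3301 duration 0:00:04 bytes 4523 TCP FINs
"""


def parse_built(line):
    """Return (src, dst, dport) for a 302013 'Built outbound' line, else None."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def direct_web_connections(log_text, proxy_ip=PROXY_IP):
    """Count TCP/80 connections per inside host, excluding the proxy."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_built(line)
        if rec is None:
            continue
        src, _dst, dport = rec
        if dport == 80 and src != proxy_ip:
            counts[src] += 1
    return counts


def proxy_share(log_text, proxy_ip=PROXY_IP):
    """Fraction of outbound TCP/80 connections that came from the proxy."""
    total = via_proxy = 0
    for line in log_text.splitlines():
        rec = parse_built(line)
        if rec is None or rec[2] != 80:
            continue
        total += 1
        if rec[0] == proxy_ip:
            via_proxy += 1
    return via_proxy / total if total else 0.0


if __name__ == "__main__":
    share = proxy_share(SAMPLE_SYSLOG)
    print(f"{share:.0%} of outbound port-80 connections came from the proxy")
    for host, n in direct_web_connections(SAMPLE_SYSLOG).most_common():
        print(f"{host} opened {n} direct port-80 connection(s); check this host")
```

On a healthy network with an explicit proxy, the list of direct hosts should be short and explainable (servers, monitoring, admin boxes). A workstation that appears there with a high connection count is a machine whose traffic is not obeying the Internet Options setting, which is exactly the case the reply above warns about.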

flashlightlens

Newly Enlightened
Joined
Nov 12, 2002
Messages
134
Location
flashlightlens.com
[ QUOTE ]
kfasold said:
Is your proxy machine also a firewall, and the only point of contact w/the outside world?

[/ QUOTE ]

The machine does not act as a firewall. We run all of our traffic through a Pix 520.

[ QUOTE ]
kfasold said:
Are your networked machines getting an IP address from Qwest, or via the proxy (NATting router)? Public IP addresses or private, non-routable?

[/ QUOTE ]

Our workstations are all pulling IP's from our internal DHCP server. NAT is provided by our Pix to our external IP block.

Logs from our Pix show that about 98% of the traffic is coming from the proxy server.
 

wasabe64

Flashaholic*
Joined
Nov 12, 2003
Messages
923
Location
Abducted to The Granite Planet
[ QUOTE ]
flashlightlens.com said:
Logs from our Pix show that about 98% of the traffic is coming from the proxy server.

[/ QUOTE ]

But wouldn't that be the case? Most hosts on the local network should be utilizing the proxy server rather than accessing the PIX directly.

The 2% that is not coming from the Proxy, can this be accounted for?

A better indicator of virus activity is to first compare historical bandwidth usage against current usage. As soon as you can confirm that you have a spike in port 80 usage, you will have to sift through Proxy logs to find out who (client stations) are your biggest users of web services.

It still takes a lot to compromise the proxy server since it must first execute the malicious code to become infected. A proxy server will not spontaneously execute programmes, since its services do not rely on spawning processes on the fly. I'd verify the clients on your LAN and not just focus on the proxy server.

HTH
 
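The two checks suggested above (compare current usage against a historical baseline, then find the biggest client users in the proxy log) are easy to script. This added example, which is not code from anyone in the thread, does both over a Squid-style native access.log (fields: timestamp, elapsed ms, client, code/status, bytes, method, URL, user, hierarchy/host, type). The log lines and the 500,000-byte baseline are constructed for illustration; a different proxy product needs a different parser.

```python
"""Top-talker and spike check over a Squid-style proxy access.log.

Added example, not part of the forum thread. Assumes the proxy writes
Squid's native access.log format (timestamp elapsed client code/status
bytes method URL user hier/host type). The log lines and the baseline
figure used below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample lines in Squid native format (private client IPs).
# One client is pulling a large audio stream twice; one line is garbage.
SAMPLE_LOG = """\
1068000001.101 250 10.0.0.5 TCP_MISS/200 4523 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1068000001.355 120 10.0.0.7 TCP_HIT/200 8190 GET http://example.com/logo.png - NONE/- image/png
1068000002.010 3100 10.0.0.42 TCP_MISS/200 1048576 GET http://radio.example.net/stream - DIRECT/198.51.100.9 audio/mpeg
1068000002.512 80 10.0.0.5 TCP_MISS/404 512 GET http://example.org/missing - DIRECT/203.0.113.4 text/html
1068000003.004 2950 10.0.0.42 TCP_MISS/200 1048576 GET http://radio.example.net/stream - DIRECT/198.51.100.9 audio/mpeg
1068000003.777 60 10.0.0.9 TCP_MISS/200 2048 GET http://example.com/news - DIRECT/93.184.216.34 text/html
this line is garbage and should be skipped
"""


def parse_squid_line(line):
    """Return (client_ip, bytes, url) for one native-format line, or None."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        return parts[2], int(parts[4]), parts[6]
    except ValueError:  # bytes field is not a number: not a log line
        return None


def per_client_usage(log_text):
    """Aggregate bytes served and request count per client address."""
    usage = defaultdict(lambda: {"bytes": 0, "requests": 0})
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        client, nbytes, _url = rec
        usage[client]["bytes"] += nbytes
        usage[client]["requests"] += 1
    return dict(usage)


def top_talkers(usage, n=3):
    """Clients sorted by bytes served, largest first."""
    return sorted(usage.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


def spike_ratio(usage, baseline_bytes):
    """Current total bytes divided by the historical figure for the same window."""
    total = sum(v["bytes"] for v in usage.values())
    return total / baseline_bytes if baseline_bytes else float("inf")


if __name__ == "__main__":
    usage = per_client_usage(SAMPLE_LOG)
    # 500,000 bytes is an assumed baseline; use your own historical number.
    ratio = spike_ratio(usage, baseline_bytes=500_000)
    print(f"traffic is {ratio:.1f}x the baseline for this window")
    for client, stats in top_talkers(usage):
        print(f"{client:15} {stats['bytes']:>10} bytes {stats['requests']:>4} requests")
```

Run it against one day's log and against a log from a day you know was normal; if the ratio is near 1 and the top talkers are the same people doing the same things, the line is simply full, not infected. A single client at the top with a request count far out of proportion to everyone else is the one to look at first.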

duffahtolla

Newly Enlightened
Joined
Jun 3, 2002
Messages
104
Have you done a netstat?

Should show which of your users is using your machine abnormally.

If you're using a *nix, try ifstat or trafshow to show users graphically.
 

flashlightlens

Newly Enlightened
Joined
Nov 12, 2002
Messages
134
Location
flashlightlens.com
[ QUOTE ]
wasabe64 said:
But wouldn't that be the case? Most hosts on the local network should be utilizing the proxy server rather than accessing the PIX directly.


[/ QUOTE ]

That's exactly what I tried to tell Qwest. They apparently can't understand the concept of a proxy server. They think the address of the proxy server is the address of the machine that has the virus.

Netstat shows nothing beyond the normal internet traffic that the proxy is routing.
 

duffahtolla

Newly Enlightened
Joined
Jun 3, 2002
Messages
104
I'm guessing here since I don't know your network setup and I'm MS ignorant.

Can you monitor ALL traffic incoming and outgoing for your network? At work I placed an OpenBSD box with a transparent bridge firewall between my network and each of the routers. I can monitor any and all traffic to narrow down such weirdness in real time.

If not, maybe Qwest can give you the offending IP? 200 users shouldn't saturate a T1 with normal business traffic. Let Qwest do the work for you. If Qwest comes back with your proxy IP, then at least you've narrowed down the options. If not, you have the offender's IP.

Your proxy server's log tools, can they tell you your largest user? If the traffic is all legit then maybe you could use a caching server (I'm assuming that it isn't)? We've installed Squid, but I want it to be transparent so it's not widely deployed yet.

One other thing does come to mind. Do you have a bunch of users that use Internet radio? That can kill bandwidth pretty fast. But only bandwidth. It would look like a bunch of persistent connections. It sounds like Qwest is complaining that there are TOO many requests. But if your tech support doesn't know what a proxy server is, maybe they only 'think' it's slow for that reason.

In any case, I feel your pain.

Setting up one machine to be a transparent bridge would help you answer all these questions. Pop trafshow on it, and you have a portable Ethernet monitor that you plug between any two network devices, live, and without any configuration changes.
 