PC virus affects router?


#1

One of our locations uses a Balance 210 running 7.01. We have two separate WAN sources. This morning none of the client devices could access the internet. No matter what web site they tried to access, the user received a page with an error notification. This affected windows devices, and also smartphones both Apple and Android.

I remotely logged into the router. I did ping tests from within the Balance, to various web sites using each of the WAN sources. No matter what web site I sent a ping, through either WAN, I got the same error message.

At that point we rebooted the router. Everything came back to normal except for one Windows 10 PC. We had to reboot that device three times but it ultimately began to work normally.

A few hours later the problem returned. I had a suspicion a virus was involved but did not know how that could affect the router. Another reboot of the router brought the network back online. At that time the same single PC still would not work. We ran virus scans on that PC and found 160 offending files. We are in the process of wiping that device clean.

The network has been fine for 9 hours since then. I can’t figure out how a virus on a Windows PC could affect the Balance, or even if that’s actually what happened. In both cases when the problem happened, the Balance itself could not get a good ping on any web site; all ping tests came back showing the same site address, and that address does not even exist.

Note that during the entire event, the network still passed traffic that did not involve a web site. For example, during the entire event our PepVPN continued to function, and we could access servers on both sides of the VPN. The problem appeared to me to be some kind of DNS redirection, not an actual block of communication. How could the DNS be redirected in such a way that rebooting the router corrects the problem?


#2

If I had to guess, the infected machine flooded the network with bad ARP packets and began intercepting DNS queries from everywhere. It basically spoofed your router’s IP and all devices started sending IP traffic to the wrong NIC address on the network. Rebooting the router forced an ARP reset which worked for a while, but then the infected machine blasted again. Viruses do all kinds of bad shit. Imagine if someone that writes viruses put that effort toward something productive.


#3

JM, that does make sense. The logs show the PC in question downloaded 1.6EB of data yesterday. I didn’t know our internet provider or the router could do that much in 24 hours. That unit has been wiped clean. I am having a similar but not as severe problem this morning. Good chance the virus spread. I don’t see a huge data amount to any individual device today, so is there some other way I can identify which devices on the LAN are causing the problem?


#4

You can do a packet capture on the LAN side and see if there is a device spraying local broadcast traffic.
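The ARP-spoofing mechanism guessed at in #2 and the LAN-side capture suggested in #4 can both be checked offline with a short script over saved tcpdump text. The following is an added example, not part of this thread and not Peplink code; it assumes a LAN gateway address of 192.168.1.1 and works on constructed lines written in the style of `tcpdump -e -n` output (link-layer headers, no name resolution), not a real capture.

```python
import re
from collections import Counter, defaultdict

# Assumed LAN gateway address (hypothetical; substitute the Balance's LAN IP).
GATEWAY_IP = "192.168.1.1"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample in the style of `tcpdump -e -n` output; not from a real network.
# 00:11:22:33:44:01 is the "real" gateway, 00:11:22:33:44:10 a normal client,
# aa:bb:cc:dd:ee:99 a host repeatedly claiming the gateway IP and spraying broadcasts.
SAMPLE_CAPTURE = """\
10:00:01.000001 00:11:22:33:44:10 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.50, length 28
10:00:01.000200 00:11:22:33:44:01 > 00:11:22:33:44:10, ethertype ARP (0x0806), length 60: Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 46
10:00:01.100000 00:11:22:33:44:10 > 00:11:22:33:44:01, ethertype IPv4 (0x0800), length 74: 192.168.1.50.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
10:00:02.000000 aa:bb:cc:dd:ee:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:99, length 46
10:00:02.050000 aa:bb:cc:dd:ee:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:99, length 46
10:00:02.100000 aa:bb:cc:dd:ee:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.51 tell 192.168.1.77, length 28
10:00:02.150000 aa:bb:cc:dd:ee:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:99, length 46
10:00:02.200000 aa:bb:cc:dd:ee:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.52 tell 192.168.1.77, length 28
10:00:02.250000 aa:bb:cc:dd:ee:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:99, length 46
"""

# Frame header: timestamp, source MAC, destination MAC, ethertype name.
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype (?P<proto>\w+)"
)
# ARP reply body: which IP is being bound to which MAC.
ARP_REPLY_RE = re.compile(r"Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})")


def parse_frames(text):
    """Turn tcpdump -e -n lines into dicts with src, dst, proto and any ARP reply binding."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # not a frame header line (continuation or noise)
        frame = m.groupdict()
        reply = ARP_REPLY_RE.search(line)
        frame["arp_reply"] = (reply["ip"], reply["mac"]) if reply else None
        frames.append(frame)
    return frames


def arp_conflicts(frames):
    """IPs that more than one MAC claimed in ARP replies, mapped to the set of claimants."""
    claims = defaultdict(set)
    for f in frames:
        if f["arp_reply"]:
            ip, mac = f["arp_reply"]
            claims[ip].add(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def gateway_claimants(frames, gateway_ip=GATEWAY_IP):
    """Sorted list of MACs that answered ARP for the gateway IP; more than one is a red flag."""
    return sorted({mac for f in frames if f["arp_reply"] and f["arp_reply"][0] == gateway_ip
                   for mac in [f["arp_reply"][1]]})


def broadcast_counts(frames):
    """Number of broadcast frames sent by each source MAC."""
    return Counter(f["src"] for f in frames if f["dst"] == BROADCAST)


def noisy_senders(frames, min_count=5):
    """(mac, count) for hosts that sent at least min_count broadcast frames, busiest first."""
    return [(mac, n) for mac, n in broadcast_counts(frames).most_common() if n >= min_count]


if __name__ == "__main__":
    frames = parse_frames(SAMPLE_CAPTURE)
    for ip, macs in arp_conflicts(frames).items():
        print(f"ARP conflict: {ip} claimed by {sorted(macs)}")
    for mac, n in noisy_senders(frames):
        print(f"Broadcast-heavy host: {mac} ({n} broadcast frames)")
```

To use it on a real LAN, run tcpdump with `-e -n` on a host plugged into the same switch (or on a mirror port), save the text output, and pass it to parse_frames; a gateway IP with two claimants, or one MAC accounting for nearly all broadcast frames, points at the device to pull off the network.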


#5

I don’t know how to do a packet capture. Please tell me more.

Still struggling with this, thought it was fixed. I now understand the problem only affects secure (https) web sites. It does not affect IP traffic outside of https. It affects all devices behind the router, both mobile and windows, and using various browsers. When it happens we can get going again only by rebooting the router, obviously something we do not want to do because it interrupts the other traffic that is not disturbed (such as VoIP).

We did find a virus on one computer and did a Windows Restore on it. Another we weren’t sure about, so we did the same. I’m not seeing unusual amounts of data transfer any longer, but the problem still reappears.


#6

Closing this thread with a resolution. Although we did find significant viruses on the client PCs, the problem turned out to be a flaky DSL modem. Replaced that and immediately all better.