We're using a Windows 2012 server for hosting (LeaseWeb) our Windows application.
This server now has a lot of extra outgoing traffic (> 500 Gb / day).
We would like to solve this, maybe by blocking internet access, except:
- Customers accessing the server via a client program (started in the browser) from GoGlobal.
- Some SOAP/REST requests in the Windows application to fixed IP addresses.
"Microsoft Network Monitor 3.4" is already installed.
It shows LDAP is causing a lot of traffic. Port 389.
Another quick Netflow shows the IPs that are mainly responsible for the generated traffic.
Other ports are also included in the Netflow, since it was not filtered exclusively on port 389.
Unfortunately blocking the port on the server does not prevent high bandwidth consumption. Since the traffic still passes the TOR switch before it is dropped at the server, it will still count as "legit" traffic to the metrics system, which unfortunately still results in high bandwidth consumption for the server.
Regarding the IPs that are responsible:
[login to view URL]:
OrgAbuseName: SHAW ABUSE
OrgAbuseEmail: [login to view URL]@[login to view URL]
OrgAbuseRef: [login to view URL]
Abuse contact for '18.104.22.168 - 22.214.171.124' is 'abuse@[login to view URL]'
To gain information on the Abuse contacts for the owners of these IP addresses, query the whois database.