Having just logged in to a Windows host, I noticed unexpected CPU usage. I quickly found out the processor was being hogged by the Windows Firewall services. I enabled logging and started to see sheet after sheet of dropped TCP packets, with the IPv6 loopback address as both source and destination address, but with the source and destination ports changing slightly with every dropped packet.
Here is a snippet:
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
...
2016-10-21 19:54:57 DROP TCP ::1 ::1 51330 51328 0 - 0 0 0 - - - SEND
2016-10-21 19:54:57 DROP TCP ::1 ::1 51334 51332 0 - 0 0 0 - - - SEND
2016-10-21 19:54:57 DROP TCP ::1 ::1 51338 51336 0 - 0 0 0 - - - SEND
2016-10-21 19:54:57 DROP TCP ::1 ::1 51342 51340 0 - 0 0 0 - - - SEND
2016-10-21 19:54:57 DROP TCP ::1 ::1 51346 51344 0 - 0 0 0 - - - SEND
...
Even executing netstat -a -b, I was not able to identify the process that was sending those TCP packets. In this specific instance I luckily had the opportunity to bounce the host; I bounced it, and the issue seems to have disappeared. Any idea what may have caused the issue?
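The log excerpt in the question is in the W3C-style format that Windows Firewall writes to pfirewall.log, so the pattern the asker spotted by eye (loopback-to-loopback drops whose ports move in lock step) can be checked mechanically. The following script is an added example, not code from the question or from Microsoft: it parses the column layout from the `#Fields:` header, counts dropped loopback TCP packets per second, and summarises how the ports change between consecutive drops. The sample log embedded in it is constructed to match the header and entries shown above plus two unrelated lines; the threshold of three drops per second is an arbitrary assumption.

```python
from collections import Counter

# Constructed sample in pfirewall.log layout. The header and the ::1 entries
# mirror the question's excerpt; the last two lines are made-up noise so the
# filter has something to ignore.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-10-21 19:54:57 DROP TCP ::1 ::1 51330 51328 0 - 0 0 0 - - - SEND
2016-10-21 19:54:57 DROP TCP ::1 ::1 51334 51332 0 - 0 0 0 - - - SEND
2016-10-21 19:54:57 DROP TCP ::1 ::1 51338 51336 0 - 0 0 0 - - - SEND
2016-10-21 19:54:57 ALLOW TCP 10.0.0.5 10.0.0.9 49211 443 0 - 0 0 0 - - - SEND
2016-10-21 19:54:58 DROP UDP 10.0.0.7 10.0.0.5 137 137 78 - - - - - - - RECEIVE
"""

LOOPBACK = {"::1", "127.0.0.1"}


def parse_firewall_log(text):
    """Parse pfirewall.log text into a list of dicts keyed by the column
    names declared in the '#Fields:' header line."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appeared before the #Fields header")
        values = line.split()
        # Pad short rows so every declared column exists (older log versions
        # omit trailing columns).
        values += ["-"] * (len(fields) - len(values))
        records.append(dict(zip(fields, values)))
    return records


def _loopback_tcp_drops(records):
    """Keep only dropped TCP packets whose source and destination are both
    loopback addresses, which is the traffic the question is about."""
    return [r for r in records
            if r["action"] == "DROP" and r["protocol"] == "TCP"
            and r["src-ip"] in LOOPBACK and r["dst-ip"] in LOOPBACK]


def find_loopback_drop_bursts(records, min_per_second=3):
    """Return {(date, time): count} for every second in which at least
    min_per_second loopback TCP packets were dropped (threshold assumed)."""
    per_second = Counter((r["date"], r["time"]) for r in _loopback_tcp_drops(records))
    return {key: n for key, n in per_second.items() if n >= min_per_second}


def loopback_port_pattern(records):
    """Summarise how the ports of dropped loopback TCP packets change: the set
    of (src-port - dst-port) values and the set of strides between consecutive
    source ports. A single constant in each set means the ports advance in
    lock step, which is what sequential ephemeral-port allocation by one
    process looks like, as opposed to many unrelated connections."""
    ports = [(int(r["src-port"]), int(r["dst-port"]))
             for r in _loopback_tcp_drops(records)]
    src_minus_dst = {s - d for s, d in ports}
    strides = {b[0] - a[0] for a, b in zip(ports, ports[1:])}
    return {"src_minus_dst": src_minus_dst, "src_stride": strides}


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print("parsed records:", len(recs))
    print("bursts:", find_loopback_drop_bursts(recs))
    print("port pattern:", loopback_port_pattern(recs))
```

On a live host, point `parse_firewall_log` at the contents of %systemroot%\system32\LogFiles\Firewall\pfirewall.log (the default location when logging of dropped packets is enabled). The log itself never records the owning process, so once the burst is confirmed the next step is to correlate the timestamps with a process-aware view such as netstat -a -n -o (PID column) or PowerShell's Get-NetTCPConnection with its OwningProcess property, taken while the drops are still occurring; after a reboot, as the asker found, there is nothing left to correlate.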
0 Answers