10 Clues That Network Traffic Is Bad

Threats often come in the form of bad network traffic. These 10 tips tell you whether bad traffic is worth worrying about.

Teri Radichel, Director of Security Strategy & Research, WatchGuard Technologies

November 16, 2017

6 Min Read

The number of recent data breaches and the amount of stolen data is staggering. At times, finding ways to stop the latest cyber attacks may seem overwhelming. Even though the malware that infiltrates an organization can be very complicated and stealthy, many breaches share common characteristics that appear in traffic logs of carefully designed networks. Although advanced security products can help stop advanced criminals, network administrators can stop some of the recent high-visibility attacks with well-designed firewall configurations and traffic monitoring.

Here are ten tips to keep in mind that can help to identify malicious traffic on your network:

  1. Continuously inspect the top hosts generating the highest traffic volume. In most cases, after malware infects a host, it will try to make an outbound connection back to a server. An attacker uses this connection to send commands to the infected host. The infected host may download more malware, scan the network for other hosts to infect, or exfiltrate data. These behaviors sometimes lead to ongoing traffic patterns that indicate a breach. As the SANS Institute explains in their security bootcamp, administrators can regularly monitor top IP addresses that match one or more of the following patterns to make sure the traffic is legitimate:

  • The longest connections

  • The largest amount of data transfer

  • The most connections


  • Look for anomalies. In addition to checking hosts with these characteristics, network administrators should be aware of the usual traffic that flows through the network. If a host starts sending an abnormal amount of data, that could mean malware has infected the host and is performing unwanted actions. Monitor the connections, data transfer and total connections for individual hosts and inspect variations.



  • Block ports to generate logs that show unauthorized access attempts. You may have heard someone claim that firewalls are useless because an attacker can easily bypass firewall rules to get into a network. It is true that attackers can often trick standard firewalls to allow malicious data through an open port, but no traffic can pass through a blocked port under normal circumstances. Therefore, limit open ports. To maximize the number of blocked ports around critical hosts, break networks down into smaller networks (network segmentation). Make hosts accessing private networks and critical systems pass through a network with broader rules to networks with more restricted access. When malware scans for open ports, correctly configured traffic logs will include the invalid access attempts.



  • Watch for "deny" entries in network firewall logs. Configure network firewalls on the perimeter of networks to block unnecessary ports between internal and external networks, and between network segments. An external host trying to connect to a blocked port multiple times could be the result of misconfiguration or an attacker. In many cases, network administrators can create firewall rules to prevent these hosts from any further network connections on any port.



  • Check for traffic from desktops and laptops trying to connect to each other. Desktops and laptops on the network typically have no reason to connect to one another. Block access between individual hosts on the network by installing a host-based firewall. Create rules that only allow the specific access needed by each host. Malware on infected hosts will often try to scan the network to find other hosts nearby that it can infect. This activity will generate entries in host-based firewall logs that are configured to display denied access attempts. Investigating these entries may uncover configuration or security problems.



  • Watch for printers, network, or IoT devices making outbound traffic connections. Laptops and desktops need to initiate network requests to printers. Printers do not typically need to connect to the machines that print documents. The printer may make an outbound connection to receive a software update, but traffic from the Internet should not request to access a printer hosted on a private network. Block invalid traffic patterns and investigate denied and unusual access attempts generated by or to network devices.



  • Monitor traffic sent to or from unexpected locations. If a business operates exclusively in one country, traffic to other parts of the world could be a sign of malicious activity. Investigate traffic to foreign networks to ensure it is legitimate. Administrators can block traffic to unwanted locations using a geolocation database or tool that identifies the location of the source or destination IP address in the network request.



  • Watch for abnormal network packet sizes. Ping packets are small and have a normal size range. In the Target Breach, ICMP or ping packets moved data through the network. A network administrator watching the network closely would have noticed that these packets were unusually large for a simple ping request. Monitor for network packets and requests that deviate from standard sizes.



  • Disallow traffic to known bad IP addresses and networks. Many products and services offer ways to block traffic to known-bad locations. Use these lists to find malicious IP addresses or network ranges. Create networking rules that block any traffic to nefarious destinations and monitor logs for access to or from those networks.



  • Watch for improperly formed network requests. Network devices communicate via a standard network protocol. Each protocol has a defined format including traffic at different network layers such as TCP/IP and HTTP or SMTP. Valid network traffic will conform to these standards. Administrators can watch for malformed network packets and protocol usage using network security tools. An administrator may want to investigate a host or block it if it is generating improperly formed requests and packets.


Before moving to advanced security techniques, companies trying to improve the effectiveness of their cyber security programs should start with the basics. Create effective firewall rules and monitor network traffic logs for suspect behavior. These steps will block many attackers using well-known vulnerabilities and attack patterns to compromise organizations.

Although these ten suggestions don’t involve next-generation security appliances, machine learning, or artificial intelligence, they would have prevented or at least minimized the impact of some of the more recent cyberattacks such as WannaCry, NotPetya, and the Target breach. These tactics can also mitigate DDoS attacks for some companies and weaken the effectiveness of botnets. Before moving to advanced security techniques, consider improving the effectiveness of your cyber security program by tackling these basic, but powerful best practices.

Related posts:

— Teri Radichel is the Directory of Security Strategy and Research at WatchGuard Technologies.

Read more about:

Security Now

About the Author(s)

Teri Radichel

Director of Security Strategy & Research, WatchGuard Technologies

Teri Radichel is CEO of 2nd Sight Lab, providing pen testing, security assessments, and research. Her career started in telecommunications and networking in 1994. She gravitated to software programming, having learned BASIC from a book in grade school. After obtaining a Master of Software Engineering in 2000, she started a software consulting and web hosting business and served customers ranging from startups to Fortune 150. In 2011, she joined Capital One Investing and led a team working on large-scale back office systems. In 2013, she started the Seattle AWS Architects & Engineers Meetup and became an AWS Hero. She moved to the cloud engineering team to help Capital One migrate production workloads to AWS and then the security operations team to help with security automation. At WatchGuard Technologies, she architected a secure CICD deployment pipeline based on her SANS white paper, Balancing Security and Innovation With Event Driven Automation. She has a number of SANS certifications and received the SANS 2017 Difference Makers award. You can follower her on twitter at @teriradichel.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights