
Teri Radichel
News Analysis - Security Now

10 Clues That Network Traffic Is Bad

Threats often come in the form of bad network traffic. These 10 tips tell you whether bad traffic is worth worrying about.

The number of recent data breaches and the amount of stolen data is staggering. At times, finding ways to stop the latest cyber attacks may seem overwhelming. Even though the malware that infiltrates an organization can be very complicated and stealthy, many breaches share common characteristics that appear in traffic logs of carefully designed networks. Although advanced security products can help stop advanced criminals, network administrators can stop some of the recent high-visibility attacks with well-designed firewall configurations and traffic monitoring.

Here are ten tips to keep in mind that can help to identify malicious traffic on your network:

  1. Continuously inspect the top hosts generating the highest traffic volume. In most cases, after malware infects a host, it will try to make an outbound connection back to a server. An attacker uses this connection to send commands to the infected host. The infected host may download more malware, scan the network for other hosts to infect, or exfiltrate data. These behaviors sometimes lead to ongoing traffic patterns that indicate a breach. As the SANS Institute explains in their security bootcamp, administrators can regularly monitor top IP addresses that match one or more of the following patterns to make sure the traffic is legitimate:
  • The longest connections
  • The largest amount of data transfer
  • The most connections

  2. Look for anomalies. In addition to checking hosts with these characteristics, network administrators should be aware of the usual traffic that flows through the network. If a host starts sending an abnormal amount of data, that could mean malware has infected the host and is performing unwanted actions. Monitor connection duration, data transfer and total connections for individual hosts and inspect variations.

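As an added example that is not from the article, the three SANS patterns from tip 1 (longest connection, most bytes, most connections) and the volume-anomaly check from tip 2 applied to constructed flow records; the CSV layout and the ten-times-peer-mean threshold are assumptions:

```python
import csv
import io
from collections import defaultdict
from statistics import mean

# Constructed flow records (not from the article): source host, destination,
# destination port, bytes sent by the source and connection duration in seconds.
FLOWS = """\
src,dst,dst_port,bytes_out,duration_s
10.0.1.20,203.0.113.5,443,1200,2
10.0.1.20,203.0.113.5,443,900,1
10.0.1.21,203.0.113.9,443,1500,3
10.0.1.22,198.51.100.7,443,2000,2
10.0.1.30,192.0.2.44,8443,52000000,7200
10.0.1.30,192.0.2.44,8443,48000000,6900
10.0.1.31,10.0.1.40,445,300,1
10.0.1.31,10.0.1.41,445,300,1
10.0.1.31,10.0.1.42,445,300,1
"""

def parse_flows(text):
    """Read CSV flow records and convert the numeric fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["bytes_out"] = int(r["bytes_out"])
        r["duration_s"] = int(r["duration_s"])
    return rows

def top_hosts(flows, n=3):
    """Rank source hosts by the three SANS patterns from tip 1."""
    longest, total_bytes, conns = defaultdict(int), defaultdict(int), defaultdict(int)
    for f in flows:
        s = f["src"]
        longest[s] = max(longest[s], f["duration_s"])
        total_bytes[s] += f["bytes_out"]
        conns[s] += 1
    rank = lambda d: sorted(d, key=d.get, reverse=True)[:n]
    return {"longest": rank(longest), "most_bytes": rank(total_bytes),
            "most_conns": rank(conns)}

def anomalies(flows, factor=10):
    """Tip 2: hosts whose outbound volume dwarfs the mean of their peers.
    In production the baseline would be each host's own history, not its peers."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes_out"]
    flagged = []
    for host, total in totals.items():
        peers = [v for h, v in totals.items() if h != host]
        if peers and total > factor * mean(peers):
            flagged.append(host)
    return sorted(flagged)
```

In the sample, 10.0.1.30 tops both the duration and volume rankings (a long-lived, high-volume outbound session), while 10.0.1.31 tops the connection count with repeated SMB connections to neighbouring hosts, the pattern tip 5 warns about.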
  3. Block ports to generate logs that show unauthorized access attempts. You may have heard someone claim that firewalls are useless because an attacker can easily bypass firewall rules to get into a network. It is true that attackers can often trick standard firewalls into allowing malicious data through an open port, but no traffic can pass through a blocked port under normal circumstances. Therefore, limit open ports. To maximize the number of blocked ports around critical hosts, break networks down into smaller networks (network segmentation). Route hosts that access private networks and critical systems from a network with broader rules into networks with progressively more restricted access. When malware scans for open ports, correctly configured traffic logs will record the invalid access attempts.

  4. Watch for "deny" entries in network firewall logs. Configure network firewalls on the perimeter of networks to block unnecessary ports between internal and external networks, and between network segments. An external host trying to connect to a blocked port multiple times could be the result of misconfiguration or an attacker. In many cases, network administrators can create firewall rules to prevent these hosts from any further network connections on any port.

  5. Check for traffic from desktops and laptops trying to connect to each other. Desktops and laptops on the network typically have no reason to connect to one another. Block access between individual hosts on the network by installing a host-based firewall. Create rules that only allow the specific access needed by each host. Malware on infected hosts will often try to scan the network to find other hosts nearby that it can infect. This activity will generate entries in host-based firewall logs that are configured to record denied access attempts. Investigating these entries may uncover configuration or security problems.

  6. Watch for printers, network devices, or IoT devices making outbound traffic connections. Laptops and desktops need to initiate network requests to printers. Printers do not typically need to connect to the machines that print documents. The printer may make an outbound connection to receive a software update, but traffic from the Internet should not request access to a printer hosted on a private network. Block invalid traffic patterns and investigate denied and unusual access attempts generated by or to network devices.

  7. Monitor traffic sent to or from unexpected locations. If a business operates exclusively in one country, traffic to other parts of the world could be a sign of malicious activity. Investigate traffic to foreign networks to ensure it is legitimate. Administrators can block traffic to unwanted locations using a geolocation database or tool that identifies the location of the source or destination IP address in the network request.

  8. Watch for abnormal network packet sizes. Ping packets are small and have a normal size range. In the Target breach, ICMP (ping) packets moved data through the network. A network administrator watching the network closely would have noticed that these packets were unusually large for a simple ping request. Monitor for network packets and requests that deviate from standard sizes.

  9. Disallow traffic to known bad IP addresses and networks. Many products and services offer ways to block traffic to known-bad locations. Use these lists to find malicious IP addresses or network ranges. Create networking rules that block any traffic to nefarious destinations and monitor logs for access to or from those networks.

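An added example, not the article's own code, that applies tips 4, 8 and 9 to constructed firewall log lines: repeated denies from one external source across several ports, ICMP packets far larger than a normal ping, and hits on a known-bad range. The key=value log format, the 128-byte ICMP threshold and the 192.0.2.0/24 "bad" range are assumptions made for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed firewall log lines (not from the article); one record per line.
LOG = """\
DENY src=203.0.113.77 dst=10.0.0.5 proto=TCP dport=22 len=60
DENY src=203.0.113.77 dst=10.0.0.5 proto=TCP dport=23 len=60
DENY src=203.0.113.77 dst=10.0.0.5 proto=TCP dport=3389 len=60
DENY src=198.51.100.9 dst=10.0.0.5 proto=TCP dport=443 len=60
ALLOW src=10.0.1.7 dst=10.0.0.5 proto=ICMP type=8 len=84
ALLOW src=10.0.1.9 dst=192.0.2.44 proto=ICMP type=8 len=1400
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Turn 'ACTION k=v k=v ...' lines into dicts; dport and len become ints."""
    records = []
    for line in log.splitlines():
        action, _, rest = line.partition(" ")
        rec = {"action": action, **dict(FIELD.findall(rest))}
        for k in ("dport", "len"):
            if k in rec:
                rec[k] = int(rec[k])
        records.append(rec)
    return records

def scanning_sources(records, min_ports=3):
    """Tip 4: sources denied on several distinct ports, a scan-like pattern."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DENY" and "dport" in r:
            ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def oversized_icmp(records, max_len=128):
    """Tip 8: ICMP packets far larger than a normal echo request (84 bytes on Linux)."""
    return [(r["src"], r["dst"], r["len"]) for r in records
            if r.get("proto") == "ICMP" and r["len"] > max_len]

def hits_on_blocklist(records, cidrs):
    """Tip 9: records whose src or dst falls inside a known-bad range."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    hits = []
    for r in records:
        for field in ("src", "dst"):
            ip = ipaddress.ip_address(r[field])
            if any(ip in n for n in nets):
                hits.append((r[field], field))
    return hits
```

A single deny from 198.51.100.9 is not reported, which is the point of the distinct-port threshold: one blocked connection is often a misconfiguration, while denies across many ports from the same source merit a block rule as the article suggests.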
  10. Watch for improperly formed network requests. Network devices communicate via a standard network protocol. Each protocol has a defined format including traffic at different network layers such as TCP/IP and HTTP or SMTP. Valid network traffic will conform to these standards. Administrators can watch for malformed network packets and protocol usage using network security tools. An administrator may want to investigate a host or block it if it is generating improperly formed requests and packets.

Before moving to advanced security techniques, companies trying to improve the effectiveness of their cyber security programs should start with the basics. Create effective firewall rules and monitor network traffic logs for suspect behavior. These steps will block many attackers using well-known vulnerabilities and attack patterns to compromise organizations.

Although these ten suggestions don’t involve next-generation security appliances, machine learning, or artificial intelligence, they would have prevented or at least minimized the impact of some of the more recent cyberattacks such as WannaCry, NotPetya, and the Target breach. These tactics can also mitigate DDoS attacks for some companies and weaken the effectiveness of botnets. Before moving to advanced security techniques, consider improving the effectiveness of your cyber security program by tackling these basic, but powerful best practices.

— Teri Radichel is the Director of Security Strategy and Research at WatchGuard Technologies.

8/9/2020 | 9:37:35 AM
It's better to always use a network traffic monitor.

For control of network abuse we can easily monitor our network with NetsMonitor at https://NetsMonitor.com

It's very light, fast, simple, free & ...