Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

// // //
01:31 PM
Teri Radichel
Teri Radichel
News Analysis-Security Now

10 Clues That Network Traffic Is Bad

Threats often come in the form of bad network traffic. These 10 tips tell you whether bad traffic is worth worrying about.

The number of recent data breaches and the amount of stolen data is staggering. At times, finding ways to stop the latest cyber attacks may seem overwhelming. Even though the malware that infiltrates an organization can be very complicated and stealthy, many breaches share common characteristics that appear in traffic logs of carefully designed networks. Although advanced security products can help stop advanced criminals, network administrators can stop some of the recent high-visibility attacks with well-designed firewall configurations and traffic monitoring.

Here are ten tips to keep in mind that can help to identify malicious traffic on your network:

  1. Continuously inspect the top hosts generating the highest traffic volume. In most cases, after malware infects a host, it will try to make an outbound connection back to a server. An attacker uses this connection to send commands to the infected host. The infected host may download more malware, scan the network for other hosts to infect, or exfiltrate data. These behaviors sometimes lead to ongoing traffic patterns that indicate a breach. As the SANS Institute explains in their security bootcamp, administrators can regularly monitor top IP addresses that match one or more of the following patterns to make sure the traffic is legitimate:
  • The longest connections
  • The largest amount of data transfer
  • The most connections


  • Look for anomalies. In addition to checking hosts with these characteristics, network administrators should be aware of the usual traffic that flows through the network. If a host starts sending an abnormal amount of data, that could mean malware has infected the host and is performing unwanted actions. Monitor the connections, data transfer and total connections for individual hosts and inspect variations.



  • Block ports to generate logs that show unauthorized access attempts. You may have heard someone claim that firewalls are useless because an attacker can easily bypass firewall rules to get into a network. It is true that attackers can often trick standard firewalls to allow malicious data through an open port, but no traffic can pass through a blocked port under normal circumstances. Therefore, limit open ports. To maximize the number of blocked ports around critical hosts, break networks down into smaller networks (network segmentation). Make hosts accessing private networks and critical systems pass through a network with broader rules to networks with more restricted access. When malware scans for open ports, correctly configured traffic logs will include the invalid access attempts.



  • Watch for "deny" entries in network firewall logs. Configure network firewalls on the perimeter of networks to block unnecessary ports between internal and external networks, and between network segments. An external host trying to connect to a blocked port multiple times could be the result of misconfiguration or an attacker. In many cases, network administrators can create firewall rules to prevent these hosts from any further network connections on any port.



  • Check for traffic from desktops and laptops trying to connect to each other. Desktops and laptops on the network typically have no reason to connect to one another. Block access between individual hosts on the network by installing a host-based firewall. Create rules that only allow the specific access needed by each host. Malware on infected hosts will often try to scan the network to find other hosts nearby that it can infect. This activity will generate entries in host-based firewall logs that are configured to display denied access attempts. Investigating these entries may uncover configuration or security problems.



  • Watch for printers, network, or IoT devices making outbound traffic connections. Laptops and desktops need to initiate network requests to printers. Printers do not typically need to connect to the machines that print documents. The printer may make an outbound connection to receive a software update, but traffic from the Internet should not request to access a printer hosted on a private network. Block invalid traffic patterns and investigate denied and unusual access attempts generated by or to network devices.



  • Monitor traffic sent to or from unexpected locations. If a business operates exclusively in one country, traffic to other parts of the world could be a sign of malicious activity. Investigate traffic to foreign networks to ensure it is legitimate. Administrators can block traffic to unwanted locations using a geolocation database or tool that identifies the location of the source or destination IP address in the network request.



  • Watch for abnormal network packet sizes. Ping packets are small and have a normal size range. In the Target Breach, ICMP or ping packets moved data through the network. A network administrator watching the network closely would have noticed that these packets were unusually large for a simple ping request. Monitor for network packets and requests that deviate from standard sizes.



  • Disallow traffic to known bad IP addresses and networks. Many products and services offer ways to block traffic to known-bad locations. Use these lists to find malicious IP addresses or network ranges. Create networking rules that block any traffic to nefarious destinations and monitor logs for access to or from those networks.



  • Watch for improperly formed network requests. Network devices communicate via a standard network protocol. Each protocol has a defined format including traffic at different network layers such as TCP/IP and HTTP or SMTP. Valid network traffic will conform to these standards. Administrators can watch for malformed network packets and protocol usage using network security tools. An administrator may want to investigate a host or block it if it is generating improperly formed requests and packets.


Before moving to advanced security techniques, companies trying to improve the effectiveness of their cyber security programs should start with the basics. Create effective firewall rules and monitor network traffic logs for suspect behavior. These steps will block many attackers using well-known vulnerabilities and attack patterns to compromise organizations.

Although these ten suggestions don’t involve next-generation security appliances, machine learning, or artificial intelligence, they would have prevented or at least minimized the impact of some of the more recent cyberattacks such as WannaCry, NotPetya, and the Target breach. These tactics can also mitigate DDoS attacks for some companies and weaken the effectiveness of botnets. Before moving to advanced security techniques, consider improving the effectiveness of your cyber security program by tackling these basic, but powerful best practices.

Related posts:

— Teri Radichel is the Directory of Security Strategy and Research at WatchGuard Technologies.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/9/2020 | 9:37:35 AM
its better always use of network traffic monitor

For control of network abuse we can easily monitor our network with NetsMonitor in https://NetsMonitor.com

Its very Light, Fast, Simple, Free & ...
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file