Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

End of Bibblio RCM includes -->
01:31 PM
Teri Radichel
Teri Radichel
News Analysis-Security Now

10 Clues That Network Traffic Is Bad

Threats often come in the form of bad network traffic. These 10 tips tell you whether bad traffic is worth worrying about.

The number of recent data breaches and the amount of stolen data is staggering. At times, finding ways to stop the latest cyber attacks may seem overwhelming. Even though the malware that infiltrates an organization can be very complicated and stealthy, many breaches share common characteristics that appear in traffic logs of carefully designed networks. Although advanced security products can help stop advanced criminals, network administrators can stop some of the recent high-visibility attacks with well-designed firewall configurations and traffic monitoring.

Here are ten tips to keep in mind that can help to identify malicious traffic on your network:

  1. Continuously inspect the top hosts generating the highest traffic volume. In most cases, after malware infects a host, it will try to make an outbound connection back to a server. An attacker uses this connection to send commands to the infected host. The infected host may download more malware, scan the network for other hosts to infect, or exfiltrate data. These behaviors sometimes lead to ongoing traffic patterns that indicate a breach. As the SANS Institute explains in their security bootcamp, administrators can regularly monitor top IP addresses that match one or more of the following patterns to make sure the traffic is legitimate:
  • The longest connections
  • The largest amount of data transfer
  • The most connections


  • Look for anomalies. In addition to checking hosts with these characteristics, network administrators should be aware of the usual traffic that flows through the network. If a host starts sending an abnormal amount of data, that could mean malware has infected the host and is performing unwanted actions. Monitor the connections, data transfer and total connections for individual hosts and inspect variations.



  • Block ports to generate logs that show unauthorized access attempts. You may have heard someone claim that firewalls are useless because an attacker can easily bypass firewall rules to get into a network. It is true that attackers can often trick standard firewalls to allow malicious data through an open port, but no traffic can pass through a blocked port under normal circumstances. Therefore, limit open ports. To maximize the number of blocked ports around critical hosts, break networks down into smaller networks (network segmentation). Make hosts accessing private networks and critical systems pass through a network with broader rules to networks with more restricted access. When malware scans for open ports, correctly configured traffic logs will include the invalid access attempts.



  • Watch for "deny" entries in network firewall logs. Configure network firewalls on the perimeter of networks to block unnecessary ports between internal and external networks, and between network segments. An external host trying to connect to a blocked port multiple times could be the result of misconfiguration or an attacker. In many cases, network administrators can create firewall rules to prevent these hosts from any further network connections on any port.



  • Check for traffic from desktops and laptops trying to connect to each other. Desktops and laptops on the network typically have no reason to connect to one another. Block access between individual hosts on the network by installing a host-based firewall. Create rules that only allow the specific access needed by each host. Malware on infected hosts will often try to scan the network to find other hosts nearby that it can infect. This activity will generate entries in host-based firewall logs that are configured to display denied access attempts. Investigating these entries may uncover configuration or security problems.



  • Watch for printers, network, or IoT devices making outbound traffic connections. Laptops and desktops need to initiate network requests to printers. Printers do not typically need to connect to the machines that print documents. The printer may make an outbound connection to receive a software update, but traffic from the Internet should not request to access a printer hosted on a private network. Block invalid traffic patterns and investigate denied and unusual access attempts generated by or to network devices.



  • Monitor traffic sent to or from unexpected locations. If a business operates exclusively in one country, traffic to other parts of the world could be a sign of malicious activity. Investigate traffic to foreign networks to ensure it is legitimate. Administrators can block traffic to unwanted locations using a geolocation database or tool that identifies the location of the source or destination IP address in the network request.



  • Watch for abnormal network packet sizes. Ping packets are small and have a normal size range. In the Target Breach, ICMP or ping packets moved data through the network. A network administrator watching the network closely would have noticed that these packets were unusually large for a simple ping request. Monitor for network packets and requests that deviate from standard sizes.



  • Disallow traffic to known bad IP addresses and networks. Many products and services offer ways to block traffic to known-bad locations. Use these lists to find malicious IP addresses or network ranges. Create networking rules that block any traffic to nefarious destinations and monitor logs for access to or from those networks.



  • Watch for improperly formed network requests. Network devices communicate via a standard network protocol. Each protocol has a defined format including traffic at different network layers such as TCP/IP and HTTP or SMTP. Valid network traffic will conform to these standards. Administrators can watch for malformed network packets and protocol usage using network security tools. An administrator may want to investigate a host or block it if it is generating improperly formed requests and packets.


Before moving to advanced security techniques, companies trying to improve the effectiveness of their cyber security programs should start with the basics. Create effective firewall rules and monitor network traffic logs for suspect behavior. These steps will block many attackers using well-known vulnerabilities and attack patterns to compromise organizations.

Although these ten suggestions don’t involve next-generation security appliances, machine learning, or artificial intelligence, they would have prevented or at least minimized the impact of some of the more recent cyberattacks such as WannaCry, NotPetya, and the Target breach. These tactics can also mitigate DDoS attacks for some companies and weaken the effectiveness of botnets. Before moving to advanced security techniques, consider improving the effectiveness of your cyber security program by tackling these basic, but powerful best practices.

Related posts:

— Teri Radichel is the Directory of Security Strategy and Research at WatchGuard Technologies.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/9/2020 | 9:37:35 AM
its better always use of network traffic monitor

For control of network abuse we can easily monitor our network with NetsMonitor in https://NetsMonitor.com

Its very Light, Fast, Simple, Free & ...
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-06-25
RG-EG series gateway EG350 EG_RGOS 11.1(6) was discovered to contain a SQL injection vulnerability via the function get_alarmAction at /alarm_pi/alarmService.php.
PUBLISHED: 2022-06-24
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in underscore-99xp v1.7.2 when the deepValueSearch function is called.
PUBLISHED: 2022-06-24
The RootInteractive package in PyPI v0.0.5 to v0.0.19b0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.
PUBLISHED: 2022-06-24
The cryptoasset-data-downloader package in PyPI v1.0.0 to v1.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.
PUBLISHED: 2022-06-24
The cloudlabeling package in PyPI v0.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.