We are facing a rather funny problem. We see packets on our routers wherein both the source and destination IPs are not on our network! After tracking down the culprit machine we find a file "syshost.exe" to be the reason behind this. Once this particular file is disabled the activity on our routers stops.
This is perplexing for the traffic generated even over a PPPoE i/f limited at 40000/40000 is an astonishing 12Mbps plus uploads. Consequently the router CPU usage shoots to 100% and performance drops miserably.
How is the above happening??
No IPs are defined on the PPPoE interface. No other interface is connected to the LAN side. Only one other Ether card is used on the WAN side for the Internet connection.
We have also implemented firewall rules whereby only traffic for authorised IPs is accepted on the router and all else is dropped/rejected.
Still the above happens. Is it because of the stupid bridging function built on WinXP? For we find this only on WinXP machines, so far. :evil:
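
The source-address check described in the post, as an added example that is not part of the original post: it classifies packet records arriving on subscriber interfaces by whether their source and destination fall inside the authorised prefixes, then totals the foreign-source traffic per interface so the offending line stands out. The prefix `192.0.2.0/24`, the interface names and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed values, not from the post: the authorised prefix and interface names.
AUTHORISED = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample records: (ingress interface, source IP, destination IP, bytes)
SAMPLE = [
    ("pppoe-user1", "192.0.2.10", "198.51.100.7", 1200),   # normal subscriber traffic
    ("pppoe-user1", "203.0.113.5", "198.51.100.9", 1500),  # neither address is ours
    ("pppoe-user1", "203.0.113.77", "198.51.100.9", 1500),
    ("pppoe-user2", "192.0.2.20", "203.0.113.1", 800),
    ("ether-wan", "198.51.100.7", "192.0.2.10", 900),      # return traffic from the WAN
]

def is_authorised(addr):
    """True when addr lies inside one of the authorised prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in AUTHORISED)

def classify(record, lan_prefix="pppoe-"):
    """Label one record; only subscriber-side (LAN) interfaces are checked."""
    iface, src, dst, _ = record
    if not iface.startswith(lan_prefix):
        return "not-checked"
    if is_authorised(src):
        return "ok"
    # Source is not ours: distinguish the case where the destination is not either.
    return "foreign-both" if not is_authorised(dst) else "foreign-src"

def summarise(records):
    """Per-interface packet count, byte total and sources of foreign-source packets."""
    out = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for rec in records:
        if classify(rec).startswith("foreign"):
            entry = out[rec[0]]
            entry["packets"] += 1
            entry["bytes"] += rec[3]
            entry["sources"].add(rec[1])
    return dict(out)

if __name__ == "__main__":
    for iface, stats in summarise(SAMPLE).items():
        print(iface, stats["packets"], "packets,", stats["bytes"], "bytes,",
              len(stats["sources"]), "distinct foreign sources")
```
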