Need to find the origin of this traffic BAD-TRAFFIC Conficker.



  • Hi all,

    I must thank you all for helping me out so far. To be honest this is the best community I have come across.

    I have snort listening on the WAN side. I can see some external IPs getting blocked and have plenty of alerts. What confused me was the alert below:

    06/09-20:50:39.667417 [ ** ] [ 3:15450:2 ] BAD-TRAFFIC Conficker C/D DNS traffic detected [ ** ] [ Classification: A Network Trojan was detected ] [ Priority: 1 ] {UDP} Firewall IP/my gateway:51806 -> 208.67.222.222:53

    I can see that some PC in my network generated Conficker traffic, and it is going to an external IP. How do I figure out which PC in my network caused it?

    I tried using snort on LAN and WAN and my firewall went crazy, I had to reboot it and disable lan.

    Thanks all.


  • Rebel Alliance Developer Netgate

    You will need snort to listen on the LAN to track this down.

    Listening on WAN and LAN should be ok, but will be resource-intensive. At least it used to work, I haven't tried it lately.



  • @jimp:

    You will need snort to listen on the LAN to track this down.

    Listening on WAN and LAN should be ok, but will be resource-intensive. At least it used to work, I haven't tried it lately.

    That probably explains why my firewall froze on me when I turned the LAN/WAN on.



  • A kludge might be, if you catch it in the log fast enough, to check the state table and see which machine(s) is/are getting NATed out to port 51806, though since this is DNS traffic it might be going through the DNS forwarder.

    You could also just scan your network for Conficker-infected hosts, apparently nmap's script for this is fairly reliable. See the post on the nmap page about scanning for Conficker.
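    The state-table kludge above, as an added example that is not from the thread: the alert carries the post-NAT WAN source port, so matching it against the outbound NAT states gives the LAN socket behind it. The `pfctl -ss` line format, the WAN address, the state lines and the firewall's LAN address are all constructed assumptions, and the `via_forwarder` flag covers the caveat that the state may only lead back to the firewall's own DNS forwarder.

```python
import re

# Snort fast-format alert as pasted above; the WAN address is a constructed placeholder.
ALERT = ("06/09-20:50:39.667417 [**] [3:15450:2] BAD-TRAFFIC Conficker C/D DNS traffic detected [**] "
         "[Classification: A Network Trojan was detected] [Priority: 1] {UDP} "
         "203.0.113.5:51806 -> 208.67.222.222:53")

# Constructed state-table excerpt in the style of `pfctl -ss` (assumed format: outbound NAT
# shows the translated WAN socket first and the original LAN socket in parentheses).
STATES = """\
all udp 203.0.113.5:51806 (192.168.1.50:54321) -> 208.67.222.222:53   MULTIPLE:SINGLE
all udp 208.67.222.222:53 <- 192.168.1.50:54321   SINGLE:MULTIPLE
all tcp 203.0.113.5:60112 (192.168.1.20:49822) -> 198.51.100.7:443   ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:51807 (192.168.1.1:53) -> 208.67.220.220:53   MULTIPLE:SINGLE
"""

ALERT_RE = re.compile(r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
                      r"(?P<dst>[\d.]+):(?P<dport>\d+)")
NAT_RE = re.compile(r"^\S+\s+(?P<proto>\w+)\s+(?P<wan>[\d.]+):(?P<wport>\d+)\s+"
                    r"\((?P<lan>[\d.]+):(?P<lport>\d+)\)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_alert(line):
    """Pull protocol, source and destination sockets out of a Snort fast-format alert."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError("not a Snort fast-format alert: " + line)
    t = m.groupdict()
    t["proto"] = t["proto"].lower()
    return t


def find_internal_source(alert_line, state_dump, firewall_lan_ip):
    """Match the alert's post-NAT socket against outbound NAT states.

    Returns None if no state matches (it has already expired), otherwise the LAN
    host/port plus a flag saying whether that host is just the firewall's own DNS
    forwarder, in which case the real client is still hidden behind it.
    """
    a = parse_alert(alert_line)
    wanted = (a["proto"], a["src"], a["sport"], a["dst"], a["dport"])
    for line in state_dump.splitlines():
        m = NAT_RE.match(line)
        if m is None:
            continue
        s = m.groupdict()
        if (s["proto"].lower(), s["wan"], s["wport"], s["dst"], s["dport"]) == wanted:
            return {"host": s["lan"], "port": int(s["lport"]),
                    "via_forwarder": s["lan"] == firewall_lan_ip}
    return None


if __name__ == "__main__":
    print(find_internal_source(ALERT, STATES, "192.168.1.1"))
```

If `via_forwarder` comes back true, the state only proves the forwarder relayed the query, and the originating client has to be found from the resolver's query log or a LAN-side sensor.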

