You need a topology of your network and a more detailed description from COX about the suspicious traffic. You need access to your edge router, DHCP server and firewall. COX should only see public IP addresses through the PAT, except for the DMZ. The DHCP server should have the bindings and the MAC addresses. If it is a specific device, then chase the MAC address. Because you are an educational institute, see if there is an ethical hacking course. I would ask the teacher to see what tools they have.
You can try firewalling the port and have COX verify the trouble stopped.
- If it stops: configure Wireshark to capture packets (use the topology to determine the best location). Open the port only to the school administration network.
  a. If it returns, then create an action plan to identify if it is a virus, corrupted software, or a configuration issue. Stop the capture, save the data, and then analyze the packet capture.
  b. If it is clear, leave it up, but make sure that the school administration network is firewalled.
- If it is not the school administration network, divide the remaining network (IP address, VLAN, etc.) to sectionalize it. Configure Wireshark to capture packets (use the topology to determine the best location). Enable each network to see if the trouble returns. If it returns, stop the capture, save the data, and then analyze the packet capture.
The last option, but least fun, is to contact the city/county IT department and ask them to sniff the network with their intrusion firewall software.
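The first step the answer above describes, going from what the ISP sees (your public IP and a PAT-translated port) back through the translation table to an inside address and then through the DHCP bindings to a MAC, can be scripted. The following is an added example, not code from the original post or from any vendor: the NAT log line format and its field names are an assumption, the dhcpd.leases excerpt follows ISC dhcpd's file format, and every input (report, log lines, leases) is constructed. The lease match is done on time as well as IP, because a DHCP address can be handed to a different MAC later in the day.

```python
"""Trace an ISP abuse report through the PAT log and DHCP leases to a MAC address.

Added example (not from the original post). The NAT log format is hypothetical;
the leases excerpt is in ISC dhcpd.leases format. All inputs are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed: what the ISP might report (public IP, translated source port,
# remote endpoint, time of the flow). All times are treated as UTC here because
# dhcpd.leases records lease times in UTC; normalize the NAT log and the
# ISP report to UTC before running this against real data.
ISP_REPORT = {
    "public_ip": "203.0.113.10",
    "public_port": 54321,
    "remote_ip": "198.51.100.25",
    "remote_port": 6667,
    "time": datetime(2024, 3, 4, 10, 15, 2),
}

# Constructed NAT/PAT translation log in a hypothetical one-line format
# (field names are assumptions, not any vendor's syntax). The first line is a
# decoy: same translated port, but a different time and destination.
NAT_LOG = """\
2024-03-04T08:02:44 NAT proto=tcp src=10.20.7.13:40022 xlate=203.0.113.10:54321 dst=192.0.2.8:443
2024-03-04T10:15:02 NAT proto=tcp src=10.20.5.77:51514 xlate=203.0.113.10:54321 dst=198.51.100.25:6667
2024-03-04T10:15:03 NAT proto=tcp src=10.20.5.90:51600 xlate=203.0.113.10:54322 dst=192.0.2.8:443
"""

# Constructed dhcpd.leases excerpt. 10.20.5.77 was held by a different MAC
# earlier in the day, so the lease must be matched on time, not just on IP.
DHCPD_LEASES = """\
lease 10.20.5.77 {
  starts 1 2024/03/04 01:10:00;
  ends 1 2024/03/04 05:10:00;
  binding state free;
  hardware ethernet aa:bb:cc:00:00:01;
  client-hostname "visitor-laptop";
}
lease 10.20.5.77 {
  starts 1 2024/03/04 09:58:11;
  ends 1 2024/03/04 21:58:11;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "lab-pc-17";
}
"""

NAT_RE = re.compile(
    r"^(?P<ts>\S+) NAT proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"xlate=(?P<xip>[\d.]+):(?P<xport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$"
)
LEASE_RE = re.compile(r"lease (?P<ip>[\d.]+) \{(?P<body>.*?)\}", re.S)


def find_inside_host(nat_log, report, window=timedelta(minutes=5)):
    """Return the inside (private) IP whose PAT entry matches the ISP report, else None."""
    wanted = (report["public_ip"], report["public_port"], report["remote_ip"], report["remote_port"])
    for line in nat_log.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        seen = (m["xip"], int(m["xport"]), m["dip"], int(m["dport"]))
        # Translated ports are reused, so the destination and the time must match too.
        if seen == wanted and abs(datetime.fromisoformat(m["ts"]) - report["time"]) <= window:
            return m["src"]
    return None


def _lease_time(body, key):
    m = re.search(rf"{key} \d ([\d/]+ [\d:]+);", body)  # e.g. "starts 1 2024/03/04 09:58:11;"
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S") if m else None


def parse_leases(text):
    """Parse dhcpd.leases text into dicts with ip, mac, hostname, starts, ends."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m["body"]
        mac = re.search(r"hardware ethernet ([0-9a-f:]+);", body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        leases.append({"ip": m["ip"], "mac": mac.group(1) if mac else None,
                       "hostname": host.group(1) if host else None,
                       "starts": _lease_time(body, "starts"), "ends": _lease_time(body, "ends")})
    return leases


def lease_at(leases, ip, when):
    """Return the lease that held `ip` at `when`; later entries in the file override earlier ones."""
    hit = None
    for lease in leases:
        end = lease["ends"] or datetime.max  # "ends never;" yields None
        if lease["ip"] == ip and lease["starts"] and lease["starts"] <= when <= end:
            hit = lease
    return hit


def who_had(ip, when_iso, leases_text=DHCPD_LEASES):
    """MAC that held `ip` at ISO-8601 time `when_iso`, or None."""
    lease = lease_at(parse_leases(leases_text), ip, datetime.fromisoformat(when_iso))
    return lease["mac"] if lease else None


def trace(report=ISP_REPORT, nat_log=NAT_LOG, leases_text=DHCPD_LEASES):
    """ISP report -> inside IP -> MAC/hostname; None if no PAT entry matches."""
    inside_ip = find_inside_host(nat_log, report)
    if inside_ip is None:
        return None
    lease = lease_at(parse_leases(leases_text), inside_ip, report["time"])
    return {"inside_ip": inside_ip, "mac": lease["mac"] if lease else None,
            "hostname": lease["hostname"] if lease else None}


if __name__ == "__main__":
    print(trace())
```

Once the MAC is known, the switch's MAC address table gives the port and VLAN, which is the "chase the MAC address" step. If the inside address is static (the DMZ, for instance) there will be no lease, and the script returns a MAC of None; check the switch's ARP and MAC tables directly in that case.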