I came in to work this morning to find that our entire network was down. After resetting our sonicwall everything would come back up for about 10 minutes then it would exceed it's maximum connections of around 16,000. We only have around 50 machines on the LAN. Using netstat I finally found a group of machines that were establishing hundreds of connections to each other (apparently netbios). I was able to bring the network back up by enabling connection limiting by IP in the sonicwall, but I still can't find a reason for the problem. We've run scans on the machines with the latest updates of MalwareBytes, AVG, and Eset, but all of them came out clean. I also have Network Antivirus and IDS in the sonicwall which are not reporting any problems either (other than the massive connection counts). We've re-imaged a good portion of the systems and that seems to clear up the problem on those machines, but it also appears that the problem is able to slowly spread throughout the network.

Has anyone ever seen anything like this or have any ideas where else to look for the problem?

TIA

I would strongly suggest against AVG.

I run a computer repair business & most (about 9 of 10) of the machines (PC & Laptop) that come in for Virus cleanings are running updated versions of this Anti Virus.

If you are going to use an antivirus in the office, then you really should have a corporate level (& paid) antivirus implementation. Also, are the users logging onto these machines with admin privileges? Are the logging onto the machines or to a domain?

I've got network level anti-virus on our sonicwall. I only used AVG and Eset (and a few others) to try to find the virus. Right now the machines are not on a domain and they do have administrative privileges. I'm still trying to get approval for a domain server (I was told to wait until after the first of the year, then Microsoft jacked the prices WAY up so I'm still having trouble). Most of the machines that were affected only have access to an internal website. I setup static DHCP addresses for each of their MAC's and then blocked access to the WAN for their IP range, but I think someone figured out they could bypass it by manually changing their IP. I also had an incident a few weeks ago from someone bringing in a CD with new themes they had downloaded for XP and installed them on a good portion of the department's PC's. Hopefully between these two incidents I can get them to go ahead and approve the new server. I've just never seen anything like this and found it odd that nothing is finding a problem.