# Getting excessive traffic from microsoft server, causing entire home network to slow down.



## EthanJM

Hey, as always when I run into something I have trouble fixing I come back here for help.

So our entire home network started running very slowly a few days ago, extremely unresponsive and unusable to the point you could just say it doesn't work at all most of the time. Found out it only happened when my fiancees laptop was running, I put wireshark on it and found there is a lot of large packets outbound and inbound from ip address 204.79.197.213, turns out that is a microsoft server, possibly tied to edge or bing (she uses neither). Everything is up to date on her system. If I use the prompt ipconfig/release followed by ipconfig/renew and watch wireshark, usually for a few minutes there is no communication with this ip address, but as soon as it starts showing up the entire home network will slow back down to a halt. In order to even be on this forum I have to deactivate her computer from networking by using the ipconfig/release command, you could also just disable her wi fi but that is less convenient. I have researched this and found one other person who had exactly the same problem, here is the link. Look at the fifth post by OP user "MsRadell"
http://www.tenforums.com/performanc...ive-sessions-open-immediately-after-boot.html

I created firewall rules blocking that ip inbound and outbound, but the rules alone did not work, and the only way I was able to block it was by also checking "Outbound connections that do not match a rule are blocked" under the "private profile" settings in the firewall, this also makes it so she is unable to visit websites though, so that is useless. Her laptop is pretty useless until this gets fixed. Hope someone can help me out with this, thanks in advance.


----------



## beers

EthanJM said:


> "Outbound connections that do not match a rule are blocked"





EthanJM said:


> she is unable to visit websites though, so that is useless.


You could put a 'allow TCP dst port 80 or 443' rule directly under that other one..

Or simply allow anything out beneath the rule to block 204.79.197.213.


----------



## EthanJM

Okay, allowing port 80 allowed 204.79.197.213 to still come through with no ability to browse the internet, allowing 443 allows me to browse but also allows 204.79.197.213 to still come through. I put the new port rules under the older rule that blocked 204.79.197.213. 
I do not understand what you meant by "Or simply allow anything out beneath the rule to block 204.79.197.213".


----------



## johnb35

Can you track this down to what is actually happening?  When it happens open task manager to see what is going on.  Just for the heck of it, have you scanned for malware with malwarebytes and adwcleaner?  I've never seen anything like this.


----------



## EthanJM

Virus scans were the first thing I did. That said, I think I might have figured it out, literally one minute ago, restarting her laptop now. That onedrive cloud icon on the bottom right said it was uploading, 0% of over 5 gb of data, it was transferring at 0 kb/s, just stuck at 0%. She doesn't use onedrive, I told it to not start on windows start up and unsynced it to her laptop. Normally that ip address would start showing up in wireshark four to five minutes after booting the laptop up, I turned all my firewall rules off and now I am going to wait to see if 204.79.197.213 shows back up.


----------



## johnb35

I bet that is it then.  I figured it would be easier to track down what was using it compared trying to stop access from/to that IP.


----------



## EthanJM

Hopefully I am not speaking too soon, but it appears to have worked, 204.79.197.213 has not shown itself yet. I bet I know when it happened, my ISP had an outage a few days ago, probably no coincidence that this is around the time this problem started up, I wonder if something got scrambled when onedrive was trying to do its thing and has just been stuck like that.


----------



## EthanJM

Still doing good, I think it's solved. Thanks guys, sorry for the false alarm and taking your time, turned out it was very simple. I'll report back if the problem shows back up, but I don't think it will.


----------



## johnb35

EthanJM said:


> Thanks guys, sorry for the false alarm and taking your time


Your welcome.  Thats why we are here, it may take a few heads to actually figure out what is going on.  I think you are good to go now.


----------



## Agent Smith

Reading the first post I thought perhaps something nefarious like Azure. I see Azure IP addresses try to do nefarious things at my websites all the time. Word to the wise. If you want to fortify a network check out an ITX computer with 2 NICs and 2GB of RAM and run Sophos firewall. Here are all the Azure IPs. https://www.microsoft.com/en-us/download/details.aspx?id=41653


----------

