Are we sending DDOS?

We got an email from our ISP saying we are sending out a Ddos attack.
How would one go about tracing this?
All our outbound connections are going through an ISA 2000 server.

Any suggestions for a newb?

Monitor external interface of ISA Server for a while to find out what's
outgoing. Use a NIDS (like Snort, which you can run on ISA) to alert on
potential probes from within your network.

Implement restrictive firewall rules and analyse Web requests originating
from your clients. pay special attention to those issued when the user
wasn't there

Ask the ISP for additional information - that is, how they detected the
DDoS, and suggestions as for rectification of the situation. Offer full
cooperation in exchange for them doing some of the above tasks for you.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"James" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We got an email from our ISP saying we are sending out a Ddos attack.
> How would one go about tracing this?
> All our outbound connections are going through an ISA 2000 server.
>
> Any suggestions for a newb?
>
>