Went through the list of the top 25 IP’s sorted by number of connections in packeteer. Discovered that the top 6 people had over 1000 new flows created per minute. A tcpdump of their internet bound traffic showed that all their connections were either ICMP pings to random hosts, or port 445 connections to random hosts. Sounds like a virus to me, so I blocked all of them.
I also put a special 20kbit/sec limit on someone in fairhaven that was having trouble controlling their massive uploads.