Where is incoming traffic coming from?
Amedee @ Ubuntu
2009-07-30 22:53:28 UTC
Hello,

I noticed that I got a lot of incoming traffic on my server. Look at vnstat:

# vnstat -d

eth0 / daily

     day         rx      |     tx      |    total
------------------------+-------------+----------------------------------------
     02.07.      5.54 GB |   258.12 MB |      5.79 GB   %%%
     03.07.      4.99 GB |   136.65 MB |      5.12 GB   %%%
     04.07.      5.40 GB |   126.95 MB |      5.52 GB   %%%
     05.07.      2.07 GB |    59.51 MB |      2.13 GB   %
     06.07.      8.47 GB |   326.36 MB |      8.79 GB   %%%%%%
     07.07.      9.80 GB |   391.30 MB |     10.18 GB   %%%%%%
     08.07.      8.04 GB |   348.55 MB |      8.38 GB   %%%%%
     09.07.     10.58 GB |   389.05 MB |     10.96 GB   %%%%%%%
     10.07.     19.15 GB |    17.26 GB |     36.41 GB   %%%%%%%%%%%%%::::::::::::
     11.07.     14.92 GB |     3.34 GB |     18.26 GB   %%%%%%%%%%::
     12.07.     13.91 GB |     2.23 GB |     16.14 GB   %%%%%%%%%::
     13.07.     14.42 GB |     2.08 GB |     16.50 GB   %%%%%%%%%%:
     14.07.     20.49 GB |     1.50 GB |     21.99 GB   %%%%%%%%%%%%%%:
     15.07.     16.14 GB |     1.61 GB |     17.76 GB   %%%%%%%%%%%:
     16.07.     14.86 GB |     1.10 GB |     15.96 GB   %%%%%%%%%:
     17.07.     17.26 GB |     1.20 GB |     18.46 GB   %%%%%%%%%%%:
     18.07.     13.49 GB |     1.26 GB |     14.74 GB   %%%%%%%%%:
     19.07.     12.97 GB |   980.82 MB |     13.93 GB   %%%%%%%%:
     20.07.     13.81 GB |     1.01 GB |     14.82 GB   %%%%%%%%%:
     21.07.      8.44 GB |   704.84 MB |      9.13 GB   %%%%%%
     22.07.     10.88 GB |     0.99 GB |     11.86 GB   %%%%%%%:
     23.07.      9.01 GB |   980.68 MB |      9.97 GB   %%%%%:
     24.07.      7.39 GB |   583.17 MB |      7.96 GB   %%%%%
     25.07.      6.23 GB |   484.04 MB |      6.70 GB   %%%%
     26.07.      8.19 GB |   395.95 MB |      8.58 GB   %%%%%
     27.07.     12.87 GB |   883.55 MB |     13.73 GB   %%%%%%%%:
     28.07.      8.83 GB |   762.62 MB |      9.57 GB   %%%%%%
     29.07.      8.65 GB |   631.73 MB |      9.27 GB   %%%%%%
     30.07.      8.76 GB |   587.09 MB |      9.34 GB   %%%%%%
     31.07.         0 kB |        0 kB |         0 kB
------------------------+-------------+----------------------------------------
 estimated        --    |      --     |      --


The tx values seem about right to me, but the rx values are totally
absurd! It should only be a few hundred megabytes per day, maximum!

I have installed shorewall and I'm only accepting ping, ssh, http, https,
smtp, imap2 and imaps. Everything else is dropped.

I have also configured accounting in shorewall, but I'm not seeing
anything out of the ordinary:

# shorewall show accounting
Shorewall 4.2.10 Chain accounting at intrepid - Fri Jul 31 00:52:58 CEST 2009

Counters reset Fri Jul 31 00:47:19 CEST 2009

Chain accounting (3 references)
 pkts bytes target     prot opt in     out     source               destination
 1257  437K Total      all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1285  501K Total      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  411 26732 ssh        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
  311  269K ssh        tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:22
   37  5756 smtp       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
   33  3374 smtp       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:25
   44  3132 imap2      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
   35 65563 imap2      tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:143
    0     0 imaps      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993
    0     0 imaps      tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:993
  104 16439 www        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
   71 94136 www        tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:80
    0     0 https      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 https      tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:443
    4   336 ping       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
    4   336 ping       icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0


How can I find out where the incoming traffic is coming from?
--
Amedee
a_puzzeled_newbie(^_^);
2009-07-30 23:00:51 UTC
There are log evaluators you can get online to sort through logs... As far
as I know you would have to go through your traffic logs to see where a
majority of this is coming from and send it through an analyzer of some
sort. Sorry I can't help out more than that. I myself have run a few Ubuntu
servers but have never run into something like this unless your Shorewall is
having constant communication between it and the server you have running.
Other than that I don't think I can help much.
Amedee @ Ubuntu
2009-07-31 08:10:58 UTC
Post by a_puzzeled_newbie(^_^);
There are log evaluators you can get online to sort through logs... As far
as I know you would have to go through your traffic logs to see where a
majority of this is coming from and send it through an analyzer of some
sort. Sorry I can't help out more than that. I myself have run a few Ubuntu
servers but have never run into something like this unless your Shorewall is
having constant communication between it and the server you have running.
Other than that I don't think I can help much.
Sorry, perhaps I didn't explain well.
Shorewall is running on the same server.
I only allow ping, ssh, smtp, http(s) and imap(s). I have enabled
shorewall accounting for all those services, and for the total.
The sum of allowed traffic just doesn't add up to the total amount of
traffic.

# shorewall show accounting
Shorewall 4.2.10 Chain accounting at intrepid - Fri Jul 31 10:07:25 CEST 2009

Counters reset Fri Jul 31 00:47:19 CEST 2009

Chain accounting (3 references)
 pkts bytes target     prot opt in     out     source               destination
4607K 6832M Total      all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
2388K  142M Total      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 6455  511K ssh        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
12927 3633K ssh        tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:22
 1549  272K smtp       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
 1593  150K smtp       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:25
  307 19398 imap2      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
  203  686K imap2      tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:143
    3   140 imaps      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993
    1    60 imaps      tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:993
24731 2436K www        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
18247   42M www        tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:80
   37  2352 https      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
   36  2163 https      tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:443
   16  1364 ping       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
   14  1228 ping       icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0

You see? The largest individual traffic is www with 42M, and that's
*outgoing* traffic - that's normal for a server that is mainly used as a
webserver!
But it just doesn't add up to that 6832M Total. It must be traffic that's
being dropped but I can't find it...
--
Amedee
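Putting a number on that gap, as an added example that is not code from the thread: a POSIX shell function, run here over the accounting rows posted above (re-entered one rule per line), that sums what the per-service rules matched against the Total counters. It assumes iptables' decimal K/M/G counter suffixes and that the per-service rules cover every accepted port, so the remainder is traffic that reached the interface but was dropped or never accounted.

```shell
#!/bin/sh
# Constructed sample: the "shorewall show accounting" rows posted above, one
# rule per line (pkts bytes target prot opt in out source destination [match]).
ACCOUNTING='4607K 6832M Total all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2388K 142M Total all -- * eth0 0.0.0.0/0 0.0.0.0/0
6455 511K ssh tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
12927 3633K ssh tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:22
1549 272K smtp tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
1593 150K smtp tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:25
307 19398 imap2 tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
203 686K imap2 tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:143
3 140 imaps tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
1 60 imaps tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:993
24731 2436K www tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
18247 42M www tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
37 2352 https tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
36 2163 https tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
16 1364 ping icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
14 1228 ping icmp -- * eth0 0.0.0.0/0 0.0.0.0/0'

# accounting_gap IFACE in|out
# Prints "total allowed unaccounted" in bytes for traffic entering (in) or
# leaving (out) IFACE. "allowed" sums every non-Total rule, i.e. the bytes the
# per-service accounting rules matched; the remainder reached the interface
# but matched no service rule, which on this box is the dropped traffic.
accounting_gap() {
  iface="$1"; dir="${2:-in}"
  printf '%s\n' "$ACCOUNTING" | awk -v iface="$iface" -v dir="$dir" '
    # iptables -v abbreviates counters with decimal (1000-based) K/M/G suffixes.
    function bytes(s,   n, u) {
      n = s + 0                        # numeric prefix, e.g. "511K" -> 511
      u = substr(s, length(s), 1)
      if (u == "K") return n * 1e3
      if (u == "M") return n * 1e6
      if (u == "G") return n * 1e9
      return n
    }
    # column 6 is the input interface, column 7 the output interface
    (dir == "in" && $6 == iface) || (dir == "out" && $7 == iface) {
      if ($3 == "Total") total = bytes($2)
      else allowed += bytes($2)
    }
    END { printf "%.0f %.0f %.0f\n", total, allowed, total - allowed }'
}

# Human-readable report for both directions.
report() {
  for d in in out; do
    set -- $(accounting_gap eth0 "$d")
    printf '%s eth0: total %s bytes, matched by service rules %s, unaccounted %s\n' \
      "$d" "$1" "$2" "$3"
  done
}

report
```

With the posted counters, over 99.9% of the inbound bytes match no accepted service, which is exactly the dropped traffic the per-service rules cannot show.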
Florian Diesch
2009-07-31 22:13:08 UTC
Post by Amedee @ Ubuntu
Post by a_puzzeled_newbie(^_^);
There are log evaluators you can get online to sort through logs... As far
as I know you would have to go through your traffic logs to see where a
majority of this is coming from and send it through an analyzer of some
sort. Sorry I can't help out more than that. I myself have run a few Ubuntu
servers but have never run into something like this unless your Shorewall is
having constant communication between it and the server you have running.
Other than that I don't think I can help much.
Sorry, perhaps I didn't explain well.
Shorewall is running on the same server.
I only allow ping, ssh, smtp, http(s) and imap(s). I have enabled
shorewall accounting for all those services, and for the total.
The sum of allowed traffic just doesn't add up to the total amount of
traffic.
The incoming traffic is still there, even if you drop the packets.


Florian
--
<http://www.florian-diesch.de/>
Amedee @ Ubuntu
2009-08-01 14:37:34 UTC
Post by Florian Diesch
Post by Amedee @ Ubuntu
Post by a_puzzeled_newbie(^_^);
There are log evaluators you can get online to sort through logs... As far
as I know you would have to go through your traffic logs to see where a
majority of this is coming from and send it through an analyzer of some
sort. Sorry I can't help out more than that. I myself have run a few Ubuntu
servers but have never run into something like this unless your Shorewall is
having constant communication between it and the server you have running.
Other than that I don't think I can help much.
Sorry, perhaps I didn't explain well.
Shorewall is running on the same server.
I only allow ping, ssh, smtp, http(s) and imap(s). I have enabled
shorewall accounting for all those services, and for the total.
The sum of allowed traffic just doesn't add up to the total amount of
traffic.
The incoming traffic is still there, even if you drop the packets.
I know.
Does ntop see the traffic before or after it is dropped?
--
Amedee
Florian Diesch
2009-08-01 17:29:26 UTC
Post by Amedee @ Ubuntu
Post by Florian Diesch
Post by Amedee @ Ubuntu
Post by a_puzzeled_newbie(^_^);
There are log evaluators you can get online to sort through logs... As far
as I know you would have to go through your traffic logs to see where a
majority of this is coming from and send it through an analyzer of some
sort. Sorry I can't help out more than that. I myself have run a few Ubuntu
servers but have never run into something like this unless your Shorewall is
having constant communication between it and the server you have running.
Other than that I don't think I can help much.
Sorry, perhaps I didn't explain well.
Shorewall is running on the same server.
I only allow ping, ssh, smtp, http(s) and imap(s). I have enabled
shorewall accounting for all those services, and for the total.
The sum of allowed traffic just doesn't add up to the total amount of
traffic.
The incoming traffic is still there, even if you drop the packets.
I know.
Does ntop see the traffic before or after it is dropped?
Applications only see the filtered traffic. I'd temporarily add a logging
rule to the tables that drop the packets to see what gets dropped.



Florian
--
<http://www.florian-diesch.de/>
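Carrying Florian's suggestion through, as an added example (not code from the thread or from Shorewall itself): once the net-to-fw DROP policy is logged, a POSIX shell function that aggregates the resulting kernel log lines by source, protocol and ports, so the heaviest sender stands out. The log-level setting and the sample log lines are assumptions and constructed data; only the address 193.190.67.15 comes from the thread.

```shell
#!/bin/sh
# Assumption: the net->fw DROP policy is being logged (the LOG LEVEL column of
# /etc/shorewall/policy, e.g. "net  $FW  DROP  info"), so each dropped packet
# lands in the kernel log with the prefix Shorewall:<chain>:<disposition>:.
# Constructed sample lines in that format: 193.190.67.15 is the address from
# the thread, the other addresses are documentation ranges, DST is a placeholder.
KERNLOG='Aug  1 17:30:01 intrepid kernel: [ 101.0] Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=193.190.67.15 DST=10.0.0.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=55 ID=1234 DF PROTO=TCP SPT=80 DPT=34567 WINDOW=0 RES=0x00 ACK URGP=0
Aug  1 17:30:01 intrepid kernel: [ 101.1] Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=193.190.67.15 DST=10.0.0.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=55 ID=1235 DF PROTO=TCP SPT=80 DPT=34567 WINDOW=0 RES=0x00 ACK URGP=0
Aug  1 17:30:02 intrepid kernel: [ 102.0] Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=2 DF PROTO=TCP SPT=4444 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 17:30:02 intrepid kernel: [ 102.3] Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug  1 17:30:03 intrepid kernel: [ 103.0] Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 17:30:03 intrepid kernel: [ 103.4] Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=193.190.67.15 DST=10.0.0.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=55 ID=1236 DF PROTO=TCP SPT=80 DPT=34567 WINDOW=0 RES=0x00 ACK URGP=0'

# top_sources IFACE: sum the IP LEN of logged packets that arrived on IFACE and
# print "bytes packets src proto spt dpt", largest first. LEN is the IP total
# length, so the sums are a close (slightly low) estimate of bytes on the wire.
top_sources() {
  iface="$1"
  printf '%s\n' "$KERNLOG" | awk -v iface="$iface" '
    /Shorewall:/ && / SRC=/ && / LEN=/ {
      split("", kv)                      # clear the key=value map
      for (i = 1; i <= NF; i++) {
        if (split($i, p, "=") == 2) {
          sub(/^.*:/, "", p[1])          # "Shorewall:net2fw:DROP:IN" -> "IN"
          kv[p[1]] = p[2]
        }
      }
      if (kv["IN"] != iface) next        # skip outbound / other-interface lines
      spt = ("SPT" in kv) ? kv["SPT"] : "-"   # ICMP lines carry no ports
      dpt = ("DPT" in kv) ? kv["DPT"] : "-"
      key = kv["SRC"] " " kv["PROTO"] " " spt " " dpt
      bytes[key] += kv["LEN"]
      pkts[key]++
    }
    END { for (k in bytes) print bytes[k], pkts[k], k }' | sort -rn
}

top_sources eth0
```

On a live box, replace the KERNLOG variable with `grep Shorewall: /var/log/kern.log` (or wherever syslog puts kernel messages) and leave the logging on only as long as the investigation needs it, since a multi-gigabyte-per-day flow produces log volume of its own.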
Amedee @ Ubuntu
2009-08-02 23:24:42 UTC
Post by Florian Diesch
Post by Amedee @ Ubuntu
Post by Florian Diesch
Post by Amedee @ Ubuntu
Post by a_puzzeled_newbie(^_^);
There are log evaluators you can get online to sort through logs... As far
as I know you would have to go through your traffic logs to see where a
majority of this is coming from and send it through an analyzer of some
sort. Sorry I can't help out more than that. I myself have run a few Ubuntu
servers but have never run into something like this unless your Shorewall is
having constant communication between it and the server you have running.
Other than that I don't think I can help much.
Sorry, perhaps I didn't explain well.
Shorewall is running on the same server.
I only allow ping, ssh, smtp, http(s) and imap(s). I have enabled
shorewall accounting for all those services, and for the total.
The sum of allowed traffic just doesn't add up to the total amount of
traffic.
The incoming traffic is still there, even if you drop the packets.
I know.
Does ntop see the traffic before or after it is dropped?
Applications only see the filtered traffic.
Apparently when an application has access to the network interface in
promiscuous mode (libpcap), then it sees the traffic before any filtering
is done.
Post by Florian Diesch
I'd temporarily add a logging
rule to the tables that drop the packets to see what gets dropped.
FYI: after I added 193.190.67.15 to /etc/shorewall/blacklist and restarted
shorewall, the traffic stopped. To save you a whois: that's Belnet, a very
reputable Belgian research network that interconnects all Belgian
universities and that also has a large Linux mirror. They are supposed to
be "good guys".

Weird... but I have no time to investigate at the moment.
--
Amedee
NoOp
2009-08-03 01:18:34 UTC
On 08/02/2009 04:24 PM, Amedee @ Ubuntu wrote:
...
Post by Amedee @ Ubuntu
FYI: after I added 193.190.67.15 to /etc/shorewall/blacklist and restarted
shorewall, the traffic stopped. To save you a whois: that's Belnet, a very
reputable Belgian research network that interconnects all Belgian
universities and that also has a large Linux mirror. They are supposed to
be "good guys".
Weird... but I have no time to investigate at the moment.
It's a mirror:
http://193.190.67.15/mirror/
ftp://193.190.67.15/
Florian Diesch
2009-08-03 03:03:48 UTC
Post by NoOp
...
Post by Amedee @ Ubuntu
FYI: after I added 193.190.67.15 to /etc/shorewall/blacklist and restarted
shorewall, the traffic stopped. To save you a whois: that's Belnet, a very
reputable Belgian research network that interconnects all Belgian
universities and that also has a large Linux mirror. They are supposed to
be "good guys".
Weird... but I have no time to investigate at the moment.
http://193.190.67.15/mirror/
ftp://193.190.67.15/
It's ftp.belnet.be


Florian
--
<http://www.florian-diesch.de/>
NoOp
2009-08-03 03:29:17 UTC
Post by Florian Diesch
Post by NoOp
...
Post by Amedee @ Ubuntu
FYI: after I added 193.190.67.15 to /etc/shorewall/blacklist and restarted
shorewall, the traffic stopped. To save you a whois: that's Belnet, a very
reputable Belgian research network that interconnects all Belgian
universities and that also has a large Linux mirror. They are supposed to
be "good guys".
Weird... but I have no time to investigate at the moment.
http://193.190.67.15/mirror/
ftp://193.190.67.15/
It's ftp.belnet.be
Well yes, that's already been established & easy enough to figure out.
$ host 193.190.67.15
15.67.190.193.in-addr.arpa domain name pointer ftp.belnet.be

However if you pop http://193.190.67.15 into a browser you get redirected to
http://193.190.67.15/mirror/

What do you suppose the following implies?
====
Welcome to the BELNET public FTP cluster ftp.belnet.be !

This archive is provided through a cluster of 12 dual processor, dual
core Intel Xeon 3 GHz machines, each having 4 GB of RAM. The 16 TB FTP
archive is taken from an iSCSI SATA SAN.

This cluster is located in Brussels, Belgium and operated by BELNET, the
Belgian Education and Research Network. If you have any problem,
question or mirror request, please send them to ftpmaint at belnet.be.
This archive is also available through the following means:
====
Amedee @ Ubuntu
2009-08-03 06:21:46 UTC
Post by Florian Diesch
Post by NoOp
...
Post by Amedee @ Ubuntu
FYI: after I added 193.190.67.15 to /etc/shorewall/blacklist and restarted
shorewall, the traffic stopped. To save you a whois: that's Belnet, a very
reputable Belgian research network that interconnects all Belgian
universities and that also has a large Linux mirror. They are supposed to
be "good guys".
Weird... but I have no time to investigate at the moment.
http://193.190.67.15/mirror/
ftp://193.190.67.15/
It's ftp.belnet.be
Yes, that's what I wrote.
--
Amedee
Amedee @ Ubuntu
2009-08-03 06:20:00 UTC
Post by NoOp
...
Post by Amedee @ Ubuntu
FYI: after I added 193.190.67.15 to /etc/shorewall/blacklist and restarted
shorewall, the traffic stopped. To save you a whois: that's Belnet, a very
reputable Belgian research network that interconnects all Belgian
universities and that also has a large Linux mirror. They are supposed to
be "good guys".
Weird... but I have no time to investigate at the moment.
http://193.190.67.15/mirror/
ftp://193.190.67.15/
Yes, that's what I wrote: "and that also has a large Linux mirror"
--
Amedee
drew einhorn
2009-08-03 02:18:07 UTC
Post by Amedee @ Ubuntu
FYI: after I added 193.190.67.15 to /etc/shorewall/blacklist and restarted
shorewall, the traffic stopped. To save you a whois: that's Belnet, a very
reputable Belgian research network that interconnects all Belgian
universities and that also has a large Linux mirror. They are supposed to
be "good guys".
It could be anything from a completely benign typo in one of their
config files, on up to something much more serious. I've gotten
network management traffic from a site that had a couple of digits
transposed from my network number; the admin of the network
it was coming from was probably banging his head against the
wall trying to figure out why things were not working. I tried
sending an email, but don't think it got to the right person.

Wireshark is an amazing tool. I've barely scratched the surface of
its capabilities. You can select just the traffic from 193.190.67.15
and generate statistics on protocols, port numbers, ...
This may tell you whether it is benign or malicious.

While the owner is reputable, they could have a compromised machine
on their network.
--
Drew Einhorn
Siggy Brentrup
2009-07-31 03:14:38 UTC
Post by Amedee @ Ubuntu
Hello,
# vnstat -d
eth0 / daily
day rx | tx | total
------------------------+-------------+----------------------------------------
02.07. 5.54 GB | 258.12 MB | 5.79 GB %%%
03.07. 4.99 GB | 136.65 MB | 5.12 GB %%%
04.07. 5.40 GB | 126.95 MB | 5.52 GB %%%
05.07. 2.07 GB | 59.51 MB | 2.13 GB %
06.07. 8.47 GB | 326.36 MB | 8.79 GB %%%%%%
07.07. 9.80 GB | 391.30 MB | 10.18 GB %%%%%%
08.07. 8.04 GB | 348.55 MB | 8.38 GB %%%%%
09.07. 10.58 GB | 389.05 MB | 10.96 GB %%%%%%%
10.07. 19.15 GB | 17.26 GB | 36.41 GB
21.07. 8.44 GB | 704.84 MB | 9.13 GB %%%%%%
24.07. 7.39 GB | 583.17 MB | 7.96 GB %%%%%
25.07. 6.23 GB | 484.04 MB | 6.70 GB %%%%
26.07. 8.19 GB | 395.95 MB | 8.58 GB %%%%%
28.07. 8.83 GB | 762.62 MB | 9.57 GB %%%%%%
29.07. 8.65 GB | 631.73 MB | 9.27 GB %%%%%%
30.07. 8.76 GB | 587.09 MB | 9.34 GB %%%%%%
31.07. 0 kB | 0 kB | 0 kB
------------------------+-------------+----------------------------------------
estimated -- | -- | --
The tx values seem about right to me, but the rx values are totally
absurd! It should only be a few hunderd megabytes per day, maximum!
I have installed shorewall and I'm only accepting ping, ssh, http, https,
smtp, imap2 and imaps. Everything else is dropped.
Anything particular on 10.07.? It's the only day where the rx/tx ratio
approaches 1.

I don't know what exactly vnstat counts. In an argument with my ISP I
was once told that they count all traffic, even the traffic dropped
or rejected by my firewall, but even then the numbers seem
extraordinarily high. The counters below don't tell much since they don't
cover a full day. You might save the counter values every hour and
look for a possible pattern.
Post by Amedee @ Ubuntu
I have also configured accounting in shorewall, but I'm not seeing
# shorewall show accounting
Shorewall 4.2.10 Chain accounting at intrepid - Fri Jul 31 00:52:58 CEST 2009
Counters reset Fri Jul 31 00:47:19 CEST 2009
Chain accounting (3 references)
 pkts bytes target     prot opt in     out     source               destination
 1257  437K Total      all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1285  501K Total      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  411 26732 ssh        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
  311  269K ssh        tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:22
   37  5756 smtp       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
   33  3374 smtp       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:25
   44  3132 imap2      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
   35 65563 imap2      tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:143
    0     0 imaps      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993
    0     0 imaps      tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:993
  104 16439 www        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
   71 94136 www        tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:80
    0     0 https      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 https      tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:443
    4   336 ping       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
    4   336 ping       icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0
How can I find out where the incoming traffic is coming from?
Even with the windoze broadcasts you're dropping, the numbers seem
exceedingly high; you have to provide more data. Next time
please come with a URL, these tables make mails way too big.

Just my 2¢
Siggy
--
Please don't Cc: me when replying, I might not see either copy.
bsb-at-psycho-dot-informationsanarchistik-dot-de
or: bsb-at-psycho-dot-i21k-dot-de
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Siggy Brentrup
2009-07-31 03:47:43 UTC
Hi Amadee,

some additional ideas that hit me in the shower:

Some services on your server that may cause exorbitant incoming
traffic when working wrongly.

- mirror
- http-proxy
- DNS cache

come to mind now, there may be more. You know your setup.

Regs
Siggy
--
Amedee @ Ubuntu
2009-07-31 21:04:40 UTC
Post by Siggy Brentrup
Hi Amadee,
Hi Syggi,
Post by Siggy Brentrup
- mirror
That's an ambiguous name for a service. What do you mean by "mirror"?
Post by Siggy Brentrup
- http-proxy
Not much traffic on the proxy, I can see that very well. And it's been
going on since before I installed squid.
Post by Siggy Brentrup
- DNS cache
I'll look into it.


Thanks already,
--
Amedee
Siggy Brentrup
2009-08-02 11:14:41 UTC
Hi Amadee,

sorry for the late reply; yesterday we were at the seaside
celebrating my wife's birthday till late in the evening.
Post by Amedee @ Ubuntu
Post by Siggy Brentrup
Hi Amadee,
Hi Syggi,
^ ^ oops :)
Post by Amedee @ Ubuntu
Post by Siggy Brentrup
- mirror
That's an ambiguous name for a service. What do you mean by "mirror"?
I know, I mean any kind of mirror that's causing traffic without you
initiating it explicitly.
Post by Amedee @ Ubuntu
Post by Siggy Brentrup
- http-proxy
Not much traffic on the proxy, I can see that very well. And it's been
going on since before I installed squid.
Post by Siggy Brentrup
- DNS cache
I'll look into it.
I'll have a look at the other posting now.

Regs
Siggy
--
drew einhorn
2009-08-02 16:17:23 UTC
What's upstream from the box that's receiving the mystery traffic?

There are several ways to monitor the traffic before it gets to your
box.

1) if the upstream box is a managed switch you can "mirror" the traffic
to a spare port,

2) if you have an old ethernet hub (not a switch),
you can put it between the upstream box and the
box getting the mystery traffic.

3) you can build an ethernet tap.

http://enigmacurry.com/category/electronics/

4) if you have a spare box you can stick two ethernet cards into,
you can manually configure a bridge using command line tools,
or just install one of many linux based router distributions.

5) There may be other options depending on what the
current upstream box is.

Once you have a hardware configuration
that supports capturing all the traffic,
before it gets to the firewall filters that
drop the traffic before you see it,

then you can use Wireshark to analyze the traffic,
or, if the box capturing the traffic is not running X,
you can use tcpdump to capture a binary file first,
then ftp it to a box with X and Wireshark.
--
Drew Einhorn
Amedee @ Ubuntu
2009-08-03 00:25:43 UTC
Post by drew einhorn
What's upstream from the box that's receiving the mystery traffic?
The box itself is a Xen DomU, upstream it's a Xen Dom0, and upstream from
there it's the hetzner.de datacenter somewhere in Bavaria. Several hundred
km from where I live so no hands on.
Perhaps I should have mentioned that earlier?
Post by drew einhorn
There are several ways to monitor the traffic before it gets to your
box.
The person who runs the Dom0 did a capture and let wireshark loose on it.
193.190.67.15 was identified with over 700 MB of traffic in one hour. That
would account for several gigabytes per day.
Post by drew einhorn
1) if the upstream box is a managed switch you can "mirror" the traffic
to a spare port,
If it was a real physical machine under my desk, I would hook it up to my
HP ProCurve 1800-24G and mirror one switchport, as you suggest.
Post by drew einhorn
2) if you have an old ethernet hub (not a switch),
you can put it between the upstream box and the
box getting the mystery traffic.
I have that somewhere as a doorstop, I think.
But I don't think that I can put a physical hub between a Dom0 and a
virtual DomU. ;-)
Post by drew einhorn
3) you can build an ethernet tap.
http://enigmacurry.com/category/electronics/
That also requires physical access.
Post by drew einhorn
4) if you have a spare box you can stick two ethernet cards into,
you can manually configure a bridge using command line tools,
or just install one of many linux based router distributions.
Plenty of spare boxes, but no physical access.
Post by drew einhorn
5) There may be other options depending on what the
current upstream box is.
Once you have a hardware configuration
that supports capturing all the traffic,
before it gets to the firewall filters that
drop the traffic before you see it,
then you can use Wireshark to analyze the traffic,
or, if the box capturing the traffic is not running X,
you can use tcpdump to capture a binary file first,
then ftp it to a box with X and Wireshark.
That's what the other guy did (who runs the Dom0). He sent me the
wireshark analysis and that showed a lot of traffic from 193.190.67.15
(Belnet).
Next thing I'll do is ask him to ftp me the dump file. But not today.
Sleep needed. Have to get up in 5 hours, and I drank one Nalu too much.
:-D

--
Amedee
drew einhorn
2009-08-03 02:26:16 UTC
Post by Amedee @ Ubuntu
Post by drew einhorn
What's upstream from the box that's receiving the mystery traffic?
The box itself is a Xen DomU, upstream it's a Xen Dom0, and upstream from
there it's the hetzner.de datacenter somewhere in Bavaria. Several hundred
km from where I live so no hands on.
Perhaps I should have mentioned that earlier?
The Dom0 is the best and easiest place to capture the traffic to be analyzed
in this case.
Things would be very difficult if the Dom0 admin was not cooperating.

Post by Amedee @ Ubuntu
That's what the other guy did (who runs the Dom0). He sent me the
wireshark analysis and that showed a lot of traffic from 193.190.67.15
(Belnet).
Fortunately the Dom0 admin is cooperating.
--
Drew Einhorn
Amedee @ Ubuntu
2009-07-31 08:17:23 UTC
Post by Siggy Brentrup
Post by Amedee @ Ubuntu
Hello,
# vnstat -d
10.07. 19.15 GB | 17.26 GB | 36.41 GB
Anything particular on 10.07.? It's the only day where rx/tx ratio
approaches 1.
That may be the day when I did a full backup of my server and rsynced it
to somewhere else. Don't focus on that day please.
Post by Siggy Brentrup
I don't know what exactly vnstat counts. In an argument with my ISP I
was once told that they count all traffic, even the traffic dropped
or rejected by my firewall, but even then the numbers seem
extraordinarily high.
Vnstat counts every packet that reaches the network card, even packets
that get dropped/rejected. Your ISP is right.
Post by Siggy Brentrup
The counters below don't tell much since they don't
cover a full day. You might save the counter values every hour and
look for a possible pattern.
Will do. Shorewall was already running for a while, but I just configured
accounting yesterday.
Post by Siggy Brentrup
Even with the windoze broadcasts you're dropping, the numbers seem
exceedingly high; you have to provide more data. Next time
please come with a URL, these tables make mails way too big.
Sorry, next time I'll use pastebin. The thought occurred to me when I
reread my mail - after I sent it.
--
Amedee
Siggy Brentrup
2009-07-31 11:28:21 UTC
Post by Amedee @ Ubuntu
Post by Siggy Brentrup
I don't know what exactly vnstat counts. In an argument with my ISP I
was once told that they count all traffic, even the traffic dropped
or rejected by my firewall, but even then the numbers seem
extraordinarily high.
Vnstat counts every packet that reaches the network card, even packets
that get dropped/rejected. Your ISP is right.
That depends on your point of view. This dispute was back when I had
to pay per megabyte after exceeding 5G of traffic per month. When
dropping packets, unwanted traffic amounted to ~20%. There must be a
lot of Windoze boxes on that subnet :( As a result I had to pay an
extra ~100€/month for unwanted traffic - the ISP is in power. With the
proper flatrate that I have now I don't care much about that traffic
as long as it doesn't slow down the line.
Post by Amedee @ Ubuntu
Next time
Post by Siggy Brentrup
please come with a URL, these tables make mails way too big.
Sorry, next time I'll use pastebin. The thought occurred to me when I
reread my mail - after I sent it.
the list will be grateful :)
Siggy
--
Amedee @ Ubuntu
2009-08-03 08:14:47 UTC
-----Original Message-----
From: ubuntu-users-bounces at lists.ubuntu.com [mailto:ubuntu-users-
bounces at lists.ubuntu.com] On Behalf Of NoOp
Sent: Monday, August 03, 2009 5:29 AM
To: ubuntu-users at lists.ubuntu.com
Subject: Re: Where is incoming traffic coming from?
Post by Florian Diesch
Post by NoOp
...
Post by Amedee @ Ubuntu
FYI: after I added 193.190.67.15 to /etc/shorewall/blacklist and restarted
shorewall, the traffic stopped. To save you a whois: that's Belnet, a very
reputable Belgian research network that interconnects all Belgian
universities and that also has a large Linux mirror. They are supposed to
be "good guys".
Weird... but I have no time to investigate at the moment.
http://193.190.67.15/mirror/
ftp://193.190.67.15/
It's ftp.belnet.be
Well yes, that's already been established & easy enough to figure out.
$ host 193.190.67.15
15.67.190.193.in-addr.arpa domain name pointer ftp.belnet.be
However if you pop http://193.190.67.15 into a browser you get redirected to
http://193.190.67.15/mirror/
What do you suppose the following implies?
====
Welcome to the BELNET public FTP cluster ftp.belnet.be !
This archive is provided through a cluster of 12 dual processor, dual
core Intel Xeon 3 GHz machines, each having 4 GB of RAM. The 16 TB FTP
archive is taken from an iSCSI SATA SAN.
This cluster is located in Brussels, Belgium and operated by BELNET, the
Belgian Education and Research Network. If you have any problem,
question or mirror request, please send them to ftpmaint at belnet.be. This
====
People, please...
I've got the impression that you're all missing the point here.
I *know* what Belnet is. Let me explain something.

I live in Belgium. When I'm working on my home computer and I need to
download something, then Belnet is the mirror that I use most of the time.
Because it is fast and reliable. Belnet is the government funded national
research network that connects schools, universities, and government
departments. These guys know what they are doing. If I had to say that
it's my mistake or their mistake, then I would say my mistake, without any
doubt.

But the problem is not with my desktop PC at home, it's with my mail/web
server "somewhere in the cloud". Until the end of June, the old server was
physically located in a datacenter somewhere in Belgium. I don't know
exactly where but that does not matter. On the old server I never had a
lot of traffic, perhaps 1-2 GB/month.

In June the person who runs Dom0 wanted to switch to a cheaper root server
(the datacenter charged a lot for energy), so he got one from Hetzner, in
Germany. He set up a new DomU and I reinstalled my server from scratch. At
least starting the last week of June I saw that the server got a lot of
incoming traffic. I have made very detailed notes of my configuration (and
I have started to blog about it, http://amedee.be/linux/server, in Dutch).
But unfortunately I didn't document the exact date that the traffic
started. I installed vnstat somewhere in the last week of June; I changed
my DNS records to point to the new server in the last week of June and I
saw the traffic in the last week of June. I don't know what came first.
The new server was already online during the whole month of June and it
didn't see a lot of traffic until the last 3-4 days. This may be a
coincidence.

"Empirically observed covariation is a necessary but not sufficient
condition for causality" (E. Tufte)

There is one thing that I'm absolutely sure of: I never *knowingly* made a
connection to Belnet from the new server. For example, the sources.list
points to a mirror in Germany.


I suggest that you all let it rest until I get my hands on the dumpfile.
Until then, it's all just wild guesses.
Meanwhile I have learned a lot about shorewall, iptraf and ntop. :)

Kind regards,
Amedee
