[olug] High traffic from firewall?

Ben Hollingsworth obiwan at jedi.com
Fri Dec 23 10:10:12 CST 2016


There isn't any DSL/cable modem.  It's a linux firewall hooked directly 
to the WiMAX radio.  I already tried sniffing the packets from my 
firewall, but it was mostly https.

When I got home last night, I rebooted the firewall.  All the https 
traffic to just a few Windstream static IP's stopped, but it was 
replaced by a bunch of DNS traffic to countless different IP's.  The 
volume of traffic didn't change, oddly; it stayed steady at just over 5 
Mbps up.  Sometime around 4am, my son started downloading a bunch of 
Steam games.  When that finished around 8am, all the unexpected traffic 
stopped.  No, Steam wasn't running prior to 4am.  It's been working fine 
so far the last couple hours with no unusual traffic.

I'm gonna keep a close eye on it this weekend.  I've already downloaded 
the latest Ubuntu Server ISO (at work), so I'm ready to go if I do end 
up rebuilding the firewall this weekend.  Not really how I wanted to 
spend my 3.5-day Christmas weekend. Besides obligatory family stuff, 
I've got a barn that isn't going to build itself.

On 12/23/2016 09:59 AM, Dan Linder wrote:
> Can you throw a ethernet hub between the external firewall port and your
> DSL/Cablemodem and sniff the traffic to get an idea what's in the traffic?
> It won't be fun, but a few filters taking out the expected traffic should
> help.
>
> Dan
>
> On Thu, Dec 22, 2016 at 1:00 PM, Ben Hollingsworth <obiwan at jedi.com> wrote:
>
>> OK, I'm concerned.  I have a headless linux (Ubuntu Server 14.04) firewall
>> that controls access to my home network via iptables.  It runs a DNS
>> server, DHCP server, mail server (only for outgoing mail), and HTTP
>> redirect server that points traffic to another internal server.  I try to
>> keep the firewall locked down pretty tight, especially from the outside
>> world.
>>
>> Beginning about 9am yesterday, my outgoing bandwidth from the firewall to
>> the outside world has been pegged pretty constantly at about 5 Mbps.  It's
>> normally only a few kbps.  There's no significant traffic on the
>> firewall's internal NIC, so all this traffic must be generated on the
>> firewall itself.  Here's the MRTG graph:
>> 
>>
>> I'm running tcpdump trying to diagnose it from work right now, but with
>> the kids & wife at home all day, it's hard to know which traffic is them &
>> which isn't.  Virtually all outgoing traffic is to an HTTPS port.  Once I
>> get home, I can block individual IP's easily enough, but I'm concerned that
>> I've got a bigger problem.
>>
>> What's the best way to determine if I've got a root kit on a linux
>> server?  ps doesn't show anything suspicious, but no self respecting root
>> kit would show up there, anyway.


-- 
Ben "Obi-Wan" Hollingsworth  obiwan at jedi.com
www.Jedi.com
The stuff of earth competes for the allegiance I owe only to the
Giver of all good things, so if I stand, let me stand on the
promise that You will pull me through. /-- Rich Mullins/
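Since the internal NIC shows nothing, the 5 Mbps has to come from a process on the firewall itself, and the first question is which one. The script below is an added example, not code from either poster: it parses `ss -tunap` output (pipe `sudo ss -tunap` into it on the firewall), aggregates outbound sockets by owning process and destination port, and flags any process that is not one of the daemons the firewall is supposed to run. The allowlist, process names and addresses in the constructed sample are assumptions; a rootkit can hide sockets from `ss` just as it hides from `ps`, so treat a clean result as a cross-check against the external hub sniff, not a replacement for it.

```python
#!/usr/bin/env python3
"""Attribute a firewall's own sockets to the local process that owns them.

Usage on the box:  sudo ss -tunap | python3 attribute_sockets.py
Handles both the old ss format users:(("named",812,21)) and the newer
users:(("named",pid=812,fd=21)).
"""
import re
import sys
from collections import Counter

# Assumed allowlist: daemons the thread says this firewall runs (DNS, DHCP,
# outgoing mail, HTTP redirect) plus sshd for remote admin.
EXPECTED = {"named", "dhcpd", "master", "smtp", "apache2", "sshd"}

USERS_RE = re.compile(r'users:\(\("([^"]+)",(?:pid=)?(\d+)')

def parse_ss_line(line):
    """Return (proto, state, local, peer, process, pid), or None for the header."""
    parts = line.split()
    if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
        return None
    m = USERS_RE.search(line)
    proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
    return parts[0], parts[1], parts[4], parts[5], proc, pid

def summarize(lines):
    """Count sockets per (process, proto, peer port); collect unexpected owners."""
    counts, unexpected = Counter(), set()
    for line in lines:
        rec = parse_ss_line(line)
        if rec is None:
            continue
        proto, _state, _local, peer, proc, pid = rec
        if peer.endswith(":*"):          # listener / unconnected UDP, not a flow
            continue
        counts[(proc, proto, peer.rsplit(":", 1)[1])] += 1
        if proc not in EXPECTED:
            unexpected.add((proc, pid))
    return counts, unexpected

# Constructed sample in `ss -tunap` layout; the hosts and process are made up.
SAMPLE = """Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   ESTAB  0      0      203.0.113.10:44122   198.51.100.23:443  users:(("unknownd",pid=3141,fd=5))
tcp   ESTAB  0      0      203.0.113.10:44123   198.51.100.23:443  users:(("unknownd",pid=3141,fd=6))
udp   ESTAB  0      0      203.0.113.10:51001   192.0.2.77:53      users:(("named",812,21))
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=901,fd=3))""".splitlines()

if __name__ == "__main__":
    counts, unexpected = summarize(sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE)
    for (proc, proto, port), n in counts.most_common():
        print(f"{n:5d}  {proc:<16} {proto}/{port}")
    for proc, pid in sorted(unexpected):
        print(f"UNEXPECTED owner: {proc} (pid {pid})  -> inspect /proc/{pid}/exe and cmdline")
```

The snapshot only shows sockets open at that instant, so run it a few times across the busy period and compare the process list against what `ls -l /proc/<pid>/exe` reports for each flagged pid.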
