[olug] High traffic from firewall?

Justin Reiners justin at hotlinesinc.com
Fri Dec 23 10:19:39 CST 2016


Meh, it sucks but I can field strip a network in my sleep, and quite enjoy
it. Might even keep you from the in-laws for a bit! :) Happy holidays!

On Fri, Dec 23, 2016 at 10:10 AM, Ben Hollingsworth <obiwan at jedi.com> wrote:

> There isn't any DSL/cable modem.  It's a linux firewall hooked directly to
> the WiMAX radio.  I already tried sniffing the packets from my firewall,
> but it was mostly https.
>
> When I got home last night, I rebooted the firewall.  All the https
> traffic to just a few Windstream static IP's stopped, but it was replaced
> by a bunch of DNS traffic to countless different IP's.  The volume of
> traffic didn't change, oddly; it stayed steady at just over 5 Mbps up.
> Sometime around 4am, my son started downloading a bunch of Steam games.
> When that finished around 8am, all the unexpected traffic stopped.  No,
> Steam wasn't running prior to 4am.  It's been working fine so far the last
> couple hours with no unusual traffic.
>
> I'm gonna keep a close eye on it this weekend.  I've already downloaded
> the latest Ubuntu Server ISO (at work), so I'm ready to go if I do end up
> rebuilding the firewall this weekend.  Not really how I wanted to spend my
> 3.5-day Christmas weekend. Besides obligatory family stuff, I've got a barn
> that isn't going to build itself.
>
>
> On 12/23/2016 09:59 AM, Dan Linder wrote:
>
>> Can you throw an ethernet hub between the external firewall port and your
>> DSL/cable modem and sniff the traffic to get an idea what's in the traffic?
>> It won't be fun, but a few filters taking out the expected traffic should
>> help.
>>
>> Dan
>>
>> On Thu, Dec 22, 2016 at 1:00 PM, Ben Hollingsworth <obiwan at jedi.com>
>> wrote:
>>
>>> OK, I'm concerned.  I have a headless linux (Ubuntu Server 14.04) firewall
>>> that controls access to my home network via iptables.  It runs a DNS
>>> server, DHCP server, mail server (only for outgoing mail), and HTTP
>>> redirect server that points traffic to another internal server.  I try to
>>> keep the firewall locked down pretty tight, especially from the outside
>>> world.
>>>
>>> Beginning about 9am yesterday, my outgoing bandwidth from the firewall to
>>> the outside world has been pegged pretty constantly at about 5 Mbps.  It's
>>> normally only a few kbps.  There's no significant traffic on the
>>> firewall's internal NIC, so all this traffic must be generated on the
>>> firewall itself.  Here's the MRTG graph:
>>> 
>>>
>>> I'm running tcpdump trying to diagnose it from work right now, but with
>>> the kids & wife at home all day, it's hard to know which traffic is them &
>>> which isn't.  Virtually all outgoing traffic is to an HTTPS port.  Once I
>>> get home, I can block individual IP's easily enough, but I'm concerned that
>>> I've got a bigger problem.
>>>
>>> What's the best way to determine if I've got a rootkit on a linux
>>> server?  ps doesn't show anything suspicious, but no self-respecting
>>> rootkit would show up there, anyway.
>>>
>>
>
> --
> *Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com <mailto:obiwan at jedi.com>
> www.Jedi.com <http://www.jedi.com>
> The stuff of earth competes for the allegiance I owe only to the
> Giver of all good things, so if I stand, let me stand on the
> promise that You will pull me through. /-- Rich Mullins/
>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>
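Dan's suggestion in the thread is to sniff the WAN side and filter out the expected traffic until only the unexplained part is left. As an added example for this page (not code from anyone in the thread), the Python script below does that filtering step over plain `tcpdump -n` text: it keeps only packets the firewall itself originated, drops destinations that are already accounted for (the upstream resolver, the outgoing mail relay), and then ranks what remains by payload bytes per destination and by how many distinct hosts each destination port reaches, which is the "DNS to countless different IPs" pattern Ben describes. The sample capture lines, the firewall WAN address (192.0.2.10), the remote addresses (RFC 5737 documentation ranges) and the expected-destination list are all constructed assumptions, not data from the thread.

```python
import re
import sys
from collections import Counter, defaultdict

# tcpdump -n line shape:  HH:MM:SS.usec IP src.sport > dst.dport: <rest>
PKT_RE = re.compile(
    r"^\S+ IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+): (.*)$"
)
LEN_RE = re.compile(r"length (\d+)")      # TCP / generic UDP: "... length 1400"
PAREN_LEN_RE = re.compile(r"\((\d+)\)$")  # DNS decoder: "... A? host. (37)"

# Constructed sample capture (assumption): 192.0.2.10 is the firewall's WAN
# address; 198.51.100.0/24 and 203.0.113.0/24 stand in for remote hosts.
SAMPLE_LINES = """\
10:19:39.000001 IP 192.0.2.10.41000 > 203.0.113.5.443: Flags [P.], seq 1:1401, ack 1, win 229, length 1400
10:19:39.000002 IP 192.0.2.10.41000 > 203.0.113.5.443: Flags [P.], seq 1401:2801, ack 1, win 229, length 1400
10:19:39.000003 IP 192.0.2.10.41001 > 203.0.113.6.443: Flags [P.], seq 1:701, ack 1, win 229, length 700
10:19:39.000004 IP 192.0.2.10.53311 > 198.51.100.1.53: 4711+ A? updates.example.net. (37)
10:19:39.000005 IP 192.0.2.10.53312 > 198.51.100.2.53: 4712+ A? host2.example.net. (35)
10:19:39.000006 IP 192.0.2.10.53313 > 198.51.100.3.53: 4713+ A? host3.example.net. (35)
10:19:39.000007 IP 192.0.2.10.44000 > 203.0.113.25.25: Flags [P.], seq 1:201, ack 1, win 229, length 200
10:19:39.000008 IP 203.0.113.5.443 > 192.0.2.10.41000: Flags [.], ack 2801, win 1000, length 0
10:19:39.000009 IP 192.0.2.10.5001 > 203.0.113.9.5001: UDP, length 512
""".splitlines()

FIREWALL_WAN_IP = "192.0.2.10"
# Destinations we already account for (assumption): the ISP resolver the
# firewall's DNS server forwards to, and the relay the mail server uses.
EXPECTED_DESTINATIONS = {("198.51.100.1", 53), ("203.0.113.25", 25)}


def parse_packet(line):
    """Return (src, sport, dst, dport, payload_len) or None for lines we can't read.

    The length tcpdump prints is payload length (TCP segment data or UDP/DNS
    message), not on-the-wire bytes, so totals are a lower bound on link usage.
    """
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, rest = m.groups()
    lm = LEN_RE.search(rest) or PAREN_LEN_RE.search(rest)
    if not lm:
        return None
    return src, int(sport), dst, int(dport), int(lm.group(1))


def summarize_outbound(lines, local_ip, expected):
    """Bytes per unexpected (dst, port) and distinct-host fan-out per port.

    Only packets whose source is local_ip count, so replies and forwarded LAN
    traffic are ignored: what remains was generated on the firewall itself.
    """
    bytes_by_dest = Counter()
    hosts_by_port = defaultdict(set)
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, _, dst, dport, length = pkt
        if src != local_ip or (dst, dport) in expected:
            continue
        bytes_by_dest[(dst, dport)] += length
        hosts_by_port[dport].add(dst)
    fanout = {port: len(hosts) for port, hosts in hosts_by_port.items()}
    return bytes_by_dest, fanout


def top_talkers(bytes_by_dest, n=10):
    """Highest-volume unexpected destinations first."""
    return bytes_by_dest.most_common(n)


if __name__ == "__main__":
    # Pipe a live capture in ("tcpdump -n -l -i eth0 | python3 thisfile.py")
    # or run with no input to see the constructed sample.
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    by_dest, fanout = summarize_outbound(lines, FIREWALL_WAN_IP, EXPECTED_DESTINATIONS)
    for (dst, port), nbytes in top_talkers(by_dest):
        print(f"{dst}:{port}\t{nbytes} bytes")
    for port, hosts in sorted(fanout.items(), key=lambda kv: -kv[1]):
        print(f"port {port}: {hosts} distinct unexpected hosts")
```

The two views complement each other: a single HTTPS destination dominating the byte count is what Ben saw before the reboot, while a low byte total spread over many distinct hosts on port 53 is the fan-out pattern he saw afterwards, and that second view is easy to miss when you only sort by volume. On the sample, the per-destination ranking puts 203.0.113.5:443 first with 2800 payload bytes and the fan-out table shows two unexpected resolvers on port 53 after the known one is filtered out.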

