Hi there!

I can't lookup what using my bandwidth.

I'm runing gameservers, private vpn servers and I'm monitoring my system with cacti, and as I see I have a continously ~3 Mb/s (20-24Mbit) outgoing traffic on my eth0 iface (when no one on gameservers, and on vpn. -- with a bit less traffic have the same problem on an other box). Tried to find out with iftop, iptraf, nethogs, but I can't see any traffic like this.

iftops shows that I have some connections on port 3128. As I know, that is usually a proxy port and I have some connections from adult sites to gameserver ports. In iptables I've DROP every In and Output connections from that port and from "adult address". Allready looked up, that I dont run process on port 3128, but nothing happens the traffic is there.
Simply: I have no idea how to find out what eats my bandwidth)

Is there a way, that shows me who, or what is using my iface like this? Thanks.

Single server, several servers, virtualization, VPS, shared host, colocation, whatever else HW specs?


Provided you're not on a VPS or shared host and provided you're running the right rule set Netfilter should be able to "-j LOG"* all traffic or if you can run tcpdump, something like 'tcpdump -i [device] -n -nn -N -s 0 -w /path/to/savefile.pcap', and can host the /path/to/savefile.pcap file (send me an email if you don't want to publicize a D/L URI) I'd love to have a look at the packet capture.

I've sent a mail to you with the pcap file!

Several servers on dedicated boxes. I'm using debian lenny, and squeeze (HW specs in the mail). I've doing this for a while, but this problem is shows up about a month ago.

I've closed the in and outgoing port to 3128 and 27660 (this port makes the most traffic on destination side(so I blocked it for nothing on local)), and the traffic gets smaller, but now 12 hours later the traffic comes back again and the dest port is 27660 again on some strange addresses. As I see more detailed the traffic, it's made by the gameservers. So when I stops a gameserver process on a high traffic port, the traffic is gets away on it. But when I start it again, the traffic is come back and communicating with the same iport again(than before), and about with the same ammount of traffic. The investigated gameserver is started with original files.

Is it possible that my files are infested?

Run the PCAP through Wireshark, filter for "data.data contains 74:61:74:75:73" and you'll see most of the traffic is actually your game servers polling for and receiving game status data. Probably talking to master lists but that's for you to check.

1 members found this post helpful.

I've understood what happening. I've got DDoS attack to some of my gameservers. The query "getstatus" in 60 byte length UDP packets coming to (some thousand in a second) my cod servers (one-by-one) and the answer is a ~800byte UDP packet to the sender, who should drop it, so my Outbound is under load. If I block an attacking ip, then in seconds I've got an other, so I need to filter it in Iptables. My idea, based on seen on an other forum, that I filtering UDP packet by length, and look the "getstatus" string in it and drop it if reaches an amount of query in a second.

I've tcpdumped one cod server traffic to pcap file, and directly to a human readable format, and as I saw these shows totaly different length. Pcap (wireshark) shows 60bytes udp query, readable dump shows 15bytes (I don't understand it yet).

readable dump:
Can someone help me out with an iptables entry?

I've this, but not working:
Or if someone have better ideas, I'm listening
Thanks!