Linux - Networking
This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I'm running game servers and private VPN servers, and I'm monitoring my system with Cacti. As I see it, I have a continuous ~3 MB/s (20-24 Mbit) of outgoing traffic on my eth0 interface (when no one is on the game servers or on the VPN; with a bit less traffic I have the same problem on another box). I tried to find it with iftop, iptraf and nethogs, but I can't see any traffic like this.
iftop shows that I have some connections on port 3128. As far as I know, that is usually a proxy port, and I have some connections from adult sites to game server ports. In iptables I've DROPped every input and output connection from that port and from the "adult addresses". I've already checked that I don't run a process on port 3128, but nothing happens; the traffic is still there.
Simply: I have no idea how to find out what eats my bandwidth.
Is there a way that shows me who or what is using my interface like this? Thanks.
Single server, several servers, virtualization, VPS, shared host, colocation, whatever else? HW specs?
Quote:
Originally Posted by popecrob
I have a continously ~3 Mb/s (20-24Mbit) outgoing traffic on my eth0 iface (..) I can't see any traffic like this.
Provided you're not on a VPS or shared host, and provided you're running the right rule set, Netfilter should be able to "-j LOG"* all traffic; or, if you can run tcpdump, something like 'tcpdump -i [device] -n -nn -N -s 0 -w /path/to/savefile.pcap'. If you can host the /path/to/savefile.pcap file (send me an email if you don't want to publicize a D/L URI), I'd love to have a look at the packet capture.
Several servers on dedicated boxes. I'm using Debian lenny and squeeze (HW specs in the mail). I've been doing this for a while, but this problem showed up about a month ago.
I've closed the incoming and outgoing ports 3128 and 27660 (this port makes the most traffic on the destination side, so I blocked it locally for nothing), and the traffic got smaller, but now, 12 hours later, the traffic comes back again and the destination port is 27660 again on some strange addresses. Looking at the traffic in more detail, it's made by the game servers. So when I stop a game server process on a high-traffic port, the traffic on it goes away. But when I start it again, the traffic comes back, communicating with the same IP and port as before, and with about the same amount of traffic. The investigated game server is started with the original files.
Run the PCAP through Wireshark, filter for "data.data contains 74:61:74:75:73", and you'll see most of the traffic is actually your game servers polling for and receiving game status data. Probably talking to master lists, but that's for you to check.
I've understood what is happening. I've got a DDoS attack on some of my game servers. The "getstatus" query in 60-byte UDP packets is coming to my CoD servers (some thousand per second, one by one), and the answer is a ~800-byte UDP packet to the sender, who should drop it, so my outbound is under load. If I block an attacking IP, then within seconds I've got another, so I need to filter it in iptables. My idea, based on what I've seen on another forum, is to filter UDP packets by length, look for the "getstatus" string in them, and drop them if they reach a certain number of queries per second.
I've tcpdumped one CoD server's traffic to a pcap file and directly to a human-readable format, and as I saw, these show totally different lengths. The pcap (Wireshark) shows a 60-byte UDP query; the readable dump shows 15 bytes (I don't understand it yet).
readable dump:
Quote:
11:00:15.457181 IP <attacker_ip>.27660 > <my_ip>.28984: UDP, length 15
11:00:15.457190 IP <attacker_ip>.27660 > <my_ip>.28984: UDP, length 15
11:00:15.458024 IP <attacker_ip>.27660 > <my_ip>.28984: UDP, length 15
11:00:15.458057 IP <normal_player's_ip>.11649 > <my_ip>.28984: UDP, length 58
11:00:15.458091 IP <my_ip>.28984 > <attacker_ip>.27660: UDP, length 798
11:00:15.458275 IP <my_ip>.28984 > <attacker_ip>.27660: UDP, length 798
11:00:15.458462 IP <my_ip>.28984 > <attacker_ip>.27660: UDP, length 798
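The reflection pattern described in the post above (tiny "getstatus" queries in, ~800-byte answers out), worked through as an added example that is not code from the thread: a small Python script that parses tcpdump's human-readable lines of the shape quoted above, groups them by remote endpoint, and reports how many bytes the server sent back per byte it received, plus the query rate per source. The sample lines and the addresses 192.0.2.10 (server), 203.0.113.5 (attacking source) and 198.51.100.7 (normal player) are constructed. The script also accounts for the 60-versus-15 discrepancy in the post: tcpdump's "UDP, length 15" is the UDP payload alone, while Wireshark's 60 bytes is the whole Ethernet frame (15 payload + 8 UDP + 20 IP + 14 Ethernet = 57, padded up to the 60-byte Ethernet minimum).

```python
"""Spot UDP reflection traffic in tcpdump's human-readable output.

Added example, not from the thread. Parses lines like
  11:00:15.457181 IP 203.0.113.5.27660 > 192.0.2.10.28984: UDP, length 15
and reports per remote endpoint: short queries received, bytes in, bytes out,
amplification (bytes out / bytes in) and queries per second.
All addresses and sample lines are constructed (RFC 5737 ranges).
"""
import re
from collections import defaultdict

SERVER_IP, SERVER_PORT = "192.0.2.10", 28984   # constructed game server

# Constructed sample modelled on the dump quoted in the thread:
# 203.0.113.5 plays the attacking source, 198.51.100.7 a normal player.
SAMPLE = """\
11:00:15.457181 IP 203.0.113.5.27660 > 192.0.2.10.28984: UDP, length 15
11:00:15.457190 IP 203.0.113.5.27660 > 192.0.2.10.28984: UDP, length 15
11:00:15.458024 IP 203.0.113.5.27660 > 192.0.2.10.28984: UDP, length 15
11:00:15.458057 IP 198.51.100.7.11649 > 192.0.2.10.28984: UDP, length 58
11:00:15.458091 IP 192.0.2.10.28984 > 203.0.113.5.27660: UDP, length 798
11:00:15.458275 IP 192.0.2.10.28984 > 203.0.113.5.27660: UDP, length 798
11:00:15.458462 IP 192.0.2.10.28984 > 203.0.113.5.27660: UDP, length 798
11:00:15.458733 IP 192.0.2.10.28984 > 198.51.100.7.11649: UDP, length 120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

ETH_HDR, IP_HDR, UDP_HDR, ETH_MIN = 14, 20, 8, 60


def frame_len(udp_payload):
    """Bytes on the wire (Ethernet frame, no FCS) for a UDP payload of this
    size. tcpdump's 'length N' is the payload only; Wireshark shows the frame,
    and 15 + 8 + 20 + 14 = 57 is padded up to the 60-byte Ethernet minimum."""
    return max(ETH_MIN, udp_payload + UDP_HDR + IP_HDR + ETH_HDR)


def parse(text):
    """Turn tcpdump lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s = m["ts"].split(":")
        pkts.append({
            "ts": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "len": int(m["len"]),
        })
    return pkts


def reflection_report(pkts, server_ip=SERVER_IP, server_port=SERVER_PORT,
                      max_query=16):
    """Per remote (ip, port): short queries, bytes in/out, amplification and
    query rate. A getstatus probe carries a 15-byte payload, so max_query=16
    keeps a real client's 58-byte packet out of the 'queries' count while its
    bytes are still charged to the ratio (an assumed threshold)."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0,
                                 "first": None, "last": None})
    for p in pkts:
        if p["dst"] == server_ip and p["dport"] == server_port:
            st = stats[(p["src"], p["sport"])]
            st["bytes_in"] += p["len"]
            if p["len"] <= max_query:
                st["queries"] += 1
                st["first"] = p["ts"] if st["first"] is None else st["first"]
                st["last"] = p["ts"]
        elif p["src"] == server_ip and p["sport"] == server_port:
            stats[(p["dst"], p["dport"])]["bytes_out"] += p["len"]
    for st in stats.values():
        st["amp"] = st["bytes_out"] / st["bytes_in"] if st["bytes_in"] else 0.0
        span = (st["last"] - st["first"]) if st["first"] is not None else 0.0
        st["qps"] = st["queries"] / span if span > 0 else float(st["queries"])
    return dict(stats)


def reflectors(report, min_queries=3, min_amp=10.0):
    """Endpoints worth a DROP rule: many tiny queries answered with large
    replies. Thresholds are assumptions; tune them against your own capture."""
    return sorted(peer for peer, st in report.items()
                  if st["queries"] >= min_queries and st["amp"] >= min_amp)


if __name__ == "__main__":
    rep = reflection_report(parse(SAMPLE))
    for peer, st in sorted(rep.items()):
        print(f"{peer[0]}:{peer[1]} queries={st['queries']} in={st['bytes_in']} "
              f"out={st['bytes_out']} amp={st['amp']:.1f}x qps={st['qps']:.0f}")
    print("reflectors:", reflectors(rep))
```

Run as a script it prints the per-peer table: the attacking endpoint comes out at roughly 53 bytes sent per byte received, the normal player at about 2. The netfilter modules behind the filter the post proposes are xt_length (-m length), xt_string (-m string --algo bm --string "getstatus") and xt_hashlimit (-m hashlimit keyed on the source address); which payload lengths the offending query actually uses is worth confirming against a capture like this one first, since a rule keyed on the string alone also drops the legitimate status polls that master lists and players' server browsers send.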