LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 05-19-2005, 02:12 AM   #1
ivanatora
Member
 
Registered: Sep 2003
Location: Bulgaria
Distribution: Ubuntu 9.10, FreeBSD 7.2
Posts: 459

Rep: Reputation: 32
Massive UDP traffic from one host?


I see in tcpdump that one of my network hosts makes massive UDP traffic to some hosts. It's two way: both receiving and transmitting it (not a virus?). I suppose it uses some kind of torrent software to share files, but I thought torrents use TCP, not UDP. Am I wrong?
Here is what I see in tcpdump -n -i eth1 host 10.10.10.8:
Code:
08:52:31.718446 IP 212.122.188.91.63709 > 10.10.10.8.9315: UDP, length: 42
08:52:31.738382 IP 80.72.67.78.17150 > 10.10.10.8.9315: UDP, length: 42
08:52:31.754586 IP 10.10.10.8.9315 > 82.82.206.30.26995: UDP, length: 42
08:52:31.758394 IP 83.228.37.1.13956 > 10.10.10.8.9315: UDP, length: 110
08:52:31.774466 IP 10.10.10.8.9315 > 195.62.22.21.14871: UDP, length: 42
08:52:31.788369 IP 83.228.37.1.13956 > 10.10.10.8.9315: UDP, length: 42
08:52:31.844540 IP 10.10.10.8.9315 > 84.43.149.204.8455: UDP, length: 54
08:52:31.865712 IP 10.10.10.8.9315 > 213.240.233.68.7195: UDP, length: 1072
If I'm wrong and that doesn't seem like torrent traffic, help me understand what kind of session is that.
 
Old 05-19-2005, 04:25 AM   #2
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
ntp uses udp on port 123. You don't have a ntp server running which could be accessed on port 123?
 
Old 05-19-2005, 04:28 AM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by TigerOC
ntp uses udp on port 123. You don't have a ntp server running which could be accessed on port 123?
what do you mean?? isn't the port that is being used here 9315 (UDP)??

BTW ivanatora: yes, bittorrent only uses TCP (ports 6881-6999)...


Last edited by win32sux; 05-19-2005 at 04:31 AM.
 
Old 05-19-2005, 05:14 AM   #4
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
I did a bit of searching on this and while there is not a lot of info it would appear that this could arise from virus infections on a MS SQL system. I did a whois search on some of the ip addresses listed and one is the Bulgarian Govt Minister's servers. If this is the case, one wonders how secure your highest level government documents are. You need to report this to the relevant sys admins for the ip addresses you have. You also need to have a good look at your own security since you need to have only those ports you need open and the rest closed via your firewall. The only ones I have open are 68, 123, 6112, 6119, and 4000.
 
Old 05-19-2005, 05:30 AM   #5
ivanatora
Member
 
Registered: Sep 2003
Location: Bulgaria
Distribution: Ubuntu 9.10, FreeBSD 7.2
Posts: 459

Original Poster
Rep: Reputation: 32
I don't see that port 123 anywhere.
About BitTorrent: I thought this port range is not reserved and can vary according to the client's configurations. Besides the virus possibility what other program can cause UDP load? Is it suitable to deny all forwarded UDP packets?
 
Old 05-19-2005, 05:41 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by ivanatora
I don't see that port 123 anywhere.
yeah, there's no port 123 in the info you posted...

Quote:
About BitTorrent: I thought this port range is not reserved and can vary according to the client's configurations.
bittorrent uses tcp ports 6881-6999... you don't need to open the entire range for bittorrent to work, though... bittorrent will try and start a connection using whichever ports within that range you've opened... first it will try 6881, then 6882, then 6883, etc.

Quote:
Besides the virus possibility what other program can cause UDP load? Is it suitable to deny all forwarded UDP packets?
yes, you should block all packets that you don't need... for example, on my PC the only UDP packets which are allowed to go out are the ones going to port 53, cuz that's the DNS server port... i have no need for any other UDP packets to go out so everything else is blocked...
 
Old 05-19-2005, 06:37 AM   #7
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Given the fact the host at 10.10.10.8 is communicating with seven other hosts on the internet -and- all within a one second timeframe, I would consider unplugging this device from your network. Then log in to this device and figure out whether or not this is valid traffic.

BTW: With the exception of one packet, the packet sizes seem small. i.e. small data portion within packets.
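As an added illustration (not code from the thread or any of its posters), the following Python script parses the tcpdump lines quoted in the first post and applies the two checks scowles describes: how many distinct remote peers 10.10.10.8 exchanges UDP with inside a single second, and how the packet sizes are distributed. The sample input is the posted capture, embedded verbatim; the fan-out threshold of 5 peers per second is an assumed starting value.

```python
import re
from collections import defaultdict

# Constructed sample input: the lines posted above (tcpdump -n -i eth1 host 10.10.10.8).
SAMPLE = """\
08:52:31.718446 IP 212.122.188.91.63709 > 10.10.10.8.9315: UDP, length: 42
08:52:31.738382 IP 80.72.67.78.17150 > 10.10.10.8.9315: UDP, length: 42
08:52:31.754586 IP 10.10.10.8.9315 > 82.82.206.30.26995: UDP, length: 42
08:52:31.758394 IP 83.228.37.1.13956 > 10.10.10.8.9315: UDP, length: 110
08:52:31.774466 IP 10.10.10.8.9315 > 195.62.22.21.14871: UDP, length: 42
08:52:31.788369 IP 83.228.37.1.13956 > 10.10.10.8.9315: UDP, length: 42
08:52:31.844540 IP 10.10.10.8.9315 > 84.43.149.204.8455: UDP, length: 54
08:52:31.865712 IP 10.10.10.8.9315 > 213.240.233.68.7195: UDP, length: 1072
"""

# Matches the tcpdump line format shown in the thread ("...: UDP, length: N").
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length: (?P<length>\d+)$"
)

def parse(text):
    """One dict per UDP line; lines in any other format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["length"] = int(row["length"])
            rows.append(row)
    return rows

def flag_fanout(rows, host, threshold=5):
    """Seconds in which host spoke UDP with more than `threshold` distinct peers."""
    peers = defaultdict(set)          # wall-clock second -> remote IPs seen
    for r in rows:
        if r["src"] == host:
            peers[r["ts"]].add(r["dst"])
        elif r["dst"] == host:
            peers[r["ts"]].add(r["src"])
    return {ts: sorted(p) for ts, p in peers.items() if len(p) > threshold}

def size_summary(rows, small=128):
    """(count below `small` bytes, count at or above it, largest length seen)."""
    lengths = [r["length"] for r in rows]
    return sum(l < small for l in lengths), sum(l >= small for l in lengths), max(lengths, default=0)
```

Run against the posted capture this reports one second (08:52:31) with seven distinct peers and seven of eight packets under 128 bytes, which is the pattern scowles is pointing at.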
 
Old 05-19-2005, 10:11 AM   #8
ivanatora
Member
 
Registered: Sep 2003
Location: Bulgaria
Distribution: Ubuntu 9.10, FreeBSD 7.2
Posts: 459

Original Poster
Rep: Reputation: 32
The research goes on.
I am not very suspicious about connecting to 7 hosts in less than a second, it is within the technology of the torrent networks: connecting to as many hosts as possible in order to not eat up the whole bandwidth of one host.
About disallowing to forward UDP packets, are you sure that DNS uses UDP on port 53? Isn't it only TCP there? If one service using UDP appeared, there could be more. Can you name some more except DNS?
 
Old 05-19-2005, 10:34 AM   #9
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
I think you have got fixated with torrent connections. A whois search on '212.122.160.0 - 212.122.191.255'

inetnum: 212.122.160.0 - 212.122.191.255
org: ORG-CoM1-RIPE
netname: BG-GOVERNMENT-19990722
descr: Bulgarian Government Network
descr: Council of Ministers
country: BG

Why would your Council of Ministers be sending packets to your server? I'll guarantee it's not torrent.
 
Old 05-19-2005, 10:59 AM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by ivanatora
About disallowing to forward UDP packets, are you sure that DNS uses UDP on port 53? Isn't it only TCP there?
yes, i'm sure... DNS queries use UDP port 53... DNS queries don't use any TCP at all...

Quote:
If one service using UDP appeared, there could be more. Can you name some more except DNS?
well, some multi-player FPS games use it, for example... but really, it's you as the network administrator who must determine which UDP transmissions you want/need to allow... you don't need to think of every possible UDP transmission, just make rules allowing the ones you actually want/need and have your policy filter everything else...


BTW, keep in mind that i'm talking about outgoing UDP packets... as far as incoming packets are concerned, well i'm not sure what kinda services you are running on your external interface, or if you are doing any port-forwarding or what have you... if you aren't doing any of that then all incoming UDP packets which aren't found to be ESTABLISHED,RELATED should be getting filtered...


Last edited by win32sux; 05-19-2005 at 11:06 AM.
 
Old 05-19-2005, 12:06 PM   #11
ivanatora
Member
 
Registered: Sep 2003
Location: Bulgaria
Distribution: Ubuntu 9.10, FreeBSD 7.2
Posts: 459

Original Poster
Rep: Reputation: 32
Quote:
Originally posted by TigerOC

Why would your Council of Ministers be sending packets to your server? I'll guarantee it's not torrent.
Ok, you discovered us. Bad. We are Turkish secret net-agents stealing classified documents from the Bulgarian Government. They will suffer
Now seriously The user on 10.10.10.8 was told to check his PC for viruses and it is up to him to fix his own machine.
Let me see if I have understood you correctly. You described these iptables rules:
iptables -I FORWARD -p udp --dport ! 53 -o eth0 -j DROP
iptables -I FORWARD -p udp -m state --state INVALID,NEW -o eth1 -j DROP
eth0 is the external interface, and eth1 is the internal one. Is that right?
 
Old 05-19-2005, 12:31 PM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by ivanatora
The user on 10.10.10.8 was told to check his PC for viruses and it is up to him to fix his own machine.
this is fine, but still, keep in mind that on a NAT setup everything he sends-out will look like it's sent-out by YOU, so it's a good idea to limit what he can send out... the Bulgarian Secret Government Agents won't go knocking on HIS door, they will come knocking on YOURS...

Quote:
Let me see if I have understood you correctly. You described these iptables rules:
iptables -I FORWARD -p udp --dport ! 53 -o eth0 -j DROP
iptables -I FORWARD -p udp -m state --state INVALID,NEW -o eth1 -j DROP
eth0 is the external interface, and eth1 is the internal one. Is that right?
no, not really... what i was describing actually looked more like this:
Code:
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p UDP -i eth1 -o eth0 --dport 53 \
-m state --state NEW -j ACCEPT
of course you'd need your other rules in there, like for web browsing, ftp, etc:

Code:
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p UDP -i eth1 -o eth0 --dport 53 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 80 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 443 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 21 \
-m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
etc... etc... etc...


Last edited by win32sux; 05-19-2005 at 12:57 PM.
 
Old 05-19-2005, 12:53 PM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
BTW, to let the clients use BitTorrent this would be the rule:
Code:
iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 6881:6999 \
-m state --state NEW -j ACCEPT
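As an added example (not code from the thread or from win32sux), here is a small Python model of the FORWARD chain given in the two posts above: policy DROP, ESTABLISHED,RELATED accepted first, then the NEW-only rules for DNS, HTTP, HTTPS, FTP and the BitTorrent range, matched in order with first match winning. It evaluates constructed packets modelled on the thread's traffic (LAN on eth1, internet on eth0) so you can see why the UDP 9315 sessions from 10.10.10.8 would be dropped while the explicitly allowed traffic passes; the conntrack states and the reply port 40000 are assumed values.

```python
from collections import namedtuple

# A rule criterion left as None is "any", like an omitted iptables match.
Rule = namedtuple("Rule", "target proto in_if out_if dports states", defaults=(None,) * 5)
# state is the conntrack state iptables would see: NEW, ESTABLISHED, RELATED or INVALID.
Packet = namedtuple("Packet", "proto in_if out_if dport state")

# The FORWARD chain from the two posts above, in the order given (first match wins).
POLICY = "DROP"
FORWARD = [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", "udp", "eth1", "eth0", (53, 53), {"NEW"}),
    Rule("ACCEPT", "tcp", "eth1", "eth0", (80, 80), {"NEW"}),
    Rule("ACCEPT", "tcp", "eth1", "eth0", (443, 443), {"NEW"}),
    Rule("ACCEPT", "tcp", "eth1", "eth0", (21, 21), {"NEW"}),
    Rule("ACCEPT", "tcp", "eth1", "eth0", (6881, 6999), {"NEW"}),  # BitTorrent rule
]

def matches(rule, pkt):
    """True when every criterion the rule specifies agrees with the packet."""
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.in_if is None or rule.in_if == pkt.in_if)
            and (rule.out_if is None or rule.out_if == pkt.out_if)
            and (rule.dports is None or rule.dports[0] <= pkt.dport <= rule.dports[1])
            and (rule.states is None or pkt.state in rule.states))

def verdict(pkt, chain=FORWARD, policy=POLICY):
    """Target of the first matching rule, else the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# Constructed packets modelled on the thread: LAN behind eth1, internet on eth0.
EXAMPLES = {
    "udp9315_out": Packet("udp", "eth1", "eth0", 26995, "NEW"),  # 10.10.10.8 -> peer
    "udp9315_in": Packet("udp", "eth0", "eth1", 9315, "NEW"),    # peer -> 10.10.10.8:9315
    "dns_query": Packet("udp", "eth1", "eth0", 53, "NEW"),
    "dns_reply": Packet("udp", "eth0", "eth1", 40000, "ESTABLISHED"),
    "torrent_out": Packet("tcp", "eth1", "eth0", 6881, "NEW"),
    "torrent_in": Packet("tcp", "eth0", "eth1", 6881, "NEW"),    # unsolicited inbound
}

def verdicts():
    """Verdict per example packet, in the order they are listed."""
    return {name: verdict(pkt) for name, pkt in EXAMPLES.items()}
```

Note that the unsolicited inbound torrent connection is dropped too: the rules only open the range for NEW connections leaving eth1 towards eth0, which is exactly the asymmetry win32sux describes for incoming packets.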
 
Old 05-19-2005, 12:56 PM   #14
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
I would just like to throw in a good resource on the DNS traffic behavior, which in fact is rather complex.
This link gives info on how to configure the firewall for DNS in different setups.

http://homepages.tesco.net/~J.deBoyn...all-holes.html
 
Old 05-19-2005, 01:02 PM   #15
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by ugge
I would just like to throw in a good resource on the DNS traffic behavior, which in fact is rather complex.
it might be complex if you are setting-up your own full-blown DNS server, but it's quite simple (simply forward 53/UDP) when all you need is to let clients on your LAN send DNS queries to your ISP's DNS servers (which seems to be the case here)...

that's a nice link for anyone wanting to set-up a full-blown DNS server, though...


Last edited by win32sux; 05-19-2005 at 01:05 PM.
 