LinuxQuestions.org
06-16-2009, 08:33 PM   #1
K0ld
LQ Newbie
Registered: Jun 2009
Posts: 2

10x increase in received packets


Today, I noticed a 10x increase in received packets. Usually, my server uses around 5GB/day of bandwidth; however, all of a sudden it increased to 50GB/day (according to vnstat on eth0):
rx 1750.40 kB/s 27904 packets/s
tx 699.48 kB/s 11099 packets/s

Pretty soon DC might plug off my server if this doesn't stop. How am I supposed to detect where those packets come from and filter them? Also I guess I should report to DC after.

Any help will be much appreciated.
 
06-16-2009, 11:56 PM   #2
chrism01
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Show distro name & version.
Also, which service(s) is this occurring on?
Show example logfiles.
 
06-17-2009, 12:36 AM   #3
K0ld
LQ Newbie
Registered: Jun 2009
Posts: 2
Original Poster

Linux debian 2.6.18-6-686-bigmem #1 SMP Fri Dec 12 17:49:59 UTC 2008 i686 GNU/Linux

I typed:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

to calculate and count the number of connections each IP address makes to the server, and I managed to set iptables to drop packets from an IP I've found to have over 400 connections. However, right now I get this (using the above command; pasting only those with high values):
467
1357 127.0.0.1

As you can see, there are 467 from an unknown(?) IP and 1357 from localhost, both of which I completely don't understand. The other thing is, I'm sure the other IP I blocked with iptables is still sending me packets, but that I can't block (just drop them, as I did). So what to do now? That's how it looks right now (after setting up iptables for the abusive IP):

Traffic average for eth0

rx 1210.70 kB/s 19216 packets/s
tx 14.63 kB/s 126 packets/s
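
One way the pipeline posted above yields a count with no address, shown as an added example that is not part of the thread: cut -d: -f1 keeps only the text before the first colon, so an IPv4-mapped IPv6 peer such as ::ffff:203.0.113.9 collapses to an empty string. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed
# (documentation address ranges), laid out like `netstat -ntu` output.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      TIME_WAIT
tcp        0      0 127.0.0.1:3306          127.0.0.1:40022         ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:4711 ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:4712 SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:4713 SYN_RECV
tcp6       0      0 2001:db8::10:80         2001:db8::beef:50000    ESTABLISHED
EOF
}

# The pipeline as posted: cut keeps only the text before the FIRST colon,
# so "::ffff:203.0.113.9:4711" becomes an empty string and "2001:db8::..."
# becomes "2001"; the two header lines are counted as well.
naive_count() {
    awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
}

# Skip headers, drop only the port (text after the LAST colon) and fold
# IPv4-mapped IPv6 peers (::ffff:a.b.c.d) back to plain a.b.c.d.
count_peers() {
    awk '$1 ~ /^(tcp|udp)/ {
        addr = $5
        sub(/:[^:]*$/, "", addr)
        sub(/^::ffff:/, "", addr)
        n[addr]++
    }
    END { for (a in n) print n[a], a }' | sort -n
}

# Peers with at least $1 connections, one address per line.
peers_over() {
    count_peers | awk -v min="$1" '$1 >= min { print $2 }'
}

# On a live host: netstat -ntu | count_peers
sample_netstat | count_peers
```

On the sample, naive_count reports three connections under an empty key, while count_peers attributes the same three to 203.0.113.9.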
 
  

