LinuxQuestions.org
Forums > Linux Forums > Linux - Networking
Old 10-18-2005, 12:18 PM   #1
azcoder2
LQ Newbie
 
Registered: Oct 2005
Posts: 9

Rep: Reputation: 0
ISP Traffic for other hosts


I have a dedicated host at a local ISP. They are charging me for more than 20gb of traffic a day. I am sure that the box is not getting that much traffic - I have even limited all traffic by using iptables to filter only to my address.

TCPDump reveals a ton of traffic that is not destined for my host. I see http, ms-sql, etc. traffic destined for other hosts.


Just to verify - This should not happen if they gave me a dedicated server on a switch, correct? I should only see traffic destined for my host or broadcast traffic, correct?

Thanks for any reply....
 
Old 10-18-2005, 12:36 PM   #2
zymurgist
Member
 
Registered: Jan 2003
Location: Long Island
Distribution: Redhat 8.0
Posts: 109

Rep: Reputation: 15
You're going to get hit with random traffic. Even with iptables, it still has to process that traffic to make sure it's not a trusted host. Just make sure you are dropping packets with iptables and not rejecting them, which will double your I/O. The best way to avoid processing them at all is to turn off all daemons that you're not using and close those ports completely. Use tcpwrappers when possible, too.
 
Old 10-18-2005, 01:01 PM   #3
azcoder2
LQ Newbie
 
Registered: Oct 2005
Posts: 9

Original Poster
Rep: Reputation: 0
I have shut down all external services except Tomcat and SSH. Netstat shows only ports from those services as listening. I have temporarily set iptables to filter only to my client IP.


Still - I am getting tons of traffic for other hosts.


Shouldn't the switch only be routing to my host broadcast traffic and traffic destined for my host? I should not see traffic destined for another host connected to a different port on the switch, correct?


Thanks again for your help
 
Old 10-18-2005, 01:11 PM   #4
zymurgist
Member
 
Registered: Jan 2003
Location: Long Island
Distribution: Redhat 8.0
Posts: 109

Rep: Reputation: 15
Yes, you shouldn't see traffic for other hosts, but you may be getting port scanned. It's all too common and it will jack up your numbers.
 
Old 10-18-2005, 01:35 PM   #5
azcoder2
LQ Newbie
 
Registered: Oct 2005
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks for your help zymurgist.

I am seeing tons of traffic with src AND destination for other hosts. I even changed the primary bound ip on eth0 to a non-routable 192.168 address, and I still see tons of traffic with src and destination for other hosts.

I have sent a tcpdump to the ISP. This time they are saying "we are looking into it and will get back to you" instead of the standard "check your logs" reply I received twice before.

I can't believe how much time and frustration this has caused me - at first I was worried my box had been compromised.

Again, thanks for your help......
 
Old 10-18-2005, 01:40 PM   #6
zymurgist
Member
 
Registered: Jan 2003
Location: Long Island
Distribution: Redhat 8.0
Posts: 109

Rep: Reputation: 15
Is your NIC in promiscuous mode? It shouldn't be reading all traffic on the LAN.
 
Old 10-18-2005, 04:18 PM   #7
azcoder2
LQ Newbie
 
Registered: Oct 2005
Posts: 9

Original Poster
Rep: Reputation: 0
I believe TCPDUMP puts it into promiscuous mode.

But my understanding is that, even in promiscuous mode, the switch should not be routing any packets to that host that are not destined for the host. In other words, if you put a sniffer between the host and a port on the switch, the only traffic sent to that port on the switch is traffic destined for that MAC address (and broadcast traffic). And the only traffic destined for that MAC should be traffic for the IP(s) of the host.

The host cannot see all traffic on the switch, only traffic routed to it.


Does that sound correct?


Thanks again for any help....
 
Old 10-19-2005, 02:21 AM   #8
fur
Member
 
Registered: Dec 2003
Distribution: Debian, FreeBSD
Posts: 310

Rep: Reputation: 35
There are a few things I can think that may be going on..

They may have you plugged into a hub.

They have you plugged into a switch, but it is acting like a hub, possibly because another user plugged into it is using some ARP spoofing/poisoning attacks and basically turning it into a hub.

They may also have the port your server is plugged into set to a monitor mode for some reason. That mode is normally used for IDS sensors so they can see all traffic that passes through the switch.

If you are plugged into a switch you should not see any http, or any other non broadcast traffic on your interface that does not have your IP in the destination field of the IP packet.
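A way to quantify what fur describes, as an added example that is not from this thread: it classifies `tcpdump -e -n` output by destination MAC, using a constructed sample capture and an assumed local MAC (00:aa:bb:cc:dd:ee) and IP (192.0.2.10). On a healthy switched port the "foreign" count should stay at zero; a large share points at a hub, a flooding switch or a mirror port.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -e -n` lines (not a real capture); the local host
# is assumed to own MAC 00:aa:bb:cc:dd:ee and IP 192.0.2.10.
SAMPLE_LINES = """\
12:18:01.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 203.0.113.7.51000 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
12:18:01.000002 00:11:22:33:44:56 > 00:11:22:33:44:57, ethertype IPv4 (0x0800), length 66: 198.51.100.4.40000 > 198.51.100.9.80: Flags [.], ack 1, win 501, length 0
12:18:01.000003 00:11:22:33:44:58 > 00:11:22:33:44:59, ethertype IPv4 (0x0800), length 60: 198.51.100.12.1433 > 198.51.100.30.49200: Flags [R], seq 0, win 0, length 0
12:18:01.000004 00:11:22:33:44:56 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 198.51.100.1 tell 198.51.100.4, length 46
12:18:01.000005 00:11:22:33:44:60 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 66: 198.51.100.4.40000 > 198.51.100.77.80: Flags [.], ack 1, win 501, length 0
"""

ETH_RE = re.compile(r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype")
IP_RE = re.compile(r"(?P<sip>\d+(?:\.\d+){3})\.\d+ > (?P<dip>\d+(?:\.\d+){3})\.\d+:")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def classify_frame(line, my_mac, my_ips):
    """Label one tcpdump -e line relative to this host's own addresses."""
    m = ETH_RE.match(line)
    if not m:
        return "unparsed"
    dmac = m.group("dmac").lower()
    # Broadcast, or any group address (low bit of first octet set), legitimately
    # reaches every port of a switch.
    if dmac == BROADCAST or int(dmac[:2], 16) & 1:
        return "broadcast_or_multicast"
    if dmac != my_mac.lower():
        # A switch forwards unicast only to the port owning the MAC; these frames
        # mean a hub, a flooding switch, or a mirror/monitor port.
        return "foreign"
    ip = IP_RE.search(line)
    if ip and ip.group("dip") not in my_ips:
        # Our MAC but a destination IP we do not own: other hosts send through us.
        return "my_mac_other_ip"
    return "mine"


def summarize(lines, my_mac, my_ips):
    """Count frames per label over an iterable of tcpdump -e lines."""
    return Counter(classify_frame(l, my_mac, my_ips) for l in lines if l.strip())


def foreign_share(counts):
    """Fraction of frames whose destination MAC is neither ours nor a group address."""
    total = sum(counts.values())
    return counts["foreign"] / total if total else 0.0


if __name__ == "__main__":
    counts = summarize(SAMPLE_LINES.splitlines(), "00:aa:bb:cc:dd:ee", {"192.0.2.10"})
    print(dict(counts), f"foreign share: {foreign_share(counts):.0%}")
```

To run it against a live port, pipe `tcpdump -e -n -i eth0` into the script with the host's real MAC and IPs substituted for the assumed ones.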
 
Old 10-22-2005, 09:42 AM   #9
azcoder2
LQ Newbie
 
Registered: Oct 2005
Posts: 9

Original Poster
Rep: Reputation: 0
I thought some of you might enjoy this. The ISP did finally assume accountability:


"Our engineers have discovered that there was a faulty switch that was flooding multiple servers. Your bandwidth figures along with other affected customers will be recalculated and corrected. Attached are the comments from the engineer.
"It's a result of a faulty Cisco switch, MIS is deploying a patch to fix this.
Submitted a DBA request to reset the bandwidth for all the affected customers from 10/10/05."

We apologize for the confusion and inconvenience this has caused you, but we will definitely correct our error and work to ensure that it will not happen again. Thank you for your patience."


Of course, this was after they told me to "check the logs" and that "administration of a dedicated box is my responsibility" several times.
 
Old 10-24-2005, 01:22 PM   #10
zymurgist
Member
 
Registered: Jan 2003
Location: Long Island
Distribution: Redhat 8.0
Posts: 109

Rep: Reputation: 15
Nice work. You should get a kick-back from all of the other co-lo'ers that you just saved a ton of money for.
 