
#1 2013-07-02 23:29:29

Kooothor
Member
From: Paname
Registered: 2008-08-02
Posts: 226

[solved] Unknown and numerous connections showing on iftop

EDIT: PROBLEM SOLVED: computer was in the DMZ and receiving lots of DNS requests for an unknown reason...

Last edited by Kooothor (2013-07-03 16:43:13)


ktr


#2 2013-07-02 23:53:38

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [solved] Unknown and numerous connections showing on iftop

When you say "a very very fresh install", what do you mean exactly? Did you restore anything from backup? What's installed?


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#3 2013-07-03 00:02:24

Kooothor
Member
From: Paname
Registered: 2008-08-02
Posts: 226

Re: [solved] Unknown and numerous connections showing on iftop

cfr wrote:

When you say "a very very fresh install", what do you mean exactly? Did you restore anything from backup? What's installed?

Installed it today. I only restored my firefox profile and some .dotfiles (vimrc, zshrc, tmux.conf, .Xdefaults).
The more I investigate, the more I think it's DNS related... But why connect to so many different servers? And why so much bandwidth, and just after boot!

Last edited by Kooothor (2013-07-03 00:05:23)



#4 2013-07-03 00:06:43

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [solved] Unknown and numerous connections showing on iftop

Did you test before you started to restore things?



#5 2013-07-03 00:09:11

Kooothor
Member
From: Paname
Registered: 2008-08-02
Posts: 226

Re: [solved] Unknown and numerous connections showing on iftop

Not really, no (yeah I know, big error). But I think we can safely rule out the malware idea. And after boot I have basically nothing running except dhcp. So I'm gonna search this way.

EDIT: when I stop dhcpcd, I don't have these connections anymore \o/
I'll try using a static IP config.

Last edited by Kooothor (2013-07-03 00:14:08)



#6 2013-07-03 00:11:14

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [solved] Unknown and numerous connections showing on iftop

Why do you think it is DNS related? (Feel free not to answer this question - I'm just interested.)



#7 2013-07-03 00:15:20

Kooothor
Member
From: Paname
Registered: 2008-08-02
Posts: 226

Re: [solved] Unknown and numerous connections showing on iftop

cfr wrote:

Why do you think it is DNS related? (Feel free not to answer this question - I'm just interested.)

Because some server names had dns in them. And one was root-servers.net, which is a root server for DNS. Also, see the edit of my previous post. And thanks for trying to help me btw.

EDIT: connections are back without dhcpcd running and with a static IP address config

Last edited by Kooothor (2013-07-03 00:18:37)



#8 2013-07-03 00:19:19

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: [solved] Unknown and numerous connections showing on iftop

Please show a screenshot of iftop with ports shown ("p" key).


#9 2013-07-03 00:26:22

Kooothor
Member
From: Paname
Registered: 2008-08-02
Posts: 226

Re: [solved] Unknown and numerous connections showing on iftop

http://i.imgur.com/piV2Sn7.jpg
http://i.imgur.com/ZX6zfnh.jpg

It seems a lot of them are :domain.

Last edited by Kooothor (2013-07-03 00:27:33)



#10 2013-07-03 00:36:57

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: [solved] Unknown and numerous connections showing on iftop

Please run "tcpdump -vv" till you get a sizable output and show it to us.


#11 2013-07-03 00:42:33

Kooothor
Member
From: Paname
Registered: 2008-08-02
Posts: 226

Re: [solved] Unknown and numerous connections showing on iftop

Thanks lucke for trying to troubleshoot my problem.

Here is the tcpdump output: http://pastebin.com/T6dsXbMj
Looks like UDP requests.

BTW: this is only 10 secs of sniffing!

Last edited by Kooothor (2013-07-03 00:47:52)



#12 2013-07-03 01:30:40

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: [solved] Unknown and numerous connections showing on iftop

It looks to me as if the net thought you were a DNS server, and your computer was responding "I am not". Setting up a firewall and dropping (udp) packets on port 53 should help, at least when it comes to eating your upload.

http://dnsamplificationattacks.blogspot … tasia.html


#13 2013-07-03 01:38:03

Kooothor
Member
From: Paname
Registered: 2008-08-02
Posts: 226

Re: [solved] Unknown and numerous connections showing on iftop

Yeah I browsed this page too.
The weird thing is that I should sit behind a firewall (from my internet box), not forwarding anything to this computer directly.
And by using iptables, DROP on udp on INPUT, I was able to stop the transmitted flux, so that's good.
But I can't manage to DROP the incoming flux! (with iptables -I {OUTPUT,FORWARD} -p udp -j DROP).
Even with iptables configured like: DROP ALL THE THINGS FROM ANYWHERE GOING TO ANYWHERE (tcp, udp), I still have this traffic.

So yes, I think you are right, the web thinks I'm a DNS server.

/me going to bed.

Last edited by Kooothor (2013-07-03 01:51:36)



#14 2013-07-03 02:00:36

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: [solved] Unknown and numerous connections showing on iftop

Well, you can drop the incoming packets, as in not respond to them. You can't stop them from coming.

Those DNS amplification attacks seem to be a different beast, but at least the same domain is somehow involved.

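To make the point of posts #13 and #14 concrete (INPUT rules stop the host's replies, OUTPUT/FORWARD rules never see inbound packets, and no host-side rule reduces what arrives on the wire), here is an added example that is not part of the thread and not code posted by anyone in it. It replays a constructed, tcpdump-like capture through a tiny model of the netfilter INPUT/OUTPUT/FORWARD chains. Everything in it is an assumption for illustration: the host address 192.0.2.10, the router's resolver at 192.0.2.1, the remote query sources, the packet sizes, and the simplification that every accepted query to port 53 gets a same-sized reply (such as REFUSED) and that the host's own lookup gets an answer 20 bytes larger. The example also goes slightly beyond the thread by contrasting a blanket "drop all inbound UDP" rule with one restricted to destination port 53.

```python
"""Model of which netfilter chain each packet hits, seeded with a constructed
tcpdump-style capture, to show why an INPUT rule silences the DNS replies
while nothing on the host stops the inbound queries from arriving."""
import re
from collections import deque, namedtuple

OUR_IP = "192.0.2.10"   # hypothetical LAN address of the DMZ host (assumption)
HEADERS = 28            # IPv4 (20) + UDP (8) header bytes on top of the DNS payload

# Constructed sample, loosely modelled on tcpdump's one-line DNS output.
# Lines 1-3 and 5: unsolicited queries from the Internet to our port 53.
# Line 4: the host's own lookup against the router's resolver (192.0.2.1).
SAMPLE_CAPTURE = """\
IP 203.0.113.5.51234 > 192.0.2.10.53: 48879+ ANY? example.com. (25)
IP 198.51.100.77.4000 > 192.0.2.10.53: 1001+ ANY? example.net. (26)
IP 203.0.113.5.51234 > 192.0.2.10.53: 48880+ ANY? example.com. (25)
IP 192.0.2.10.41000 > 192.0.2.1.53: 7+ A? archlinux.org. (31)
IP 198.51.100.77.4000 > 192.0.2.10.53: 1002+ ANY? example.net. (26)
"""

LINE_RE = re.compile(
    r"^IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): .*\((\d+)\)$")
Packet = namedtuple("Packet", "src sport dst dport size")
Rule = namedtuple("Rule", "chain dport action")   # dport None matches any UDP port


def parse_capture(text):
    """Turn the capture lines into Packet tuples (size = payload + headers)."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, sport, dst, dport, payload = m.groups()
            packets.append(Packet(src, int(sport), dst, int(dport),
                                  int(payload) + HEADERS))
    return packets


def chain_for(pkt):
    """Packets addressed to us hit INPUT, packets we send hit OUTPUT;
    FORWARD only sees traffic routed *through* the host, never its own."""
    if pkt.dst == OUR_IP:
        return "INPUT"
    if pkt.src == OUR_IP:
        return "OUTPUT"
    return "FORWARD"


def verdict(chain, pkt, rules):
    """First matching rule in the chain decides; default policy is ACCEPT."""
    for rule in rules:
        if rule.chain == chain and rule.dport in (None, pkt.dport):
            return rule.action
    return "ACCEPT"


def simulate(capture, rules):
    """Replay the capture through the rule set and return traffic counters."""
    stats = {"bytes_in": 0, "bytes_out": 0, "replies_sent": 0,
             "answers_received": 0, "dropped_input": 0}
    queue = deque(parse_capture(capture))
    while queue:
        pkt = queue.popleft()
        chain = chain_for(pkt)
        if chain == "INPUT":
            stats["bytes_in"] += pkt.size      # on the wire whatever the rules say
            if verdict(chain, pkt, rules) == "DROP":
                stats["dropped_input"] += 1
                continue
            if pkt.dport == 53:
                # An accepted query gets an answer (assumed same size, e.g.
                # REFUSED); that reply then traverses OUTPUT.
                queue.append(Packet(OUR_IP, 53, pkt.src, pkt.sport, pkt.size))
            elif pkt.sport == 53:
                stats["answers_received"] += 1  # answer to one of our own lookups
        elif chain == "OUTPUT":
            if verdict(chain, pkt, rules) == "DROP":
                continue
            stats["bytes_out"] += pkt.size
            if pkt.sport == 53:
                stats["replies_sent"] += 1
            elif pkt.dport == 53:
                # The upstream resolver answers our lookup; its answer arrives
                # at our ephemeral port and traverses INPUT (assumed +20 bytes).
                queue.append(Packet(pkt.dst, 53, OUR_IP, pkt.sport, pkt.size + 20))
    return stats


# The rule sets tried in the thread, plus the narrow one to prefer.
NO_RULES = []
DROP_OUTPUT_FORWARD_UDP = [Rule("OUTPUT", None, "DROP"),   # iptables -I OUTPUT -p udp -j DROP
                           Rule("FORWARD", None, "DROP")]  # iptables -I FORWARD -p udp -j DROP
DROP_INPUT_UDP = [Rule("INPUT", None, "DROP")]             # iptables -I INPUT -p udp -j DROP
DROP_INPUT_DNS = [Rule("INPUT", 53, "DROP")]               # iptables -I INPUT -p udp --dport 53 -j DROP

if __name__ == "__main__":
    for name, rules in [("no rules", NO_RULES),
                        ("OUTPUT/FORWARD udp DROP", DROP_OUTPUT_FORWARD_UDP),
                        ("INPUT udp DROP", DROP_INPUT_UDP),
                        ("INPUT udp/53 DROP", DROP_INPUT_DNS)]:
        print(f"{name:24} {simulate(SAMPLE_CAPTURE, rules)}")
```

Reading the counters: `bytes_in` stays the same under every rule set (the queries are already on the link before netfilter sees them), the OUTPUT/FORWARD rules leave `dropped_input` at zero because inbound packets never traverse those chains, and both INPUT variants bring `replies_sent` to zero. The difference between them is `answers_received`: dropping all inbound UDP on INPUT also discards the answers to the host's own lookups (they arrive from source port 53 at an ephemeral destination port), so the real-world rule worth using is `iptables -I INPUT -p udp --dport 53 -j DROP`. Cutting the inbound volume itself is only possible upstream, which is what taking the machine out of the router's DMZ achieves.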

#15 2013-07-03 16:42:14

Kooothor
Member
From: Paname
Registered: 2008-08-02
Posts: 226

Re: [solved] Unknown and numerous connections showing on iftop

OK, so just for posterity:

My main computer was in the DMZ, so my router was forwarding all the UDP packets (DNS requests) to my computer, and it was eating all my bandwidth.
Removing my computer from the DMZ solved the problem.

Now, as to why my home address was receiving zillions of DNS requests, I have no idea...



Powered by FluxBB