EDIT: PROBLEM SOLVED : computer was in DMZ and receiving lots of DNS requests for an unknown reason...
Last edited by Kooothor (2013-07-03 16:43:13)
ktr
Offline
When you say "a very very fresh install", what do you mean exactly? Did you restore anything from backup? What's installed?
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
When you say "a very very fresh install", what do you mean exactly? Did you restore anything from backup? What's installed?
Installed it today. I only restored my firefox profile and some .dotfiles (vimrc, zshrc, tmux.conf, .Xdefaults).
The more I investigate, the more I think it's DNS related... But why connect to so many different servers? And why so much bandwidth, and just after boot!
Last edited by Kooothor (2013-07-03 00:05:23)
ktr
Offline
Did you test before you started to restore things?
Offline
Not really, no (yeah I know, big error). But I think we can safely rule out the malware idea. And after boot I have basically nothing running except dhcp. So I'm gonna search this way.
EDIT: when I stop dhcpcd, I don't have these connections anymore \o/
I'll try using a static IP config.
Last edited by Kooothor (2013-07-03 00:14:08)
ktr
Offline
Why do you think it is DNS related? (Feel free not to answer this question - I'm just interested.)
Offline
Why do you think it is DNS related? (Feel free not to answer this question - I'm just interested.)
Because some server names had dns in them. And one was root-servers.net which is a root server for dns. Also, see edit of previous post. And thanks for trying to help me btw.
EDIT: connections are back without dhcpcd running and with static IP address config
Last edited by Kooothor (2013-07-03 00:18:37)
ktr
Offline
Please show a screenshot of iftop with ports shown ("p" key).
Offline
http://i.imgur.com/piV2Sn7.jpg
http://i.imgur.com/ZX6zfnh.jpg
It seems a lot of them are :domain.
Last edited by Kooothor (2013-07-03 00:27:33)
ktr
Offline
Please run "tcpdump -vv" till you get a sizable output and show it to us.
Offline
Thanks lucke for trying to troubleshoot my problem.
Here is the tcpdump output: http://pastebin.com/T6dsXbMj
Looks like UDP requests.
BTW: this is only 10 secs of sniffing!
Last edited by Kooothor (2013-07-03 00:47:52)
ktr
Offline
It looks to me as if the net thought you were a DNS server, and your computer was responding "I am not". Setting up a firewall and dropping (udp) packets on port 53 should help, at least when it comes to eating your upload.
Offline
Yeah I browsed this page too.
The weird thing is that I should sit behind a firewall (from my internet box), not forwarding anything to this computer directly.
And by using iptables, DROP on udp on INPUT, I was able to stop the transmitted flux, so that's good.
But I can't manage to DROP the incoming flux (with iptables -I {OUTPUT,FORWARD} -p udp -j DROP)!
Even with iptables configured like : DROP ALL THE THINGS FROM ANYWHERE GOING TO ANYWHERE (tcp, udp), I still have this traffic.
So yes, I think you are right, the web thinks I'm a DNS server.
/me going to bed.
Last edited by Kooothor (2013-07-03 01:51:36)
ktr
Offline
Well, you can drop the incoming packets, as in not respond to them. You can't stop them from coming.
Those DNS amplification attacks seem to be a different beast, but at least the same domain is somehow involved.
Offline
OK, so just for posterity:
My main computer was in DMZ, so my router was forwarding all the UDP packets (DNS requests) to my computer, and it was eating all my bandwidth.
Removing my computer from the DMZ solved the problem.
Now, as to why my home address was receiving zillions of DNS requests, I have no idea...
ktr
Offline
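To make the diagnosis in this thread repeatable (the host answering unsolicited port-53 queries with "I am not a DNS server", as lucke described, and the DMZ forwarding in the final post), here is an added example, not code from the thread: a small parser over tcpdump output that separates unsolicited inbound DNS queries and the host's ICMP port-unreachable replies from the host's own resolver lookups. It assumes tcpdump's default one-line format with numeric output (`tcpdump -n`, not the multi-line `-vv` form), and the sample capture and addresses below are constructed.

```python
import re
from collections import Counter

# Constructed sample (not the thread's pastebin). 192.0.2.5 plays the DMZ host,
# 192.0.2.1 its real resolver; the other addresses are documentation ranges.
SAMPLE = """\
00:41:12.100000 IP 203.0.113.10.53425 > 192.0.2.5.53: 4123+ ANY? isc.org. (25)
00:41:12.100200 IP 192.0.2.5 > 203.0.113.10: ICMP 192.0.2.5 udp port 53 unreachable, length 61
00:41:12.300000 IP 198.51.100.7.40001 > 192.0.2.5.53: 9 A? www.example.com. (33)
00:41:12.300150 IP 192.0.2.5 > 198.51.100.7: ICMP 192.0.2.5 udp port 53 unreachable, length 69
00:41:12.500000 IP 203.0.113.10.53425 > 192.0.2.5.53: 4124+ ANY? isc.org. (25)
00:41:12.500200 IP 192.0.2.5 > 203.0.113.10: ICMP 192.0.2.5 udp port 53 unreachable, length 61
00:41:13.000000 IP 192.0.2.5.51000 > 192.0.2.1.53: 7+ A? archlinux.org. (31)
00:41:13.020000 IP 192.0.2.1.53 > 192.0.2.5.51000: 7 1/0/0 A 192.0.2.99 (47)
"""

UDP_RE = re.compile(r"^(\d+:\d+:\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")
ICMP_RE = re.compile(r"^(\d+:\d+:\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP \S+ udp port (\d+) unreachable")

def _secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyze(text, host):
    inbound = Counter()   # source IP -> queries aimed at host:53 (nothing listens there)
    unreachable = 0       # host's ICMP "udp port 53 unreachable" replies
    own_queries = 0       # host's own lookups to a resolver, for comparison
    times = []
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, src, sport, dst, dport, payload = m.groups()
            times.append(_secs(ts))
            # tcpdump prints "A?"/"ANY?" for queries; answers show counts like 1/0/0
            if dst == host and dport == "53" and "?" in payload:
                inbound[src] += 1
            elif src == host and dport == "53" and "?" in payload:
                own_queries += 1
            continue
        m = ICMP_RE.match(line)
        if m and m.group(2) == host and m.group(4) == "53":
            unreachable += 1
    span = max(times) - min(times) if len(times) > 1 else 0.0
    total = sum(inbound.values())
    return {
        "inbound_queries": total,
        "unique_sources": len(inbound),
        "top_sources": inbound.most_common(3),
        "unreachable_replies": unreachable,
        "own_queries": own_queries,
        "queries_per_second": total / span if span else float(total),
        # Unsolicited queries outnumber the host's own and it keeps answering them:
        # the host is reachable on UDP/53 from the outside (DMZ or port forward).
        "unsolicited_dns": total > own_queries and unreachable > 0,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE, "192.0.2.5").items():
        print(f"{key}: {value}")
```

Dropping inbound UDP/53 in iptables stops the ICMP replies (the upload in the thread) but, as noted above, not the forwarded queries themselves; only removing the host from the DMZ does that.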