Excessive transfer usage
I just got a 64 MB Linode yesterday, and in just about 24 hours, I've seemed to generate…
Incoming: 1.55 GB
Outgoing: 1.34 GB
Total: 2.90 GB
…of transfer. It's 12% of my monthly allowance. All I've done is set a Gentoo install, trash it, and set up a Debian install. And get SSH working… didn't start using the server yet or cofigure any services. How on earth could I have used up all that bandwidth? Or am I getting that many port scans…?
/puzzled
ged
14 Replies
caker
Linode Staff
BTW, for Debian: apt-get install iptraf tcpdump
-Chris
I did a quick dump and found that most of the traffic that's hitting me is requests to open the IRC port. I don't have an ircd and the port's closed, but I'm still getting a ton of them. I kind of expect port scans but I wasn't expecting that.
Anyone have an idea what I could do?
@ged:
I just got a 64 MB Linode yesterday, and in just about 24 hours, I've seemed to generate…
Incoming: 1.55 GB
Outgoing: 1.34 GB
Total: 2.90 GB
…of transfer.
@ged:Thanks caker. Turning on the firewall is a good idea as well.
I'm still having a lot of my bandwidth burned up though. I did a quick dump and found that most of the traffic that's hitting me is requests to open the IRC port. I don't have an ircd and the port's closed, but I'm still getting a ton of them. I kind of expect port scans but I wasn't expecting that.
http://gednet.com/ip_traffic-2.log Anyone have an idea what I could do?
The packets coming in on 6667 are one thing, but if they're not connecting, how much can they total? Looking at the log, the packets to 6667 are 48 bytes each.
What is going out in 24 hours that added up to 1.34 GB? grep the log for the outgoing.
About the incoming: if you did two installs, that's likely to be a big chunk of your total incoming (1.55 GB), no? Gentoo is 800 MB itself.
@fieschko:
The packets coming in on 6667 are one thing, but if they're not connecting, how much can they total? Looking at the log, the packets to 6667 are 48 bytes each.
What is going out in 24 hours that added up to 1.34 GB? grep the log for the outgoing.
Good point, the numbers just don't add up. I'll run a trace for a while and try to see what's what.
@fieschko:
About the incoming: if you did two installs, that's likely to be a big chunk of your total incoming (1.55 GB), no? Gentoo is 800 MB itself. Also a good point; that's the first thing I thought of. I did a Gentoo install @ 800 MB and then a Debian at 80 MB, plus maybe about ~120mb worth of installs to the deb box (apache, php, etc.)
I'll run some dumps for a while.
@ged:
I'll run a trace for a while and try to see what's what.
I did a Gentoo install @ 800 MB and then a Debian at 80 MB, plus maybe about ~120mb worth of installs to the deb box (apache, php, etc.)
I'll run some dumps for a while.
Or, watch in realtime: doiptraf -fin an ssh session, select 'Statistical breakdown – by port'
Sat Jun 26 22:29:58 2004; UDP; eth0; 208 bytes; from host9.linode.com:53 to li4-153.members.linode.com:2060
Sat Jun 26 22:29:58 2004; UDP; eth0; 71 bytes; from li4-153.members.linode.com:2061 to host9.linode.com:53
Transfers within the datacenter aren't supposed to count against your bandwidth so I'm not sure if this is the primary issue, but I looked at 1 second of your log and of 104 packets, 58 were to or from host9.
The data from the host looks like DNS since the host port is 53
After taking a look at the IPs for the linode and the host they do appear to be on different subnets. So that may be where some of the bandwidth usage is coming from
Adam
I've run another one w/name lookup off and hope to get something more meaningful out of it.
@fieschko:
Or, watch in realtime: do
iptraf -fin an ssh session, select 'Statistical breakdown – by port'
Done. I ran stats by port for about 40 minutes today.
I'm at a loss… I had about 1.7 MB/min of IRC connect attempts. If that's average, then that would add up to about 2.4 GB per day (72 GB per month!) in transfer. Wheeeeeeee
If anyone is curious (or thinks I'm nuts), here's the stats dumphere's the top 20 list
Must've been an irc service on this IP before I guess.
It's all 48 byte requests, with a 40 byte reply back from my machine. Even if I figure out how to not reply (I'm still learning) I'm going to be looking at about a GB of traffic a day.
I'm assuming that out of the box Debian won't act as any kind of irc relay, right? I don't know squat about ircd.
Chris - any ideas? Would Linode be willing to give me a different IP? Assuming folks out there notice they're not connecting, I hope it should die down in a few weeks (?) and the IP would be useable again.
ged
Adam
caker
Linode Staff
@ged:
Chris - any ideas? Would Linode be willing to give me a different IP? Assuming folks out there notice they're not connecting, I hope it should die down in a few weeks (?) and the IP would be useable again.
Absolutely. Shoot me a support ticket. I think this IP was mentioned by someone else as having excessive traffic, so perhaps I'll quarantine it for a while.
-Chris
@ged:
It's all 48 byte requests, with a 40 byte reply back from my machine. Even if I figure out how to not reply (I'm still learning) I'm going to be looking at about a GB of traffic a day.
ged
With portsentry it's simple to create an iptables INPUT rule to DROP on 6667, log the offending ip and then to ignore all connection attempts from that ip.
@caker:
Shoot me a support ticket.
Done!
@fieschko:
With portsentry it's simple to create an iptables INPUT rule to DROP on 6667, log the offending ip and then to ignore all connection attempts from that ip.
Thanks for the tip fieschko… I'll check it out.
Thanks for the support everyone
@caker:
"iptraf" and "tcpdump" are your friends
:)
ntop is much better, in regards that it reports to you via a web interface. there are a lot of reports, you can even drill down to specific protocol (pop3, http, dns, etc). I can't believe I never heard this awesome utility before….
For debian users, it's apt-get install ntop, then you can see the report straight away via
Nifty.
edit:
see mine here -
cheers, HS