My bandwidth usage is too high!

Hi,

I've been notified by the excellent Linode warning service (thank you very much for it!) that the bandwidth on one of my Linodes is really high, especially in the last few hours.

On this Linode I have just an email server, behind a firewall (Shorewall). I'm seeing 5 Mb/sec, which is way too much for this service.

I cannot see any service listening to a strange port. I can't see any log file growing more than usual. The disk space usage is normal.

Any idea how I can find out what is happening with my traffic? Is it possible that it is just spam? At this rate, I will have to stop it before I reach the monthly limit.

Thank you very much for any help you can provide.

Note: all the traffic is incoming.

9 Replies

Use tcpdump to monitor the incoming traffic (it filters out ssh):

tcpdump -i eth0 -n not port 22

Thanks. After stopping all the services, I ran it and saw a lot of traffic on port 25, which I strongly believe is not normal traffic, and the bandwidth usage was still high.

The computer is now shut down, and I opened a support ticket. Hopefully I will get an answer soon.

Port 25 is SMTP (email).

Are you sure you're not running an open relay, and spammers are relaying through you? Are you sure you're not just seeing a large volume of incoming email?

He does say the traffic is all incoming, but it still could be spam attempts, if he's rejecting the emails after SMTP time. In fact, I wonder if the spam is being queued on the server (along with, perhaps, the bounce messages).

Thanks for the comments. AFAIK, I'm not running an open relay. At least some tests like http://verify.abuse.net/cgi-bin/relaytest say I am not.

Looking at the mail logs, I can see a "normal" amount of spam attempts. That is, I get a logged SMTP connection every 5 seconds, or even further apart.

And…

root@ffh2:/var/spool/postfix# postqueue -p

Mail queue is empty

But now I don't know if it is running against SMTP anymore. I'm seeing strange things. For example, from tcpdump:

10:53:09.072144 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43239758:43304918(65160) ack 1697 win 61
10:53:09.119718 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43370078:43435238(65160) ack 1697 win 61
10:53:09.120282 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43500398:43565558(65160) ack 1697 win 61
10:53:09.121022 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43565558:43630718(65160) ack 1697 win 61
10:53:09.121639 IP 192.168.134.122.mysql > 192.168.133.68.39696: P 43630718:43695878(65160) ack 1697 win 61
10:53:09.169717 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43761038:43826198(65160) ack 1697 win 61
10:53:09.170241 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43891358:43956518(65160) ack 1697 win 61
10:53:09.170910 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43956518:44021678(65160) ack 1697 win 61
10:53:09.171509 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44021678:44086838(65160) ack 1697 win 61
10:53:09.171903 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44086838:44151998(65160) ack 1697 win 61
10:53:09.219871 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44151998:44217158(65160) ack 1697 win 61
10:53:09.220474 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44282318:44347478(65160) ack 1697 win 61
10:53:09.221134 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44347478:44412638(65160) ack 1697 win 61
10:53:09.221863 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44412638:44477798(65160) ack 1697 win 61
10:53:09.269265 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44542958:44573366(30408) ack 1697 win 61

Who are those 192.168.x.x? They are not me, as far as I understand. Why do I capture this traffic with tcpdump?

I had my server off for more than 16 hours, and as soon as I boot it, the traffic is there.

Any idea?
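When tcpdump scrolls past this fast it is hard to see which flow is actually responsible for the bandwidth. The following script is an added example (not code from the thread or from Linode): it parses lines in the text format tcpdump prints for TCP segments, adds up the payload length shown in parentheses per flow and per destination port, and flags sources in RFC 1918 space, which are not routable from the public Internet. The sample capture embedded in it is constructed: the first three lines copy the shape of the mysql lines in the post above, the last two are made-up SMTP lines using RFC 5737 documentation addresses.

```python
"""Summarise a tcpdump text capture by flow and destination port.

Added example, not from the thread: it parses the text tcpdump prints for TCP
segments and adds up the payload length in parentheses, so the flow that is
eating the bandwidth stands out instead of scrolling past.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample capture: three lines shaped like the mysql -> 39696 lines
# from the post, plus two made-up SMTP lines using RFC 5737 documentation
# addresses (203.0.113.5, 198.51.100.9).
SAMPLE_CAPTURE = """\
10:53:09.072144 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43239758:43304918(65160) ack 1697 win 61
10:53:09.119718 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43370078:43435238(65160) ack 1697 win 61
10:53:09.269265 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44542958:44573366(30408) ack 1697 win 61
10:53:10.000001 IP 203.0.113.5.51234 > 198.51.100.9.smtp: S 0:0(0) win 5840
10:53:10.500000 IP 203.0.113.5.51234 > 198.51.100.9.smtp: P 1:120(119) ack 1 win 5840
"""

# timestamp, "IP", src > dst, TCP flags, optional seq range, (payload length)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>\S+) (?:\d+:\d+)?\((?P<plen>\d+)\)"
)

# RFC 1918 private ranges, listed explicitly rather than via is_private so the
# documentation ranges in the sample are not swept up as well.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_endpoint(endpoint):
    """'192.168.134.122.mysql' -> ('192.168.134.122', 'mysql').

    tcpdump prints the port (or service name, unless -nn is used) after the
    last dot of an IPv4 endpoint.
    """
    host, port = endpoint.rsplit(".", 1)
    return host, port


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def parse_capture(text):
    """Return one dict per TCP segment line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP lines, truncated lines, tcpdump banner, etc.
        src_host, src_port = split_endpoint(m.group("src"))
        dst_host, dst_port = split_endpoint(m.group("dst"))
        records.append({
            "ts": m.group("ts"),
            "src": src_host, "src_port": src_port,
            "dst": dst_host, "dst_port": dst_port,
            "flags": m.group("flags"),
            "plen": int(m.group("plen")),
        })
    return records


def summarize(text):
    """Aggregate payload bytes per (src, dst, dst_port) flow and per destination port."""
    records = parse_capture(text)
    per_flow = defaultdict(int)
    per_dst_port = defaultdict(int)
    for r in records:
        per_flow[(r["src"], r["dst"], r["dst_port"])] += r["plen"]
        per_dst_port[r["dst_port"]] += r["plen"]
    flows = sorted(per_flow.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "segments": len(records),
        "per_dst_port": dict(per_dst_port),
        "flows": [
            {"src": s, "dst": d, "dst_port": p, "bytes": b, "src_rfc1918": is_rfc1918(s)}
            for (s, d, p), b in flows
        ],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_CAPTURE)
    print(f"{report['segments']} TCP segments parsed")
    for f in report["flows"]:
        tag = "  (RFC 1918 source: not reachable from the public Internet)" if f["src_rfc1918"] else ""
        print(f"{f['src']} -> {f['dst']}:{f['dst_port']}  {f['bytes']} bytes{tag}")
```

To use it on a live box, capture to a file first (for example `tcpdump -i eth0 -nn not port 22 > capture.txt`; `-nn` keeps ports numeric so service names like `mysql` do not need a lookup) and pass the file's contents to `summarize`. The per-port totals tell you at once whether port 25 is really the heavy hitter, and the RFC 1918 flag makes a flow like the 192.168.x.x one above stand out as something that cannot be ordinary Internet traffic to the server.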

Have you used netstat to check ports? As root:

netstat -tp

James

Yes, and nothing unusual. In fact, yesterday I stopped all the services, and traffic was still high.

On the IRC, it seems I am not the only one suffering from this, and it might be a problem in the datacenter.

ferfer, I spoke to you on IRC this morning. I've had a response to my support ticket; apparently the problem is with "bandwidth stat collection on newark42".

They've said we won't be charged for bandwidth over-use this month as it's a technical fault.

I only went and installed Shorewall as soon as I saw my stats! Ah well, I've been meaning to do it for a while anyway!

Yes, they did the same for my ticket. And for the last ~4 hours everything seems to be ok.

I already had Shorewall installed, so I felt pretty confident. And my spam rate, although it is high for my taste, was not so high as to justify that incoming bandwidth.

Anyway, I feel more relaxed now. Hope they can fix it completely soon.
