Incoming traffic load very high, help needed.

Hi,

First I want to say thanks to everyone at Linode. I've been using the service for over a year and I love it!

Now to my problem:

February is only three days old, and already I have incoming traffic accumulated at 2.16 GB, and peaks of sustained incoming traffic at over 1 Mbit/second. (Accumulated bandwidth out is only 42 MB!)

I first suspected an SSH brute force-type attack so I changed from the standard port 22 to a new one (I checked auth.log and there were a lot of different "Invalid user").

However, since I did that there seems to have been an increase in incoming traffic. The only other things I have accessible over the network are Apache (port 80) and proftpd (port 21). I can't really restrict access to Apache I guess, and the proftpd logs show no signs of any failed login attempts.

Any suggestions as to what I can do to fix this? It's eating up bandwidth that I pay for…

13 Replies

Use a program like iptraf to see what kind of traffic is going in/out.

I am having the same problem, and put in a support ticket. I have used over 13gig of incoming bandwidth in the past 3 days and less than 500mb outgoing.

If it does turn out to be apache traffic or similar that is being abused, you can do some (very) rudimentary rate-limiting:

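# Accept HTTP/HTTPS packets while the rate limit still has credit
-A INPUT -m limit --limit 24/second --limit-burst 32 -p tcp -m multiport --dports http,https -j ACCEPT
# Drop HTTP/HTTPS packets that did not match the limit rule above
-A INPUT -p tcp -m multiport --dports http,https -j DROP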

You might need to tweak the numbers, but basically this will allow any 1 host to make 24 connections per second on port 80/443, and burst to 32/sec. Anything over that will be discarded.
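An added example (not code from the thread): a simplified integer token-bucket model of the iptables `limit` match, run over a constructed one-second trace. It compares one bucket shared by every packet the rule sees with one bucket per source address, which is what the `hashlimit` match keeps in `srcip` mode. The addresses, packet rates and function names are assumptions made for the illustration.

```python
from collections import defaultdict

RATE = 24    # --limit 24/second
BURST = 32   # --limit-burst 32
COST = 1000  # one packet costs 1000 milli-tokens (integers avoid float drift)


class Bucket:
    """Token bucket: starts full, refills at RATE tokens/s, capped at BURST."""

    def __init__(self):
        self.credit = BURST * COST
        self.last_ms = 0

    def allow(self, now_ms):
        # RATE tokens per second equals RATE milli-tokens per millisecond.
        gained = (now_ms - self.last_ms) * RATE
        self.credit = min(BURST * COST, self.credit + gained)
        self.last_ms = now_ms
        if self.credit >= COST:
            self.credit -= COST
            return True    # packet matches the limit rule: ACCEPT
        return False       # no match: falls through to the DROP rule


def simulate(packets, per_source):
    """packets: (time_ms, src) tuples. Returns accepted packets per source."""
    shared = Bucket()
    by_source = defaultdict(Bucket)
    accepted = defaultdict(int)
    for now_ms, src in sorted(packets):
        bucket = by_source[src] if per_source else shared
        if bucket.allow(now_ms):
            accepted[src] += 1
    return dict(accepted)


def sample_trace():
    """Constructed one-second trace (documentation addresses)."""
    noisy = [(2 * i, "198.51.100.7") for i in range(500)]          # 500 packets/s
    normal = [(51 + 100 * i, "203.0.113.20") for i in range(10)]   # 10 packets/s
    return noisy + normal


if __name__ == "__main__":
    print("one shared bucket: ", simulate(sample_trace(), per_source=False))
    print("bucket per source: ", simulate(sample_trace(), per_source=True))
```

With the shared bucket the normal client gets 1 of its 10 packets through; with a bucket per source it gets all 10 while the noisy source is still held to the limit.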

When I run iftop it seems that only two IP addresses are involved in the larger chunks of data transfer:

192.168.133.77:mysql to 192.168.133.75:random port

However, in my PHP scripts I connect to mysql over localhost and my mysql server is configured to only accept connections on localhost.

Is the data I send over the localhost connection counted as incoming traffic to the server all of a sudden?

My accumulated incoming bandwidth is now 2.55 GB which is about 4% of my monthly allotment.

192.168.. should be a private IP address (inside the Linode datacenter you're in) and the traffic shouldn't count towards your monthly allowance.

Nevertheless, you should find out why that guy is connecting to your DB (or trying to).

Why not open a support ticket and have the ops find out who that IP belongs to and figure out what's going on?

My issue was due to a bug. It looks like they patched XEN last night. I have used 5+gb of bandwidth per day, all month till today. Now I am back to normal, maybe 500mb if I'm lucky.

@bes:

When I run iftop it seems that only two IP addresses are involved in the larger chunks of data transfer:

192.168.133.77:mysql to 192.168.133.75:random port

I just started getting these today, opening support ticket now.

James

What data center are you guys in?

I don't see anything like this but I don't have a mysql open (esp. not with a port open to the outside)

My datacenter is in Dallas.

I'm in Dallas and I have the same issue. A steady incoming stream of about 20K for the last 24+ hours.

Jeff

I'm in Newark… although it seems that now the data rate has gone back to normal… did they fix anything?

Still the same in Dallas…. 2120 CST 2/6/09

A constant 20K rate is coming from:

li40-20.members.linode.com

dalapp1.careerliason.com

It has been going on for over 24 hours.

Looks like the source is someone with a linode.

fos
