Strange traffic on my node.
I've been getting traffic like this from iptraf all day:
UDP (168 bytes) from 64.22.109.153:17500 to 255.255.255.255:17500 (src HWaddr fefd40166d
UDP (168 bytes) from 64.22.109.153:17500 to 64.22.109.255:17500 (src HWaddr fefd40166d99
UDP (168 bytes) from 64.22.109.153:17500 to 255.255.255.255:17500 (src HWaddr fefd40166d
UDP (168 bytes) from 64.22.109.153:17500 to 64.22.109.255:17500 (src HWaddr fefd40166d99
UDP (168 bytes) from 64.22.109.153:17500 to 255.255.255.255:17500 (src HWaddr fefd40166d
UDP (168 bytes) from 64.22.109.153:17500 to 64.22.109.255:17500
Problem is, none of these are my IP addresses!
Has anybody ever seen traffic on their node where the originator/recipient of data weren't even on your Linode-assigned IPs? If so, could you shed some light on the mystery?
Thanks!
7 Replies
Note that this data is being sent to the broadcast address (.255) which means every host on your subnet is getting it. Some other linode is sending this data to everyone – that is where it is coming from.
Note that you also posted the IP of the source host, so..
Dropbox
So, the traffic's probably harmless. I'd ignore it.
@hoopycat:
That's Dropbox, a file storage/synchronization system. If the "Enable LAN Sync" option in the client is set, it will try to sync with other friendly clients on the same IP subnet to cut down on WAN traffic. This is handy if you have a desktop machine and a laptop, but is relatively pointless on a Linode. So, the traffic's probably harmless. I'd ignore it.
Not really, LAN sync over the private network would save you bandwidth if you have multiple linodes syncing to dropbox.
We used to use dropbox to back up our web root on our linode, but the lack of one-way sync made it problematic; now we just do nightly rsyncs and incremental backups on the result.
I wonder if there's any way I could block all of this without breaking something.
@A32:
It's still bugging me, though :-)
This is part of being connected to the Internet…and, we all have to get used to it. I allegedly get 250 GB of transfer from Comcast, but 9-10GB of that a month is burnt on ARP for other systems and junk that isn't for me, including SSH scans, vulnerability checks, and so forth.
The only thing you truly have control over is your own system, not anyone else's -- this is the key to becoming enlightened as a sysadmin. Deal with the traffic when it arrives, and don't let it bother you. You'll feel a lot better when you stop worrying about it.
Before someone says bandwidth quota!:
@Google:
((168 bytes) / (30 seconds)) * 31 days = 14.3041992 megabytes
@A32:
I wonder if there's any way I could block all of this without breaking something.
Why, so that it doesn't log? Sure:
iptables -I INPUT # -s 64.22.109.153 -p udp --dport 17500 -j DROP
What number to replace the "#" with is left as an exercise for the reader, since I don't know your firewall configuration. Read iptables(8). If you use ufw or Shorewall or something, don't use this – use it instead.
@A32:
I wonder if there's any way I could block all of this without breaking something.
If all you are worried about is seeing it in iptraf, you can go into the "Filters…" submenu and set up an "IP…" filter rule.
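Added example, not part of the original thread: the replies explain that the packets are addressed to broadcast addresses, so every host on the subnet receives them. This Python script parses lines in the shape of the iptraf output above and totals broadcast bytes per sender and port. The /24 prefix is an assumption inferred from the 64.22.109.255 destination, the function names are hypothetical, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the iptraf lines quoted in the thread.
# The last line (unicast to a made-up host) is there to show it is ignored.
SAMPLE = """\
UDP (168 bytes) from 64.22.109.153:17500 to 255.255.255.255:17500
UDP (168 bytes) from 64.22.109.153:17500 to 64.22.109.255:17500
UDP (168 bytes) from 64.22.109.153:17500 to 255.255.255.255:17500
UDP (90 bytes) from 192.0.2.7:40000 to 64.22.109.20:53
"""

LINE_RE = re.compile(
    r"(?P<proto>UDP|TCP) \((?P<size>\d+) bytes\) from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def classify_destination(dst, network):
    """Return how a destination address is delivered on the given subnet."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"      # all hosts on the local segment
    if addr == network.broadcast_address:
        return "directed-broadcast"     # all hosts in this subnet
    return "unicast"


def summarize_broadcasts(text, cidr):
    """Total broadcast bytes per (source IP, protocol, destination port)."""
    network = ipaddress.ip_network(cidr)
    talkers = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                    # skip lines that are not packet records
        if classify_destination(m["dst"], network) != "unicast":
            talkers[(m["src"], m["proto"], int(m["dport"]))] += int(m["size"])
    return talkers


if __name__ == "__main__":
    # Assumed prefix: /24, inferred from the .255 broadcast address.
    for (src, proto, dport), total in summarize_broadcasts(SAMPLE, "64.22.109.0/24").most_common():
        print(f"{src} -> {proto}/{dport}: {total} bytes of broadcast")
```

A sender that shows up here with a single well-known port, as with 17500 in the thread, is a chatty neighbour on the shared segment rather than traffic aimed at your host.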