
How can I track down 'phantom' inbound traffic?

I have a freshly installed Debian Squeeze machine in a datacenter. iptables is set to drop and log any non-SSH packets.


As soon as I plug the machine in, bwm-ng shows 1.5 Mbit/s of inbound traffic from the public internet. There are no dropped packets logged in kern.log. There are no services running on the machine other than SSH, which is showing no activity.

I asked my provider to put me on a different subnet, and the problem followed me. My other machines are unaffected. How can I figure out what is going on? I don’t know where to look.


maniac.nl

The best method is to install a network sniffer; use either tcpdump or Wireshark. Have a look at the traffic coming in, possibly filtering out the traffic you know about until you get to the traffic you are looking for.


Depending on the protocols, ports and other details, you could try to limit it, for example by null-routing the traffic, or by asking your upstream ISP to block this traffic so that it doesn't get delivered to your box (and doesn't travel over your connection).
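A concrete way to do what the answer above describes, added here as an example and not part of maniac.nl's reply: capture a bounded number of frames with tcpdump while excluding your own SSH session, then aggregate the capture by source host, protocol and destination port so the unexplained traffic stands out. The interface name eth0, the pcap path and the sample capture text are assumptions; the sample lines are constructed in the shape tcpdump prints with `-nn -e -q` and use documentation address ranges, not a real capture. Keeping the link-layer header (`-e`) matters here because it shows whether the frames are unicast to your MAC, broadcast or multicast, which is the first thing you want to know about traffic that no local service is receiving.

```sh
#!/bin/sh
# Added example, not code from the original answer. Assumptions: the public
# interface is eth0 (hypothetical), tcpdump is installed, and you run as root.

# Step 1: grab a few thousand frames, headers only (snaplen 128 covers
# Ethernet + IP + TCP/UDP headers), leaving out your own SSH session.
capture_unknown() {
    iface="${1:-eth0}"
    tcpdump -nn -i "$iface" -s 128 -c 5000 -w /tmp/phantom.pcap \
        'not tcp port 22'
}

# Step 2: aggregate bytes per source host, protocol and destination port.
# Reads "tcpdump -nn -e -q -r FILE" text on stdin. IPv4 only; ARP and IPv6
# frames are skipped by this parser.
summarize_capture() {
    awk '
    $6 == "IPv4" {
        # fields: 8="length" 9="1514:" 10=src 11=">" 12="dst:" 13=proto
        bytes = $9; sub(/:$/, "", bytes)
        src = $10
        # a 5th dot means a port is appended (tcp/udp); ICMP has none
        if (gsub(/\./, ".", src) == 4) sub(/\.[0-9]+$/, "", src)
        dst = $12; sub(/:$/, "", dst)
        dport = "-"
        if (gsub(/\./, ".", dst) == 4) { dport = dst; sub(/^.*\./, "", dport) }
        proto = $13; sub(/,$/, "", proto)
        key = src " " proto " dport=" dport
        total[key] += bytes; pkts[key]++
    }
    END { for (k in total) printf "%10d bytes %6d pkts  %s\n", total[k], pkts[k], k }
    ' | sort -rn
}

# Convenience wrapper: replay the pcap from step 1 through the summary.
report() {
    tcpdump -nn -e -q -r "${1:-/tmp/phantom.pcap}" | summarize_capture
}

# Step 3: once a source is identified, a blackhole route is the quickest local
# measure; note it only stops your replies, the inbound bytes still cross your
# uplink until the provider filters them. This builds the command, it does
# not run it.
blackhole_cmd() {
    printf 'ip route add blackhole %s\n' "$1"
}

# Constructed sample in "tcpdump -nn -e -q" format so the summary can be run
# offline. Two TCP frames to port 80, one DHCP broadcast, one ICMP echo, one
# ARP request (which the parser ignores).
SAMPLE_CAPTURE='10:00:00.000001 52:54:00:aa:bb:cc > 52:54:00:11:22:33, ethertype IPv4 (0x0800), length 1514: 203.0.113.5.51234 > 198.51.100.7.80: tcp 1460
10:00:00.000002 52:54:00:aa:bb:cc > 52:54:00:11:22:33, ethertype IPv4 (0x0800), length 1514: 203.0.113.5.51234 > 198.51.100.7.80: tcp 1460
10:00:00.000003 52:54:00:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 192.0.2.1.67 > 255.255.255.255.68: UDP, length 300
10:00:00.000004 52:54:00:dd:ee:ff > 52:54:00:11:22:33, ethertype IPv4 (0x0800), length 98: 192.0.2.9 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
10:00:00.000005 52:54:00:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 198.51.100.7 tell 198.51.100.1, length 46'

# Run the summary over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_CAPTURE" | summarize_capture
}

demo
```

On the real box the sequence is `capture_unknown eth0`, then `report | head`, and the top lines of the summary are what you hand to the provider. If the summary is dominated by broadcast or multicast destinations rather than your own address, the traffic is not aimed at your host in the first place, which is worth stating when you ask upstream to filter it.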