Linode Forum
Linode Community Forums
PostPosted: Sun Dec 21, 2008 12:09 pm 
Offline
Junior Member

Joined: Thu May 12, 2005 2:06 pm
Posts: 48
Hi,

I've been notified by the excellent Linode warning service (thank you very much for it!) that my bandwidth on one of my Linodes is really high, especially in the last few hours.

On this Linode I have just an email server, behind a firewall (Shorewall). I'm getting 5 Mb/sec, which is way too much for this service.

I cannot see any service listening on a strange port. I can't see any log file growing more than usual. The disk space usage is normal.

Any idea how I can find out what is happening with my traffic? Is it possible that it is just spam? At this rate, I will have to stop it before I reach the monthly limit.

Thank you very much for any help you can provide.

Note: all the traffic is incoming.


PostPosted: Sun Dec 21, 2008 1:00 pm 
Offline
Newbie

Joined: Tue Nov 18, 2008 5:37 pm
Posts: 4
Use tcpdump to monitor the incoming traffic (it filters out ssh):
Code:
tcpdump -i eth0 -n not port 22


PostPosted: Sun Dec 21, 2008 3:39 pm 
Offline
Junior Member

Joined: Thu May 12, 2005 2:06 pm
Posts: 48
Thanks. After stopping all the services, I ran it and I saw a lot of traffic on port 25, which I strongly believe is not normal traffic, and the bw usage was still high.

The computer is now shut down, and I opened a support ticket. Hopefully I will get an answer soon.


PostPosted: Sun Dec 21, 2008 6:07 pm 
Offline
Senior Newbie

Joined: Sat Dec 13, 2008 6:36 pm
Posts: 10
Port 25 is SMTP (email).

Sure you're not running an open relay, and spammers are relaying through you? Sure you're not just seeing a large volume of incoming email?


PostPosted: Sun Dec 21, 2008 7:28 pm 
Offline
Senior Member
User avatar

Joined: Sun Feb 08, 2004 7:18 pm
Posts: 562
Location: Austin
He does say the traffic is all incoming, but it still could be spam attempts, if he's rejecting the emails after SMTP time. In fact, I wonder if the spam is being queued on the server (along with, perhaps, the bounce messages).


PostPosted: Mon Dec 22, 2008 5:57 am 
Offline
Junior Member

Joined: Thu May 12, 2005 2:06 pm
Posts: 48
Thanks for the comments. AFAIK, I'm not running an open relay. At least some tests like http://verify.abuse.net/cgi-bin/relaytest say I am not.

Looking at the mail logs, I can see a "normal" amount of spam attempts. That is, I get a logged SMTP connection every 5 seconds, or even less often.

And...

root@ffh2:/var/spool/postfix# postqueue -p
Mail queue is empty

But now I don't know if it is running against SMTP anymore. I'm seeing strange things. For example, from tcpdump:

10:53:09.072144 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43239758:43304918(65160) ack 1697 win 61 <nop,nop,timestamp 3739324725 1056406213>
10:53:09.119718 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43370078:43435238(65160) ack 1697 win 61 <nop,nop,timestamp 3739324775 1056406260>
10:53:09.120282 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43500398:43565558(65160) ack 1697 win 61 <nop,nop,timestamp 3739324775 1056406263>
10:53:09.121022 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43565558:43630718(65160) ack 1697 win 61 <nop,nop,timestamp 3739324775 1056406263>
10:53:09.121639 IP 192.168.134.122.mysql > 192.168.133.68.39696: P 43630718:43695878(65160) ack 1697 win 61 <nop,nop,timestamp 3739324775 1056406263>
10:53:09.169717 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43761038:43826198(65160) ack 1697 win 61 <nop,nop,timestamp 3739324825 1056406310>
10:53:09.170241 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43891358:43956518(65160) ack 1697 win 61 <nop,nop,timestamp 3739324825 1056406312>
10:53:09.170910 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43956518:44021678(65160) ack 1697 win 61 <nop,nop,timestamp 3739324825 1056406313>
10:53:09.171509 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44021678:44086838(65160) ack 1697 win 61 <nop,nop,timestamp 3739324825 1056406313>
10:53:09.171903 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44086838:44151998(65160) ack 1697 win 61 <nop,nop,timestamp 3739324825 1056406314>
10:53:09.219871 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44151998:44217158(65160) ack 1697 win 61 <nop,nop,timestamp 3739324875 1056406360>
10:53:09.220474 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44282318:44347478(65160) ack 1697 win 61 <nop,nop,timestamp 3739324875 1056406361>
10:53:09.221134 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44347478:44412638(65160) ack 1697 win 61 <nop,nop,timestamp 3739324875 1056406362>
10:53:09.221863 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44412638:44477798(65160) ack 1697 win 61 <nop,nop,timestamp 3739324875 1056406363>
10:53:09.269265 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44542958:44573366(30408) ack 1697 win 61 <nop,nop,timestamp 3739324925 1056406410>

Who are those 192.168.x.x addresses? They are not me, as far as I understand. Why do I capture this traffic with tcpdump?

I had my server off for more than 16 hours, and as soon as I booted it, the traffic was there.

Any idea?


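The `tcpdump -i eth0 -n not port 22` suggestion earlier in the thread produces lines like the ones pasted above, and the question "who are those 192.168.x.x addresses, and how much are they sending?" is easier to answer by totalling the capture than by eyeballing it. The following is an added example, not code from the thread or from Linode: a small Python parser for tcpdump's classic TCP output (`src.port > dst.port: flags seq:seq(len) ...`) that aggregates payload bytes per (source, destination) pair, estimates the rate over the observed window, labels each endpoint as RFC 1918 private, loopback or public, and flags flows in which neither endpoint is one of the host's own addresses. It assumes tcpdump's `-n` style output with service-name lookup for ports (as in the capture above, where the port is printed as `mysql`), and the set of local addresses is supplied by the caller (the `203.0.113.10` used in the demonstration is a documentation address, not a real host). The sample lines are four copied from the capture above.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Sample input: four lines copied from the capture pasted in the post above.
SAMPLE_CAPTURE = """\
10:53:09.072144 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43239758:43304918(65160) ack 1697 win 61 <nop,nop,timestamp 3739324725 1056406213>
10:53:09.119718 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 43370078:43435238(65160) ack 1697 win 61 <nop,nop,timestamp 3739324775 1056406260>
10:53:09.121639 IP 192.168.134.122.mysql > 192.168.133.68.39696: P 43630718:43695878(65160) ack 1697 win 61 <nop,nop,timestamp 3739324775 1056406263>
10:53:09.269265 IP 192.168.134.122.mysql > 192.168.133.68.39696: . 44542958:44573366(30408) ack 1697 win 61 <nop,nop,timestamp 3739324925 1056406410>
"""

# Classic tcpdump TCP line header: "HH:MM:SS.usec IP src.port > dst.port: flags ..."
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
)
# Payload length as tcpdump prints it after the sequence range: "seq:seq(len)".
# Pure ACK segments carry no "(len)" and therefore count as zero payload bytes.
PAYLOAD_RE = re.compile(r"\((?P<length>\d+)\)")

# The three RFC 1918 private ranges.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def classify_address(addr: str) -> str:
    """Label an address as loopback, RFC 1918 private, or public."""
    ip = ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "private (RFC 1918)"
    return "public"


def split_endpoint(endpoint: str):
    """'192.168.134.122.mysql' -> ('192.168.134.122', 'mysql'); the port may be a service name."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def summarize_capture(text: str, local_addrs=()):
    """Aggregate tcpdump lines into per-(src, dst) flow statistics."""
    local = set(local_addrs)
    flows = defaultdict(lambda: {"packets": 0, "payload_bytes": 0, "first": None, "last": None})
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not a TCP/IP line in the expected shape (ARP, truncated line, ...)
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        src_host, _ = split_endpoint(m.group("src"))
        dst_host, _ = split_endpoint(m.group("dst"))
        p = PAYLOAD_RE.search(line, m.end())
        length = int(p.group("length")) if p else 0
        f = flows[(src_host, dst_host)]
        f["packets"] += 1
        f["payload_bytes"] += length
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
    # Derived fields: rate over the observed window and endpoint classification.
    for (src, dst), f in flows.items():
        window = (f["last"] - f["first"]).total_seconds()
        f["bytes_per_sec"] = f["payload_bytes"] / window if window > 0 else None
        f["src_class"] = classify_address(src)
        f["dst_class"] = classify_address(dst)
        f["involves_local"] = src in local or dst in local
    return dict(flows)


def report(text: str, local_addrs=()):
    """Print flows, largest first, marking those that do not involve this host."""
    rows = sorted(summarize_capture(text, local_addrs).items(), key=lambda kv: -kv[1]["payload_bytes"])
    for (src, dst), f in rows:
        rate = f"{f['bytes_per_sec'] / 1e6:.2f} MB/s" if f["bytes_per_sec"] else "n/a"
        mark = "" if f["involves_local"] else "  <- neither endpoint is this host"
        print(f"{src} ({f['src_class']}) -> {dst} ({f['dst_class']}): "
              f"{f['packets']} pkts, {f['payload_bytes']} B, {rate}{mark}")


if __name__ == "__main__":
    # Hypothetical local address for the demonstration; substitute the host's own addresses.
    report(SAMPLE_CAPTURE, local_addrs={"203.0.113.10"})
```

Run against the full output of `tcpdump -i eth0 -n not port 22` (saved to a file, or piped in through `sys.stdin.read()`), the report shows which pairs account for the volume; a flow with a large byte count in which neither address is the host's own, as with the two 192.168.x.x addresses above, is exactly the kind of row worth raising in a support ticket, since the host has no reason to see it on its own interface.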
PostPosted: Mon Dec 22, 2008 7:14 am 
Offline
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
Have you used netstat to check ports? As root:

netstat -tp

James


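`netstat -tp` reads the kernel's socket table from `/proc/net/tcp` and, for the process column, matches each socket's inode against the file descriptors under `/proc/<pid>/fd`, which is why it needs to be run as root to attribute other users' sockets. The following is an added example, not code from the thread or from Linode, showing the first half of that: a parser for the `/proc/net/tcp` format that decodes the hex-encoded endpoints and states, lists listening ports, and compares them against an allowlist of the ports an email-only host is expected to have open. The sample table is constructed for the example (an SMTP and an SSH listener, one unexpected listener on port 8080 owned by uid 1000, and one established SMTP connection); the address decoding assumes the table came from a little-endian host, which is the case for x86 Linodes.

```python
import socket
from dataclasses import dataclass

# Kernel TCP state codes as they appear in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in the layout of /proc/net/tcp on a little-endian host:
# listeners on 25 (0019), 22 (0016) and 8080 (1F90), plus one established SMTP session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 100 0 0 10 0
   3: 4485A8C0:0019 7A86A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
"""


@dataclass
class TcpSocket:
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str
    uid: int
    inode: int  # what netstat -p matches against /proc/<pid>/fd to find the owning process


def decode_endpoint(hex_endpoint: str):
    """'4485A8C0:0019' -> ('192.168.133.68', 25).

    /proc/net/tcp stores the IPv4 address in host byte order, so on a
    little-endian machine the four bytes must be reversed before printing.
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    raw = bytes.fromhex(addr_hex)[::-1]  # assumption: little-endian host (x86)
    return socket.inet_ntoa(raw), int(port_hex, 16)


def parse_proc_net_tcp(text: str):
    """Parse the table (header line included) into TcpSocket records."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or truncated line
        local_addr, local_port = decode_endpoint(fields[1])
        remote_addr, remote_port = decode_endpoint(fields[2])
        sockets.append(TcpSocket(local_addr, local_port, remote_addr, remote_port,
                                 TCP_STATES.get(fields[3], fields[3]),
                                 int(fields[7]), int(fields[9])))
    return sockets


def listening_ports(sockets):
    return sorted({s.local_port for s in sockets if s.state == "LISTEN"})


def unexpected_listeners(sockets, allowed_ports):
    """Listeners on ports outside the allowlist: what 'nothing unusual' should be checked against."""
    return [s for s in sockets if s.state == "LISTEN" and s.local_port not in allowed_ports]


def established(sockets):
    return [s for s in sockets if s.state == "ESTABLISHED"]


if __name__ == "__main__":
    # On a live host: table = open("/proc/net/tcp").read()
    socks = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("listening:", listening_ports(socks))
    for s in unexpected_listeners(socks, allowed_ports={22, 25}):
        print(f"unexpected listener: port {s.local_port} uid {s.uid} inode {s.inode}")
    for s in established(socks):
        print(f"established: {s.local_addr}:{s.local_port} <- {s.remote_addr}:{s.remote_port}")
```

Keeping the allowlist in a script and running it periodically turns "I looked and nothing seemed unusual" into a repeatable check; the inode in each record is the handle to take to `/proc/<pid>/fd` (or to `lsof -i`) when a listener needs to be attributed to a process.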
PostPosted: Mon Dec 22, 2008 7:39 am 
Offline
Junior Member

Joined: Thu May 12, 2005 2:06 pm
Posts: 48
Yes, and nothing unusual. In fact, yesterday I stopped all the services, and traffic was still high.

On the IRC, it seems I am not the only one suffering from this, and it might be a problem in the datacenter.


PostPosted: Mon Dec 22, 2008 10:30 am 
Offline

Joined: Mon Dec 22, 2008 10:27 am
Posts: 1
ferfer, I spoke to you on IRC this morning. I've had a response to my support ticket; apparently the problem is with "bandwidth stat collection on newark42".

They've said we won't be charged for bandwidth over-use this month as it's a technical fault.

I only went and installed shorewall as soon as I saw my stats! Ah well, been meaning to do it for a while anyway!


PostPosted: Mon Dec 22, 2008 10:59 am 
Offline
Junior Member

Joined: Thu May 12, 2005 2:06 pm
Posts: 48
Yes, they did the same for my ticket. And for the last ~4 hours everything seems to be OK.

I already had shorewall installed, so I felt pretty confident. And my spam rate, although it is high for my taste, was not *so* high as to justify that incoming bandwidth.

Anyway, I feel more relaxed now. Hope they can fix it completely soon.

