Strange traffic
-
Is there an easy way to show what is causing traffic to use my internet connection?
I am running pfSense 1.2-beta-1 (not updated it yet)
At 1:30pm GMT today my WAN port jump to 350k/s on both the in and outbound, and hasnt stopped since. Its a 10mbit cable modem line, with about 750k upload, so its eating quite a bit of my upload bandwidth.
The traffic isnt coming inside the lan as the internal graphs aren't showing the same spike so its something on the net talking directly to the firewall (or vice versa) but i cant figure out what.
I can use the "states" page to show current connections, but that doesnt tell me how much data is being pushed. Also someone suggested i use "trafshow -a 32" from the shell, but that doesn't seem to work (unknown command??).
Anyone got any other ideas ?
-
you need to install it
@http://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage%3F:Another option for viewing real time throughput is trafshow. To install it, log in via SSH, choose option 8 and run:
pkg_add -r trafshow
rehashTo run it, at a SSH command prompt, run:
trafshow
Then select the interface.
-
Ok thanks that seems to have worked. Its showing me that theres a constant stream of UDP requests from an ip address to the sip port (5060).
If i stop my sip proxy then the outbound traffic goes away, but the inbound traffic doesnt stop.
Also despite me putting reject or block rules against that IP address, when i restart the sip proxy, the outbound traffic starts back up again, suggesting that the firewall isnt blocking the traffic for some reason.
A packet capture shows that the incoming traffic is a SIP packet "REGISTER sip: SIP/2.0" and the outbound replies when the proxy is enabled are "Status-Line: SIP/2.0 407 Proxy Authentication Required"
Does this indicate a brute force attack of some kind ? or am i missing something obvious here?
The IP in question doesnt appear to be related to my SIP provider, so i dont think its them, but thats my next port of call.