WAN Traffic is way more than LAN traffic, what's going on?



  • I'm so confused by this, as I don't have any packages enabled that could be using bandwidth. Any thoughts?

Here are the traffic graphs when I'm downloading a file.

    and here are the traffic graphs when there's almost no LAN traffic whatsoever.

    I'd really appreciate some guidance, as I'm kinda new to pfsense. Thank you whoever reads this :)



  • Are you running squid?



  • Nope :/ I have no packages installed which is why I'm so confused, cause I know if I had Squid or another package installed that would be where the problem is.



• Sniff your traffic and see what it is?



  • @Harvy66:

Sniff your traffic and see what it is?

    Yes, capture on WAN and see what it is. You don't have to have anything going on from LAN to get traffic into WAN, seems like something is sending you traffic unsolicited.



• Do you mean packet capture? If so, I keep getting the Time Warner DNS server IP address.

    14:36:11.371105 IP 209.18.47.62 > 72.224.80.89: ip-proto-17
    14:36:11.371109 IP 209.18.47.62 > 72.224.80.89: ip-proto-17
    14:36:11.371136 IP 209.18.47.62.53 > 72.224.80.89.22982: UDP, length 6809
    14:36:11.371209 IP 209.18.47.62 > 72.224.80.89: ip-proto-17
    14:36:11.371234 IP 209.18.47.62 > 72.224.80.89: ip-proto-17
    14:36:11.371307 IP 209.18.47.62 > 72.224.80.89: ip-proto-17
    14:36:11.371700 IP 209.18.47.62 > 72.224.80.89: ip-proto-17
    14:36:11.371884 IP 209.18.47.62.53 > 72.224.80.89.22982: UDP, length 6809
    14:36:11.371958 IP 209.18.47.62 > 72.224.80.89: ip-proto-17
    14:36:11.371962 IP 209.18.47.62 > 72.224.80.89: ip-proto-17
    14:36:11.372010 IP 209.18.47.62 > 72.224.80.89: ip-proto-17
    14:36:11.372083 IP 209.18.47.62 > 72.224.80.89: ip-proto-17
    14:36:11.372092 IP 209.18.47.61.53 > 72.224.80.89.24150: UDP, length 6809
    14:36:11.372111 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.372184 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.372188 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.372236 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.372314 IP 209.18.47.61.53 > 72.224.80.89.24150: UDP, length 6809
    14:36:11.372319 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.372711 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.372885 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.372958 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.372985 IP 209.18.47.61.53 > 72.224.80.89.22982: UDP, length 6809
    14:36:11.373059 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.373062 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.373085 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.373700 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.373835 IP 209.18.47.61.53 > 72.224.80.89.22982: UDP, length 6809
    14:36:11.373908 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.373936 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.374008 IP 209.18.47.61 > 72.224.80.89: ip-proto-17
    14:36:11.374012 IP 209.18.47.61 > 72.224.80.89: ip-proto-17

    Not sure what that's about?



  • Looks like you're either taking part in, or being targeted by, a reflected DNS amplification DoS attack.



• I switched my DNS servers to the Google ones, and now I'm almost 100% good again. I still have about 0.5 megabits of random traffic, but that's not bad at all for a 60 megabit connection. I guess I'm still under attack?



  • If just changing your DNS server stopped it, it's almost certainly because Google's smart enough to not reply to such garbage, and something inside your network is compromised and issuing those queries. Open the pcap you got previously (hopefully you saved it) in Wireshark and see what it's actually querying. Then capture on your LAN filtered on port 53 and find the host that's issuing those queries.

    The other possibility is it stopped just by coincidence, but that's unlikely.
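A way to do the triage suggested above (oversized port-53 replies and fragments on the WAN side, then the internal host issuing the queries on the LAN side) from tcpdump text output, as an added example that is not part of this thread or of pfSense; the sample lines are constructed in the capture format shown earlier, using RFC 5737 documentation addresses, and the 1500-byte threshold is an assumption:

```python
import re
from collections import Counter, defaultdict

# Matches tcpdump's default text output, with or without ports (added example, not pfSense code):
#   HH:MM:SS.us IP a.b.c.d.PORT > e.f.g.h.PORT: UDP, length N
#   HH:MM:SS.us IP a.b.c.d > e.f.g.h: ip-proto-17   <- non-first IP fragment of a large UDP datagram
LINE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?: (.*)$")
BIG_REPLY = 1500  # bytes (assumed threshold); an ordinary DNS answer is a few hundred bytes at most

def parse(line):
    """Return (src, sport, dst, dport, udp_len, is_fragment), or None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, info = m.groups()
    size = re.search(r"length (\d+)", info)
    return (src, int(sport) if sport else None, dst, int(dport) if dport else None,
            int(size.group(1)) if size else None, info.startswith("ip-proto-17"))

def reply_stats(lines):
    """WAN view: per (server, client) pair count port-53 replies, oversized replies and fragments."""
    stats = defaultdict(lambda: {"replies": 0, "big": 0, "fragments": 0})
    for src, sport, dst, _, ulen, frag in filter(None, map(parse, lines)):
        if frag:
            stats[(src, dst)]["fragments"] += 1
        elif sport == 53 and ulen is not None:
            stats[(src, dst)]["replies"] += 1
            stats[(src, dst)]["big"] += int(ulen >= BIG_REPLY)
    return dict(stats)

def amplifying_pairs(stats):
    """Pairs whose port-53 replies are all oversized or arrive fragmented: amplification, not normal lookups."""
    return sorted(k for k, s in stats.items()
                  if s["fragments"] or (s["replies"] and s["big"] == s["replies"]))

def top_queriers(lines):
    """LAN view: rank internal hosts by packets sent to port 53 to find the machine issuing the queries."""
    return Counter(p[0] for p in filter(None, map(parse, lines)) if p[3] == 53).most_common()

# Constructed samples in the thread's tcpdump format; documentation addresses, not real hosts.
WAN_SAMPLE = """\
14:36:11.371105 IP 198.51.100.10 > 192.0.2.1: ip-proto-17
14:36:11.371136 IP 198.51.100.10.53 > 192.0.2.1.22982: UDP, length 6809
14:36:11.372092 IP 198.51.100.11.53 > 192.0.2.1.24150: UDP, length 6809
14:36:11.380000 IP 198.51.100.20.53 > 192.0.2.1.40001: UDP, length 93
""".splitlines()
LAN_SAMPLE = """\
14:40:00.000001 IP 10.0.0.7.51234 > 198.51.100.10.53: UDP, length 45
14:40:00.000002 IP 10.0.0.7.51235 > 198.51.100.10.53: UDP, length 45
14:40:00.000003 IP 10.0.0.9.40000 > 198.51.100.20.53: UDP, length 38
""".splitlines()
```

Feed it the output of the WAN capture to get the server/client pairs worth a closer look in Wireshark, and the output of a LAN capture filtered on port 53 to get the internal host to inspect.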



• If he was the victim of a DNS-AMP attack, nothing would change just because he changed DNS on his gateway or client, and any of his LAN clients doing excessive lookups also wouldn't care which DNS server was selected for use by pfSense. There was something weird going on but I doubt it was a DoS attack.



  • @KOM:

If he was the victim of a DNS-AMP attack, nothing would change just because he changed DNS on his gateway or client, and any of his LAN clients doing excessive lookups also wouldn't care which DNS server was selected for use by pfSense. There was something weird going on but I doubt it was a DoS attack.

    That's the "stopped just by coincidence, but that's unlikely" part.

Given that, it's more likely some client on his network is issuing queries that cause some remote server being targeted to send or receive a large amount of traffic. TWC's DNS server takes part; Google's much better than most if not all ISPs at limiting the impact of or blocking DNS amplification.