Finding source of traffic



  • Hi All,

    Starting about a week ago, I am seeing a repeat spike in traffic for about 8 minutes at a time.  It shows up on the WAN RRD graph, but not the LAN graph.  The traffic also does not show up on the Squidguard Sarg report, which makes me think it is not port 80 traffic.

    What would be the best way for me to figure out where this traffic is coming from?

    WAN - 8 Hours https://www.dropbox.com/s/kdpxs2otl9ib7g9/WAN-8_hours.png
    WAN - 1 Month https://www.dropbox.com/s/3ff5zaufktqpdxt/WAN-1_month.png
    LAN - 8 Hours https://www.dropbox.com/s/8wn1yy9jwrn2bz5/LAN-8_hours.png
    LAN - 1 Month https://www.dropbox.com/s/40pxqf9jga1tz2i/LAN-1_month.png

    Thanks in advance for the help.

    Brad


  • Netgate Administrator

    Since that appears to be WAN in-pass traffic what firewall rules do you have on WAN?

    What version of pfSense are you running? Do you have any exposed services? NTP and DNS have both been widely exploited recently and should definitely not be exposed to WAN unless you have a good reason.

    It could be simply that your WAN address changed (do you have a dynamic WAN IP?) and the previous holder of that IP was hosting some service.

    If it happens regularly, which it does, just look at the state table when it's happening to see where the traffic is coming from and on what port.

    Steve



  • Thanks for the response.  I will dig into the state table this evening.  In the meantime, here are some answers to your questions:

    @stephenw10:

    Since that appears to be WAN in-pass traffic what firewall rules do you have on WAN?

    Allowing:
    Ping
    1194 (VPN)
    1195 (VPN)
    1196 (VPN)
    8843 (Web interface)
    3389 (RDP)

    I enabled logging on 3389, but that doesn't seem to be it. (I know allowing 8443 and 3389 isn't a great idea, however we are still working on getting all of the clients in a VPN)

    @stephenw10:

    What version of pfSense are you running? Do you have any exposed services? NTP and DNS have both been widely exploited recently and should definitely not be exposed to WAN unless you have a good reason.

    Version: 2.1-RELEASE
    NTP and DNS are not exposed externally.

    @stephenw10:

    It could be simply that your WAN address changed (do you have a dynamic WAN IP?) and the previous holder of that IP was hosting some service.
    Steve

    We do have a dynamic WAN IP, I will try to see the last time it changed.

    Thanks again for the response.  I will keep digging.

    Brad


  • Netgate Administrator

    I assume those firewall rules, other than the web interface, are for port forwards such that traffic on there would show on the LAN graph (if that's your only other interface).

    Traffic on WAN but not LAN is either something allowed by a firewall rule (it could be someone trying to brute force your webgui, for example; that would appear in the system log) or a response to something pfSense has requested. If you are running Snort, for example, it could be downloading new rules and failing to apply them correctly, or some package you tried to install could be continually downloading and failing.

    Steve

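Steve's advice above to look at the state table while the spike is happening, and his split in the last post between inbound hits on an allowed port and outbound fetches by pfSense itself, as an added example that is not part of the original thread: a small shell function for the pfSense console that reads `pfctl -vss` (the verbose form, which carries the byte counters that plain `pfctl -ss` lacks) and ranks states by bytes per remote address and port. The `pfctl -vss` line layout it parses, the interface name, the addresses and the sample states are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: rank pf states by byte count so a short
# spike can be tied to a remote peer and a port. Run on the pfSense box during
# the spike:   pfctl -vss | top_state_peers
#
# Assumed FreeBSD pfctl -vss layout (checked only against the constructed sample below):
#   <iface> <proto> <local addr:port> [(<pre-NAT addr:port>)] -> | <- <remote addr:port> <state>
#   [seq/window line, TCP only]
#   age hh:mm:ss, expires in hh:mm:ss, A:B pkts, X:Y bytes, rule N
# "->" marks a state created by an outbound packet, "<-" one created by an
# inbound packet; in both forms the peer is on the right of the arrow.

top_state_peers() {
    awk '
    # Split "addr:port" (IPv4), "addr[port]" (IPv6) or a bare address.
    function host_parts(h, out) {
        out["addr"] = h; out["port"] = "-"
        if (h ~ /\[[0-9]+\]$/) {
            out["port"] = h; sub(/^.*\[/, "", out["port"]); sub(/\]$/, "", out["port"])
            sub(/\[[0-9]+\]$/, "", out["addr"])
        } else if (h ~ /^[0-9.]+:[0-9]+$/) {
            out["port"] = h; sub(/^.*:/, "", out["port"])
            sub(/:[0-9]+$/, "", out["addr"])
        }
    }
    # State header line: find the arrow, take the peer to its right.
    $1 != "age" && $1 != "id:" && substr($1, 1, 1) != "[" {
        key = ""; arrow = 0
        for (i = 3; i < NF; i++) if ($i == "->" || $i == "<-") { arrow = i; break }
        if (arrow == 0) next
        host_parts($3, L); host_parts($(arrow + 1), R)
        # Inbound: the local port says which exposed service was hit.
        # Outbound: the remote port says what pfSense (or a NATed host) is talking to.
        port = ($arrow == "<-") ? L["port"] : R["port"]
        key = $1 " " $2 " " $arrow " " R["addr"] " port " port
        next
    }
    # Stats line: add both directions of the "X:Y bytes" counter to the current key.
    $1 == "age" && key != "" {
        for (i = 1; i < NF; i++) if ($(i + 1) ~ /^bytes/) {
            split($i, b, ":"); bytes[key] += b[1] + b[2]
        }
        key = ""
    }
    END { for (k in bytes) printf "%.0f %s\n", bytes[k], k }
    ' | sort -k1,1nr
}

# Constructed sample of pfctl -vss output (not a real capture): two RDP sessions
# from one host, an OpenVPN client, an outbound NATed HTTP fetch, and a ping.
SAMPLE_STATES='em0 tcp 203.0.113.5:3389 <- 198.51.100.23:51122       ESTABLISHED:ESTABLISHED
   [3001 + 65535] wscale 7  [5002 + 65535] wscale 7
   age 00:03:12, expires in 23:59:00, 4100:7900 pkts, 310000:9850000 bytes, rule 12
em0 tcp 203.0.113.5:3389 <- 198.51.100.23:51130       ESTABLISHED:ESTABLISHED
   [3001 + 65535] wscale 7  [5002 + 65535] wscale 7
   age 00:01:40, expires in 23:59:00, 2000:3500 pkts, 150000:4200000 bytes, rule 12
em0 udp 203.0.113.5:1194 <- 192.0.2.77:40110       MULTIPLE:MULTIPLE
   age 00:12:05, expires in 00:00:59, 900:880 pkts, 95000:91000 bytes, rule 9
em0 tcp 203.0.113.5:41822 (10.0.0.15:41822) -> 192.0.2.200:80       ESTABLISHED:ESTABLISHED
   [7010 + 65535] wscale 7  [1020 + 65535] wscale 7
   age 00:00:30, expires in 23:59:59, 60:45 pkts, 7100:52000 bytes, rule 3
em0 icmp 203.0.113.5:1234 <- 192.0.2.9:1234       0:0
   age 00:00:02, expires in 00:00:08, 1:1 pkts, 84:84 bytes, rule 2'

# Usage: the first line is the heaviest remote peer/port pair.
printf '%s\n' "$SAMPLE_STATES" | top_state_peers
```

On the sample the two RDP states from the same host collapse into one line at the top, which is the shape a brute-force or a single heavy download has in the state table; an outbound "->" line with a high-numbered remote port and a package mirror's address would instead point at pfSense or a package fetching something. Byte counters only exist while the state is alive, so the command has to be run inside the spike window, and a rule number on the age line can be matched against `pfctl -vvsr` to see which WAN rule passed it.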


  • I haven't been able to figure out what is going on here.  I went ahead and disabled port 8843 from the outside and logged all ping requests, however the odd traffic continues.

    In terms of packages, here is what is installed:
    Lightsquid
    mailreport
    NRPE v2
    pfBlocker - 4 lists set to download daily
    Sarg
    squid
    squidGuard

    I will keep looking at the States table, but nothing is jumping out at me.  Any other thoughts would be greatly appreciated.

    Thanks for the help so far.

