Netgate Discussion Forum

SOLVED Traffic on WAN interface only

General pfSense Questions
    G.D. Wusser Esq.
    last edited by Dec 11, 2014, 11:59 PM Dec 11, 2014, 8:30 PM

    Something new for me. The traffic graph shows a lot of traffic in and out on WAN interface only. This traffic does not show up on any of the internal interfaces. The firewall logs are silent on the remote addresses that the traffic graph reports.

    Please suggest how to diagnose this.

    Meanwhile, I am getting the Wireshark out…

      G.D. Wusser Esq.
      last edited by Dec 11, 2014, 8:50 PM

      1. Looks like a DNS attack, lots of UDP packets, IP probably spoofed.
        stephenw10 Netgate Administrator
        last edited by Dec 11, 2014, 9:02 PM

        If it's outbound traffic as well do you have your DNS forwarder accidentally exposed? Are you being used as part of a DNS amplification attack?

        Steve

          G.D. Wusser Esq.
          last edited by Dec 11, 2014, 10:15 PM Dec 11, 2014, 9:35 PM

          There is an authoritative DNS server behind the firewall. It issues packets (Server Failure) in response, though these packets are about the same size as the requests, so should make the server useless for DNS amplification attacks.

          My packet capture shows that I have about an equal amount of inbound and outbound traffic, while the pfSense traffic graph shows that I pipe out twice as much as I take in. What the..?

            KOM
            last edited by Dec 11, 2014, 9:36 PM

            Are you running Squid?  I've seen cases where the caching by Squid shows a LOT of traffic, like Windows Updates, going to WAN that doesn't go anywhere else for some reason.

              G.D. Wusser Esq.
              last edited by Dec 11, 2014, 9:45 PM

              Ok, I am stupid, LOL. I was just too quickly changing between the interfaces on the Traffic Graph. It takes a while for it to start showing the data.

              However I still cannot account for about half of the outgoing traffic on one of the internal interfaces. No Squid on this install.

                G.D. Wusser Esq.
                last edited by Dec 11, 2014, 10:13 PM

                Another strange thing. Despite creating a WAN rule blocking by IP address, a very small percentage of UDP packets still come through. The packets are incoming from the Internet, and the IP is most likely spoofed.

                  stephenw10 Netgate Administrator
                  last edited by Dec 11, 2014, 10:48 PM

                  State not cleared from the firewall?

                  Steve

                    G.D. Wusser Esq.
                    last edited by Dec 11, 2014, 10:49 PM

                    UDP - no state. Most of the packets get blocked, just a few single ones get through…

                    I am going to restart the box for good measure, and test again, though.

                      stephenw10 Netgate Administrator
                      last edited by Dec 11, 2014, 10:56 PM

                      Ha! good point.  ::)

                        G.D. Wusser Esq.
                        last edited by Dec 11, 2014, 11:07 PM

                        I rebooted the pfSense and the packet leak has stopped. Hmmm…

                          kejianshi
                          last edited by Dec 11, 2014, 11:14 PM

                          I'd be looking for malware on my network.  I doubt seriously it's a pfSense problem.

                            G.D. Wusser Esq.
                            last edited by Dec 11, 2014, 11:25 PM

                            It smells like a reflected attack, not amplified though, since the packets in and out are the same size. I stopped the attack at the firewall level.

                            I think there is an issue with the pfSense traffic graph, the traffic does not add up. I think it shows exactly double the outgoing traffic for local interfaces. I am still investigating, this will take more time to accumulate the data from different network segments and add it all up.

                            1 Reply Last reply Reply Quote 0
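The reflected-versus-amplified distinction drawn in the posts above can be checked directly from a capture. The following is an added example, not code from any poster or from pfSense: it reads tcpdump-style DNS lines and compares query and response payload bytes per claimed source. The addresses, the sample capture, the `reflection_report` name and the 2.0 threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines using documentation addresses (not from the thread).
# 198.51.100.10 is a stand-in for the authoritative DNS server behind the firewall.
SAMPLE = """\
20:41:07.100001 IP 203.0.113.7.40000 > 198.51.100.10.53: 4660+ A? example.org. (29)
20:41:07.100412 IP 198.51.100.10.53 > 203.0.113.7.40000: 4660 ServFail 0/0/0 (29)
20:41:07.200001 IP 203.0.113.7.40001 > 198.51.100.10.53: 4661+ A? example.org. (29)
20:41:07.200398 IP 198.51.100.10.53 > 203.0.113.7.40001: 4661 ServFail 0/0/0 (29)
20:41:07.300001 IP 203.0.113.7.40002 > 198.51.100.10.53: 4662+ A? example.org. (29)
20:41:07.300405 IP 198.51.100.10.53 > 203.0.113.7.40002: 4662 ServFail 0/0/0 (29)
20:41:08.000001 IP 203.0.113.99.53000 > 198.51.100.10.53: 4670+ [1au] ANY? example.net. (40)
20:41:08.000300 IP 198.51.100.10.53 > 203.0.113.99.53000: 4670*- 12/0/1 A 192.0.2.1, A 192.0.2.2 (1320)
20:41:09.000001 IP 192.0.2.50.41000 > 198.51.100.10.53: 4680+ A? example.org. (29)
"""

# src.port > dst.port, then the trailing "(N)" that tcpdump prints as the DNS payload length.
LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): .*\((\d+)\)\s*$")

def reflection_report(capture, server, threshold=2.0):
    """Return {claimed_source: (query_bytes, response_bytes, ratio, verdict)}."""
    stats = defaultdict(lambda: [0, 0])  # remote -> [bytes to server, bytes from server]
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, size = *m.group(1, 2, 3, 4), int(m.group(5))
        if dst == server and dport == "53":
            stats[src][0] += size
        elif src == server and sport == "53":
            stats[dst][1] += size
    report = {}
    for remote, (q, r) in stats.items():
        if q == 0:
            # Replies with no matching query: capture gap or asymmetric path.
            report[remote] = (q, r, None, "responses only")
            continue
        ratio = r / q
        if r == 0:
            verdict = "no reply"        # dropped at the firewall or ignored by the server
        elif ratio >= threshold:        # threshold is an assumed cut-off, tune per site
            verdict = "amplified"
        else:
            verdict = "reflected only"  # server answers, but gives the sender no gain
        report[remote] = (q, r, ratio, verdict)
    return report
```

The ratio is computed on DNS payload bytes only, so it will not match an interface traffic graph that counts full frames.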
                              G.D. Wusser Esq.
                              last edited by Dec 11, 2014, 11:35 PM

                              Found this: https://forum.pfsense.org/index.php?topic=67295.0

                                stephenw10 Netgate Administrator
                                last edited by Dec 11, 2014, 11:35 PM

                                Check the forum. There are a number of threads about double counting on the traffic graphs. I've never seen it though, it seems to happen only under specific conditions.

                                Ah, typed too slow! Yep that's one of them.

                                Steve

                                  kejianshi
                                  last edited by Dec 11, 2014, 11:36 PM

                                  Yep - Sometimes pfSense reports traffic bandwidth incorrectly, which is much less troubling than having a bunch of phantom traffic.

                                    G.D. Wusser Esq.
                                    last edited by Dec 11, 2014, 11:52 PM

                                    Thanks for your help everybody. This was a compound issue, and it looks like everything has been explained now. I appreciate the help.
