Date: Tue, 21 Feb 2006 11:29:56 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: Robin Becker <robin@reportlab.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: traffic analysis
Message-ID: <43FAEBA4.6080509@locolomo.org>
In-Reply-To: <43FAE72D.4000208@chamonix.reportlab.co.uk>
References: <43FAE72D.4000208@chamonix.reportlab.co.uk>
Robin Becker wrote:
> Our FreeBSD 6.0 host is not yet in production, but appears to have
> outgoing traffic of around 140Mb/day; the http logs say 16 hits etc. The
> host provider said this
>
> "The server is on a /20-network, and this leads to high amounts of
> background traffic (ARP, broadcast, etc.). These traffic types are
> likely to be the reason for most of your outbound traffic."
>
> I'm not sure I follow this argument. Does this mean I'm responding to
> a large number of spurious requests? The provider's analysis of the input
> volume is pretty small (0Mb).
>
> Is there a tool that can give me some reasonable data on this sort of
> problem? Perhaps I need to close down some services etc.

Is your server reachable from the Internet? Does it have a firewall?

140MB a day sounds a lot to me, and your host should not contribute a lot to this kind of "background traffic": ARP packets are sent on the local network only. ARP is used to maintain the arp table, which matches hardware (MAC) addresses and IP addresses. An entry normally expires after one minute with no traffic. Usually your host would only send arp requests to a very few hosts, the servers it connects to and the default router. Broadcast is not very common either; most traffic is unicast.

If your host's firewall does not drop packets to closed ports then it will send a response packet. It is common to see probes, for example for port 137, for vulnerable Windows machines. This may explain the traffic.

You can run snort for 15 minutes and sum up what the traffic amounts to over 24 hrs, or just enable your firewall with pass all and view the statistics to see. Snort will also tell you the amount of traffic on other protocols such as ARP not reported by your firewall.
Cheers, Erik
--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
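The accounting Erik describes (capture for a short window, split the bytes by protocol and direction, then scale the outbound total to a day) can be done with a plain packet capture instead of snort. The script below is an added example, not code from this thread or from any FreeBSD tool; it assumes the capture was taken with `tcpdump -e -tt -nn` (epoch timestamps plus link-level headers, so ARP frames and byte lengths are visible), the sample lines are constructed for the example, and `HOST_MAC` is a hypothetical address of the host being observed. It also counts outbound TCP RST packets, which is what a host sends when something probes a closed port that the firewall did not drop, the case Erik raises for port 137.

```python
"""Sum captured link-level traffic by protocol and direction, then
scale a short sample up to a 24-hour figure (added example)."""
import re
from collections import defaultdict

# Hypothetical MAC address of the host under observation (assumption).
HOST_MAC = "00:11:22:33:44:55"

# Constructed sample lines in the style of `tcpdump -e -tt -nn` output.
SAMPLE_CAPTURE = """\
1140517796.000000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.10, length 28
1140517796.001000 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype ARP (0x0806), length 60: Reply 192.0.2.1 is-at 00:aa:bb:cc:dd:ee, length 46
1140517797.000000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 192.0.2.10.80 > 198.51.100.5.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
1140517798.000000 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 198.51.100.7.40000 > 192.0.2.10.137: Flags [S], seq 0, win 1024, length 0
1140517798.000500 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 54: 192.0.2.10.137 > 198.51.100.7.40000: Flags [R.], seq 0, ack 1, win 0, length 0
1140517799.000000 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 198.51.100.9 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
1140517799.000500 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 198.51.100.9: ICMP echo reply, id 1, seq 1, length 64
1140517800.000000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 1514: 192.0.2.10.80 > 198.51.100.5.51234: Flags [.], seq 1:1461, ack 1, win 65535, length 1460
1140517805.000000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 78: 192.0.2.10.123 > 198.51.100.11.123: UDP, length 36
"""

# One capture line: timestamp, source MAC > destination MAC, ethertype,
# frame length, then the protocol-specific remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<ethertype>\w+) \(0x[0-9a-f]+\), length (?P<length>\d+): (?P<rest>.*)$"
)


def classify(ethertype, rest):
    """Map a frame to a coarse protocol bucket from the tcpdump text."""
    if ethertype == "ARP":
        return "ARP"
    if ethertype in ("IPv4", "IPv6"):
        if "ICMP" in rest:          # ICMP and ICMP6 both print "ICMP"
            return "ICMP"
        if "Flags [" in rest:       # TCP lines carry a flags field
            return "TCP"
        if "UDP" in rest:
            return "UDP"
        return "other-ip"
    return "other"


def summarize(capture_text, host_mac=HOST_MAC):
    """Bytes per (direction, protocol), outbound RSTs, and a per-day projection."""
    bytes_by = defaultdict(int)
    rst_out = 0
    first = last = None
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip anything that is not a frame line
        ts = float(m["ts"])
        first = ts if first is None else first
        last = ts
        direction = "out" if m["src"] == host_mac else "in"
        proto = classify(m["ethertype"], m["rest"])
        bytes_by[(direction, proto)] += int(m["length"])
        # A RST from our host is the reply to a connection attempt on a closed port.
        if direction == "out" and proto == "TCP" and re.search(r"Flags \[R\.?\]", m["rest"]):
            rst_out += 1
    sample_seconds = (last - first) if first is not None else 0.0
    out_bytes = sum(v for (d, _), v in bytes_by.items() if d == "out")
    projected = out_bytes * 86400 / sample_seconds if sample_seconds else 0.0
    return {
        "bytes": dict(bytes_by),
        "sample_seconds": sample_seconds,
        "out_bytes": out_bytes,
        "out_rst_packets": rst_out,
        "projected_out_bytes_per_day": projected,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_CAPTURE)
    for (direction, proto), nbytes in sorted(report["bytes"].items()):
        print(f"{direction:>3} {proto:<8} {nbytes:>8} bytes")
    print(f"outbound RST packets: {report['out_rst_packets']}")
    print(f"projected outbound per day: {report['projected_out_bytes_per_day'] / 1e6:.1f} MB")
```

With a real capture, feed the file to `summarize()` and compare the projection with the provider's figure: a large ARP or broadcast share points at the /20 explanation, while a large TCP share with many outbound RSTs points at the host answering probes, which is the case Erik's advice of dropping packets to closed ports addresses.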