# Few mbits incoming traffic for no reason?



## Greg (Apr 23, 2015)

For the last few days  I have 2 to 4 mbits of incoming traffic hitting a fresh VPS with couple of sites on it that don't get any traffic at all.

I can see via the control panel (vestaCP) that none of them is getting any traffic.

iftop doesn't show any significant traffic to anything

top doesn't show any rogue processes

all ports but web and ssh are closed (nmap confirms it)

the server has the standard things for web, nginx, apache, php....

at this point I have no idea what causes the traffic and even worse how to identify it


----------



## rds100 (Apr 23, 2015)

Assuming this is a KVM VPS it could be roadcasts or just switches with expired MAC tables spewing unknown unicast to all ports, etc.

Run a tcpdump and see what the traffic is.


----------



## Nett (Apr 23, 2015)

I'd say this is SSH bruteforce traffic from attackers / hackers. Try changing your SSH port to something unusual and see if the traffic decreases.


----------



## raj (Apr 23, 2015)

Look in logs !


----------



## MartinD (Apr 23, 2015)

Try running netstat to see what the traffic is, i.e. TCP/UDP


```
netstat -sn
```


----------



## mojeda (Apr 23, 2015)

Try using *nethogs*, should be able to install it via apt-get install, yum install.

then run nethogs <interface> (nethogs eth0)


----------



## Greg (Apr 23, 2015)

rds100 said:


> Assuming this is a KVM VPS it could be roadcasts or just switches with expired MAC tables spewing unknown unicast to all ports, etc.
> 
> Run a tcpdump and see what the traffic is.


yeah it's VPS probably KVM

tcpdump outputs this, like a ton per second


17:31:59.486534 IP6 2001:19f0:5c00:8000::1 > ff02::1:ff92:6af9: ICMP6, neighbor solicitation, who has 2001:19f0:5c00:94c1:6cd7:94f:7a92:6af9, length 32
17:31:59.486637 IP6 2001:19f0:5c00:8000::1 > ff02::1:ff00:64: ICMP6, neighbor solicitation, who has 2001:19f0:5c00:94c4::64, length 32
17:31:59.486641 IP6 2001:19f0:5c00:8000::1 > ff02::1:ff00:64: ICMP6, neighbor solicitation, who has 2001:19f0:5c00:94c3::64, length 32
17:31:59.486757 IP6 2001:19f0:5c00:8000::1 > ff02::1:ff00:64: ICMP6, neighbor solicitation, who has 2001:19f0:5c00:94c4::64, length 32
17:31:59.486761 IP6 2001:19f0:5c00:8000::1 > ff02::1:ff89:4849: ICMP6, neighbor solicitation, who has 2001:19f0:5c00:94c2:f021:f49:7189:4849, length 32
17:31:59.486820 IP6 2001:19f0:5c00:8000::1 > ff02::1:ff08:3737: ICMP6, neighbor solicitation, who has 2001:19f0:5c00:94c6:5400:ff:fe08:3737, length 32
17:31:59.486862 IP6 2001:19f0:5c00:8000::1 > ff02::1:ff92:6af9: ICMP6, neighbor solicitation, who has 2001:19f0:5c00:94c1:6cd7:94f:7a92:6af9, length 32
17:31:59.486941 IP6 2001:19f0:5c00:8000::1 > ff02::1:ff00:64: ICMP6, neighbor solicitation, who has 2001:19f0:5c00:94c4::64, length 32
17:31:59.487038 IP6 2001:19f0:5c00:8000::1 > ff02::1:ff00:64: ICMP6, neighbor solicitation, who has 2001:19f0:5c00:94c3::64, length 32




Nett said:


> I'd say this is SSH bruteforce traffic from attackers / hackers. Try changing your SSH port to something unusual and see if the traffic decreases.


it is changed, no ssh attemps noticed so far. I monitor them



raj said:


> Look in logs !


obviosly i have no idea in which logs to check given the situation described in OP, but thanks for stating the obvious. Much helpful. You are great person!


----------



## Greg (Apr 23, 2015)

MartinD said:


> Try running netstat to see what the traffic is, i.e. TCP/UDP
> 
> 
> netstat -sn


here is the output


netstat -sn
Ip:
172467 total packets received
0 forwarded
0 incoming packets discarded
17062 incoming packets delivered
18158 requests sent out
Icmp:
0 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
26 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 26
IcmpMsg:
OutType3: 26
Tcp:
309 active connections openings
185 passive connection openings
133 failed connection attempts
2 connection resets received
1 connections established
16273 segments received
20091 segments send out
188 segments retransmited
0 bad segments received.
136 resets sent
Udp:
1013 packets received
26 packets to unknown port received.
0 packet receive errors
1038 packets sent
UdpLite:
TcpExt:
2 invalid SYN cookies received
3 resets received for embryonic SYN_RECV sockets
179 TCP sockets finished time wait in fast timer
76 delayed acks sent
299 packets directly queued to recvmsg prequeue.
813 bytes directly received in process context from prequeue
959 packet headers predicted
4 packets header predicted and directly queued to user
2198 acknowledgments not containing data payload received
11452 predicted acknowledgments
7 times recovered from packet loss by selective acknowledgements
166 fast retransmits
6 forward retransmits
15 other TCP timeouts
TCPLossProbes: 29
TCPLossProbeRecovery: 26
1 SACK retransmits failed
2 DSACKs received
1 connections reset due to unexpected data
TCPDSACKIgnoredNoUndo: 1
TCPSackMerged: 3
TCPSackShiftFallback: 628
TCPDeferAcceptDrop: 72
IPReversePathFilter: 1
TCPRcvCoalesce: 11
TCPSpuriousRtxHostQueues: 31
IpExt:
InNoRoutes: 3
InMcastPkts: 133
InBcastPkts: 24051
InOctets: 18157638
OutOctets: 14968413
InMcastOctets: 4788
InBcastOctets: 7308364
InNoECTPkts: 172447
InECT0Pkts: 20


Unfortunately I lack the expertize to make anything out of it


----------



## rds100 (Apr 23, 2015)

Open a ticket with Vultr, explain to them what do you see and give them this tcpdump. They should take care of their router, it shouldn't be blasting repeated neighbor solicitations like this. This probably hurts their router's CPU too.


----------



## VPS4LESS (Apr 23, 2015)

you can always get a Firewall. it will tell you what ip the traffic is coming from and what ip it is going to and what port it is using and policy type as well

and best of all it gives you a easy to understand GUI for those who are not total Geeks and don't understand all the numbers and such as you see in the post above.


----------

