Robin Becker wrote:
> Our FreeBSD 6.0 host is not yet in production, but appears to have
> outgoing traffic of around 140Mb/day; the http logs say 16 hits etc. The
> host provider said this:
> "The server is on a /20-network, and this leads to high amounts of
> background traffic (ARP, broadcast, etc.). These traffic types are
> likely to be the reason for most of your outbound traffic."
> I'm not sure I follow this argument. Does this mean I'm responding to
> a large number of spurious requests? The provider's analysis of the input
> volume is pretty small (0Mb).
> Is there a tool that can give me some reasonable data on this sort of
> problem? Perhaps I need to close down some services etc.

Is your server reachable from the Internet? Does it have a firewall?

140MB a day sounds a lot to me, and your host should not contribute a
lot to this kind of "background traffic":

ARP packets are sent on the local network only. ARP is used to maintain
the ARP table, which matches hardware (MAC) addresses and IP addresses.
An entry normally expires after one minute with no traffic.
Usually your host would only send ARP requests to a very few hosts, the
servers it connects to and the default router.

Broadcast is not very common either; most traffic is unicast.

If your host's firewall does not drop packets to closed ports then it
will send a response packet. It is common to see probes, for example for
port 137, for vulnerable Windows machines.
This may explain the traffic.

You can run snort for 15 minutes and sum up what the traffic amounts to
over 24 hours, or just enable your firewall with pass all and view the
statistics to see.
Snort will also tell you the amount of traffic on other protocols such
as ARP not reported by your firewall.

Cheers, Erik
--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
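
Added example, not part of the message above: one way to do the accounting it suggests from a text capture, splitting the server's outbound frames into ARP, broadcast, replies to closed-port probes (ICMP port unreachable, TCP RST) and everything else, then scaling a 15-minute window to 24 hours. The sample lines are constructed in the text style of `tcpdump -e -n -tt`; the MAC and IP addresses are placeholders.

```python
import re
from collections import Counter

HOST_MAC = "00:11:22:33:44:55"   # assumption: MAC address of the server's interface
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample (not real capture data), one frame per line.
SAMPLE = """\
1136073600.000000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.10, length 28
1136073601.000000 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 92: 198.51.100.7.1025 > 192.0.2.10.137: UDP, length 50
1136073601.000100 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 70: 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 137 unreachable, length 36
1136073602.000000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 54: 192.0.2.10.445 > 198.51.100.9.4321: Flags [R.], seq 0, ack 1, win 0, length 0
1136073603.000000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 1514: 192.0.2.10.80 > 203.0.113.5.50000: Flags [.], seq 1:1449, ack 1, win 512, length 1448
"""

LINE = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+), ethertype (?P<etype>\S+) "
    r"\(0x[0-9a-f]+\), length (?P<len>\d+): (?P<detail>.*)$"
)

def classify(dst_mac, ethertype, detail):
    """Put one outbound frame into a coarse traffic category."""
    if ethertype == "ARP":
        return "arp"
    if dst_mac == BROADCAST:
        return "broadcast"
    if "ICMP" in detail and "unreachable" in detail:
        return "icmp-unreachable"      # reply to a UDP probe on a closed port
    if re.search(r"Flags \[R\.?\]", detail):
        return "tcp-rst"               # reply to a TCP probe (or any other reset)
    return "other"

def outbound_bytes(text, host_mac=HOST_MAC):
    """Sum Ethernet frame lengths per category for frames sent by host_mac."""
    totals = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m["src"] == host_mac:
            totals[classify(m["dst"], m["etype"], m["detail"])] += int(m["len"])
    return totals

def per_day(totals, window_seconds):
    """Extrapolate bytes seen in a capture window to 24 hours."""
    scale = 86400 / window_seconds
    return {category: round(count * scale) for category, count in totals.items()}

if __name__ == "__main__":
    for category, count in sorted(per_day(outbound_bytes(SAMPLE), 15 * 60).items()):
        print(f"{category:18s} {count:>10d} bytes/day")
```

If the two reply categories dominate the total, the outbound volume is the host answering probes rather than ARP or broadcast.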