
I launched an ubuntu-14.04-64bit instance in Amazon EC2 two days back. And I started Tomcat 7.0.54 in that instance and deployed my application war files. It has no other software installed other than Tomcat and the default ones. In the past 2 days, it shows 858 GB of Data Transfer (Network Out) from that instance. I have attached a graph of the Amazon CloudWatch metric "Network Out".

[Image: Amazon CloudWatch "Network Out" graph for the instance]

My application does not do any data download/upload. It's a Java Spring application and the front end is in HTML & JavaScript. My application traffic was very low (less than 20 hits) in those 2 days.

Is there a way to find out why these data transfers happened, and also to find what data has been transferred? As you can see in the graph, network out was 20gb per minute.

Some more info:

- Network in was negligible
- CPU utilization was very high
- Everything else was low

Jatin
    Let me guess. You likely run a file download server. Without knowing it. I.e. you got rooted - likely because you do not really know how to set up a secure server. Definitely the most likely scenario given that huge amount of traffic. – TomTom Jun 11 '14 at 09:19
  • @TomTom Ok. Can you please say more on it. In short, I took a new instance, installed Java and ran Tomcat. That's it. Nothing else. And it didn't download anything (bandwidth in was negligible) – Jatin Jun 11 '14 at 09:31
    No. Having a professional set up your server may be a good idea. – TomTom Jun 11 '14 at 09:34
    Your server is most likely compromised and used to perform [DoS](http://en.wikipedia.org/wiki/Denial-of-service_attack) attacks. – Jun 11 '14 at 12:46

2 Answers


As it seems that the traffic is not so rare, try to catch the transfer by some kind of alerting (it can be an Amazon one or a custom script).

Then use netstat, nethogs, ps, tcpdump, etc. to identify the traffic source.

Stone
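One way to turn the netstat/ss part of this answer into a repeatable triage step, as an added example that is not part of the original answer: rank processes by the number of outbound TCP connections they hold and count how many distinct peers the busiest one talks to. The `ss -tnp` output below is a constructed sample in that tool's layout (Linux with iproute2 is an assumption); on a live host you would pass `"$(ss -tnp)"` instead. A box that is being used to flood or to serve downloads usually shows one process with far more sockets and far more peers than everything else combined.

```shell
#!/bin/sh
# Added example (not from the original answer): rank processes by the number of
# outbound TCP connections they hold, from `ss -tnp` style output, and count how
# many distinct peers a given process is connected to.
# Live use (assumption: Linux with iproute2): count_by_process "$(ss -tnp)"

# Constructed sample in the layout of `ss -tnp`:
# State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=N,fd=M))
SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port Peer Address:Port   Process
ESTAB    0      0      10.0.0.5:43122     203.0.113.10:80     users:(("java",pid=1234,fd=55))
ESTAB    0      0      10.0.0.5:43123     203.0.113.10:80     users:(("java",pid=1234,fd=56))
ESTAB    0      0      10.0.0.5:43124     203.0.113.11:80     users:(("java",pid=1234,fd=57))
ESTAB    0      0      10.0.0.5:22        198.51.100.7:51000  users:(("sshd",pid=900,fd=3))
SYN-SENT 0      1      10.0.0.5:43125     203.0.113.12:80     users:(("java",pid=1234,fd=58))'

# Print "<count> <process>" lines, busiest process first. The header line is
# skipped and LISTEN sockets are ignored because they carry no traffic.
count_by_process() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $1 != "LISTEN" && match($0, /\(\("[^"]+"/) {
      count[substr($0, RSTART + 3, RLENGTH - 4)]++
    }
    END { for (p in count) print count[p], p }' | sort -rn
}

# Name of the process holding the most connections.
top_talker() {
  count_by_process "$1" | head -n 1 | awk '{ print $2 }'
}

# Number of distinct peer IP addresses the named process is connected to
# (port stripped from the Peer column so one remote host counts once).
distinct_peers() {
  printf '%s\n' "$1" | awk -v proc="$2" '
    NR > 1 && index($6, "\"" proc "\"") {
      peer = $5; sub(/:[0-9]+$/, "", peer); seen[peer] = 1
    }
    END { n = 0; for (k in seen) n++; print n }'
}

echo "connections per process:"
count_by_process "$SAMPLE_SS"
proc=$(top_talker "$SAMPLE_SS")
echo "top talker: $proc"
echo "distinct peers for $proc: $(distinct_peers "$SAMPLE_SS" "$proc")"
```

Once the process is known, `ps -o pid,user,lstart,cmd -p <pid>` shows who started it and when, and `tcpdump` filtered on the peer addresses shows what it is actually sending; together with a CloudWatch alarm on NetworkOut this gives you the "catch it while it happens" loop the answer describes.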

So the issue was: the username/password of the Manager console of Apache Tomcat was tomcat/tomcat.

And someone, I guess, had deployed a war file which sent too many requests. Moreover, it even changed the permission levels of the expanded directory in webapps. Major security blunder.

Jatin
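Two checks for exactly the condition this answer describes, as an added example that is not part of the original answer: a Manager account with a default password in tomcat-users.xml, and a context under webapps/ that nobody deployed on purpose. Both XML documents below are constructed, the weak one beside a hardened variant; the real files live under Tomcat's conf/ and webapps/ directories, whose exact location depends on how Tomcat was installed and is an assumption here.

```shell
#!/bin/sh
# Added example (not from the original answer): audit tomcat-users.xml for
# Manager accounts with a default password, and list webapps contexts that are
# not on an allow-list of applications you deployed yourself.
# File locations are an assumption; they depend on the Tomcat installation.

# Constructed tomcat-users.xml with the stock tomcat/tomcat Manager account.
WEAK_USERS_XML='<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="app" password="x9Lq2mTv" roles="app-user"/>
</tomcat-users>'

# Constructed hardened variant: a dedicated account, a generated password
# (placeholder here) and only the GUI role rather than every Manager role.
HARDENED_USERS_XML='<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="ops-admin" password="PLACEHOLDER-generated-32-char-secret" roles="manager-gui"/>
</tomcat-users>'

# Print the username of every <user> that holds a manager-* role while its
# password is empty, equal to its username, or the stock value "tomcat".
find_weak_manager_accounts() {
  printf '%s\n' "$1" | awk '
    /<user / {
      u = ""; p = ""; r = ""
      if (match($0, /username="[^"]*"/)) u = substr($0, RSTART + 10, RLENGTH - 11)
      if (match($0, /password="[^"]*"/)) p = substr($0, RSTART + 10, RLENGTH - 11)
      if (match($0, /roles="[^"]*"/))    r = substr($0, RSTART + 7,  RLENGTH - 8)
      if (r ~ /manager-/ && (p == "" || p == u || p == "tomcat")) print u
    }'
}

# Print every context in a webapps directory that is not on the allow-list
# (directory and .war collapse to one name). Anything listed deserves a look
# at its contents, owner and mtime.
unexpected_webapps() {
  dir="$1"; allow="$2"
  for entry in "$dir"/*; do
    [ -e "$entry" ] || continue
    name=$(basename "$entry"); name=${name%.war}
    case " $allow " in
      *" $name "*) ;;
      *) echo "$name" ;;
    esac
  done | sort -u
}

# Build a throw-away webapps directory for the demo: the stock contexts, the
# owner's app, and one context nobody deployed on purpose (constructed).
demo_webapps_dir() {
  d=$(mktemp -d)
  mkdir -p "$d/ROOT" "$d/manager" "$d/myapp" "$d/dropped-app"
  : > "$d/myapp.war"
  : > "$d/dropped-app.war"
  printf '%s\n' "$d"
}

echo "weak Manager accounts (constructed file): $(find_weak_manager_accounts "$WEAK_USERS_XML")"
echo "weak Manager accounts (hardened file):    $(find_weak_manager_accounts "$HARDENED_USERS_XML")"
demo=$(demo_webapps_dir)
echo "unexpected webapps: $(unexpected_webapps "$demo" "ROOT manager myapp")"
rm -rf "$demo"
```

If the Manager application is not needed at all, removing it from webapps/ is simpler than protecting it; if it is needed, the password check above plus restricting who can reach the Manager URL (security group or Tomcat's RemoteAddrValve) closes the door this answer found open.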