Ubuntu Home Server Packetstorm

1

I have a home plex server that runs various pieces of software and fills various roles. It's running the latest Ubuntu with all the latest packages/updates. About every 10 days or so, it starts packet storming a public IP address, and getting storm'd back. This completely kills all other network traffic.

I first tried just checking out the common bandwidth users, but nothing I have is unrated/unlimited on that box.

I then tried iftop and other various programs (this took me a few times since I can't use the pipes at ALL when this happens) to see if I could trace the process of who is sending the traffic. iftop sees the traffic, but even netstat doesn't output a process ID. I then thought it might've been NFS traffic, after reading a few articles about NFS being kernel level without a traditional process id (I hope that is the right language) but to no avail.

Finally I just turned my netgear switch mirroring on and captured the traffic from another computer. Lo and behold, it's garbage traffic. TCP Dup ACKs all the way down. Here's a small 8MB segment (about 100,000 packets over 4 seconds). I captured a larger, 1-minute capture, but it's all practically the same.

Any ideas how to trace this bad boy down and/or stop it? The small capture is here: http://s000.tinyupload.com/index.php?file_id=45384481152498730142 and I can use a different service if you recommend one.

For those without Wireshark, the remote TCP connection is 46.105.201.50:80. The local port changes, but is always in the 60,000 - 70,000 block.

Thanks for the help!

toobulkeh

Posted 2015-01-15T01:08:37.743

Reputation: 123

Why was this downvoted? – toobulkeh – 2015-01-15T02:08:34.170
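An added example, not part of the question or of any answer in this thread: a pure-Python script that reads a classic pcap (no scapy or tshark required, which matters on a box whose network is too clogged to install anything) and counts, per direction of each TCP flow, how many segments are duplicate ACKs. The duplicate-ACK test is a simplified form of Wireshark's heuristic (pure ACK, no payload, same seq/ack pair as the previous pure ACK in that direction). The remote endpoint 46.105.201.50:80 is the one named in the question; the local address 192.168.1.10, the port 60123 and the packets in `build_sample_pcap()` are constructed for the example.

```python
"""Added example: which TCP flows in a pcap are flooding duplicate ACKs."""
import struct
import sys
from collections import Counter

ACK, SYN_FIN_RST = 0x10, 0x07          # TCP flag bits used below


def iter_pcap_records(data):
    """Yield (timestamp, frame_bytes) for every record in a classic pcap."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return the TCP 4-tuple, seq/ack, flags and payload length, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                    # not IPv4 / not TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": ".".join(map(str, ip[12:16])), "sport": sport,
        "dst": ".".join(map(str, ip[16:20])), "dport": dport,
        "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
        "payload_len": len(tcp) - (off_flags >> 12) * 4,
    }


def count_dup_acks(data):
    """Per direction (src, sport, dst, dport): total segments and dup ACKs.

    A segment is a duplicate ACK when it is a pure ACK (no SYN/FIN/RST, no
    payload) repeating the seq/ack pair of the previous pure ACK sent in the
    same direction.  Data or control segments reset the comparison.
    """
    total, dups, last = Counter(), Counter(), {}
    for _ts, frame in iter_pcap_records(data):
        p = parse_tcp(frame)
        if p is None:
            continue
        direction = (p["src"], p["sport"], p["dst"], p["dport"])
        total[direction] += 1
        pure_ack = (p["flags"] & ACK) and not (p["flags"] & SYN_FIN_RST) and p["payload_len"] == 0
        if pure_ack:
            pair = (p["seq"], p["ack"])
            if last.get(direction) == pair:
                dups[direction] += 1
            last[direction] = pair
        else:
            last.pop(direction, None)
    return total, dups


def summarize(data, top=5):
    """[(direction, total_segments, dup_acks)] for the noisiest directions."""
    total, dups = count_dup_acks(data)
    return [(d, total[d], dups[d]) for d, _ in dups.most_common(top)]


def make_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture: one data segment, then bursts of identical ACKs."""
    local, remote = ("192.168.1.10", 60123), ("46.105.201.50", 80)  # local side is assumed
    frames = [make_frame(*remote, *local, 1000, 500, 0x18, b"x" * 10)]  # PSH|ACK carrying 10 bytes
    frames += [make_frame(*local, *remote, 500, 1010, ACK)] * 5          # 1 ACK + 4 duplicates
    frames += [make_frame(*remote, *local, 1010, 500, ACK)] * 3          # 1 ACK + 2 duplicates
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1421283000, i * 1000, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    pcap = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for (src, sport, dst, dport), n, dup in summarize(pcap):
        print(f"{src}:{sport} -> {dst}:{dport}  segments={n}  dup_acks={dup}")
```

Run it as `python3 dupacks.py capture.pcap` (the file must be a classic pcap, not pcapng). The output names the direction that is generating the flood, which is the local source port to look up next: `ss -tnp` run as root shows the owning process for a socket where one exists, and a connection that `ss` lists with no process at all points at something in the kernel or at a socket inherited by a process that has since gone away, which is worth knowing before deciding what to block.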

Answers

0

Sounds like you've got a DDoS tool hiding on your system, or someone's attacking you. Network flooding on a regular interval with garbage data, and the "destination" fighting back? Classic.

First step is to drop packets to or from that ip address at the firewall level. This should cut down on the clogged tubes. Then poke around and look for any suspicious binaries/files. If you can't find any, I'd recommend just burning the OS and starting again.

Ohnana

Posted 2015-01-15T01:08:37.743

Reputation: 671

Thanks! What suspicious things are there? I'm well versed in Windows... but Ubuntu? I didn't know people did Ubuntu rootkits! :3 – toobulkeh – 2015-01-16T03:57:20.833

They'll usually have goofy names. You may even be able to open them with vi, because malware for Linux commonly takes the form of perl and shell scripts. Check /var/www/html (if you have a web server), /tmp, the home directories of users (including root), and any other directory that sees a lot of file traffic. Linux most definitely has rootkits; chkrootkit and rkhunter will find common ones for you. – Ohnana – 2015-01-16T13:19:54.920

What's a good way to find directories that see a lot of file traffic? – toobulkeh – 2015-01-17T00:49:57.037
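An added example, not written by anyone in this thread: a triage script for the "look for suspicious files" step of the answer and for the follow-up question about directories that see a lot of file traffic. It walks the directories named in the comments above (plus /var/tmp and /dev/shm, an assumption), lists regular files modified within the last N hours, tags shebang scripts and ELF binaries by their first bytes rather than by extension, and ranks directories by how many recently changed files they hold. The default root list and the 24-hour window are the example's own choices.

```python
"""Added example: rank directories by recent file churn, flag new executables."""
import os
import stat
import sys
import time
from collections import Counter

# Assumed starting points; pass your own directories on the command line instead.
DEFAULT_ROOTS = ["/tmp", "/var/tmp", "/dev/shm", "/var/www/html", "/home", "/root"]


def classify(path):
    """'elf' for native binaries, 'script' for shebang files, else 'other'.

    Looks at the first bytes so a script renamed to .jpg is still a script.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return "other"
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def scan_recent(roots, max_age, now=None):
    """Return [(path, age_seconds, kind, executable)] for regular files
    modified within max_age seconds, newest first.

    Symlinks are not followed and unreadable entries are skipped so one
    permission error does not abort the whole scan.
    """
    now = time.time() if now is None else now
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                age = now - st.st_mtime
                if age <= max_age:
                    executable = bool(st.st_mode & 0o111)
                    hits.append((path, age, classify(path), executable))
    return sorted(hits, key=lambda h: h[1])


def rank_dirs(hits):
    """[(directory, count)] of recent files per directory, busiest first."""
    return Counter(os.path.dirname(h[0]) for h in hits).most_common()


def code_hits(hits):
    """Recently written scripts, binaries or executable files: read these first."""
    return [h for h in hits if h[2] in ("elf", "script") or h[3]]


if __name__ == "__main__":
    roots = sys.argv[1:] or DEFAULT_ROOTS
    found = scan_recent(roots, max_age=24 * 3600)
    for directory, n in rank_dirs(found)[:10]:
        print(f"{n:5d} recent files in {directory}")
    for path, age, kind, execu in code_hits(found):
        print(f"{age / 3600:6.1f}h ago  {kind:6s} {'x' if execu else '-'}  {path}")
```

Run it as root so that other users' home directories are readable; a directory that keeps showing up at the top of the ranking every time the flood recurs is the one to examine, and a fresh shebang script in /tmp or a home directory is exactly the kind of file the answer describes. This complements rather than replaces chkrootkit and rkhunter, which look for known rootkit signatures instead of recent churn.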