I have a home Plex server that runs various pieces of software and fills various roles. It's running the latest Ubuntu with all the latest packages/updates. About every 10 days or so, it starts packet storming a public IP address, and getting stormed back. This completely kills all other network traffic.
I first tried just checking out the common bandwidth users, but nothing I have is unrated/unlimited on that box.
I then tried iftop and various other programs (this took me a few tries, since I can't use the pipes at ALL when this happens) to see if I could trace which process is sending the traffic. iftop sees the traffic, but even netstat doesn't output a process ID. I then thought it might've been NFS traffic, after reading a few articles about NFS being kernel-level without a traditional process ID (I hope that is the right language), but to no avail.
Finally I just turned my Netgear switch's port mirroring on and captured the traffic from another computer. Lo and behold, it's garbage traffic: TCP Dup ACKs all the way down. Here's a small 8MB segment (about 100,000 packets over 4 seconds). I also captured a larger 1-minute capture file, but it's all practically the same.
Any ideas how to trace this bad boy down and/or stop it? The small capture is here: http://s000.tinyupload.com/index.php?file_id=45384481152498730142 and I can use a different service if you recommend one.
For those without Wireshark, the remote TCP connection is 46.105.201.50:80. The local port changes, but is always in the 60,000 - 70,000 block.
Thanks for the help!
Why was this downvoted? – toobulkeh – 2015-01-15T02:08:34.170
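The "netstat shows no PID" symptom in the question usually means one of two things: the socket is held by a process whose file descriptors the caller may not read (netstat needs root to see other users' fds), or the socket has no owning process at all because it belongs to the kernel (the NFS case the asker mentions). The following script is an added example, not code from the question or its answers. It parses the layout of Linux's /proc/net/tcp, finds every socket talking to a given remote endpoint, and maps the socket's inode to the process holding a `socket:[inode]` descriptor. A socket with no fd owner is reported as kernel-owned. The sample /proc/net/tcp text and fd listing are constructed; the remote 46.105.201.50:80 is the one from the question, while the local address 192.168.1.20, the ports and the PIDs are made up.

```python
import os
from typing import Dict, List, Optional

# Constructed sample in the layout of /proc/net/tcp. Addresses are little-endian
# hex, so 32C9692E:0050 is 46.105.201.50:80 (the remote from the question) and
# 1401A8C0:EF32 is a made-up local 192.168.1.20:61234.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 1401A8C0:EF32 32C9692E:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 1401A8C0:F0A1 32C9692E:0050 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 1401A8C0:0016 0A00000A:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 20 4 30 10 -1
"""

# Constructed fd listings (what os.readlink on /proc/<pid>/fd/* would return).
# Inode 12345 is held by a hypothetical pid 4242; inode 67890 has no owner.
SAMPLE_FD_LINKS: Dict[int, List[str]] = {
    4242: ["/dev/null", "socket:[12345]", "pipe:[999]"],
    1: ["socket:[11111]"],
}

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}


def parse_hex_endpoint(field: str):
    """'32C9692E:0050' -> ('46.105.201.50', 80); the IPv4 bytes are reversed."""
    ip_hex, port_hex = field.split(":")
    raw = bytes.fromhex(ip_hex)[::-1]
    return ".".join(str(b) for b in raw), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Dict]:
    """Turn /proc/net/tcp text into a list of connection records."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        entries.append({
            "local": parse_hex_endpoint(fields[1]),
            "remote": parse_hex_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return entries


def owner_of_inode(inode: int, fd_links: Dict[int, List[str]]) -> Optional[int]:
    """Return the pid holding socket:[inode], or None if no process does."""
    target = f"socket:[{inode}]"
    for pid, links in fd_links.items():
        if target in links:
            return pid
    return None


def read_fd_links_from_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Live reader: collect fd link targets for every pid (root sees them all)."""
    links: Dict[int, List[str]] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                          # exited, or not permitted
            continue
        targets = []
        for fd in fds:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
        links[int(name)] = targets
    return links


def trace_connections(text: str, remote_ip: str, remote_port: int,
                      fd_links: Dict[int, List[str]]) -> List[Dict]:
    """All sockets to remote_ip:remote_port, each with its owning pid or a verdict."""
    report = []
    for e in parse_proc_net_tcp(text):
        if e["remote"] != (remote_ip, remote_port):
            continue
        pid = owner_of_inode(e["inode"], fd_links) if e["inode"] else None
        verdict = (f"pid {pid}" if pid is not None
                   else "no fd owner: kernel-owned socket (e.g. NFS) or fds not readable")
        report.append({**e, "pid": pid, "verdict": verdict})
    return report


if __name__ == "__main__":
    # Live use on Linux: text = open("/proc/net/tcp").read(); links = read_fd_links_from_proc()
    for r in trace_connections(SAMPLE_PROC_NET_TCP, "46.105.201.50", 80, SAMPLE_FD_LINKS):
        print(r["local"], "->", r["remote"], r["state"], r["uid"], r["verdict"])
```

Run as root on the box during a storm, with the live lines uncommented, a socket that shows up in the report with no fd owner confirms the kernel-socket theory; one that maps to a pid names the culprit. For IPv6 peers, /proc/net/tcp6 has the same layout with 32-hex-digit addresses in four reversed 4-byte groups, which this parser does not handle.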