Troubleshooting strange traffic patterns

So, I just happened to glance at my MRTG graph today, and noticed my outbound bandwidth was pegged.

That seemed a bit strange, so I checked my weekly and monthly charts.

It’s kind of weird that it’s cyclical. I popped up iftop to see what the top talker was.. something was shoving 27mb/s outbound. But there was no single source. I loaded up darkstat and ntop too, but all they showed was lots of traffic going different places. I finally sorted by port, and it all showed port 80. So – I killed Apache, and the traffic stopped.

Initially I feared I’d been turned into a proxy server somehow – but when I checked my logs, all I saw was Chinese IP addresses downloading my mp3 of “Whatever-You-Like-T.I.-Cover-1.mp3” over and over again every second. So – I renamed that file, and all traffic is back to normal. Kids these days.

For anybody who’s wondering, the MP3 was posted in 2009, and you can hear it on YouTube here.
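
The log check described above, as an added example that is not part of the original post: a shell function that ranks requested paths by bytes served, so a single hammered file stands out even when no single client does. It assumes Apache's combined log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads an Apache combined-format access log on stdin (format is an assumption)
# and prints, largest first: bytes share% hits distinct_clients path
top_paths() {
    awk '
        # Default field splitting: $1 client, $6 method, $7 path, $10 bytes
        $6 ~ /^"(GET|HEAD|POST)$/ {
            path = $7
            sub(/\?.*/, "", path)              # fold query strings together
            bytes[path] += ($10 == "-" ? 0 : $10)
            total += ($10 == "-" ? 0 : $10)
            hits[path]++
            if (!((path, $1) in seen)) { seen[path, $1] = 1; clients[path]++ }
        }
        END {
            for (p in hits) {
                share = (total > 0) ? 100 * bytes[p] / total : 0
                printf "%.0f %.1f %d %d %s\n", bytes[p], share, hits[p], clients[p], p
            }
        }
    ' | sort -k1,1nr -k5,5
}

# Constructed sample input; client addresses are documentation ranges.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [01/Jan/2013:10:00:01 +0000] "GET /Whatever-You-Like-T.I.-Cover-1.mp3 HTTP/1.1" 200 4000000 "-" "-"
203.0.113.9 - - [01/Jan/2013:10:00:01 +0000] "GET /Whatever-You-Like-T.I.-Cover-1.mp3 HTTP/1.1" 200 4000000 "-" "-"
198.51.100.7 - - [01/Jan/2013:10:00:02 +0000] "GET /Whatever-You-Like-T.I.-Cover-1.mp3 HTTP/1.1" 200 4000000 "-" "-"
192.0.2.10 - - [01/Jan/2013:10:00:02 +0000] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
203.0.113.44 - - [01/Jan/2013:10:00:03 +0000] "GET /Whatever-You-Like-T.I.-Cover-1.mp3 HTTP/1.1" 206 1500000 "-" "-"
192.0.2.10 - - [01/Jan/2013:10:00:04 +0000] "GET /feed?x=1 HTTP/1.1" 304 - "-" "Mozilla/5.0"
EOF
}

sample_log | top_paths
```

On a live server the same function can be fed the real access log in place of `sample_log`; a path with a very high byte share and many distinct clients matches the pattern the post describes.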

 


One Response to Troubleshooting strange traffic patterns

  1. Jason says:

    Or, you could just set this up:

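    #!/bin/sh

    # Fetch the China/Korea CIDR list (all wget output is discarded)
    wget -O /tmp/chinakorea.txt http://www.okean.com/sinokoreacidr.txt > /dev/null 2>&1

    # Skip comment lines; the first column of each entry is the CIDR block
    for i in `grep -v '^#' /tmp/chinakorea.txt | awk '{print $1}'`
    do
        # Drop all TCP traffic from that block
        /sbin/iptables -I INPUT -p tcp -s "$i" -j DROP
    done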
