Constant incoming traffic on an idle VPS

Hello, today I found that one of my idle VPSes receives constant ~1 Mbps incoming traffic.
Since it is an idle VPS, it shouldn't receive such incoming traffic.
The outgoing traffic is normal, and my other idle VPSes do not receive such incoming traffic.
What could it be?

Comments

  • You have to consider that the IP you get from your provider has been recycled and used by other customers before you so it could be lots of things really.

    But in a nutshell, just because you're idling it doesn't mean it's as good as dead :smiley:

  • @TheDP said:
    You have to consider that the IP you get from your provider has been recycled and used by other customers before you so it could be lots of things really.

    But in a nutshell, just because you're idling it doesn't mean it's as good as dead :smiley:

    I want to understand what this means. Do you mean that others are trying to connect to my server and send some traffic?
    Regarding recycling, this constant traffic only appeared this month. Before that it had been idling for several months without such incoming traffic.

  • On what ports are you receiving it? I assume UDP

  • @TheDP said:
    You have to consider that the IP you get from your provider has been recycled and used by other customers before you so it could be lots of things really.

    But in a nutshell, just because you're idling it doesn't mean it's as good as dead :smiley:

    Outgoing, maybe, but incoming? Are you sure about this?

  • @Fritz said:

    @TheDP said:
    You have to consider that the IP you get from your provider has been recycled and used by other customers before you so it could be lots of things really.

    But in a nutshell, just because you're idling it doesn't mean it's as good as dead :smiley:

    Outgoing, maybe, but incoming? Are you sure about this?

    I see no difference in the possibilities really, like I said, it could be anything, especially without any data or details being presented/shared.

    OP would be better off asking his/her provider.

  • tcpdump & Wireshark can show you what traffic it is.

  • @zxrlha said:
    Do you mean that others are trying to connect to my server and send some traffic?
    ... Before that it had been idling for several months without such incoming traffic.

    It only takes a minor slip of the keyboard, in someone else's DNS config, to send people to your IP in error.

    @yoursunny said:
    tcpdump & Wireshark can show you what traffic it is.

    This seems by far the best first step, especially if you have no active services to confuse the data. On Linux tcpdump is a trivial install; use 'tcpdump not host 123.123.123.123 and not arp' to filter out your own terminal traffic and local ARP, and see what you're getting...

  • Neoon (edited December 2021)

    tcpdump and check from where.
    I had a VPS with 150 GB of traffic and some idiot within the same subnet sent me 10 GB of DNS traffic per day, which resulted in suspension of the VPS.

    Damn.

    Won't buy anything below 500 GB anymore, pain in the arse.

  • @yoursunny @cochon @Neoon
    Thanks for the suggestion. I used tcpdump and captured some packets.
    However, I could not understand the results.
    For example: UDP results:

    13:35:16.707737 IP (tos 0x0, ttl 32, id 44610, offset 0, flags [DF], proto UDP (17), length 63)
        ec2-54-246-47-134.eu-west-1.compute.amazonaws.com.5300 > dnslas.netrope.com.domain: 2823+ A? gs.tya.msedge.net. (35)
    13:35:16.715560 IP (tos 0x0, ttl 64, id 4872, offset 0, flags [DF], proto UDP (17), length 43)
        206.253.164.124.47636 > 255.255.255.255.10008: UDP, length 15
    13:35:16.751664 IP (tos 0x0, ttl 244, id 3977, offset 0, flags [DF], proto UDP (17), length 63)
        ec2-44-201-209-205.compute-1.amazonaws.com.63990 > dnslas.netrope.com.domain: 30019+ NS? myethikos.info.az. (35)
    13:35:16.754552 IP (tos 0x0, ttl 128, id 23838, offset 0, flags [none], proto UDP (17), length 49)
        209.141.55.93.62689 > 209.141.55.255.32414: UDP, length 21
    13:35:16.781173 IP6 (flowlabel 0xd0856, hlim 1, next-header UDP (17) payload length: 58) fe80::216:25ff:fe7b:56b6.9001 > ff02::114.9001: [udp sum ok] UDP, length 50
    13:35:16.807955 IP (tos 0x0, ttl 128, id 12513, offset 0, flags [none], proto UDP (17), length 78)
        stefan.treylis.org.netbios-ns > 209.141.55.255.netbios-ns: UDP, length 50
    13:35:16.807955 IP (tos 0x0, ttl 128, id 12559, offset 0, flags [none], proto UDP (17), length 78)
        creller.netbios-ns > 205.185.122.255.netbios-ns: UDP, length 50
    13:35:16.810843 IP (tos 0x0, ttl 128, id 14353, offset 0, flags [none], proto UDP (17), length 49)
        209.141.40.44.55581 > 209.141.40.255.32412: UDP, length 21
    

    And TCP results:

    13:31:32.092215 IP (tos 0x20, ttl 245, id 55108, offset 0, flags [none], proto TCP (6), length 44)
        103.170.120.61.16234 > workshop.mindmachinelabs.com.64579: Flags [S], cksum 0x5827 (correct), seq 11230, win 512, options [mss 536], length 0
    13:31:32.093461 IP (tos 0x0, ttl 245, id 29284, offset 0, flags [DF], proto TCP (6), length 44)
        103.170.121.98.40709 > 209.141.62.138.16578: Flags [S], cksum 0x80a6 (correct), seq 18480, win 512, options [mss 536], length 0
    13:31:32.097204 IP (tos 0x0, ttl 245, id 58631, offset 0, flags [none], proto TCP (6), length 44)
        92.63.197.5.49832 > e-poczta24.com.pl.65348: Flags [S], cksum 0xb31a (correct), seq 3565430931, win 1024, options [mss 536], length 0
    13:31:32.110735 IP (tos 0x0, ttl 245, id 31141, offset 0, flags [none], proto TCP (6), length 44)
        92.63.197.5.49832 > vps729.pool.xapp.ml.46714: Flags [S], cksum 0x4740 (correct), seq 3568101080, win 1024, options [mss 536], length 0
    

    Why do those packets reach my VPS when their target IP addresses are different from my VPS address?
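
Added example (not code from anyone in this thread): a small Python script that answers the question above by classifying the destination of every flow line in `tcpdump -v` output, the kind of capture the OP posted and cochon's "not host ... and not arp" filter produces. A VM on a shared segment legitimately sees its own unicast traffic plus broadcast (255.255.255.255 or x.y.z.255) and multicast (ff02::/16, 224.0.0.0/4) frames from neighbours; unicast packets addressed to some other host's IP should not arrive at all, so those are the ones worth listing in a ticket. The sample input is copied from the capture above; `MY_IP` is a hypothetical placeholder because the OP never states the VPS's own address. Note that the capture was taken without `-n`, so tcpdump replaced some IPs with resolved names; the script flags those separately and the caveat is to rerun `tcpdump -nn` so every destination is a literal address.

```python
"""Classify where packets seen by tcpdump were actually addressed, to separate
normal broadcast/multicast noise from unicast traffic meant for other hosts.

Added example; it parses the "src.port > dst.port:" flow lines that
`tcpdump -v` prints (the capture posted above is used as sample input).
"""
import ipaddress
import re
from collections import Counter

# Matches the flow line "src.port > dst.port: ..." (IPv6 records put it on the
# same line as the header; IPv4 records put it on the indented second line).
FLOW_RE = re.compile(r"(\S+) > (\S+):")

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Hypothetical address of the idle VPS (assumption: the OP never states it).
MY_IP = "203.0.113.10"


def split_endpoint(endpoint):
    """Split 'host.port' into (host, port). Works for IPv4, IPv6 and names:
    '209.141.55.93.62689'       -> ('209.141.55.93', '62689')
    'ff02::114.9001'            -> ('ff02::114', '9001')
    'dnslas.netrope.com.domain' -> ('dnslas.netrope.com', 'domain')
    An endpoint without a port (e.g. ICMP) is returned unchanged."""
    try:
        ipaddress.ip_address(endpoint)
        return endpoint, None
    except ValueError:
        host, _, port = endpoint.rpartition(".")
        return host, port


def classify_destination(dst, my_ips):
    """Return a label describing why a packet to `dst` could have reached us."""
    host, _ = split_endpoint(dst)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # tcpdump resolved the address to a name; rerun with -nn to see the IP.
        return "resolved-name"
    if addr in my_ips:
        return "mine"
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if addr.is_multicast:
        return "multicast"
    if addr.version == 4 and addr.packed[-1] == 0xFF:
        return "subnet-broadcast"  # x.y.z.255 from a neighbour on the segment
    return "unicast-to-other-host"  # should not reach an isolated VM at all


def summarize(capture_text, my_ips=(MY_IP,)):
    """Return (Counter of destination classes, list of (src, dst) host pairs
    that were unicast to an address that is not ours)."""
    mine = {ipaddress.ip_address(ip) for ip in my_ips}
    counts = Counter()
    leaked = []
    for line in capture_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # header line, not a flow line
        src, dst = m.groups()
        kind = classify_destination(dst, mine)
        counts[kind] += 1
        if kind == "unicast-to-other-host":
            leaked.append((split_endpoint(src)[0], split_endpoint(dst)[0]))
    return counts, leaked


# Sample input: flow lines copied from the capture posted above.
SAMPLE = """\
ec2-54-246-47-134.eu-west-1.compute.amazonaws.com.5300 > dnslas.netrope.com.domain: 2823+ A? gs.tya.msedge.net. (35)
206.253.164.124.47636 > 255.255.255.255.10008: UDP, length 15
209.141.55.93.62689 > 209.141.55.255.32414: UDP, length 21
fe80::216:25ff:fe7b:56b6.9001 > ff02::114.9001: [udp sum ok] UDP, length 50
stefan.treylis.org.netbios-ns > 209.141.55.255.netbios-ns: UDP, length 50
103.170.121.98.40709 > 209.141.62.138.16578: Flags [S], cksum 0x80a6 (correct), seq 18480, win 512, options [mss 536], length 0
"""

if __name__ == "__main__":
    counts, leaked = summarize(SAMPLE)
    for kind, n in counts.most_common():
        print(f"{n:4d}  {kind}")
    for src, dst in leaked:
        print(f"unicast for another host: {src} -> {dst}")
```

Run it against a fresh `tcpdump -nn -v not host <your-ip> and not arp` capture instead of the sample: anything that lands in `unicast-to-other-host` is evidence the host node is delivering other customers' frames to your VM, which is the thing to hand the provider. The broadcast and multicast classes are ordinary neighbour chatter (NetBIOS name service on .255, the 255.255.255.255 datagram) and do not by themselves explain 1 Mbps of sustained traffic.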

  • I see FranTech IPs.
    They are known to have Tor exits that are used to send DDoS attacks.
    You need to unfran your network and cancel the idle VPS.

    I see one packet being broadcast to 255.255.255.255, so you would normally receive it.
    For the others, something is wrong on the host node, which causes your KVM to receive traffic intended for other KVMs.

  • edited December 2021

    @yoursunny said:
    For the others, something is wrong on the host node, which causes your KVM to receive traffic intended for other KVM.

    Makes you wonder about the services the connections are really intended for :o though most of the endpoint ports look a bit random.

    Edit: My guess would be they're de-configured IPs on the host node that you're now getting by default/fallback. Ticket required.

  • Thanks @yoursunny @cochon
    I'll ticket to Francisco.

  • I did see FranTech IPs ping my penis ports now and then. I wonder if he bans them or lets them pollute the IPs.

  • Not_Oles (Hosting Provider, Content Writer)

    Hey @zxrlha ! It's been a while. . . . May we please have a little update? I'm curious about what has happened! Thanks! Best wishes! ♒︎

    I hope everyone gets the servers they want!

  • @Not_Oles said:
    Hey @zxrlha ! It's been a while. . . . May we please have a little update? I'm curious about what has happened! Thanks! Best wishes! ♒︎

    I sent a ticket to BuyVM.
    They asked for the root password. After I gave it, they fixed it.
    However, it seems that they did nothing inside the VM, so I don't know why they asked for the root password.

  • Normal.

    Try booting up an OVH VPS for the first time. You will get hundreds of incoming connections, all trying to hack into your new, unpatched VPS.

    Thus, it has to be said that the end is nigh.


    ♻ Amitz day is October 21.
    ♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.
