Results 1 to 3 of 3
  1. #1
    Join Date
    Jun 2009

    tracking unknown incoming traffic

    how do i find out what this traffic is going to? I've got CSF running pretty tight and nothing is in the block logs...

    # Care should be taken with this option. It's entirely possible that you will
    # see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
    # and HTTP so it could be quite easy to trigger, especially with a lot of
    # closed connections in TIME_WAIT. However, for a server that is prone to DOS
    # attacks this may be very useful. A reasonable setting for this option might
    # be arround 300.
    # To disable this feature, set this to 0
    CT_LIMIT = "160"
    # Connection Tracking interval. Set this to the the number of seconds between
    # connection tracking scans
    CT_INTERVAL = "30"
    # If you only want to count specific ports (e.g. 80,443) then add the ports
    # to the following as a comma separated list. E.g. "80,443"
    # Leave this option empty to count all ports against CT_LIMIT
    CT_PORTS = "80,443"
    HTTPd service:

  2. #2
    I use two commands to identify these kind of traffic. To view connections to my server, I use netstat.

    netstat -tun

    This command displays all table and you can append "| grep SYN" to view connection attempts. Some times these kind of traffic can be just dumy packages created by automated tools. Simply this command shows you incomming packages.

    tcpdump -i eth0 -n

    It outputs very fast but gives idea about source of attack. You can append " > output.txt" and dump the out put to a file and review easily. Last word, as far as I know, there is no way to prevent this attacks. You should contact to your service provider with the outputs of these commands. They usually are able to block the source on gateways of your network. I hope this help. Good luck...

  3. #3
    It seems that there are some malicious script running on the server (probably IRC bot). Check the current running processes.

    ps aux | grep nobody

    Also, do a netstat as mentioned by cybervolkan.
    Last edited by Kailash12; 08-11-2009 at 01:29 AM.

Similar Threads

  1. Help!!! Urgent, unknown incoming traffic
    By monster9 in forum Dedicated Server
    Replies: 5
    Last Post: 12-09-2004, 03:28 AM
  2. Looking for ISP who charges for incoming traffic only
    By Anatole in forum Running a Web Hosting Business
    Replies: 6
    Last Post: 10-30-2001, 10:57 AM
  3. Incoming data traffic
    By Ales in forum Dedicated Server
    Replies: 4
    Last Post: 10-09-2001, 05:39 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts