Thread: Unknown IP Uploads

  1. #1
    Join Date
    Jan 2012
    Beans
    34

    Unknown IP Uploads

    Hi

    I have noticed over the past 2 months that my computer has been uploading at high speeds of around 300-400 KBs when there are no programs running in the background that should be causing this.

    I used Nethogs about a week ago and the results I got from that when I noticed that I was uploading were strange.

    The first time it was chromium that was uploading. Then a couple of IP addresses.

    72.21.194.22 which belongs to s3.amazonaws.com which is a cloud storage site run by Amazon.

    72.52.7.84 which belongs to prolexic.com which is "Prolexic is the world's largest and most trusted Distributed Denial of Service (DDoS) mitigation provider"

    and

    72.21.194.22 which again is from s3.amazonaws.com

    Does anybody know why this is happening? Any help at all would be much appreciated.

    Thank You.

  2. #2
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,609
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Unknown IP Uploads

    I have no idea, could be a background process. It's possible to block these specific IP addresses using a firewall. That's what I would do.

  3. #3
    Join Date
    Jan 2012
    Beans
    34

    Re: Unknown IP Uploads

    Originally posted by kevdog:
    I have no idea, could be a background process. It's possible to block these specific IP addresses using a firewall. That's what I would do.

    Honestly I don't know. If somebody can help me with that I can give it a try.

    There are more IPs though, they aren't using as much bandwidth but they are still uploading something.

    209.85.143.136 - google.com (markmonitor.com -Brand protection, domain name management, domain registration, and anti fraud solutions.)

    74.207.237.212 - linode.com (cloud storage)

    95.172.94.18
    95.172.94.40 - both of these are from ripe.net (The RIPE NCC is one of five Regional Internet Registries (RIRs) providing Internet resource allocations, registration services and coordination activities that support the operation of the Internet globally.)

    50.172.234.194 - ec2.amazonaws.com (amazon cloud storage)

    64.215.255.89 - arin.net (American Registry for Internet Numbers)


    There's more but I haven't checked who they are yet.

  4. #4
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,609
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Unknown IP Uploads

    The best thing to do is to just start blocking them incrementally. You are never going to do it all in one sweep. Block a few, look at the logs, block a few more, look at the logs, etc.

    I've got to run right now, but later I'll post a basic script file you can use to configure your iptables against the offending addresses. There are multiple ways to do this, however I'd recommend a script file since iptables needs to be repopulated after every boot.

  5. #5
    Join Date
    Jan 2012
    Beans
    34

    Re: Unknown IP Uploads

    Originally posted by kevdog:
    The best thing to do is to just start blocking them incrementally. You are never going to do it all in one sweep. Block a few, look at the logs, block a few more, look at the logs, etc.

    I've got to run right now, but later I'll post a basic script file you can use to configure your iptables against the offending addresses. There are multiple ways to do this, however I'd recommend a script file since iptables needs to be repopulated after every boot.

    Excellent, thank you very much.

  6. #6
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Unknown IP Uploads

    The connection to the Amazon servers is because you have Ubuntu One enabled, the Google connection is probably because you have a Gmail or other account with Google, and you don't sign out from it before shutting down. The others may have something to do with the DNS servers your ISP uses.

  7. #7
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: Unknown IP Uploads

    ...and to determine what's actually going on just run tcpdump to capture packets and then analyze traffic in say Wireshark.

  8. #8
    Join Date
    Jan 2012
    Beans
    34

    Re: Unknown IP Uploads

    Originally posted by cariboo907:
    The connection to the Amazon servers is because you have Ubuntu One enabled, the Google connection is probably because you have a Gmail or other account with Google, and you don't sign out from it before shutting down. The others may have something to do with the DNS servers your ISP uses.

    When I run Ubuntu One the only results that come up in Nethogs are python and something else. I took a screen shot, I'll attach it below.

    As for Google I don't have an email client set up on this computer, so the only way it would be doing that would be through Chromium and I had it closed at the time.

    It's the speed that made me notice. My connection is only 0.4Mb/s so it's basically using up all my bandwidth.

  9. #9
    Join Date
    Jan 2012
    Beans
    34

    Re: Unknown IP Uploads

    Originally posted by unspawn:
    ...and to determine what's actually going on just run tcpdump to capture packets and then analyze traffic in say Wireshark.

    I did run Wireshark once when I noticed it, but to be honest I don't understand most of the stuff it says.

  10. #10
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: Unknown IP Uploads

    Originally posted by CaptainofCrunch:
    I did run Wireshark once when I noticed it, but to be honest I don't understand most of the stuff it says.

    Couple of ways about it: 0) learn about it (bit steep learning curve maybe ;-p) here or here and here and maybe check here (archive.org copy) if you can't get enough of that stuff or 1) ask specific questions or else 2) share the pcap for others to analyze.
    * In case of the latter you may want to obfuscate your IP address and scrub certain types of traffic (logins, cookies, destinations).

    ** Wrt your screen shot: running nethogs gives you process IDs. These PIDs you can then run through 'lsof' for more clues. For example running 'sudo lsof -Pwlnp 2085' should get you the process details from the second one listed in your screen shot. The caveat is the process has to be running, you can't do it afterwards.
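
Added example, not part of the thread: the nethogs-to-lsof step from post #10 turned around, so that each remote address is tied to the PID and command holding the socket. The function name `peers_by_process` and the sample `lsof -nP -i` output are constructed for illustration; only the remote addresses come from the thread.

```shell
#!/bin/sh
# Added example: group connected sockets by remote IP and owning process.

# Constructed sample of `lsof -nP -i` output. The remote addresses appear in
# the thread; PIDs, commands, users and local addresses are made up.
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
python    2085 user   12u  IPv4  31337      0t0  TCP 192.168.1.10:51234->72.21.194.22:443 (ESTABLISHED)
python    2085 user   14u  IPv4  31340      0t0  TCP 192.168.1.10:51240->72.21.194.22:443 (ESTABLISHED)
chromium  3120 user   88u  IPv4  40211      0t0  TCP 192.168.1.10:40112->209.85.143.136:443 (ESTABLISHED)
cupsd      901 root    7u  IPv4  11022      0t0  TCP 127.0.0.1:631 (LISTEN)
avahi-dae  850 avahi  13u  IPv4  10877      0t0  UDP *:5353'

# Reads `lsof -nP -i` output on stdin and prints "remote_ip pid command sockets"
# for every connected socket, skipping listeners and unconnected UDP.
peers_by_process() {
    awk 'NR > 1 && $9 ~ /->/ {
        split($9, ends, "->")        # NAME column is local->remote
        remote = ends[2]
        sub(/:[0-9]+$/, "", remote)  # drop the remote port
        count[remote " " $2 " " $1]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Offline run against the constructed sample:
printf '%s\n' "$SAMPLE_LSOF" | peers_by_process

# Live use while the upload is happening (root is needed to see sockets
# owned by other users):
#   sudo lsof -nP -i | peers_by_process
#   sudo lsof -Pwlnp 2085    # then inspect a single PID, as in post #10
```

As the post notes, this only works while the process is still running; a PID that has already exited leaves nothing for lsof to report.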
