PFSense LAN Traffic Reached 300mbps


24 replies to this topic

#1 Ramelito


Posted 02 September 2016 - 07:13 AM

Good day,

I am an amateur network admin in a call center and I was just wondering why our LAN traffic, based on our PFSense firewall/router, spiked to 300mbps. Here, the internet connection became slow and some calls went choppy, but our internet connection did not disconnect. Our internet connection has a speed of 30mbps only, by the way. Please see the attached image for reference.

QUESTIONS:
1. Can this be a DoS attack made accidentally or intentionally?
2. I requested all active protocols during the same hour from our ISP and got the data, with SIP RTP being the highest, although there seems to have been BitTorrent active at that time. May I know if RTP can cause network congestion that may reach 300mbps on a LAN?
 

Thank you very much in advance for your answers.

 

-Ram Martinez


#2 Aura


Posted 02 September 2016 - 07:19 AM

SIP RTP: https://en.wikipedia.org/wiki/Real-time_Transport_Protocol

It's possible for RTP to cause network congestion, since RTP applications usually have the priority on QoS (on a well configured network). Do you have any employee using RTP applications/devices (in this case, VoIP or else)? Since it's a call center, it's possible that there's an issue with your VoIP setup if you have one.

I'm not a Network Admin, so these are only observations made on the graphs you provided me.

Also relevant:

http://www.voip-info.org/wiki/view/QoS

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Ramelito


Posted 02 September 2016 - 07:32 AM

Thank you for the valuable information, Miss Aura.

We have two PFSense router/firewalls configured, and the other one is configured with QoS with VoIP as priority.
Might it be BitTorrent that contributed to this? Because the PFsense traffic graph screenshot was taken from the PFsense that has no QoS configured. Because if it did, we'll have to configure the same QoS.
 

Yours,

Ram



#4 Aura


Posted 02 September 2016 - 07:36 AM

If you look at the BitTorrent protocol, you'll see that it's far less used than the SIP and RTP protocols, so I doubt it's the cause. Unless these routers/firewalls serve different purposes, I would have both of them with the same configuration when it comes to QoS. Once done, check if the congestion stops.

How many VoIP phones/devices do you have? A lot? Since it's a call center, I expect it to be the main protocol used over there.



#5 Ramelito


Posted 02 September 2016 - 07:50 AM

Well, you do have a point, Miss Aura. But I am just concerned that it happened only yesterday and only for a few minutes. I'm even surprised that it even reached 300mbps.
We have a total of 80 dialers using our PBX system on the PFsense that has no QoS.
The other firewall with QoS, which has hosted SIPs, has 60 dialers.

Both PFsense would be accepting TCP and UDP traffic.
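A quick sanity check on question 2 of the opening post, added here as an example and not written by anyone in this thread: it estimates the RTP bandwidth the 80 + 60 dialers mentioned above could generate if every one of them were on a call at once, so that number can be set against the 300mbps spike. The codec (G.711 at 20 ms packetisation) and the per-packet header sizes are assumptions, since the thread does not state them.

```python
import math

# Added example, not from any post in this thread: estimate how much RTP
# bandwidth a given number of concurrent calls can generate on Ethernet,
# so the 300 Mbps LAN spike can be compared against what VoIP alone could do.

ETH_OVERHEAD = 14 + 4 + 8 + 12   # Ethernet header + FCS + preamble + inter-frame gap (bytes)
IP_UDP_RTP = 20 + 8 + 12         # IPv4 + UDP + RTP headers (bytes), no header compression

# Codec bit rates in kbit/s; G.711 is the usual default on a PBX (assumption).
CODECS = {"G.711": 64, "G.729": 8, "G.722": 64}


def rtp_kbps_per_stream(codec="G.711", ptime_ms=20):
    """Line rate of one RTP direction for `codec` at packetisation time `ptime_ms`."""
    payload_bytes = CODECS[codec] * 1000 * ptime_ms / 8 / 1000   # audio bytes per packet
    packets_per_second = 1000 / ptime_ms
    packet_bytes = payload_bytes + IP_UDP_RTP + ETH_OVERHEAD
    return packet_bytes * packets_per_second * 8 / 1000


def calls_mbps(n_calls, codec="G.711", ptime_ms=20):
    """Total LAN load for n_calls simultaneous calls; each call is two RTP streams."""
    return n_calls * 2 * rtp_kbps_per_stream(codec, ptime_ms) / 1000


def calls_needed_for(target_mbps, codec="G.711", ptime_ms=20):
    """How many simultaneous calls it would take to generate target_mbps of RTP."""
    per_call_mbps = 2 * rtp_kbps_per_stream(codec, ptime_ms) / 1000
    return math.ceil(target_mbps / per_call_mbps)


if __name__ == "__main__":
    # The thread mentions 80 + 60 dialers; assume every one of them is on a call.
    dialers = 80 + 60
    print(f"G.711/20ms per stream: {rtp_kbps_per_stream():.1f} kbps")
    print(f"{dialers} concurrent calls: {calls_mbps(dialers):.1f} Mbps")
    print(f"Calls needed to reach 300 Mbps: {calls_needed_for(300)}")
```

Under these assumptions 140 simultaneous G.711 calls come to roughly 27 Mbps, an order of magnitude below the spike, which is why the download-heavy host rather than the phones is the more likely source.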

 



#6 Aura


Posted 02 September 2016 - 07:55 AM

Did you check the log on the PBX system to see what was happening during the peak? An unusual number of calls in progress, waiting, incoming, etc.?



#7 Ramelito


Posted 02 September 2016 - 08:14 AM

Hi Miss Aura,

I'll try to get back to this and take a look at the PBX logs you are referring to, which I am not much familiar with yet.

Thank you very much.

Ram Martinez



#8 Aura


Posted 02 September 2016 - 08:17 AM

No problem. Whenever I'm investigating an issue like this, I always try to get the logs and look at every system that could be implicated in the issue to see if I can find similarities and such.

Good luck :)



#9 Trikein


Posted 02 September 2016 - 10:09 AM

Is it possible your dynamic throttle control was disabled during QoS changes, causing each VoIP phone to use more bandwidth than otherwise?

 

By the way, have you investigated why BitTorrent is being used in a corporate environment? Linux distros? :orange: Even if it isn't causing the problem, you now have the IP of the person using it.



#10 Ramelito


Posted 02 September 2016 - 10:24 AM

Hi Mr. Trikein,

Please see my reply under each quote.

> Is it possible your dynamic throttle control disabled during QoS changes, causing each VOIP phone to use more bandwidth then otherwise?

It may have been, because from my understanding of how I have configured the QoS on our PFsense firewall, as long as there is voice traffic and other traffic passing through the same link, it will drop the others and let voice traffic go first.

> By the way, have you investigated why Bittorrent is being used in a corporate environment?

Well, during this time BitTorrent was not blocked, and although we apply rules on the Cisco router or the PFsense firewall to block the application, it seems that its packets are encrypted and still pass. So our solution was to apply QoS for VoIP. And we also know whichever IP is using the most bandwidth based on the PFsense traffic graph.

QUESTION:
Do you have any information on how to block or at least prevent BitTorrent from creating any traffic? Because the PFsense Firewall: Traffic Shaper: Layer7 does not seem to work at all. And on the Cisco router we also tried ACL blocking of the BitTorrent app itself, but when tested, torrent downloads still occur.


 



#11 Ramelito


Posted 02 September 2016 - 10:32 AM

> No problem. Whenever I'm investigating an issue like this, I always try to get the logs and look at every system that could be implicated in the issue to see if I can find similarities and such.
>
> Good luck :)

Hi again,

I just had access to the PBX directories.
May I know if I'm on the correct path?
Right now I am here:
/var/log



#12 Aura


Posted 02 September 2016 - 10:35 AM

I don't know anything about PBX Servers sadly, so I won't be of much help. However it is obvious to me that these servers should keep logs of what they're doing hence why I suggested checking them.



#13 Trikein


Posted 02 September 2016 - 10:42 AM

Are the IPs static/reserved? If so, can you physically find the computer (192.168.0.144) that is capable of the spike? RTP used more bandwidth overall, but a spike in download bandwidth is likely BitTorrent. If you can find it, I would uninstall the program and put rules in place to stop it from happening on the PC itself.

 

As for blocking the app, doesn't ACL only block IPv4 routing? If so, the application is probably using IPv6. Can't block specific ports because it uses UPnP. I am sure there is a good way to block them at the network level, I just can't think of it at the moment. Anyone else?

 

PS. I have experience with Avaya Communication Manager if that helps. Not so much with Cisco.


Edited by Trikein, 02 September 2016 - 10:44 AM.


#14 Ramelito


Posted 02 September 2016 - 10:42 AM

> I don't know anything about PBX Servers sadly, so I won't be of much help. However it is obvious to me that these servers should keep logs of what they're doing hence why I suggested checking them.

I see,
I'll ask my supervisor about it when he comes in.



#15 Ramelito


Posted 02 September 2016 - 10:53 AM

> Are the IP's static/reserved? If so, can you physically find the computer (192.168.0.144) that is capable of the spike? RTP used more bandwidth overall but a spike in download bandwidth is likely Bittorrent. If you can find it, I would uninstall the program and put rules to stop it from happening on the PC itself.
>
> As for blocking the app, doesn't ACL only block IPv4 routing? If so, the application is probably using IPv6. Can't block specific ports because it uses UPnP. I am sure there is a good way to block them at the network level, I just can't think of it at the moment. Anyone else?
>
> PS. I have experience with Avaya Communication Manager if that helps. Not so much with Cisco.

Well, we can do that: block the application or uninstall the application from the computer itself. However, if a user brings in his own device with the BitTorrent application, this may not be possible. The only way I can think of is to block using the firewall rules or at the router. By the way, the IPs are statically assigned to most of our workstations, and some aren't. For blocking in the Cisco router, there's an option to block using TCP since BitTorrent is TCP. We are continuously researching how to do this in pfsense. :guitar:
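On the question of spotting BitTorrent at the network level (posts #13 and #15): since the peer port is not fixed, a payload signature is more dependable than a port-based ACL. The following is an added example, not code from any poster or from pfSense, that recognises the plaintext peer-wire handshake and DHT (BEP 5) lookups so a firewall or IDS log can name the LAN host responsible; MSE-obfuscated peer streams, the "encrypted" packets mentioned in post #10, will not match. The sample payloads and the 203.0.113.x addresses are constructed; 192.168.0.144 is the host named in the thread.

```python
import re

# Added example, not from any post in this thread: identify BitTorrent traffic by
# payload rather than by port. Catches the plaintext peer-wire handshake and DHT
# lookups; MSE-obfuscated peer streams will not match this and need other signals.

# Peer-wire handshake: <0x13>"BitTorrent protocol"<8 reserved><20 info_hash><20 peer_id>
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
HANDSHAKE_LEN = 1 + 19 + 8 + 20 + 20

# DHT messages are bencoded UDP dictionaries: "1:y1:q" (query) / "1:y1:r" (response),
# and a query names its method under the "q" key.
DHT_TYPE = re.compile(rb"1:y1:[qr]")
DHT_QUERY = re.compile(rb"1:q(4:ping|9:find_node|9:get_peers|13:announce_peer)")


def classify_payload(payload):
    """Return 'bt-handshake', 'bt-dht' or None for one application-layer payload."""
    if len(payload) >= HANDSHAKE_LEN and payload.startswith(HANDSHAKE_PREFIX):
        return "bt-handshake"
    if payload.startswith(b"d") and payload.endswith(b"e") and DHT_TYPE.search(payload):
        if DHT_QUERY.search(payload) or b"1:rd" in payload:
            return "bt-dht"
    return None


def handshake_info_hash(payload):
    """Hex info_hash from a plaintext handshake (identifies the torrent, not the content)."""
    return payload[28:48].hex()


def scan_flows(flows):
    """flows: iterable of (src_ip, dst_ip, payload). Returns the BitTorrent hits per host."""
    hits = []
    for src, dst, payload in flows:
        label = classify_payload(payload)
        if label:
            hits.append((src, dst, label))
    return hits


# Constructed sample payloads (not captured traffic); 192.168.0.144 is the host named
# in the thread, every other value below is made up.
NODE_ID = b"\x11" * 20
SAMPLE_HANDSHAKE = HANDSHAKE_PREFIX + b"\x00" * 8 + b"\xaa" * 20 + b"-XX0001-" + b"0" * 12
SAMPLE_DHT_PING = b"d1:ad2:id20:" + NODE_ID + b"e1:q4:ping1:t2:aa1:y1:qe"
SAMPLE_DHT_RESP = b"d1:rd2:id20:" + NODE_ID + b"e1:t2:aa1:y1:re"
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_FLOWS = [
    ("192.168.0.144", "203.0.113.7", SAMPLE_HANDSHAKE),
    ("192.168.0.144", "203.0.113.9", SAMPLE_DHT_PING),
    ("192.168.0.10", "192.168.0.2", SAMPLE_HTTP),
]
```

DHT queries stay plaintext even when the client encrypts its peer connections, so a host that keeps emitting them is a reliable indicator for the firewall log or for the per-IP traffic graph the thread already uses.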





