Where is incoming traffic coming from?

Amedee @ Ubuntu amedee-ubuntu at amedee.be
Mon Aug 3 08:14:47 UTC 2009


> -----Original Message-----
> From: ubuntu-users-bounces at lists.ubuntu.com [mailto:ubuntu-users-bounces at lists.ubuntu.com] On Behalf Of NoOp
> Sent: Monday, August 03, 2009 5:29 AM
> To: ubuntu-users at lists.ubuntu.com
> Subject: Re: Where is incoming traffic coming from?
>
> On 08/02/2009 08:03 PM, Florian Diesch wrote:
> > NoOp <glgxg at sbcglobal.net> writes:
> >
> >> On 08/02/2009 04:24 PM, Amedee @ Ubuntu wrote:
> >> ...
> >>>
> >>> FYI: after I added 193.190.67.15 to /etc/shorewall/blacklist and
> >>> restarted shorewall, the traffic stopped. To save you a whois: that's
> >>> Belnet, a very reputable Belgian research network that interconnects
> >>> all Belgian universities and that also has a large Linux mirror. They
> >>> are supposed to be "good guys".
> >>>
> >>> Weird... but I have no time to investigate at the moment.
> >>>
> >>
> >> It's a mirror:
> >> http://193.190.67.15/mirror/
> >> ftp://193.190.67.15/
> >
> > It's ftp.belnet.be
>
> Well yes, that's already been established & easy enough to figure out.
> $ host 193.190.67.15
> 15.67.190.193.in-addr.arpa domain name pointer ftp.belnet.be
>
> However, if you pop http://193.190.67.15 into a browser you get redirected
> to http://193.190.67.15/mirror/
>
> What do you suppose the following implies?
> ====
> Welcome to the BELNET public FTP cluster ftp.belnet.be !
>
> This archive is provided through a cluster of 12 dual processor, dual
> core Intel Xeon 3 GHz machines, each having 4 GB of RAM. The 16 TB FTP
> archive is taken from an iSCSI SATA SAN.
>
> This cluster is located in Brussels, Belgium and operated by BELNET, the
> Belgian Education and Research Network. If you have any problem,
> question or mirror request, please send them to ftpmaint at belnet.be. This
> archive is also available through the following means:
> ====

People, please...
I've got the impression that you're all missing the point here.
I *know* what Belnet is. Let me explain something.

I live in Belgium. When I'm working on my home computer and I need to
download something, then Belnet is the mirror that I use most of the time.
Because it is fast and reliable. Belnet is the government funded national
research network that connects schools, universities, and government
departments. These guys know what they are doing. If I had to say that
it's my mistake or their mistake, then I would say my mistake, without any
doubt.

But the problem is not with my desktop PC at home, it's with my mail/web
server "somewhere in the cloud". Until the end of June, the old server was
physically located in a datacenter somewhere in Belgium. I don't know
exactly where, but that does not matter. On the old server I never had a
lot of traffic, perhaps 1-2 GB/month.

In June the person who runs Dom0 wanted to switch to a cheaper root server
(the datacenter charged a lot for energy), so he got one from Hetzner, in
Germany. He set up a new DomU and I reinstalled my server from scratch. At
least starting the last week of June I saw that the server got a lot of
incoming traffic. I have made very detailed notes of my configuration (and
I have started to blog about it, http://amedee.be/linux/server, in Dutch).
But unfortunately I didn't document the exact date that the traffic
started. I installed vnstat somewhere in the last week of June; I changed
my DNS records to point to the new server in the last week of June and I
saw the traffic in the last week of June. I don't know what came first.
The new server was already online during the whole month of June and it
didn't see a lot of traffic until the last 3-4 days. This may be a
coincidence.

"Empirically observed covariation is a necessary but not sufficient
condition for causality" (E. Tufte)

There is one thing that I'm absolutely sure of: I never *knowingly* made a
connection to Belnet from the new server. For example, the sources.list
points to a mirror in Germany.


I suggest that you all let it rest until I get my hands on the dumpfile.
Until then, it's all just wild guesses.
Meanwhile I have learned a lot about shorewall, iptraf and ntop. :)

Kind regards,
Amedee