
Large amount of traffic hitting external interface only?

Yesterday, we seemed to get hit by a very large amount of traffic externally.

When I looked at the dashboard, the WAN was at 100% of our bandwidth and the LANs and DMZs were trickling along with normal traffic.

Now when somebody is downloading/uploading, you can see that the LANs/DMZs would be up and sometimes match exactly. But this time they weren't, which meant that nobody was downloading/uploading.

But clicking on the WAN and digging into it did not really reveal much either, e.g. multiple IPs being connected to by one didn't exactly stand out from the others.

So what could it be? A large email going to the proxy? A DDoS? Anybody know how to get the UTM to reveal this information in real time?



  • If the 100% was on inbound traffic, Louis, then it was probably a DDoS.  If outbound, it could have been many things.

    On the Dashboard, click on the box that's at 100% to activate the Flow Monitor.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    That's one of the first things I do. In this case, it didn't really show anything. There was nothing that was grabbing all of the bandwidth, e.g. the biggest hitter was 3mb and we were up at a full 30mb.

    Just wondering what others do to investigate these things when they happen, i.e. if they are running http, smtp, ftp proxy etc.

  • My first step is a tcpdump on the WAN interface. With the result I set filters in the tcpdump to exclude known traffic. It's a fast way to get an idea of what's happening.

  • Hi Papa,

    Could you expand on that? I'm not sure how tcpdump would have helped me in this case. If I have 100 users going out to multiple sites, smtp proxy, http proxy and ftp proxy on the go, I'm not sure how I would filter things out to give me something that is hitting my WAN more than anything else.
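To make Papa's suggestion concrete for Louis's situation, here is an added example (not code from this thread or from Sophos) that does the "exclude known traffic, then see what's left" step over `tcpdump -nn -q -i <wan-if>` output. It assumes a WAN address of 198.51.100.10 and that ports 21/25/80/443 are explained by the ftp/smtp/http proxies; the sample lines are constructed, not a real capture. Whatever remains after the known flows are dropped is summed per remote peer and per direction, which is exactly what the Flow Monitor could not show when every individual flow was small.

```python
import re
from collections import Counter

# Constructed sample in the shape of `tcpdump -nn -q -i <wan-if>` output; not a real capture.
SAMPLE = """\
10:00:01.000001 IP 203.0.113.7.443 > 198.51.100.10.40001: tcp 1448
10:00:01.000003 IP 192.0.2.50.12345 > 198.51.100.10.25: tcp 900
10:00:01.000004 IP 192.0.2.99.53412 > 198.51.100.10.8080: tcp 1448
10:00:01.000005 IP 192.0.2.99.53413 > 198.51.100.10.8080: tcp 1448
10:00:01.000006 IP 192.0.2.77.1024 > 198.51.100.10.9999: UDP, length 512
10:00:01.000007 IP 198.51.100.10.51000 > 203.0.113.200.6881: tcp 1200
10:00:01.000008 ARP, Request who-has 198.51.100.1 tell 198.51.100.10, length 28
"""

WAN_IP = "198.51.100.10"            # assumed address of the UTM's external interface
KNOWN_PORTS = {21, 25, 80, 443}     # ports the ftp/smtp/http proxies already account for

LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(?:tcp (\d+)|UDP, length (\d+))"
)

def parse(line):
    """Return (src, sport, dst, dport, payload_bytes), or None for non-IP lines such as ARP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, tcp_len, udp_len = m.groups()
    return src, int(sport), dst, int(dport), int(tcp_len or udp_len)

def summarize(lines, wan_ip=WAN_IP, known_ports=KNOWN_PORTS):
    """Bytes per remote peer, split by direction, after dropping proxy-explained flows."""
    totals = {"inbound": Counter(), "outbound": Counter()}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, sport, dst, dport, nbytes = rec
        if dst == wan_ip:
            direction, peer, local_port, peer_port = "inbound", src, dport, sport
        elif src == wan_ip:
            direction, peer, local_port, peer_port = "outbound", dst, sport, dport
        else:
            continue  # neither end is the WAN interface
        # Same effect as a BPF `not port 80 and not port 443 ...` on the tcpdump command line
        if local_port in known_ports or peer_port in known_ports:
            continue
        totals[direction][peer] += nbytes
    return totals
```

Run `summarize(SAMPLE.splitlines())["inbound"].most_common(5)` to list the heaviest unexplained inbound peers; a flood shows up as many small flows converging on the same direction even when no single one stands out.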