Excessive Up2Date Traffic

Recently (2-3 days) I've noticed regular periodic spikes of Up2Date traffic. Checking the flow monitor, I see a 5-6MB/s spike tagged Sophos UTM Upd2Date every 25 seconds. The total (in Top Clients by Application) was 142GB just yesterday.

There's nothing unusual in the Up2Date log. Checks every 15 minutes with the occasional new pattern successfully installed. Nothing in the IPS log either except regular DNS Amplification Attacks every few minutes, but those have been happening for months.

I can't really see any way to debug this from within the firewall. Do I have to put a monitor on the outside interface and run a packet capture?

Thanks as always for suggestions,

Paul

  • I think the problem is not the up2date process itself; there is no problem to be seen in the log.
    But I see a problem in the SMTP log:

    2021:07:08-02:26:29 mail exim-in[16946]: 2021-07-08 02:26:29 H=mail2.tchibo.de [194.115.167.42]:3202 Warning: xxxx.xxxx profile excludes greylisting: Skipping greylisting for this message

    2021:07:08-02:26:29 mail exim-in[16946]: 2021-07-08 02:26:29 H=mail2.tchibo.de [194.115.167.42]:3202 Warning: xxxx.xxxx profile excludes SANDBOX scan

    2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 spam acl condition: spamd: failed to connect to any address for 127.0.0.1: Connection refused

    2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 spam acl condition: all spamd servers failed

    2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 H=mail2.tchibo.de [194.115.167.42]:3202 Warning: ACL "warn" statement skipped: condition test deferred

    2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 <= prvs=8161b01c6=service@eduscho.at H=mail2.tchibo.de [194.115.167.42]:3202 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=24119

    Can you see this problem on your Sophos as well?
    Regards, Peter
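
The lines Peter quotes show the spam ACL unable to reach spamd on 127.0.0.1, the "warn" ACL being skipped because its condition deferred, and the message then being accepted (the "<=" line). As an added example, not code from the thread or from Sophos, the following Python script parses Exim main-log lines in that format and reports two things a defender would want from the SMTP log: how often the spamd outage occurred, and which accepted messages never got a spam verdict. The sample log embeds the five lines from the post plus one constructed, healthy acceptance (message id 1m1Hvk-0004Q1-7x, sender and host under example.net, IP from the documentation range) so the detector has a negative case; the message-id and "<=" conventions are standard Exim log format.

```python
import re

# Constructed sample: the lines quoted in the post above, followed by one made-up
# healthy acceptance (id 1m1Hvk-0004Q1-7x, example.net, 192.0.2.10) as a negative case.
SAMPLE_LOG = """\
2021:07:08-02:26:29 mail exim-in[16946]: 2021-07-08 02:26:29 H=mail2.tchibo.de [194.115.167.42]:3202 Warning: xxxx.xxxx profile excludes greylisting: Skipping greylisting for this message
2021:07:08-02:26:29 mail exim-in[16946]: 2021-07-08 02:26:29 H=mail2.tchibo.de [194.115.167.42]:3202 Warning: xxxx.xxxx profile excludes SANDBOX scan
2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 spam acl condition: spamd: failed to connect to any address for 127.0.0.1: Connection refused
2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 spam acl condition: all spamd servers failed
2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 H=mail2.tchibo.de [194.115.167.42]:3202 Warning: ACL "warn" statement skipped: condition test deferred
2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 <= prvs=8161b01c6=service@eduscho.at H=mail2.tchibo.de [194.115.167.42]:3202 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=24119
2021:07:08-02:30:11 mail exim-in[16950]: 2021-07-08 02:30:11 1m1Hvk-0004Q1-7x <= sender@example.net H=mx.example.net [192.0.2.10]:25 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1234
"""

# UTM prefix, syslog-style process tag, then the Exim main-log line proper.
LINE_RE = re.compile(
    r"^(?P<utm_ts>\S+) (?P<host>\S+) exim-in\[(?P<pid>\d+)\]: "
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<rest>.*)$"
)
# Exim message ids look like 1m1Hs5-0004PK-32 (6-6-2 alphanumerics).
MSGID_RE = re.compile(
    r"^(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (?P<rest>.*)$"
)
HOST_RE = re.compile(r"H=(?P<name>\S+) \[(?P<ip>[^\]]+)\]")
# "<=" marks message arrival; S= is the size in bytes.
ACCEPT_RE = re.compile(r"^<= (?P<sender>\S+) .*\bS=(?P<size>\d+)")


def parse_line(line):
    """Split one log line into timestamp, optional message id, peer and event text.
    Returns None for lines that are not exim-in records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": f"{m['date']} {m['time']}", "msgid": None, "event": m["rest"]}
    mid = MSGID_RE.match(m["rest"])
    if mid:
        rec["msgid"] = mid["id"]
        rec["event"] = mid["rest"]
    h = HOST_RE.search(m["rest"])
    rec["peer"] = f"{h['name']} [{h['ip']}]" if h else None
    return rec


def analyze(log_text):
    """Count spamd outages and list messages accepted after the spam check deferred."""
    result = {"spamd_outages": 0, "accepted": 0, "accepted_without_spam_verdict": []}
    deferred = set()  # message ids whose spam ACL condition could not be evaluated
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ev = rec["event"]
        if "all spamd servers failed" in ev:
            result["spamd_outages"] += 1
        if "condition test deferred" in ev and rec["msgid"]:
            deferred.add(rec["msgid"])
        acc = ACCEPT_RE.match(ev)
        if acc:
            result["accepted"] += 1
            if rec["msgid"] in deferred:
                result["accepted_without_spam_verdict"].append({
                    "msgid": rec["msgid"],
                    "ts": rec["ts"],
                    "peer": rec["peer"],
                    "sender": acc["sender"],
                    "size": int(acc["size"]),
                })
    return result


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(f"spamd outages: {summary['spamd_outages']}, "
          f"messages accepted: {summary['accepted']}")
    for hit in summary["accepted_without_spam_verdict"]:
        print(f"no spam verdict: {hit['msgid']} at {hit['ts']} from {hit['sender']} "
              f"via {hit['peer']} ({hit['size']} bytes)")
```

Run it against a copy of the UTM SMTP log (or pipe the log through it instead of SAMPLE_LOG) to see whether the spamd failure is a one-off or recurring; a non-zero "no spam verdict" list means mail reached the inbox with the spam check silently skipped, which is worth treating as an incident on its own regardless of the Up2Date traffic question.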

  • Clearly several of us have the same problem, but nothing coming down the pipeline seems to resolve it. It's now been three weeks and I've just checked again -- by switching back to Auto Pattern Updates -- and the issue is still the same.

    I see nothing unusual in our SMTP logs (or any other logs, for that matter), but we run only inbound SMTP traffic through the UTM.

    As mentioned above, our traffic spikes are also coming from Akamai servers, but that's hardly unusual. I imagine that's how Sophos distributes their pattern updates.

    Paul

  • I don't even use SMTP (not even turned on) and the Up2Date patterns over the past two months have been much bigger than in previous months for me. I am not seeing what some of you are (10-100GB a day) but it is noticeable.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)