The Lurker
Fully [H]
- Joined
- Jul 1, 2001
- Messages
- 19,170
I recently set up Sophos UTM on a spare machine and have been learning some fascinating things about network security.
Most recently, going through the dashboards I have discovered that uTorrent running on my server is sending out huge amounts of traffic to the University of Iowa. I tried to figure out why, but I have no idea how to narrow down what specifically in the client is trying to communicate to this IP. I tried using Wireshark to obtain more info, but that only tells me that the protocol is a GSVP.
This is the log entry from Sophos:
2016:10:09-20:45:06 sophos ulogd[6840]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="172.16.0.6" dstip="128.255.150.200" proto="17" srcport="38599" dstport="57279"
One more producing tons of traffic.
2016:10:09-21:32:00 sophos ulogd[6840]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="172.16.0.6" dstip="209.222.15.232" srcport="38599" dstport="51413"
What could this be?
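A first step toward answering "what could this be" is to stop reading the IPS events one at a time and aggregate them: Sophos ulogd writes one line per event as space-separated key="value" pairs, so a small parser can group the "UDP flood detected" hits by source port, destination IP and destination port and show which flows dominate. The script below is an added example, not code from the post or from Sophos. It assumes nothing beyond the line layout visible above; the sample log is constructed from the two entries in the post plus one extra made-up line for the same Iowa peer so that the counts are not all 1, and the second entry deliberately keeps the unterminated dstip quote and the missing proto field exactly as it was pasted, which the parser tolerates.

```python
import re
from collections import Counter

# Constructed sample: the two ulogd lines from the post plus one extra line (20:47:12) made up
# for the same src/dst pair. The 21:32:00 line keeps its unterminated dstip quote and lacks proto=.
SAMPLE_LOG = """\
2016:10:09-20:45:06 sophos ulogd[6840]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="172.16.0.6" dstip="128.255.150.200" proto="17" srcport="38599" dstport="57279"
2016:10:09-20:47:12 sophos ulogd[6840]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="172.16.0.6" dstip="128.255.150.200" proto="17" srcport="38599" dstport="57279"
2016:10:09-21:32:00 sophos ulogd[6840]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcip="172.16.0.6" dstip="209.222.15.232 srcport="38599" dstport="51413"
"""

# Line prefix: "<timestamp> <host> <process>[<pid>]: " followed by the key="value" pairs.
PREFIX_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<rest>.*)$'
)

# key="value" pairs. A value normally ends at the closing quote; if the quote is missing
# (as in the pasted dstip above) the value ends just before the next key=" or at end of line.
FIELD_RE = re.compile(r'(\w+)="([^"]*?)(?:"|(?=\s\w+=")|$)')


def parse_ulogd_line(line):
    """Parse one Sophos UTM ulogd line into a dict, or return None if the prefix is absent."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "process": m.group("proc"),
        "pid": m.group("pid"),
    }
    rec.update(dict(FIELD_RE.findall(m.group("rest"))))
    return rec


def udp_flood_flows(log_text):
    """Count 'UDP flood detected' events per (srcip, srcport, dstip, dstport) tuple."""
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_ulogd_line(line)
        if rec is None or rec.get("name") != "UDP flood detected":
            continue
        key = (rec.get("srcip"), rec.get("srcport"), rec.get("dstip"), rec.get("dstport"))
        flows[key] += 1
    return flows


def source_ports(flows):
    """Distinct local source ports across all flows. One port talking to many peers
    points at a single listening UDP socket on the source host."""
    return sorted({sport for (_, sport, _, _) in flows})


if __name__ == "__main__":
    flows = udp_flood_flows(SAMPLE_LOG)
    for (sip, sport, dip, dport), n in flows.most_common():
        print(f"{n:3d}  {sip}:{sport} -> {dip}:{dport}")
    print("local source ports involved:", source_ports(flows))
```

The useful signal in the post's own two entries is that both flows leave 172.16.0.6 from the same UDP source port, 38599, while the destinations differ. That is the handle for the next step on the server itself: find which process owns UDP port 38599 (ss or netstat on Linux, netstat -b or Get-NetUDPEndpoint on Windows), which settles whether the traffic really comes from the uTorrent client rather than something else on the box.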