
I have a laptop using Kubuntu 18.04.3 and most of the time I use my phone as a Wi-Fi hotspot. Therefore, I have a limited quantity of internet connection. Until recently, everything was fine; I had to check from time to time the amount of mobile data left, but it was enough for my use.

But for about three weeks, my laptop has been using much more internet connection than usual. While in general I was using ~1-2GB per day, I saw this number increase to 10-11GB a day. Since the amount of mobile data is important to me, I tried to check where this "leak" is coming from.

I use iftop regularly to see where this comes from. It seems that when I use a browser (whether Firefox or Brave), after a random amount of time, one domain / address (I'm not sure about the term) downloads about 4MB (megabytes, not megabits) per second. The domains/addresses responsible are 2606:4700::6812:15e2 and 104.16.218.84. Using whois, it appears that both are owned by Cloudflare (but I don't know if this information is relevant here).

The second one is an IP address, so I tried to block it with iptables but I don't know what to do with the first one. Does somebody know a way to fix this?


Edit: my first question was about how to block this kind of address, but I'm looking for a solution that is easier to implement. Currently, what I'm doing is checking iftop very regularly to try to identify the addresses responsible for the "leaks" of internet data. But this is not ideal since it requires my attention quite regularly and because I have the impression that each time I block an address, another takes its place.

For now, I only see two solutions:

  • set in place a sort of alert to automatically block an address that downloads more than a certain amount of data (but I have no idea how to do it)

  • or try to find the first cause of the problem and fix it directly. As I said, this problem only appeared 3 weeks ago (whereas I use my phone as Wi-Fi hotspot for about two years). I checked dpkg.log and dpkg.log.1 in /var/log to see if the appearance of this problem coincided with the installation of a program. The only program I installed in this period was clamav, which I have removed without solving my problem.

Any idea where this can come from? A program update?

bretauv
    That is an IP address as well, only an IPv6 address whereas the other is an IPv4 address. It can be blocked with iptables just as well. – Jos Jul 06 '20 at 07:54
  • @Jos Thanks, iptables didn't work with this address so I used ip6tables and then iptables-persistent to keep this after reboot – bretauv Jul 06 '20 at 08:09
  • Another thing you could do is use wireshark or similar and capture all DNS lookups coming from your computer. You can then filter out only the results that actually resolve to one of the suspect IPs (which can/will change with time) to maybe see what's actually getting hit. If it's only happening when your browser is open, consider using an adblocker as well. Cloudflare also has way more IPs than you can (or should) block -- it's better to trace down the actual problem instead of trying to solve it with iptables in this case. – Kaz Wolfe Jul 10 '20 at 23:23
  • @KazWolfe I installed wireshark but I never used it before and I don't understand what your first two sentences mean. Also, I already have an adblocker (uBlock Origin). I understand why blocking IPs is just a temporary solution, but as I said, using wireshark is a mystery for me. – bretauv Jul 11 '20 at 08:12
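The approach Kaz Wolfe suggests above, as an added example that is not part of this thread: capture DNS replies, then map the suspect addresses from the question back to the names that resolved to them. It assumes the capture was exported with `tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields -e dns.qry.name -e dns.a -e dns.aaaa` (tab-separated, several addresses in one field joined by commas; an assumption about tshark's field export format) and uses a constructed sample of that output.

```python
import ipaddress

# Constructed sample of tshark "-T fields" output: query name, A records,
# AAAA records, tab-separated, several addresses in one field joined by ",".
# The clamav.net rows reuse the two addresses from the question; the other
# addresses are documentation ranges, not real lookups.
SAMPLE_DNS = """\
www.clamav.net\t104.16.218.84\t2606:4700::6812:15e2,2001:db8::1
clamav.net\t104.16.218.84\t
example.net\t192.0.2.10\t2001:db8::10
"""

SUSPECT_IPS = ["104.16.218.84", "2606:4700::6812:15e2"]

def parse_dns_export(text):
    """Yield (query_name, set of ipaddress objects) per exported DNS reply."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        addrs = set()
        for field in parts[1:]:
            for raw in field.split(","):
                raw = raw.strip()
                if raw:
                    addrs.add(ipaddress.ip_address(raw))
        yield parts[0], addrs

def names_for_suspects(text, suspects):
    """Map each suspect IP (as written) to the sorted names that resolved to it.
    Comparing ipaddress objects makes IPv6 spelling differences irrelevant."""
    wanted = {ipaddress.ip_address(s): s for s in suspects}
    hits = {s: set() for s in suspects}
    for name, addrs in parse_dns_export(text):
        for ip in addrs & set(wanted):
            hits[wanted[ip]].add(name)
    return {s: sorted(names) for s, names in hits.items()}

if __name__ == "__main__":
    for ip, names in names_for_suspects(SAMPLE_DNS, SUSPECT_IPS).items():
        print(ip, "<-", ", ".join(names) or "(no DNS reply seen)")
```

A suspect address with no name next to it was never returned by a DNS reply in the capture, which usually means the client had it cached or hard-coded rather than looked up.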

2 Answers

You wouldn't happen to be using Cloudflare's DNS? Or maybe your phone is, by default? What port(s) are the connections going to?

Because of the nature of their business, I would think that you are using a site that is using their services... Did any of the sites you use stop working correctly when you blocked the IPs you've already blocked?

.......it "SEEMS" clamav is the one you should still be focusing on...

https://gethpinfo.com/showdomain/www.clamav.net.html

There are your suspect IPs. I could be wrong but Cloudflare is a proxy, and clamav.net is on their IP space. I would configure clamav to do updates on demand in this situation... BUT being that you still see the traffic and you say you removed it??? It may or may not have solved the original problem.

...OR confirm that clamav is truly removed

According to their site, these are Cloudflare's IP ranges, if you still want to block them. https://www.cloudflare.com/ips/

WU-TANG
  • I'll answer in the order: 1) I don't really know how to check the DNS I use so I went here and it says that the owner of the DNS server is Bouygues Telecom (a French ISP). 2) None of the sites I visit are affected by the block of some IPs. 3) clamav is truly removed. – bretauv Jul 11 '20 at 07:57
  • According to the first site that I posted, the communication may still be coming from clamav. Did you check it out? If you look here: https://gethpinfo.com/showipadresse/104.16.218.84.html you'll see one of the domains listed on the bottom of the page for that address is clamav.net... if you click that link, it takes you to the page that I previously posted. So if you are indeed STILL receiving traffic from that address, it most likely is from clamav.net (being that there are no other domains listed on that portion of the page) – WU-TANG Jul 11 '20 at 19:37
  • I thought I removed everything from clamav but apparently I forgot to remove clamav-daemon and clamav-freshclam, I will let you know how it goes and if I still have "leaks" of data – bretauv Jul 15 '20 at 15:35
  • Cool... but if you really actually want clamav, setting it to manual updates only, may solve your problem. I will admit, I have not checked my traffic so I don't know if that is happening on my system. But I installed it with apt-get and I turned off all the updates in the clamav software.. I think it still gets software updates through the ubuntu repository, but the virus definitions I have to download them manually... I am thinking the definitions are your problem. glad you found it either way – WU-TANG Jul 15 '20 at 16:03
  • stupid me... just realized that I had the exact same problem you have (most likely) a while ago... I wish I could give you more specifics on how to fix it but. Clamav was stuck trying to download some update. In /var/log/syslog it showed the repeated attempts. I think by default it checks every hour, but it was showing constant failures to download and retrying. By looking through the log and the databases, main.cvd, daily.cvd, etc. I was able to determine which one was the problem... All I remember was I removed one and/or manually updated one and it stopped trying to download abnormally – WU-TANG Jul 17 '20 at 02:34
  • In /var/lib/clamav... I think I didn't have a daily.cld and I copied the main.cld to the daily... or maybe vice versa.. and then let it update normally. My system says it's doing updates automatically, so maybe I suggested wrong earlier. Maybe setting it for me to do the updates manually is the thing that broke it. BECAUSE I NEVER DID THEM!!! and then maybe I decided to let it do it automatically after I got it straightened out. I truly don't remember. Either way, you may not care, I know you are trying to just get rid of it... but if you decide to look into it, hopefully this helps a little. – WU-TANG Jul 17 '20 at 03:03
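The "stuck update" pattern WU-TANG describes (hourly freshclam checks turning into constant retries visible in /var/log/syslog) can be picked out of the log mechanically. This is an added example, not code from the thread or from ClamAV: the syslog excerpt is constructed, the hostname, pid and message wording are made up (real freshclam messages differ between versions), and the check relies only on the `freshclam[` tag, the timestamp and whether a line starts with `ERROR` or `Checking`.

```python
import re
from collections import Counter

# Constructed syslog excerpt: one normal hourly check at 10:00, then a
# retry loop at 11:00 in which every attempt fails, plus an unrelated line.
SAMPLE_SYSLOG = """\
Jul  5 10:00:01 laptop freshclam[2101]: Checking for a newer daily.cvd
Jul  5 10:00:02 laptop freshclam[2101]: daily.cvd is up to date
Jul  5 11:00:01 laptop freshclam[2101]: Checking for a newer daily.cvd
Jul  5 11:00:09 laptop freshclam[2101]: ERROR: download of daily.cvd failed
Jul  5 11:00:40 laptop freshclam[2101]: Checking for a newer daily.cvd
Jul  5 11:00:48 laptop freshclam[2101]: ERROR: download of daily.cvd failed
Jul  5 11:01:20 laptop freshclam[2101]: Checking for a newer daily.cvd
Jul  5 11:01:28 laptop freshclam[2101]: ERROR: download of daily.cvd failed
Jul  5 11:02:00 laptop freshclam[2101]: Checking for a newer daily.cvd
Jul  5 11:02:09 laptop freshclam[2101]: ERROR: download of daily.cvd failed
Jul  5 11:05:00 laptop CRON[2222]: (root) CMD (command -v debian-sa1 > /dev/null)
"""

# Classic syslog prefix: "Mon  D HH:MM:SS host freshclam[pid]: message"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hour>\d\d):\d\d:\d\d "
    r"\S+ freshclam\[\d+\]: (?P<msg>.*)$"
)

def freshclam_stats(log_text):
    """Per hour ("Jul 5 11"): number of update checks and number of ERROR lines."""
    checks, errors = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a freshclam line
        hour = f"{m['mon']} {m['day']} {m['hour']}"
        if m["msg"].startswith("ERROR"):
            errors[hour] += 1
        elif m["msg"].startswith("Checking"):
            checks[hour] += 1
    return checks, errors

def retry_loops(log_text, expected_checks_per_hour=1):
    """Hours with more checks than the schedule allows and at least one error:
    the signature of freshclam hammering the mirror instead of waiting."""
    checks, errors = freshclam_stats(log_text)
    return sorted(h for h, n in checks.items()
                  if n > expected_checks_per_hour and errors[h] > 0)

if __name__ == "__main__":
    print("retry loops in:", retry_loops(SAMPLE_SYSLOG))
```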

@WU-TANG was right (but I write a new and clear answer here because he/she pointed out several possibilities).

Indeed, it is very likely (I can't be 100% sure) that the problem was due to clamav. I thought I removed it but it turns out that freshclam was still there. I purged everything that was related to clamav and my Internet consumption seems to be back to normal.

However, before doing that, I blocked several IPv4 and IPv6 addresses using iptables-persistent. This is the reason why I say it is only likely that removing clamav was the solution: maybe I blocked enough addresses (but I seriously doubt it).

Therefore, if someone encounters that problem, my number 1 action would be to check /var/log/dpkg.log (or dpkg.log.1) to see if it could have been caused by the installation of a particular program. If it turns out that the installation of a program coincided with this, then I would remove it to see if it changes something.

bretauv
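The "number 1 action" in the answer above, checking /var/log/dpkg.log for installs that coincide with the onset of the problem, as an added example that is not part of the thread. It parses the dpkg.log line format (`date time action package:arch old-version new-version`) and lists the packages installed in a window around the day the extra traffic was first noticed; the log excerpt is constructed, with the package names from the thread and placeholder versions.

```python
from datetime import datetime, timedelta

# Constructed excerpt in /var/log/dpkg.log format:
#   "<date> <time> <action> <package>:<arch> <old-version> <new-version>"
# Package names follow the thread; the versions are placeholders.
SAMPLE_DPKG_LOG = """\
2020-06-01 09:12:40 upgrade firefox:amd64 1.0-1 1.0-2
2020-06-14 18:03:11 startup archives unpack
2020-06-14 18:03:12 install clamav-freshclam:amd64 <none> 1.0-1
2020-06-14 18:03:12 status half-installed clamav-freshclam:amd64 1.0-1
2020-06-14 18:03:13 install clamav-daemon:amd64 <none> 1.0-1
2020-06-14 18:03:14 configure clamav-freshclam:amd64 1.0-1 <none>
2020-06-20 07:45:02 upgrade libssl1.1:amd64 1.0-1 1.0-2
2020-07-02 11:00:00 remove clamav:amd64 1.0-1 <none>
"""

def installs_near(log_text, onset, days_before=7, days_after=1,
                  actions=("install",)):
    """Return [(timestamp, action, package)] for dpkg actions inside the window
    [onset - days_before, onset + days_after]. onset is "YYYY-MM-DD" (the day the
    extra traffic was first noticed); add "upgrade" to actions to see updates
    that landed in the same window, which answers the "a program update?" question."""
    onset_ts = datetime.strptime(onset, "%Y-%m-%d")
    start = onset_ts - timedelta(days=days_before)
    end = onset_ts + timedelta(days=days_after)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # not a dated entry
        action, package = parts[2], parts[3]
        if action in actions and start <= ts <= end:
            # drop the ":amd64" architecture suffix from the package name
            hits.append((ts.isoformat(sep=" "), action, package.split(":")[0]))
    return hits

if __name__ == "__main__":
    for ts, action, pkg in installs_near(SAMPLE_DPKG_LOG, "2020-06-15"):
        print(ts, action, pkg)
```

On a real system feed it the concatenation of /var/log/dpkg.log.1 and /var/log/dpkg.log, since logrotate splits the history across the two files.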