11

I have an Ubuntu box running 14.04. Over the past couple of days I have been having network issues on all my devices. This Ubuntu box is wired directly into the router. After some common troubleshooting steps I found that when I disconnected my Ubuntu box from my router all problems went away... weird, right?

In my router logs, this is what is stated when the Ubuntu box is plugged in:

Oct 23 20:57:25 unknown user.warn kernel: nf_conntrack: table full, dropping packet.

Over and over and over again.

I looked up that error and found that basically my router is being flooded with a crap ton of connections, but I have no idea why. I have not changed anything on my Ubuntu box.

I ran a live session of Ubuntu and the problem does not rear its head when in the live session.

I then installed NetHogs, which provided me with this.... I have NO IDEA what this means or what is happening or why it's happening. The only web servers I run on my Ubuntu box are nzbdrone and sabnzbd. Normally I would just reformat and be done with this, but the problem is I have a software RAID 5 I am running with 10 TB of stuff I don't wanna lose.

[Screenshot: NetHogs output]

(shows no PID, just ?'s)

Someone please tell me how I can stop this, it is crippling my network.

Riking
  • 117
Artemis17
  • 111

1 Answer

20

That looks like a load of outgoing connections to an Amazon CloudFront node.
CloudFront is Amazon's content delivery network product. It could be hosting anything.

So to answer your headline question: No, you aren't being DDoSed. This isn't distributed and it's not an attack. Your computer is nuking your network by creating too many connections for your router.

To properly diagnose you would need to either:

  • Intercept the outgoing traffic with something like Wireshark.
  • Work out the application sending the requests.

But given that you're running two pretty substantial downloading applications, they would be my first obvious suspects. Shut them down and see if things improve.

In my limited experience with NZB, it might be that you just need to limit the number of connections they're making. Many will split files into dozens of chunks and the downloader will use multiple threads on each. If you tell the downloader to just do a couple of chunks at a time, you might see better performance.

Or get a better router.

Oli
  • 293,335
  • My router is an Asus N66U running Tomato. Also, I shut down my NZB programs to be sure they weren't causing the issue, and they were not. I downloaded Wireshark but according to Wireshark I have no network interfaces. – Artemis17 Oct 24 '14 at 12:57
  • 1
    For wireshark, see this – Oli Oct 24 '14 at 12:59
  • netstat -anp | grep :80 might hint you to the processes running wild – Hagen von Eitzen Oct 24 '14 at 15:50
  • Well, thanks guys. I'm not sure what I did, but I was thinking: I run a Plex server on this Ubuntu box, which like 2 people have the login for. So I changed my password for Plex and I also updated Plex on Ubuntu, and now I am not dropping any packets and the router is not crashing. I think Plex uses Amazon servers in some capacity? I hope this stays resolved and that this helps someone else. Thanks so much everyone for taking the time to help me, it means a lot. – Artemis17 Oct 24 '14 at 16:45
  • 2
    @BradNohra Plex might occasionally download metadata from Amazon but that's not particularly high bandwidth, and certainly not the kind of thing that should cause problems with any reasonable router. The only time Plex should be using a lot of bandwidth is if someone is streaming from it. – David Z Oct 24 '14 at 16:56
  • I lied, the problem is back. When I went home and ran NetHogs again I wasn't seeing the problem; usually it starts up very fast and doesn't stop. And it's back again. I'm gonna try that Wireshark thing when I get home and report back. – Artemis17 Oct 24 '14 at 19:13
  • I am running Wireshark as root based on the link you provided, @oli, but when I stop the capture, Save and Save As under File are not clickable. Not sure what to do to be able to show you guys the data? Also, while the program is running it constantly fades dark and light. Thanks for the help – Artemis17 Oct 25 '14 at 02:39
  • Today's IP is 142.4.194.24, Department of Health Canada? – Artemis17 Oct 25 '14 at 03:37
  • I ran Wireshark for a few hours when I ran out to dinner and I have like three huge files?? Should I post them somewhere where someone can get a look? Or is there some way I could easily find the answer? – Artemis17 Oct 25 '14 at 12:23
  • 1
    No. Examine it yourself. Filter by HTTP traffic (assuming that is what's most prevalent) and see what it's requesting and from where. – Oli Oct 25 '14 at 15:57
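
One way to do the "work out the application sending the requests" step from the answer, alongside the netstat suggestion in the comments, is to count sockets per remote endpoint from `/proc/net/tcp` and map their inodes to PIDs. This is an added example, not code from the original thread; the function names and the sample table are constructed, and it assumes Linux, IPv4 (`/proc/net/tcp6` holds IPv6) and a little-endian host.

```python
import glob, os, socket, struct
from collections import Counter

STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}
# Constructed sample in /proc/net/tcp layout; remote IPs are documentation ranges.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001
   1: 0A01A8C0:C350 057100CB:0050 01 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 0A01A8C0:C351 057100CB:0050 01 00000000:00000000 00:00000000 00000000  1000        0 20003
   3: 0A01A8C0:C352 057100CB:0050 02 00000000:00000000 01:00000064 00000001  1000        0 20004
   4: 0A01A8C0:C353 076433C6:01BB 06 00000000:00000000 03:00000BB8 00000000     0        0 0
"""

def decode(hexaddr):
    """'057100CB:0050' -> ('203.0.113.5', 80); the IPv4 hex is byte-swapped."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse(text):
    """Return one dict per non-listening socket in /proc/net/tcp text."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] == "0A":         # ignore short lines and LISTEN
            continue
        rows.append({"remote": decode(f[2]), "state": STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def top_remotes(rows, n=5):
    """Count sockets per (remote ip, port), busiest first."""
    return Counter(r["remote"] for r in rows).most_common(n)

def owners(inodes):
    """Map socket inode -> PID via /proc/<pid>/fd links (run as root to see all)."""
    found = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)            # e.g. 'socket:[20002]'
        except OSError:
            continue                            # process exited or no permission
        if target.startswith("socket:[") and int(target[8:-1]) in inodes:
            found[int(target[8:-1])] = int(fd.split("/")[2])
    return found

if __name__ == "__main__":                      # live run on the affected host
    rows = parse(open("/proc/net/tcp").read())
    print(top_remotes(rows), owners({r["inode"] for r in rows}))
```

Sockets in TIME_WAIT report inode 0 and uid 0, so they never map to a PID even though they still count toward the total per remote endpoint.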