
Unwanted traffic originating at UTM

Hi all,

since a few days I have a problem with unwanted traffic originating at the external interface of my UTM. Its destination addresses are from 17.0.0.0/8 (Apple?), the traffic seems to be HTTP (port 80), and the application is classified as "doof" (see also screenshots):

1) Does anyone have an idea why the UTM communicates with these addresses?
2) How can I block this traffic (I tried a simple FW rule with the external interface as source, and also an application control rule, but both did not block it).

Any idea?

Thanks a lot,
    Klaus.



  • Hi, Klaus, and welcome to the UTM Community!

    Search the Web Filtering log from yesterday for those two Apple IPs.  I bet you'll find it's one or more clients getting an update for Apple software.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thanks for the quick answer.

    That's what I also initially assumed, however the traffic seems to be initiated by the UTM itself, since there are about 1.2 Mbps going out of the external interface, but only a fraction of that is entering the internal interface (see screenshots). Is there a possibility to block traffic originating from the UTM itself?

    Regards,
       Klaus.

  • I also am seeing this traffic, in my case it is a problem because my asymmetrical WAN connection is limited at 1.5Mbps, and this "doof" traffic is significantly more than any other outgoing traffic and I am getting frequent connection failures due to timeouts.

    I also tried blocking it, trying first the easy way, using the block button on the interface flow monitor table, which created an application control rule that had no apparent effect.  I then attempted to block all traffic originating at the WAN address to the 7 Apple IP addresses in the flow monitor list, which was also ineffective.

    Because this is a home network, and it isn't as easy to ignore family as it is users at work, I am hoping for some better definition of what and why this traffic is.  Is there detailed application definition information available somewhere? A little more detailed than the

    General browsing and streaming games from online gaming site doof.

    that is listed in the information in the Application Control list.  Especially since the description doesn't even give a URL and googling for doof gaming site is ambiguous at best.

    Any clues?

    Tim

  • I hoped I could get rid of this traffic by the last update of UTM9 (installed it on Wednesday), but after a while the same effect (over 1 Mbps of outgoing traffic to Apple IPs) took place, which resulted in disconnects of my IPTV and other problems :(. In the end, I replaced the UTM with my old Tomato router (WRT-54g), now everything is fine again (no Apple traffic, no disconnects).

  • I'm having the exact same problem.  The external IP of my UTM 9 is swamping my outgoing connection (4MB/s), going to several Apple IPs. The UTM9 labels this as "doof". Where the flow monitor shows other traffic with the actual internal IP of the source/destination of traffic... in this case, it always shows my external ISP IP.  It's killing my service here, and I do not know how to block it.

    Any additional ideas out there?

    I have never heard of "doof" and a Google search landed me in this thread. It seems the only people interested in "doof" are UTM 9 users?  And it is interesting that Klaus solved the problem by switching to a different router/firewall?  It makes it seem like this is some type of attack against UTM 9 appliances?

    - Scott

  • If these are to Apple IPs, it's likely updates that are being handled by Web Filtering.  If this is the case, then it's the Apple server that times out and the Proxy that renews the download attempt.  This is an indication of improperly configured Filtering Exceptions for Apple.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob.  This is all upload bandwidth.  i.e. something is leaving our network, to the tune of 4 to 5MB/s, going TO Apple.  So, this isn't IOS update stuff. However, I suppose it could be iCloud backups, but I would not suspect that these would be done over non-SSL port 80. I still cannot find a real definition for what "doof" is (and why the UTM identifies this port 80 traffic as such)

    - Scott

  • I'm seeing the same "doof" as an application, however my traffic count is much higher (around 14.1 GB).

    Additionally, the top 10 application categories are also showing around the same size of traffic for gaming, so I am assuming they are both linked.

    Has anyone found a way of blocking this?

  • We're seeing something very similar.

    Our top consumers of traffic are all Apple IP addresses and the traffic is consuming 100% of our outbound (upstream) bandwidth for hour-long periods.

    Here are some excerpts from a daily executive report from a holiday when very few actual users were in the office.

    "TOP10 Servers" - all Apple IP addresses.

    Total packets: 10 400 810
    Total traffic: 8.6 GB

     #   Country  IP             User / Host    Packets   Traffic     %
     1   us       17.132.4.58    17.132.4.58    694 050   788.0 MB    8.98
     2   us       17.132.4.59    17.132.4.59    635 962   663.7 MB    7.56
     3   us       17.132.4.63    17.132.4.63    591 525   643.4 MB    7.33
     4   us       17.132.29.62   17.132.29.62   527 676   594.2 MB    6.77
     5   us       17.132.4.61    17.132.4.61    544 596   552.6 MB    6.30
     6   us       17.132.29.57   17.132.29.57   472 065   516.7 MB    5.89
     7   us       17.132.29.60   17.132.29.60   404 921   434.4 MB    4.95
     8   us       17.132.29.61   17.132.29.61   367 425   428.3 MB    4.88
     9   us       17.132.4.56    17.132.4.56    377 261   404.2 MB    4.61
    10   us       17.132.29.56   17.132.29.56   351 504   388.3 MB    4.42

    Top service is HTTP (port 80)

    TOP Applications = iCloud and doof.

    Total packets: 10 400 804
    Total traffic: 8.6 GB

     #   Application   Packets     Traffic   %
     1   iCloud        3 787 873   3.6 GB    41.72
     2   doof          2 884 527   3.5 GB    40.88

    As a test I've turned off the web proxy temporarily to see if the problem is proxy related, and at first test it appears to be.
    As a further test to debug the issue I've re-enabled the web proxy and have added a "Skip Transparent Mode Destination Hosts/Nets" entry for the Apple subnet of 17.0.0.0/8.

    Regards,
    Thomas
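As an added example (not from the thread or from Sophos), the following script parses the executive-report "TOP10 Servers" rows quoted above and reports how much of the listed traffic goes to a single upstream prefix such as 17.0.0.0/8, which is the symptom Thomas traced to the transparent web proxy. The row layout and the binary meaning of MB/GB are assumptions; the threshold and the TEST-NET row are constructed.

```python
import ipaddress
import re

# Constructed sample: rows 1-3 and 10 of the "TOP10 Servers" excerpt above plus one
# made-up non-Apple row (203.0.113.10, a TEST-NET address) for contrast.
SAMPLE_REPORT = """\
    IP User / Host Packets Traffic %
1 us 17.132.4.58 17.132.4.58 694 050 788.0 MB 8.98 %
2 us 17.132.4.59 17.132.4.59 635 962 663.7 MB 7.56 %
3 us 17.132.4.63 17.132.4.63 591 525 643.4 MB 7.33 %
5 us 203.0.113.10 203.0.113.10 120 000 95.0 MB 1.10 %
10 us 17.132.29.56 17.132.29.56 351 504 388.3 MB 4.42
"""

# One row: rank, country, IP, user/host, packets (thousands separated by spaces),
# traffic value and unit, percentage; the trailing "%" is optional (see row 10).
ROW_RE = re.compile(
    r"^\s*(?P<rank>\d+)\s+(?P<cc>[a-z]{2})\s+(?P<ip>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<packets>\d[\d ]*?)\s+(?P<traffic>\d+(?:\.\d+)?)\s+(?P<unit>[KMG]B)"
    r"\s+(?P<pct>\d+(?:\.\d+)?)\s*%?\s*$"
)
UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumption: binary units

def parse_top_servers(text):
    """Parse the report rows; header and footer lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "ip": ipaddress.ip_address(m["ip"]),
                "packets": int(m["packets"].replace(" ", "")),
                "bytes": int(float(m["traffic"]) * UNITS[m["unit"]]),
                "pct": float(m["pct"]),
            })
    return rows

def share_to_prefix(rows, prefix="17.0.0.0/8"):
    """Aggregate the rows whose server IP lies inside prefix."""
    net = ipaddress.ip_network(prefix)
    hit = [r for r in rows if r["ip"] in net]
    return {
        "servers": len(hit),
        "bytes": sum(r["bytes"] for r in hit),
        "pct": round(sum(r["pct"] for r in hit), 2),
    }

def proxy_retry_suspected(rows, prefix="17.0.0.0/8", pct_threshold=25.0):
    """True when one upstream prefix owns at least pct_threshold of the top-server traffic."""
    return share_to_prefix(rows, prefix)["pct"] >= pct_threshold
```

Feed it the full report export and compare the result before and after adding the transparent-mode skip entry; a share that drops sharply confirms the proxy, not a client, was generating the upload.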

  • For any that may be following along with this odd issue, this is what seems to have fixed it:

    • Setup "Skip Transparent Mode Destination Hosts/Nets" for the Apple subnet of 17.0.0.0/8 (allow traffic as desired)
    • Clear Proxy cache
    • Restart proxy services (turn off/on web filtering)

    I'm not sure if that is the best solution, but it seems to be working for the past 24 hours.