Unwanted traffic originating at UTM

Hi all,

For a few days I have had a problem with unwanted traffic originating at the external interface of my UTM. Its destination addresses are from 17.0.0.0/8 (Apple?), the traffic seems to be HTTP (port 80), and the application is classified as "doof" (see also screenshots):

1) Does anyone have an idea why the UTM communicates with these addresses?
2) How can I block this traffic? (I tried a simple FW rule with the external interface as source, and also an application control rule, but neither blocked it.)

Any idea?

Thanks a lot,
    Klaus.



  • I'm having the exact same problem. The external IP of my UTM 9 is swamping my outgoing connection (4MB/s), going to several Apple IPs. The UTM9 labels this as "doof". Whereas the flow monitor shows other traffic with the actual internal IP of the source/destination, in this case it always shows my external ISP IP. It's killing my service here, and I do not know how to block it.

    Any additional ideas out there?

    I have never heard of "doof", and a Google search landed me on this thread. It seems the only people interested in "doof" are UTM 9 users? And it is interesting that Klaus solved the problem by switching to a different router/firewall? It makes it seem like this is some type of attack against UTM 9 appliances?

    - Scott

  • If these are to Apple IPs, it's likely updates that are being handled by Web Filtering.  If this is the case, then it's the Apple server that times out and the Proxy that renews the download attempt.  This is an indication of improperly configured Filtering Exceptions for Apple.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob. This is all upload bandwidth, i.e. something is leaving our network, to the tune of 4 to 5MB/s, going TO Apple. So this isn't iOS update stuff. However, I suppose it could be iCloud backups, but I would not suspect that these would be done over non-SSL port 80. I still cannot find a real definition of what "doof" is (and why the UTM identifies this port 80 traffic as such).

    - Scott
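Added example, not from this thread or from Sophos: a small Python check over constructed flow-monitor lines that isolates the pattern Scott and Bob describe (flows sourced by the UTM's own external address rather than a NATed LAN host, to 17.0.0.0/8 on TCP/80) and counts repeat attempts and bytes per destination, which is what a proxy re-issuing a timed-out download looks like. The line format, the WAN address 203.0.113.10 and the sample addresses are assumptions.

```python
"""Flag UTM-originated HTTP flows to 17.0.0.0/8 in constructed flow-monitor lines.

Line format (constructed, not the UTM's own log format):
    <epoch> <proto> <src> <sport> <dst> <dport> <bytes_out>
src is the pre-NAT address as the flow monitor shows it, so a NATed LAN client
keeps its private address and only traffic the UTM itself sends carries the WAN IP.
"""
from collections import defaultdict
import ipaddress

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")  # assumed WAN address (placeholder)

# Constructed sample: three retried fetches of one 17/8 host by the UTM itself,
# one NATed LAN client talking to a 17/8 host over HTTPS, and one unrelated flow.
SAMPLE_LOG = """\
1700000000 tcp 203.0.113.10 51002 17.253.5.201 80 3145728
1700000007 tcp 203.0.113.10 51010 17.253.5.201 80 2097152
1700000013 tcp 203.0.113.10 51021 17.253.5.201 80 4194304
1700000015 tcp 192.168.1.20 44310 17.172.224.47 443 20480
1700000020 tcp 203.0.113.10 51030 93.184.216.34 80 1024
"""

def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, proto, src, sport, dst, dport, nbytes = parts
        flows.append({"ts": int(ts), "proto": proto,
                      "src": ipaddress.ip_address(src), "sport": int(sport),
                      "dst": ipaddress.ip_address(dst), "dport": int(dport),
                      "bytes": int(nbytes)})
    return flows

def self_originated_apple_http(flows, external_ip=EXTERNAL_IP):
    """Return {dst: (attempts, total_bytes)} for TCP/80 flows sourced by the
    firewall's own WAN address towards 17.0.0.0/8. Several attempts to the
    same host, each moving megabytes, match a proxy re-issuing a download
    that keeps timing out rather than a single client transfer."""
    summary = defaultdict(lambda: [0, 0])
    for f in flows:
        if (f["proto"] == "tcp" and f["dport"] == 80
                and f["src"] == external_ip and f["dst"] in APPLE_NET):
            summary[str(f["dst"])][0] += 1
            summary[str(f["dst"])][1] += f["bytes"]
    return {dst: tuple(v) for dst, v in summary.items()}
```

A destination that shows up with many attempts and a large byte total is the one to check against the Web Filtering exceptions, since it is the proxy, not a LAN client, producing that upload.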