Unwanted traffic originating at UTM

Hi all,

For a few days now I have had a problem with unwanted traffic originating at the external interface of my UTM. Its destination addresses are in 17.0.0.0/8 (Apple?), the traffic seems to be HTTP (port 80), and the application is classified as "doof" (see also screenshots):

1) Does anyone have an idea why the UTM communicates with these addresses?
2) How can I block this traffic? (I tried a simple FW rule with the external interface as source, and also an application control rule, but neither blocked it.)

Any idea?

Thanks a lot,
    Klaus.

This thread was automatically locked due to age.
  • I'm seeing the same "doof" as an application; however, my traffic count is much higher (around 14.1 GB).

    Additionally, the top 10 application categories also show gaming at around the same traffic volume, so I am assuming the two are linked.

    Has anyone found a way of blocking this?

  • We're seeing something very similar.

    Our top consumers of traffic are all Apple IP addresses, and the traffic is consuming 100% of our outbound (upstream) bandwidth for hour-long periods.

    Here are some excerpts from a daily executive report from a holiday when very few actual users were in the office.

    "TOP 10 Servers" - all Apple IP addresses.

    Total packets: 10 400 810
    Total traffic: 8.6 GB

     #  Country  IP            User / Host   Packets  Traffic   %
     1  us       17.132.4.58   17.132.4.58   694 050  788.0 MB  8.98 %
     2  us       17.132.4.59   17.132.4.59   635 962  663.7 MB  7.56 %
     3  us       17.132.4.63   17.132.4.63   591 525  643.4 MB  7.33 %
     4  us       17.132.29.62  17.132.29.62  527 676  594.2 MB  6.77 %
     5  us       17.132.4.61   17.132.4.61   544 596  552.6 MB  6.30 %
     6  us       17.132.29.57  17.132.29.57  472 065  516.7 MB  5.89 %
     7  us       17.132.29.60  17.132.29.60  404 921  434.4 MB  4.95 %
     8  us       17.132.29.61  17.132.29.61  367 425  428.3 MB  4.88 %
     9  us       17.132.4.56   17.132.4.56   377 261  404.2 MB  4.61 %
    10  us       17.132.29.56  17.132.29.56  351 504  388.3 MB  4.42 %

    Top service is HTTP (port 80)

    TOP Applications = iCloud and doof.

    Total packets: 10 400 804
    Total traffic: 8.6 GB

     #  Application  Packets    Traffic  %
     1  iCloud       3 787 873  3.6 GB   41.72 %
     2  doof         2 884 527  3.5 GB   40.88 %

    As a test I've turned off the web proxy temporarily to see if the problem is proxy related, and at first test it appears to be.
    As a further test to debug the issue I've re-enabled the web proxy and added a "Skip Transparent Mode Destination Hosts/Nets" entry for the Apple subnet 17.0.0.0/8.

    Regards,
    Thomas

  • For any that may be following along with this odd issue, this is what seems to have fixed it:

    • Setup "Skip Transparent Mode Destination Hosts/Nets" for the Apple subnet of 17.0.0.0/8 (allow traffic as desired)
    • Clear Proxy cache
    • Restart proxy services (turn off/on web filtering)

    I'm not sure if that is the best solution, but it seems to be working for the past 24 hours.

  • This is still a huge problem for our home network. A few data points:

    1) We were on vacation for a couple of days, and as soon as we got home, our upload bandwidth went from zero to 4 Mbps (our cable provider's max upload). So one would think this is being caused by one of the devices that was brought into the home. However...

    2) I disconnected the entire network from the LAN port of the UTM9 and the problem continued! I believe this proves that the traffic is being generated by the UTM appliance itself OR is some type of amplification attack. This is somewhat confirmed by my next point...

    3) When you use Flow Monitor to watch interface In and Out traffic, there are huge amounts of Out traffic on the WAN interface, but there is no matching In traffic on the LAN interface. Further, if you click "Clients" next to "doof", it shows the WAN interface name, whereas for any other application in Flow Monitor on that same page, clicking Clients shows one or more local IP addresses (i.e. our local clients).

    My current theory is that we have a mobile device that is somehow being "attacked" and the attack follows it. So, even with the device off the network, it will continue to get attacked until it shows up on a new network, at which point the attack follows it to its new IP. Further, it must be one of our phones, since the only devices brought into the network after returning from vacation were 4 iPhones and one Android. To test this theory, the next time this happens I will disable Wi-Fi on each phone (so that the device moves to its cell data IP), then slowly re-introduce the phones to the network and see if I can narrow down which one it is.

    @ThomasBrewster can you remind me where you find "Skip Transparent Mode Destination Hosts/Nets"?

    - Scott

  • Scott - that option is under Web Protection --> Filtering Options --> Misc --> Transparent Mode Skiplist (see attached screenshot)

    A couple more notes on this issue for those that are looking into it. We have about ~20 Sophos UTM units in service and only one of them showed this issue. The unit that showed the issue was an SG135 running 9.405-5. The traffic that appears to initiate the problem was Apple iOS application update downloads (best guess here), as we disabled all iOS device iCloud backups while debugging the problem. Once the problem starts, all endpoint network connection/communication can be halted but the issue still goes on; we unplugged client devices one at a time to debug the problem. This supports comments that it's a proxy configuration / exception issue.

    I confirmed that if the HTTP Proxy (Web Filtering) is disabled, all high outbound traffic ceases. I believe that I created a proxy exception for all checks for traffic to the 17.0.0.0/8 network, but that did not fix the issue (not 100% sure that this was fully tested).

    But I am satisfied that adding 17.0.0.0/8 to the Transparent Mode destination skiplist fixed our issue. It has not recurred in the week since we added it, and it was occurring daily previously.

    Regards,
    Thomas
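The check Scott describes above (large Out traffic on the WAN with no matching In traffic on the LAN) and the workaround Thomas settled on (excluding 17.0.0.0/8 from the transparent proxy) can be put into a small triage script. The following is an added example, not code from the thread or from Sophos: it compares `tcpdump -nn` style captures taken on the internal and external interfaces, per destination inside a target network, and flags destinations where the egress volume cannot be explained by any LAN client, which is the signature of the UTM's own proxy originating the traffic. The capture commands in the docstring, the interface names, the WAN address 203.0.113.5 and all packet lines are constructed assumptions for the example.

```python
"""Triage for 'traffic leaves the WAN but no LAN client is sending it'.

Assumed capture commands on the UTM shell (constructed, not from the thread):
  tcpdump -nn -i eth1 'dst net 17.0.0.0/8 and tcp dst port 80' > wan.txt  # external
  tcpdump -nn -i eth0 'dst net 17.0.0.0/8 and tcp dst port 80' > lan.txt  # internal
With a transparent proxy the LAN-side packets still carry the real destination
IP, so per-destination totals on both sides can be compared directly.
"""
import ipaddress
import re
from collections import defaultdict

# One tcpdump -nn line, e.g.
# 10:00:01.000001 IP 203.0.113.5.51234 > 17.132.4.58.80: Flags [P.], seq 1:1461, ack 1, win 64, length 1460
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*?length (?P<len>\d+)"
)


def bytes_per_destination(lines, target_net, dport=80):
    """Sum TCP payload bytes per destination IP for packets into target_net:dport."""
    net = ipaddress.ip_network(target_net)
    totals = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # non-IP, ARP or truncated line
        if int(m["dport"]) != dport:
            continue
        if ipaddress.ip_address(m["dst"]) in net:
            totals[m["dst"]] += int(m["len"])
    return dict(totals)


def unmatched_egress(wan_lines, lan_lines, target_net, dport=80):
    """Per destination: (wan_bytes, lan_bytes).

    Large wan_bytes with ~zero lan_bytes means nothing behind the firewall sent
    the data; the box itself (here the transparent web proxy) is the originator.
    """
    wan = bytes_per_destination(wan_lines, target_net, dport)
    lan = bytes_per_destination(lan_lines, target_net, dport)
    return {d: (wan.get(d, 0), lan.get(d, 0)) for d in set(wan) | set(lan)}


def self_originated(report, min_ratio=10.0):
    """Destinations whose WAN egress is at least min_ratio x the LAN ingress."""
    flagged = []
    for dst, (wan_bytes, lan_bytes) in report.items():
        if wan_bytes and (lan_bytes == 0 or wan_bytes / lan_bytes >= min_ratio):
            flagged.append(dst)
    return sorted(flagged)


def covered_by(destinations, skip_net):
    """True if every flagged destination falls inside the proposed skiplist entry."""
    net = ipaddress.ip_network(skip_net)
    return all(ipaddress.ip_address(d) in net for d in destinations)


# Constructed sample captures. 203.0.113.5 stands in for the UTM's WAN address.
WAN_SAMPLE = """\
10:00:01.000001 IP 203.0.113.5.51234 > 17.132.4.58.80: Flags [P.], seq 1:1461, ack 1, win 64, length 1460
10:00:01.000002 IP 203.0.113.5.51234 > 17.132.4.58.80: Flags [P.], seq 1461:2921, ack 1, win 64, length 1460
10:00:01.000003 IP 203.0.113.5.51235 > 17.132.4.59.80: Flags [P.], seq 1:1461, ack 1, win 64, length 1460
10:00:01.000004 IP 203.0.113.5.51236 > 17.132.29.62.80: Flags [P.], seq 1:201, ack 1, win 64, length 200
10:00:01.000005 IP 203.0.113.5.51237 > 17.132.4.58.443: Flags [P.], seq 1:101, ack 1, win 64, length 100
10:00:01.000006 IP 203.0.113.5.51238 > 198.51.100.9.80: Flags [P.], seq 1:101, ack 1, win 64, length 100
"""
LAN_SAMPLE = """\
10:00:01.000004 IP 192.168.1.20.49152 > 17.132.29.62.80: Flags [P.], seq 1:201, ack 1, win 64, length 200
10:00:01.000007 IP 192.168.1.21.49153 > 17.132.4.63.80: Flags [P.], seq 1:301, ack 1, win 64, length 300
"""

if __name__ == "__main__":
    report = unmatched_egress(WAN_SAMPLE.splitlines(), LAN_SAMPLE.splitlines(), "17.0.0.0/8")
    for dst, (w, l) in sorted(report.items()):
        print(f"{dst:15} wan={w:6d} lan={l:6d}")
    flagged = self_originated(report)
    print("self-originated:", flagged)
    print("17.0.0.0/8 skiplist entry covers all flagged:", covered_by(flagged, "17.0.0.0/8"))
```

In the sample, 17.132.4.58 and 17.132.4.59 receive kilobytes from the WAN side with no LAN client talking to them, while 17.132.29.62 is matched byte for byte by a client at 192.168.1.20 and is therefore ordinary forwarded traffic. Run the two captures for the same window and on a quiet network (a holiday, as in Thomas's report) so that client noise does not hide the ratio; port 443 and non-Apple destinations are ignored by the filter on purpose, matching the HTTP/17.0.0.0/8 pattern the thread reports.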
