Unwanted traffic originating at UTM

Hi all,

for a few days I have had a problem with unwanted traffic originating at the external interface of my UTM. Its destination addresses are from 17.0.0.0/8 (Apple?), the traffic seems to be HTTP (port 80), the application is classified as "doof" (see also screenshots):

1) Does anyone have an idea why the UTM communicates with these addresses?
2) How can I block this traffic (I tried a simple FW rule with the external interface as source, and also an application control rule, but both did not block it).

Any idea?

Thanks a lot,
    Klaus.

  • This is still a huge problem for our home network. A few data points:

    1) We were on vacation for a couple of days, and as soon as we got home, our upload bandwidth went from zero to 4Mbps (our cable provider's max upload). So, one would think this is being caused by one of the devices that was brought into the home.  However...

    2) I disconnected the entire network from the LAN port of the UTM9 and the problem continued!  I believe this proves that the traffic is being generated from the UTM appliance itself OR is some type of amplification attack.  This is somewhat confirmed by my next point...

    3) When you use Flow Monitor to watch interface In and Out traffic, there are huge amounts of Out traffic on the WAN interface, but there is no matching In traffic on the LAN interface.  Further, if you click "Clients" next to "doof", it shows the WAN interface name!  Whereas, on any other application in Flow Monitor on that same page, if you click Clients, it will show one or more local IP addresses (i.e. our local clients).

    My current theory is that we have a mobile device that is somehow being "attacked" and the attack follows it.  So, even with the device off the network, it will continue to get attacked until it shows up on a new network, at which point the attack follows it to its new IP.  Further, it must be one of our phones, since the only devices brought into the network after returning from vacation were 4 iPhones and one Android. To test this theory, the next time this happens, I will disable Wi-Fi on each phone (so that device moves to its cell data IP), then slowly re-introduce those phones to the network and see if I can narrow down which one it is.

    @ThomasBrewster can you remind me where you find "Skip Transparent Mode Destination Hosts/Nets"?

    - Scott
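    The check Scott describes (large Out traffic on the WAN interface with no matching In traffic on the LAN side, so the appliance itself is the "client") can be automated against exported flow records. This is an added example, not code from the thread or from Sophos; the flow records, interface names and the external address 203.0.113.10 are constructed.

    ```python
    # Added example: flag WAN-out flows that have no LAN-in counterpart, i.e.
    # traffic the UTM generated itself rather than forwarded for a LAN client.
    import ipaddress
    from collections import defaultdict

    # Constructed sample records modelled loosely on Flow Monitor data:
    # (interface, direction, src_ip, dst_ip, dst_port, bytes)
    SAMPLE_FLOWS = [
        ("eth1", "out", "203.0.113.10", "17.253.0.5", 80, 9_000_000),    # WAN out, no LAN leg
        ("eth1", "out", "203.0.113.10", "17.253.0.7", 80, 7_500_000),    # WAN out, no LAN leg
        ("eth0", "in",  "192.168.1.20", "93.184.216.34", 443, 120_000),  # LAN client -> internet
        ("eth1", "out", "203.0.113.10", "93.184.216.34", 443, 120_000),  # same flow after NAT
    ]

    WAN_IP = "203.0.113.10"   # assumed external interface address (constructed)
    LAN_IF, WAN_IF = "eth0", "eth1"  # assumed interface names (constructed)
    APPLE_NET = ipaddress.ip_network("17.0.0.0/8")  # the block named in the thread


    def self_originated_flows(flows, wan_ip=WAN_IP, lan_if=LAN_IF,
                              wan_if=WAN_IF, min_bytes=1_000_000):
        """Return WAN-out flows from the UTM's own address that have no LAN-in
        flow to the same destination:port. A forwarded client flow appears on
        both interfaces; a flow seen only on the WAN side was opened by the
        appliance (e.g. by its transparent web proxy)."""
        lan_dests = {(f[3], f[4]) for f in flows if f[0] == lan_if and f[1] == "in"}
        suspects = []
        for iface, direction, src, dst, port, nbytes in flows:
            if iface != wan_if or direction != "out" or src != wan_ip:
                continue
            if (dst, port) in lan_dests or nbytes < min_bytes:
                continue
            suspects.append({"dst": dst, "port": port, "bytes": nbytes,
                             "apple_block": ipaddress.ip_address(dst) in APPLE_NET})
        return suspects


    def bytes_per_slash8(suspects):
        """Aggregate suspect bytes per /8 so the dominant destination block stands out."""
        totals = defaultdict(int)
        for s in suspects:
            net = ipaddress.ip_network(f"{s['dst']}/8", strict=False)
            totals[str(net)] += s["bytes"]
        return dict(totals)


    if __name__ == "__main__":
        found = self_originated_flows(SAMPLE_FLOWS)
        print(bytes_per_slash8(found))
    ```

    Feed it real records and the per-/8 totals show at a glance whether the appliance-originated bytes go to 17.0.0.0/8, which is what the skiplist fix discussed below targets.
    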

  • Scott - that option is under Web Protection --> Filtering Options --> Misc --> Transparent Mode Skiplist (see attached screenshot)

    A couple more notes on this issue for those that are looking into it. We have about ~20 Sophos UTM units in service and only one of them showed this issue. The unit that showed the issue was a SG135 running 9.405-5. The traffic that appears to initiate the problem was Apple iOS application update downloads (best guess here), as we disabled all iOS device iCloud backups while debugging the problem. Once the problem starts all endpoint network connection/communication can be halted but the issue still goes on; we unplugged client devices one at a time to debug the problem. This supports comments that it's a proxy configuration / exception issue.

    I confirmed that if the HTTP Proxy (Web Filtering) is disabled all high outbound traffic ceases. I believe that I created a proxy exception for all checks to traffic to the 17.0.0.0/8 network but that did not fix the issue (not 100% sure that this was fully tested).

    But I am satisfied that adding 17.0.0.0/8 to the Transparent Mode destination skiplist fixed our issue. It has not reoccurred in the week since we added it and it was occurring daily previously.

    Regards,
    Thomas

  • I'm running a Master/Slave combination of two UTM220 for a network on a ship, our data connection is via VSAT and this problem often saturates our uplink at 2Mbps.  I too was hoping that the latest update would solve the issue but it is ongoing.  It is affecting our QoS as page requests are often struggling to leave the ship.

    At first I believed that the Sophos UTM had been compromised in some way however I am unsure.  It is sending a tremendous amount of data; 2Mbps may not seem like a lot but aggregated we must be in the hundreds of GBs by now.

    Has anyone managed to inspect the packets yet?

  • Hi, and welcome to the UTM Community!

    Does the 'Bandwidth Usage' tab in 'Network Usage' reporting provide any insight?  Hopefully, you've gotten a ticket open with Sophos Support or your reseller.

    Cheers - Bob

  • Does adding this exception in still block the traffic or just hide it from reporting?

  • I have the traffic allowed, but bandwidth limited. I'm not in front of a UTM currently but I believe whether it is allowed depends on the firewall packet filter settings and there may be a check box below the transparent proxy setting to allow the traffic.

  • I am seeing the same thing. Version 9.406-3

  • I have checked with our VSAT service provider's traffic statistics and the reported traffic does not appear since just after the modification.  However there have been a few other changes along with the updates for the UTM.  So I cannot say with 100% certainty that this fixed the problem.  However the problem does not seem to exist anymore.

  • Very old post - but I stumbled over it while looking for an explanation: I've seen that this is regarding application 'doof' (German word for dumb or silly). Looking at application control I can see that this category is used for 'General browsing and streaming games from online gaming site doof.' Social gaming site. Hope this helps.

    KR

    Andreas