V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Recommended Services
Amazon Web Services
LeanCloud
New Relic
ClearDB
bobopu
V2EX  ›  云计算

服务器流入流量基本未变,流出流量突然成倍增长是什么原因?

  •  
  •   bobopu · 2014-05-22 09:49:21 +08:00 · 4809 次点击
    这是一个创建于 3869 天前的主题,其中的信息可能已经有所发展或是发生改变。
    ubuntu系统,这两天流入流量基本未变,但流出流量增长了3-4倍,请分析一下是什么原因?初步排除病毒/肉鸡问题。
    17 条回复    2014-05-22 16:55:26 +08:00
    mahone3297
        1
    mahone3297  
       2014-05-22 09:58:10 +08:00
    如何监控流入流出流量?请教。。。
    hq5261984
        2
    hq5261984  
       2014-05-22 09:59:25 +08:00
    是否有视频或者大型文件在服务器上。如果有可能是迅雷或者干的。
    mhycy
        3
    mhycy  
       2014-05-22 10:02:04 +08:00
    查查日志?
    bobopu
        4
    bobopu  
    OP
       2014-05-22 10:05:19 +08:00
    @mahone3297 最简单的,阿里云云盾里可以很清楚的看到,如果你不是阿里云的主机,可以装个安全狗也能看到。
    bobopu
        5
    bobopu  
    OP
       2014-05-22 10:06:18 +08:00
    @hq5261984 没有视频或大型文件,就几个静态页面,连数据库都没。
    bobopu
        6
    bobopu  
    OP
       2014-05-22 10:06:29 +08:00
    @mhycy 恩,正在翻日志。
    ericls
        7
    ericls  
       2014-05-22 10:10:24 +08:00 via Android   ❤️ 1
    iftop
    ShunYea
        8
    ShunYea  
       2014-05-22 11:19:41 +08:00
    被盗链了?
    bobopu
        9
    bobopu  
    OP
       2014-05-22 11:48:13 +08:00
    @ShunYea 就几个静态页面,连图都没,不存在盗链。
    阿里云给了个关闭UDP外发的脚本
    check_os_release()
    {
    while true
    do
    os_release=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "Red Hat Enterprise Linux Server release" /etc/redhat-release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
    if echo "$os_release"|grep "release 5" >/dev/null 2>&1
    then
    os_release=redhat5
    echo "$os_release"
    elif echo "$os_release"|grep "release 6" >/dev/null 2>&1
    then
    os_release=redhat6
    echo "$os_release"
    else
    os_release=""
    echo "$os_release"
    fi
    break
    fi
    os_release=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
    if echo "$os_release"|grep "release 5" >/dev/null 2>&1
    then
    os_release=aliyun5
    echo "$os_release"
    elif echo "$os_release"|grep "release 6" >/dev/null 2>&1
    then
    os_release=aliyun6
    echo "$os_release"
    else
    os_release=""
    echo "$os_release"
    fi
    break
    fi
    os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "CentOS release" /etc/*release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
    if echo "$os_release"|grep "release 5" >/dev/null 2>&1
    then
    os_release=centos5
    echo "$os_release"
    elif echo "$os_release"|grep "release 6" >/dev/null 2>&1
    then
    os_release=centos6
    echo "$os_release"
    else
    os_release=""
    echo "$os_release"
    fi
    break
    fi
    os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
    os_release_2=$(grep -i "ubuntu" /etc/lsb-release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
    if echo "$os_release"|grep "Ubuntu 10" >/dev/null 2>&1
    then
    os_release=ubuntu10
    echo "$os_release"
    elif echo "$os_release"|grep "Ubuntu 12.04" >/dev/null 2>&1
    then
    os_release=ubuntu1204
    echo "$os_release"
    elif echo "$os_release"|grep "Ubuntu 12.10" >/dev/null 2>&1
    then
    os_release=ubuntu1210
    echo "$os_release"
    else
    os_release=""
    echo "$os_release"
    fi
    break
    fi
    os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
    os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
    if echo "$os_release"|grep "Linux 6" >/dev/null 2>&1
    then
    os_release=debian6
    echo "$os_release"
    else
    os_release=""
    echo "$os_release"
    fi
    break
    fi
    os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)
    os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
    if echo "$os_release"|grep "13.1" >/dev/null 2>&1
    then
    os_release=opensuse131
    echo "$os_release"
    else
    os_release=""
    echo "$os_release"
    fi
    break
    fi
    break
    done
    }

    exit_script()
    {
    echo -e "\033[1;40;31mInstall $1 error,will exit.\n\033[0m"
    rm -f $LOCKfile
    exit 1
    }

    config_iptables()
    {
    iptables -I OUTPUT 1 -p tcp -m multiport --dport 21,22,23,25,53,80,135,139,443,445 -j DROP
    iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 -j DROP
    iptables -I OUTPUT 3 -p udp -j DROP
    iptables -nvL
    }

    ubuntu_config_ufw()
    {
    ufw deny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
    ufw deny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
    ufw deny out proto udp to any
    ufw status
    }

    ####################Start###################
    #check lock file ,one time only let the script run one time
    LOCKfile=/tmp/.$(basename $0)
    if [ -f "$LOCKfile" ]
    then
    echo -e "\033[1;40;31mThe script is already exist,please next time to run this script.\n\033[0m"
    exit
    else
    echo -e "\033[40;32mStep 1.No lock file,begin to create lock file and continue.\n\033[40;37m"
    touch $LOCKfile
    fi

    #check user
    if [ $(id -u) != "0" ]
    then
    echo -e "\033[1;40;31mError: You must be root to run this script, please use root to execute this script.\n\033[0m"
    rm -f $LOCKfile
    exit 1
    fi

    echo -e "\033[40;32mStep 2.Begen to check the OS issue.\n\033[40;37m"
    os_release=$(check_os_release)
    if [ "X$os_release" == "X" ]
    then
    echo -e "\033[1;40;31mThe OS does not identify,So this script is not executede.\n\033[0m"
    rm -f $LOCKfile
    exit 0
    else
    echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"
    fi

    echo -e "\033[40;32mStep 3.Begen to config firewall.\n\033[40;37m"
    case "$os_release" in
    redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
    service iptables start
    config_iptables
    ;;
    debian6)
    config_iptables
    ;;
    ubuntu10|ubuntu1204|ubuntu1210)
    ufw enable <<EOF
    y
    EOF
    ubuntu_config_ufw
    ;;
    opensuse131)
    config_iptables
    ;;
    esac

    echo -e "\033[40;32mConfig firewall success,this script now exit!\n\033[40;37m"
    rm -f $LOCKfile
    thinkxen
        10
    thinkxen  
       2014-05-22 12:50:40 +08:00
    @mahone3297 iptraf等或者监控宝之类的网站,也可以问机房要MRTG
    @bobopu 还是看网站日志~~
    hydrazt
        11
    hydrazt  
       2014-05-22 13:09:08 +08:00   ❤️ 1
    tcpdump抓包分析。
    之前有遇到类似情况,当网络丢包严重时,系统会将无ack响应的数据库重发,间接导致流出数据量翻倍。
    bobopu
        12
    bobopu  
    OP
       2014-05-22 14:12:07 +08:00
    @hydrazt 哥们,太感谢你了,果然是这台服务器在将数据包转发到另一台服务器(死机)时得不到响应,持续发包所致,重启后解决。
    wzxjohn
        13
    wzxjohn  
       2014-05-22 14:14:04 +08:00
    珍爱生命,远离安全狗。
    bobopu
        14
    bobopu  
    OP
       2014-05-22 14:27:06 +08:00
    @wzxjohn 这个东西也并非一无是处,设置起来比较简便。但坑爹的是我有台阿里云的win服务器,在装了安全狗打开ARP后,服务器就像癫痫发作一样,一阵能联网一阵又不行,把阿里云的工程师都给搞晕了,找了一圈都没发现问题所在,最后原来是ARP防御模块似乎与阿里云的网络环境不兼容所致。
    lang1pal
        15
    lang1pal  
       2014-05-22 15:59:38 +08:00
    @mahone3297 vnstat
    wzxjohn
        16
    wzxjohn  
       2014-05-22 16:41:57 +08:00
    @bobopu Win的安全狗隐患更大,很多人因为安全狗导致了各种Bug,最后一查都是安全狗的原因。
    bobopu
        17
    bobopu  
    OP
       2014-05-22 16:55:26 +08:00
    @wzxjohn 现在在win服务器上安装的是SEP12,效果挺好。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   5895 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 22ms · UTC 06:16 · PVG 14:16 · LAX 22:16 · JFK 01:16
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.