We had some severe Internet connection difficulties yesterday that caused much moaning and gnashing of teeth. I finally traced it to one workstation that had gotten into some sort of loop that was sending two packets back and forth as fast as our network would allow.
Some time with Wireshark provided the following.
Here is the flow:
A remote system is contacted by an app on the workstation; I do not know which app. That remote system then informs 69.164.223.38 (or some other host in that domain) about the contact.
x.38:443 (remote) then initiates a transaction with y.109 (local).
A secure connection is negotiated, TLSv1.2.
x.38 ends with an “encrypted alert” packet to y.109.
Here is where the DoS starts.
y.109 responds with TCP RST.
x.38 sends TCP Dup ACK.
Those two packets bounce back and forth as fast as our network allows.
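One way to spot the RST / Dup ACK ping-pong described above in a capture, as an added example that is not part of this thread: a small Python script that reads tshark-style summary lines (constructed here; the addresses are placeholders, not the real hosts) and flags endpoint pairs whose RST and Dup ACK packets alternate at a high rate, while ignoring a normal single RST, ACK teardown.

```python
"""Flag RST / Dup ACK loops between endpoint pairs in a packet summary."""
from collections import defaultdict

# Constructed sample, one packet per line: "<rel_time> <src> <dst> <flag>".
# 400 alternating RST/DUPACK packets 0.5 ms apart (the loop), followed by an
# ordinary one-off RST to a third host (the non-looping case).
SAMPLE = "\n".join(
    [f"{i * 0.0005:.4f} 10.0.0.109 198.51.100.38 RST" if i % 2 == 0
     else f"{i * 0.0005:.4f} 198.51.100.38 10.0.0.109 DUPACK"
     for i in range(400)]
    + ["0.3000 10.0.0.109 203.0.113.5 RST"]
)


def parse(text):
    """Parse summary lines into (time, src, dst, flag) tuples."""
    pkts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src, dst, flag = line.split()
        pkts.append((float(t), src, dst, flag))
    return pkts


def find_rst_dupack_loops(pkts, window=0.1, min_rate=500.0, min_alternations=10):
    """Return {(host_a, host_b): peak_pps} for pairs whose RST/DUPACK packets
    alternate at least min_alternations times and exceed min_rate packets per
    second inside some sliding window of `window` seconds."""
    by_pair = defaultdict(list)
    for t, src, dst, flag in pkts:
        if flag in ("RST", "DUPACK"):
            by_pair[tuple(sorted((src, dst)))].append((t, flag))
    loops = {}
    for pair, seq in by_pair.items():
        seq.sort()
        # A lone RST (clean teardown) never alternates; a loop does, repeatedly.
        alternations = sum(1 for (_, f1), (_, f2) in zip(seq, seq[1:]) if f1 != f2)
        if alternations < min_alternations:
            continue
        peak, j = 0.0, 0  # sliding window over timestamps
        for i, (t_i, _) in enumerate(seq):
            while t_i - seq[j][0] > window:
                j += 1
            peak = max(peak, (i - j + 1) / window)
        if peak >= min_rate:
            loops[pair] = peak
    return loops


if __name__ == "__main__":
    for pair, pps in find_rst_dupack_loops(parse(SAMPLE)).items():
        print(f"loop between {pair[0]} and {pair[1]}: ~{pps:.0f} packets/s")
```

With real data, `tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst` plus a flag column derived from `tcp.flags.reset` and `tcp.analysis.duplicate_ack` produces the same four-field shape.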
If you open a web browser to linode.com, you’ll see that it’s a Provider (cloud platform) for developers.
That suggests that the cause of your traffic is some kind of small independent app.
If you don’t know what it is, then you can try:
Capturing the packets with Wireshark (you may be doing that already based on what you’ve posted). What you haven’t posted is the type of protocol Wireshark thinks is being used, and the **payload**. Analyze this yourself; if you need some help inspecting the packets, upload a relevant portion of your log to something like a pastebin for others to inspect.
Reboot to clear all running apps, then monitor what is happening as you add one app at a time to suggest what app might be associated with your unknown traffic.
It’s hard to speculate what might really be happening without gathering more info.
Could be as innocent as a mis-configuration.
Could be faulty code, it’s probably more common than actual intentional exploits.
Or, could be an exploit or something that might lead to an exploit (maybe just probing?)
I finally tracked the faulty app. It is the OpenWeather Gnome desktop extension. The fact that the connection occurred every 10 minutes was a hint.
I delved into the security packets looking for something human readable. One contained the issuer of the certificate: <darksky.net>. Their website offers a (“scarily accurate”) weather app for mobile devices. Mentioned on the site is their source of weather data: <forecast.io>.
“Aha!” I thought. The desktop weather extension also uses <forecast.io> to obtain weather information. And <forecast.io> is hosted at <linode.com>. There does not appear to be anything malicious involved; just some unfortunately poor coding.
There are still a couple of aspects of the fault that are not understood.
It does not occur every time the app connects to linode. Sometimes it would just end with the TCP RST, ACK.
I have the same app on another host with a similar configuration; no such loop has ever occurred.
PING indicates a 72 ms transit time. Yet when the two ends get into a loop, 100s of packets are sent and received by both ends within that time period, thoroughly saturating the connection to the Internet. I am guessing TCP pipelining is involved?