[unisog] large netflow values and skype?

Peter Van Epp vanepp at sfu.ca
Thu Jun 22 15:44:31 GMT 2006


On Thu, Jun 22, 2006 at 01:05:10PM +1000, David Herd wrote:
> Hi,
> I'm receiving reports of large netflows over various ports on some of 
> our machines.
> I've looked at the machines and they don't seem to have anything major 
> wrong.
> I've made sure that they have the latest OS patches, virus programs and
> anti-spyware tools.  I've also checked for rootkits.  What I have 
> found is that
> most of the machines have Skype on them.
> 
> I know that under certain conditions Skype will promote a machine to 
> a supernode.
> Is this what I'm seeing?
>
        Yep, although without a firewall it isn't usually 80 or 53 :-). Check
for flows with a dest port of 33033, which is the Skype directory service. If
the same machines are doing that, then you likely have Skype, and if there
is a large number of flows (this is over 24 hours on one of our supernodes
from argus) you probably also have a supernode or nodes (we have 2 at the
moment and often have 3 or 4):

                         unique host/ports     successful connections

xxx.yy.zz.154            532,538            503,628

and the detailed argus log of Skype directory traffic:

22 Jun 06 08:16:49           udp   xxx.yy.zz.154.55809 <->    64.246.48.23.33033
 1        1         53           388         CON
22 Jun 06 08:17:01           udp   xxx.yy.zz.154.55809 <->    64.246.48.23.33033
 1        1         53           409         CON
22 Jun 06 08:17:11           udp   xxx.yy.zz.154.55809 <->    64.246.48.23.33033
 1        1         420          88          CON
22 Jun 06 08:16:01           rtp   xxx.yy.zz.154.55809 <->    66.235.180.9.33033
 1        1         475          73          CON

 and a slice of general traffic (which is traffic shaped by our
packeteer to contain bandwidth use: this will do 6+ megs per second if not
shaped; our packeteer is shaping this to control bandwidth to 8 conversations):

22 Jun 06 08:01:56           tcp    61.64.254.58.3462   ->   xxx.yy.zz.154.55809 3        4         168          237         CON
22 Jun 06 08:03:05           udp  208.176.47.158.7518  <->   xxx.yy.zz.154.55809 1        1         139          77          CON
22 Jun 06 08:03:05           udp   201.78.170.56.61977 <->   xxx.yy.zz.154.55809 1        1         142          62          CON
22 Jun 06 08:03:05           udp   xxx.yy.zz.154.55809 <->    201.79.187.5.60409 1        1         62           154         CON
22 Jun 06 08:03:05           udp   xxx.yy.zz.154.55809 <->    62.85.74.149.13896 1        1         473          72          CON
22 Jun 06 08:03:05           udp   xxx.yy.zz.154.55809 <-> 220.189.229.130.14159 1        1         62           148         CON
22 Jun 06 08:03:05           udp   xxx.yy.zz.154.55809 <->     208.35.21.2.31333 1        1         53           503         CON
22 Jun 06 08:03:05           udp   xxx.yy.zz.154.55809 <->  218.167.66.153.59717 1        1         62           140         CON

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
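The two checks Peter describes above (flows to the Skype directory port 33033 identify Skype clients; a very large count of unique remote host/ports with successful connections identifies a supernode) can be scripted over argus-style flow records. The following is an added example, not code from the original post or from the argus project: the record layout copies the argus lines shown in the thread, the sample records are constructed (192.0.2.0/24 stands in for the masked xxx.yy.zz.0/24 campus range, 198.51.100.x and 203.0.113.x for remote peers), the columns after the direction token are assumed to be source/destination packet and byte counts followed by the flow state, and the `min_peers` threshold is a placeholder tuned to the tiny sample rather than the 500,000+ peers seen in the post.

```python
"""Flag likely Skype supernodes from argus-style flow records (added example).

Record layout follows the argus lines quoted in the thread:
  day mon yy time proto src_addr.port dir dst_addr.port spkts dpkts sbytes dbytes state
The meaning of the four numeric columns is an assumption, not argus documentation.
"""
from collections import defaultdict
import ipaddress

SKYPE_DIRECTORY_PORT = 33033                     # Skype directory service (from the post)
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24") # constructed stand-in for xxx.yy.zz.0/24

# Constructed sample records in the thread's argus layout; not captured traffic.
SAMPLE_RECORDS = """\
22 Jun 06 08:16:49  udp  192.0.2.154.55809  <->  198.51.100.23.33033  1 1 53 388 CON
22 Jun 06 08:17:01  udp  192.0.2.154.55809  <->  198.51.100.23.33033  1 1 53 409 CON
22 Jun 06 08:03:05  udp  203.0.113.158.7518 <->  192.0.2.154.55809    1 1 139 77 CON
22 Jun 06 08:03:05  udp  203.0.113.56.61977 <->  192.0.2.154.55809    1 1 142 62 CON
22 Jun 06 08:03:05  udp  192.0.2.154.55809  <->  203.0.113.5.60409    1 1 62 154 CON
22 Jun 06 08:03:05  udp  192.0.2.154.55809  <->  203.0.113.149.13896  1 1 473 72 CON
22 Jun 06 08:03:05  tcp  203.0.113.58.3462  ->   192.0.2.154.55809    3 4 168 237 CON
22 Jun 06 08:03:06  udp  192.0.2.154.55809  <->  203.0.113.2.31333    1 1 53 503 TIM
22 Jun 06 08:05:00  tcp  192.0.2.77.41022   ->   203.0.113.80.443     5 4 610 1200 CON
22 Jun 06 08:05:02  tcp  192.0.2.77.41023   ->   203.0.113.80.443     5 4 590 1180 CON
"""


def split_endpoint(token):
    """'192.0.2.154.55809' -> ('192.0.2.154', 55809); the port is the last dotted field."""
    addr, port = token.rsplit(".", 1)
    return addr, int(port)


def parse_record(line):
    """Parse one argus-style line into a dict, or return None for short/blank lines."""
    f = line.split()
    if len(f) < 13:
        return None
    src, sport = split_endpoint(f[5])
    dst, dport = split_endpoint(f[7])
    return {
        "time": " ".join(f[:4]), "proto": f[4],
        "src": src, "sport": sport, "dir": f[6], "dst": dst, "dport": dport,
        "spkts": int(f[8]), "dpkts": int(f[9]),
        "sbytes": int(f[10]), "dbytes": int(f[11]),
        "state": f[12],
    }


def load_records(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def local_and_remote(rec, local_net):
    """Orient a flow as ((local_addr, port), (remote_addr, port)); None if not exactly one end is local."""
    src_local = ipaddress.ip_address(rec["src"]) in local_net
    dst_local = ipaddress.ip_address(rec["dst"]) in local_net
    if src_local and not dst_local:
        return (rec["src"], rec["sport"]), (rec["dst"], rec["dport"])
    if dst_local and not src_local:
        return (rec["dst"], rec["dport"]), (rec["src"], rec["sport"])
    return None


def directory_lookups(records, local_net):
    """Local hosts with flows to the Skype directory port -> number of such flows."""
    counts = defaultdict(int)
    for rec in records:
        ends = local_and_remote(rec, local_net)
        if ends and ends[1][1] == SKYPE_DIRECTORY_PORT:
            counts[ends[0][0]] += 1
    return dict(counts)


def peer_summary(records, local_net):
    """Per local host: unique remote host/port pairs and successful (state CON) flows,
    the two columns of the per-host table in the post."""
    peers, con = defaultdict(set), defaultdict(int)
    for rec in records:
        ends = local_and_remote(rec, local_net)
        if not ends:
            continue
        local, remote = ends
        peers[local[0]].add(remote)
        if rec["state"] == "CON":
            con[local[0]] += 1
    return {h: {"unique_peers": len(peers[h]), "successful": con[h]} for h in peers}


def suspect_supernodes(records, local_net, min_peers):
    """Hosts that both talk to the directory service and exceed the peer-count threshold."""
    lookups = directory_lookups(records, local_net)
    summary = peer_summary(records, local_net)
    return sorted(h for h, s in summary.items()
                  if h in lookups and s["unique_peers"] >= min_peers)


if __name__ == "__main__":
    recs = load_records(SAMPLE_RECORDS)
    for host, s in peer_summary(recs, LOCAL_NET).items():
        print(f"{host:15} unique host/ports {s['unique_peers']:>6}  successful {s['successful']:>6}")
    print("suspect supernodes:", suspect_supernodes(recs, LOCAL_NET, min_peers=5))
```

Over a real 24-hour argus export the threshold would sit far above the placeholder used here; the point of the split into `directory_lookups` and `peer_summary` is that a host which hits 33033 but has few peers is just a Skype client, while one that hits 33033 and also accumulates hundreds of thousands of unique host/ports is the supernode described in the post.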

