During Black Friday I bought a European machine (IPv6 only), mainly for auxiliary work (networking within the European region); its day-to-day traffic use is quite low.
Come January this year, I logged in to the server to deploy a new project and found that inbound traffic had already reached as much as 1.3T, and it keeps coming in.
From the logs produced by tcpdump I found the traffic comes from ptr.default.28000.
My idea was to dig out the IP and ban it with the iptables firewall. Unfortunately, DNS resolution from both inside and outside the network says the domain does not exist, so that failed...
I sent a ticket to the provider on the day the problem appeared; after 24 hours there is no solution, they only say they are investigating. Still not resolved...
11:05:32.771620 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 45622:46668, ack 17815, win 501, options [nop,nop,TS val 1712976733 ecr 2823061016], length 1046
11:05:32.772517 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 46668:47711, ack 18203, win 501, options [nop,nop,TS val 1712976735 ecr 2823061018], length 1043
11:05:32.773231 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 47711:48755, ack 18590, win 501, options [nop,nop,TS val 1712976736 ecr 2823061018], length 1044
11:05:32.774101 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 42326:43365, ack 16270, win 7547, options [nop,nop,TS val 1712976736 ecr 2823061019], length 1039
11:05:32.774950 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 43365:44406, ack 16656, win 7547, options [nop,nop,TS val 1712976737 ecr 2823061019], length 1041
11:05:32.775811 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 48755:49803, ack 18977, win 501, options [nop,nop,TS val 1712976738 ecr 2823061020], length 1048
11:05:32.776449 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 49803:50846, ack 19364, win 501, options [nop,nop,TS val 1712976738 ecr 2823061021], length 1043
11:05:32.777032 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 44406:45458, ack 17044, win 7547, options [nop,nop,TS val 1712976738 ecr 2823061021], length 1052
11:05:32.777922 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 50846:51903, ack 19754, win 501, options [nop,nop,TS val 1712976739 ecr 2823061021], length 1057
11:05:32.778756 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 45458:46504, ack 17432, win 7547, options [nop,nop,TS val 1712976739 ecr 2823061022], length 1046
11:05:32.779504 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 46504:47552, ack 17819, win 7547, options [nop,nop,TS val 1712976740 ecr 2823061023], length 1048
11:05:32.780342 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 51903:52916, ack 20142, win 501, options [nop,nop,TS val 1712976741 ecr 2823061023], length 1013
11:05:32.781149 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 52916:53961, ack 20530, win 501, options [nop,nop,TS val 1712976742 ecr 2823061025], length 1045
11:05:32.781585 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 48596:49643, ack 18595, win 7547, options [nop,nop,TS val 1712976743 ecr 2823061026], length 1047
11:05:32.782663 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 53961:55000, ack 20917, win 501, options [nop,nop,TS val 1712976743 ecr 2823061026], length 1039
11:05:32.783590 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 55000:56016, ack 21303, win 501, options [nop,nop,TS val 1712976744 ecr 2823061026], length 1016
11:05:32.784358 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 49643:49978, ack 18982, win 7547, options [nop,nop,TS val 1712976745 ecr 2823061027], length 335
11:05:32.785206 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 49978:51010, ack 19370, win 7547, options [nop,nop,TS val 1712976746 ecr 2823061029], length 1032
11:05:32.785853 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 51010:52043, ack 19757, win 7547, options [nop,nop,TS val 1712976747 ecr 2823061029], length 1033
11:05:32.786593 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 56016:57054, ack 21690, win 501, options [nop,nop,TS val 1712976748 ecr 2823061030], length 1038
11:05:32.787329 IP ptr.default.28000 > default.google.com.36150: Flags [P.], seq 57054:58093, ack 22077, win 501, options [nop,nop,TS val 1712976748 ecr 2823061031], length 1039
11:05:32.788048 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 52043:53098, ack 20145, win 7547, options [nop,nop,TS val 1712976749 ecr 2823061031], length 1055
11:05:32.788848 IP ptr.default.28000 > default.google.com.36158: Flags [P.], seq 53098:54157, ack 20536, win 7547, options [nop,nop,TS val 1712976749 ecr 2823061032], length 1059
1
iBugOne 6 hours 43 minutes ago via Android 1
Is it possible that all you need is tcpdump -n to see the real IP of ptr.default, and skip a big detour 🐶
2
ysc3839 6 hours 41 minutes ago via Android
@iBugOne +1
This is also why I don't like using tcpdump directly on the command line; whenever ssh can connect directly I use Wireshark's sshdump.
3
kleos OP @iBugOne Thanks, I just tried it, and an even stranger problem appeared: on an IPv6-only machine, two IPv4 addresses show up.
12:08:16.926740 IP 5.180.253.215.28000 > 37.114.49.176.60364: Flags [P.], seq 2861263:2862303, ack 1110587, win 501, options [nop,nop,TS val 1716740894 ecr 2826825176], length 1040
12:08:16.927246 IP 5.180.253.215.28000 > 37.114.49.176.60376: Flags [P.], seq 2081745:2082793, ack 810334, win 6343, options [nop,nop,TS val 1716740896 ecr 2826825178], length 1048
12:08:16.927660 IP 5.180.253.215.28000 > 37.114.49.176.60364: Flags [P.], seq 2862303:2863341, ack 1110973, win 501, options [nop,nop,TS val 1716740894 ecr 2826825177], length 1038
12:08:16.928192 IP 5.180.253.215.28000 > 37.114.49.176.60376: Flags [P.], seq 2082793:2083128, ack 810721, win 6343, options [nop,nop,TS val 1716740897 ecr 2826825179], length 335
12:08:16.928319 IP 5.180.253.215.28000 > 37.114.49.176.60364: Flags [P.], seq 2863341:2864372, ack 1111361, win 501, options [nop,nop,TS val 1716740896 ecr 2826825178], length 1031
12:08:16.928959 IP 5.180.253.215.28000 > 37.114.49.176.60364: Flags [P.], seq 2864372:2865406, ack 1111745, win 501, options [nop,nop,TS val 1716740896 ecr 2826825179], length 1034
12:08:16.929946 IP 5.180.253.215.28000 > 37.114.49.176.60376: Flags [P.], seq 2083128:2083793, ack 811108, win 6343, options [nop,nop,TS val 1716740899 ecr 2826825181], length 665
12:08:16.930827 IP 5.180.253.215.28000 > 37.114.49.176.60376: Flags [P.], seq 2083793:2084458, ack 811495, win 6343, options [nop,nop,TS val 1716740900 ecr 2826825182], length 665
4
wolfworks 6 hours 29 minutes ago
Blind guess: the hosting provider hasn't done isolation properly, and a neighbouring machine is broadcasting packets all over the place.
5
guanzhangzhang 6 hours 15 minutes ago
This looks like the hosting provider didn't give you a dedicated VPC; your machine is in the same VPC as other people's, and someone is scanning you. Ping it and see whether the TTL values are very close.
6
kleos OP @guanzhangzhang An IPv6 machine with no IPv4 address assigned can't ping it.
7
jinliming2 3 hours 41 minutes ago
It looks like the port on 5.180.253.215 stays at 28000 the whole time, while the port on 37.114.49.176 keeps changing.
How about sudo lsof -Pi | grep 28000 to see whether there is such a process locally?
8
ysc3839 2 hours 50 minutes ago via Android
Just capture with Wireshark sshdump and look at the sender's MAC address.
9
xqzr 2 hours 5 minutes ago
tcpdump -en
10
kleos OP @xqzr
01:36:48.950161 4e:65:07:71:90:97 > 4e:65:07:8b:78:01, ethertype IPv4 (0x0800), length 1115: 5.180.253.215.28000 > 37.114.49.176.35648: Flags [P.], seq 1190591:1191640, ack 446458, win 6711, options [nop,nop,TS val 1740052918 ecr 2850137200], length 1049
01:36:48.950775 4e:65:07:71:90:97 > 4e:65:07:8b:78:01, ethertype IPv4 (0x0800), length 1113: 5.180.253.215.28000 > 37.114.49.176.35618: Flags [P.], seq 1201817:1202864, ack 447604, win 7250, options [nop,nop,TS val 1740052919 ecr 2850137201], length 1047
01:36:48.951174 4e:65:07:71:90:97 > 4e:65:07:8b:78:01, ethertype IPv4 (0x0800), length 1113: 5.180.253.215.28000 > 37.114.49.176.35648: Flags [P.], seq 1191640:1192687, ack 446846, win 6711, options [nop,nop,TS val 1740052919 ecr 2850137202], length 1047
01:36:48.951724 4e:65:07:71:90:97 > 4e:65:07:8b:78:01, ethertype IPv4 (0x0800), length 1106: 5.180.253.215.28000 > 37.114.49.176.35618: Flags [P.], seq 1202864:1203904, ack 447991, win 7250, options [nop,nop,TS val 1740052920 ecr 2850137203], length 1040
01:36:48.952181 4e:65:07:71:90:97 > 4e:65:07:8b:78:01, ethertype IPv4 (0x0800), length 1114: 5.180.253.215.28000 > 37.114.49.176.35648: Flags [P.], seq 1192687:1193735, ack 447235, win 6711, options [nop,nop,TS val 1740052920 ecr 2850137202], length 1048
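An added example, not part of the thread and not written by any of its participants, that turns the tcpdump output posted in replies 3 and 10 into the two facts the replies are circling around: how many bytes each source is pushing, and whether the packets are addressed to an IP this host actually holds. It parses both `tcpdump -n` lines and `tcpdump -en` lines (with the link-layer header), totals bytes per source IP:port, and counts packets whose destination IP is not one of the host's own addresses; for `-en` captures it additionally counts the subset that was nevertheless delivered to the host's own MAC, which is the signature of traffic arriving from the upstream network rather than from anything running locally. The sample lines are copied from the thread; the host's own address `2001:db8::1` and the assumption that `4e:65:07:8b:78:01` is this host's NIC are constructed for the example and would be replaced with the output of `ip addr`.

```python
"""Added example (not from the thread): summarise tcpdump TCP output and flag
packets whose destination is not one of this host's own addresses."""
import re
from collections import defaultdict

# One regex covers both `tcpdump -n` lines ("IP src.port > dst.port: ...") and
# `tcpdump -en` lines, which carry "srcmac > dstmac, ethertype IPv4 (0x0800),
# length N:" before the IP part.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?:(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: |IP )"
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags .*? length (?P<len>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one tcpdump TCP line, or None if it does not
    parse. smac/dmac are None when the capture was taken without -e."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    p = m.groupdict()
    for k in ("sport", "dport", "len"):
        p[k] = int(p[k])
    return p


def summarize(lines, local_ips, local_macs=()):
    """Aggregate parsed lines.

    by_src:               packets/bytes/destination ports per (src IP, src port)
    foreign_packets:      packets whose destination IP is not in local_ips
    nic_accepted_foreign: foreign packets that were still addressed to one of
                          local_macs (only computable from -e captures)
    """
    by_src = defaultdict(lambda: {"packets": 0, "bytes": 0, "dst_ports": set()})
    src_macs, dst_macs = set(), set()
    foreign = nic_foreign = 0
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue  # non-TCP or unrecognised line: skip rather than guess
        entry = by_src[(p["src"], p["sport"])]
        entry["packets"] += 1
        entry["bytes"] += p["len"]
        entry["dst_ports"].add(p["dport"])
        if p["smac"]:
            src_macs.add(p["smac"])
            dst_macs.add(p["dmac"])
        if p["dst"] not in local_ips:
            foreign += 1
            if p["dmac"] in local_macs:
                nic_foreign += 1
    return {
        "by_src": {k: {**v, "dst_ports": sorted(v["dst_ports"])}
                   for k, v in by_src.items()},
        "foreign_packets": foreign,
        "nic_accepted_foreign": nic_foreign,
        "src_macs": sorted(src_macs),
        "dst_macs": sorted(dst_macs),
    }


# Sample input copied from replies 3 (-n) and 10 (-en) of the thread.
SAMPLE_N = [
    "12:08:16.926740 IP 5.180.253.215.28000 > 37.114.49.176.60364: Flags [P.], seq 2861263:2862303, ack 1110587, win 501, options [nop,nop,TS val 1716740894 ecr 2826825176], length 1040",
    "12:08:16.927246 IP 5.180.253.215.28000 > 37.114.49.176.60376: Flags [P.], seq 2081745:2082793, ack 810334, win 6343, options [nop,nop,TS val 1716740896 ecr 2826825178], length 1048",
]
SAMPLE_E = [
    "01:36:48.950161 4e:65:07:71:90:97 > 4e:65:07:8b:78:01, ethertype IPv4 (0x0800), length 1115: 5.180.253.215.28000 > 37.114.49.176.35648: Flags [P.], seq 1190591:1191640, ack 446458, win 6711, options [nop,nop,TS val 1740052918 ecr 2850137200], length 1049",
    "01:36:48.950775 4e:65:07:71:90:97 > 4e:65:07:8b:78:01, ethertype IPv4 (0x0800), length 1113: 5.180.253.215.28000 > 37.114.49.176.35618: Flags [P.], seq 1201817:1202864, ack 447604, win 7250, options [nop,nop,TS val 1740052919 ecr 2850137201], length 1047",
]

# Constructed assumptions: an IPv6-only host with this one address, whose NIC
# carries the destination MAC seen in the -en capture. Replace with `ip addr`.
LOCAL_IPS = {"2001:db8::1"}
LOCAL_MACS = {"4e:65:07:8b:78:01"}

if __name__ == "__main__":
    report = summarize(SAMPLE_N + SAMPLE_E, LOCAL_IPS, LOCAL_MACS)
    for (src, sport), v in report["by_src"].items():
        print(f"{src}:{sport}  packets={v['packets']}  bytes={v['bytes']}  "
              f"dst_ports={v['dst_ports']}")
    print("packets not addressed to our IPs:", report["foreign_packets"])
    print("...of which delivered to our MAC:", report["nic_accepted_foreign"])
    print("source MACs seen:", report["src_macs"])
```

Fed a real capture (`tcpdump -eni <iface> tcp > cap.txt`, then the file's lines), `foreign_packets` equal to the total while `nic_accepted_foreign` is also non-zero means the switch or hypervisor is handing the host frames for an address it does not own, which is the evidence to attach to the provider ticket; a single source MAC for all of it points at one neighbouring machine or one upstream port rather than a broad scan.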
11
kleos OP @jinliming2 The strange thing is that no program is using port 28000.