Unknown Continuous Upload

I’m having an issue with my FreePBX that has been running for about a year now with no problems. I noticed the audio was choppy, and when I looked at the network traffic I noticed the FreePBX box was uploading a continuous 8mb stream. When I restart the machine it stops and starts working normally, but over the next hour or two the upload starts to climb again until it maxes out my upload connection. Is there anywhere in the web GUI that I can look and see what’s going on, or any other suggestions?

Thanks in advance,
Nick

I had the same issue here except that the traffic had exceeded 20mb/s. About 1/3 of it managed to pass through the firewall and onto the internet. It was affecting regular LAN network traffic. Extensions and SIP trunks couldn’t stay registered. In looking at the firewall logs, it almost appeared as if it was a flood of time sync requests (NTP). Rebooting the box would quiet it down for a while, but the traffic would again climb and within an hour it was back up past 20 mb/s again. I couldn’t figure out how to find the source and kill it, so I ended up building a new box with a fresh install. No problems now. I would love to hear about what actually happened here.

I did a packet sniff yesterday and yes, it looks like the same thing. A lot of traffic on port 123.

Quick fix from bash:

echo "disable monitor" >> /etc/ntp.conf

As much as I wish, this did not fix the issues. Thank you though.

I can add that this has been an issue since I upgraded all modules this past weekend.

The monlist will need to expire for the traffic to abate.

I did restart the server after I added it. Am I correct in saying that would do it? If so, it started climbing again after the restart.

Google, as ever, can supply the answer, or at least the methodology to provide your answer.

General consensus is to update your ntpd server, but I don’t think "non-"CentOS RPMs are yet available.

Thenoize - Did you notice the OP provided the type of traffic? That was why he was able to be assisted. There is no way we can know what is going on without more info. Take a sniff of the outbound traffic and see what it is.

If you don’t know how to do it, capture with tcpdump and view with Wireshark.

UDP 123 is NTP. The OP was a victim of the recent NTP amplification attacks. I can’t think of an earthly reason why you would have NTP exposed to the Internet. The world has plenty of free atomic clock servers, we don’t need your .05 piezo crystal.

This worked for me.
Thanks.
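
For anyone following the capture advice in this thread, here is an added example (not written by any poster here) that labels UDP/123 payloads taken from a capture and totals monlist request bytes against response bytes per remote address. The packet tuples, addresses and padding are constructed sample data, and the function names are hypothetical; the mode 7 request codes are the ones ntpd defines.

```python
import struct
from collections import defaultdict

# NTP private-mode (mode 7) values as defined in ntpd's ntp_request.h
MODE_PRIVATE = 7
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42

def classify(payload: bytes) -> str:
    """Label one UDP/123 payload by NTP mode and, for mode 7, by request code."""
    if len(payload) < 4:
        return "short"
    b0, _seq, _impl, req = struct.unpack("!BBBB", payload[:4])
    mode = b0 & 0x07                      # low three bits of the first byte
    if mode != MODE_PRIVATE:
        return f"mode{mode}"              # 3 = client, 4 = server: normal time sync
    if req in (REQ_MON_GETLIST, REQ_MON_GETLIST_1):
        # Top bit of the first byte is the response flag in mode 7.
        return "monlist-response" if b0 & 0x80 else "monlist-request"
    return "mode7-other"

def summarise(packets):
    """packets: (direction, peer, payload); direction is 'in' or 'out' as seen
    from the PBX. Returns monlist byte counts and the out/in ratio per peer."""
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0})
    for direction, peer, payload in packets:
        kind = classify(payload)
        if direction == "in" and kind == "monlist-request":
            stats[peer]["req_bytes"] += len(payload)
        elif direction == "out" and kind == "monlist-response":
            stats[peer]["resp_bytes"] += len(payload)
    return {
        peer: dict(s, ratio=s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else None)
        for peer, s in stats.items()
    }

# Constructed sample payloads (documentation addresses, zero padding in place
# of real monitor entries); not taken from any capture in this thread.
REQ = bytes([0x17, 0x00, 0x03, REQ_MON_GETLIST_1]) + bytes(4)
RESP = bytes([0xD7, 0x00, 0x03, REQ_MON_GETLIST_1]) + bytes(436)
CLIENT = bytes([0x23]) + bytes(47)        # ordinary mode 3 time request
SERVER = bytes([0x24]) + bytes(47)        # ordinary mode 4 reply
SAMPLE = [
    ("out", "192.0.2.10", CLIENT), ("in", "192.0.2.10", SERVER),
    ("in", "198.51.100.7", REQ),
    ("out", "198.51.100.7", RESP), ("out", "198.51.100.7", RESP),
    ("out", "198.51.100.7", RESP),
]

if __name__ == "__main__":
    for peer, s in summarise(SAMPLE).items():
        print(peer, s)
```

A peer that shows a large ratio here is most likely the spoofed address of the flood's target, and ordinary mode 3 and mode 4 time sync never appears in the summary.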