100% CPU - Limit P2P UDP connections

We are having some problems with clients opening upwards of 300 UDP connections… looks like P2P. I’m wondering if anyone has attempted to limit the total number of UDP connections on MT. This has been putting a strain on our AP and BH links.

I’ve tried a bunch of different settings, but have been unable to limit this.

Any suggestions are appreciated.

Size and rate of packets matter, not the number of connections (unless it’s a DoS attack). So, are you sure that the number of connections is the problem? Do clients with a large number of connections use disproportionately more bandwidth?

The clients with this many connections are using their full bandwidth queue… I know that the number of connections is affecting CPU, because when I disconnect them from the AP… CPU levels start moving down.

Try to find where the packets are going.
/tool sniffer
start
(wait a few seconds)
stop
/tool sniffer packet print

0 4294… wlan1-… 79.119.123.127:3… 172.16.129.3:60913 udp 1466
1 4294… wlan1-… 79.119.123.127:3… 172.16.47.222:60913 udp 1466
2 4294… wlan1-… 118.94.9.240:24389 172.16.47.222:60913 udp 77
3 4294… wlan1-… 83.253.108.164:5… 172.16.47.222:60913 udp 51
4 4294… wlan1-… 79.119.123.127:3… 172.16.129.3:60913 udp 1466
5 4294… wlan1-… 118.94.9.240:24389 172.16.129.3:60913 udp 77
6 4294… wlan1-… 83.253.108.164:5… 172.16.129.3:60913 udp 51
7 4294… wlan1-… 79.119.123.127:3… 172.16.129.3:60913 udp 1466
8 4294… wlan1-… 118.94.9.240:24389 172.16.129.3:60913 udp 77
9 4294… wlan1-… 83.253.108.164:5… 172.16.129.3:60913 udp 51
10 4294… ether1 172.16.129.3:60679 66.177.118.140:2… tcp 50
11 4294… ether1 172.16.129.3:60913 95.10.227.104:20775 udp 51
12 4294… ether1 172.16.129.3:60679 66.177.118.140:2… tcp 40
13 4294… ether1 172.16.129.3:60913 95.10.227.104:20775 udp 51
14 4294… ether1 172.16.129.3:60679 66.177.118.140:2… tcp 40
15 4294… ether1 172.16.129.3:60913 95.10.227.104:20775 udp 51
16 4294… wlan1-… 172.16.129.3:60679 66.177.118.140:2… tcp 40
17 4294… wlan1-… 172.16.47.222:60679 66.177.118.140:2… tcp 40
18 4294… wlan1-… 172.16.129.3:60913 95.10.227.104:20775 udp 51
19 4294… wlan1-… 172.16.47.222:60913 95.10.227.104:20775 udp 51
20 4294… ether1 79.119.123.127:3… 172.16.129.3:60913 udp 1466

The ports being used suggest either a gamer, or a netbot/spybot virus on the requesting ip computer. Drop just those udp ports in your firewall, and see who complains about what. But that is just me…

UDP port 1466 is licensed to Ocean Software.
http://en.wikipedia.org/wiki/Ocean_Software

Thanks for the info. I think I may just upgrade my BH to a 411AH board. Most of the boards on this tower are 532’s… they are over 3 years old and taxed.
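An added example, not part of the original thread: a Python sketch that tallies distinct remote UDP peers, packets and bytes per internal client from pasted `/tool sniffer packet print` rows, so the hosts fanning out to many peers can be identified before deciding what to limit. The column layout (index, time, interface, source, destination, protocol, size), the 172.16.0.0/12 client range, the function names and the sample rows are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample rows in the layout of the capture above
# (documentation addresses; truncated fields kept as the tool prints them).
SAMPLE = """\
0 4294… wlan1-… 198.51.100.7:3… 172.16.129.3:60913 udp 1466
1 4294… wlan1-… 203.0.113.9:24389 172.16.129.3:60913 udp 77
2 4294… wlan1-… 192.0.2.44:5… 172.16.129.3:60913 udp 51
3 4294… ether1 172.16.129.3:60679 192.0.2.80:2… tcp 40
4 4294… ether1 172.16.129.3:60913 203.0.113.50:20775 udp 51
5 4294… wlan1-… 198.51.100.7:3… 172.16.47.222:60913 udp 1466
6 4294… wlan1-… 198.51.100.7:3… 172.16.129.3:60913 udp 1466
"""

# Assumed columns: index, time, interface, src, dst, protocol, size.
ROW = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\w+)\s+(\d+)\s*$")
CLIENT_NET = ipaddress.ip_network("172.16.0.0/12")  # assumption: client range

def is_client(addr):
    return ipaddress.ip_address(addr) in CLIENT_NET

def host(endpoint):
    # Drop the port, which may be truncated ("198.51.100.7:3…").
    return endpoint.rsplit(":", 1)[0]

def udp_peers(text):
    """Return {client: {"peers": set, "packets": int, "bytes": int}} for UDP."""
    stats = defaultdict(lambda: {"peers": set(), "packets": 0, "bytes": 0})
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(3) != "udp":
            continue
        src, dst, size = host(m.group(1)), host(m.group(2)), int(m.group(4))
        if is_client(src) == is_client(dst):
            continue  # skip client-to-client and transit traffic
        client, peer = (src, dst) if is_client(src) else (dst, src)
        stats[client]["peers"].add(peer)
        stats[client]["packets"] += 1
        stats[client]["bytes"] += size
    return stats

def over_threshold(stats, max_peers):
    """Clients talking UDP to more than max_peers distinct remote hosts."""
    return sorted(c for c, s in stats.items() if len(s["peers"]) > max_peers)

if __name__ == "__main__":
    for client, s in udp_peers(SAMPLE).items():
        print(client, len(s["peers"]), s["packets"], s["bytes"])
```

A packet capture only shows peers seen during the sniff window, so a longer capture gives a more reliable count per client.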