Unusually High Outbound Traffic
aarontyler said 1 year ago:
I’ve recently set up a single Windows Server in the GoDaddy cloud. I’ve set it up as a domain controller, web server, and DNS server. I’ve opened up HTTP traffic, RDP traffic, and enabled VPN in the GoDaddy interface.
On the 10th of May, there was an unusually high level of outbound traffic. 700MB of outbound traffic in one day, when usually I’m seeing only a couple of MBs.
I have checked IIS logs and can only see requests from robots and my test workstation’s IP, and one request from Morfeus Scanner (a scanner that looks for PHP vulnerabilities). I’ve installed Microsoft Network Monitor and currently can’t see any unusual traffic. The outbound traffic does not seem high right now either.
I can’t see what has caused this 700MB of outbound. Are there any legitimate reasons (such as something related to the cloud infrastructure) that would cause this amount of outbound traffic?
If not, does anyone have any ideas on how I can prevent/monitor this issue?
Appreciate any assistance that anyone could provide.
Gary A said 1 year ago:
Outbound traffic only includes data that is leaving your account. Data transfer between servers in your network does not count towards bandwidth and we do not have any applications that would affect your outbound bandwidth. If you have any automated applications, that could have caused the spike. Also, if you used RDP for an extended session, perhaps leaving a session open for an extended period of time, that might have added to the bandwidth usage for that period of time. Otherwise, you may want to continue monitoring traffic to your network to see if you are able to detect any usual traffic in the future.
aarontyler said 1 year ago:
I fully understand how the outbound traffic is counted and that internal server communication does not count. I don’t believe I have any automated applications that can account for the bandwidth usage.
It is, however, possible that an RDP connection was left open for a long period; however, doing the calculations, this does not seem as though it could have exceeded around 100MB of bandwidth for a 24-hour period. I have set up monitoring on the server now, and will continue monitoring to see if the issue occurs again.
I am not particularly concerned about the bandwidth usage itself, but more about the security of the server. I will post any additional information regarding the issue here.
One other question that may be related: if a user is connected to my VPN and accesses the internet through the VPN, does that internet traffic count as outbound traffic on the account? I presume it does, but would like to clarify.
Thanks for your help Gary.
MikeD said 1 year ago:
You’re right, any traffic generated by a VPN connection that goes out to the Internet does count as outbound traffic.
I agree, too, that an open RDP connection probably wouldn’t have generated that much traffic, either, especially if the connection was mostly idle.
So I assume the outbound bandwidth utilization has dropped back down to the normal level now? We do keep some historical record of traffic, but it probably wouldn’t be enough to determine exactly what happened. Let me see what I can find out by doing a little digging.
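One way to check whether IIS itself accounts for a spike like the one discussed in this thread, added here as an example and not part of any poster's reply: total the `sc-bytes` column of the IIS W3C logs per day and per client IP. The sample log lines, dates, IPs and paths are constructed, and the script assumes the `sc-bytes` field has been enabled in IIS logging (it is not logged by default).

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not from the original thread).
# Assumption: sc-bytes has been enabled in the IIS logging field selection.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-bytes
2012-05-09 10:00:01 GET /default.aspx 203.0.113.7 200 14500
2012-05-10 02:11:40 GET /robots.txt 198.51.100.20 200 310
2012-05-10 02:11:45 GET /downloads/large.bin 198.51.100.20 200 367001600
2012-05-10 02:19:02 GET /downloads/large.bin 198.51.100.20 200 367001600
2012-05-10 09:30:12 GET /default.aspx 203.0.113.7 200 14500
"""

def parse_w3c(lines):
    """Yield one dict per request, re-reading #Fields: whenever it reappears."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def outbound_by_day(records):
    """Return {date: {client_ip: bytes_sent}} summed from sc-bytes."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        sent = r.get("sc-bytes", "-")
        if sent.isdigit():  # "-" means the value was not recorded
            totals[r.get("date", "?")][r.get("c-ip", "?")] += int(sent)
    return totals

def heavy_days(totals, threshold_bytes):
    """Return [(date, day_total, top_ip, top_ip_bytes)] for days over threshold."""
    out = []
    for day in sorted(totals):
        per_ip = totals[day]
        day_total = sum(per_ip.values())
        if day_total > threshold_bytes:
            top_ip = max(per_ip, key=per_ip.get)
            out.append((day, day_total, top_ip, per_ip[top_ip]))
    return out

if __name__ == "__main__":
    totals = outbound_by_day(parse_w3c(SAMPLE_LOG.splitlines()))
    for day, total, ip, ip_bytes in heavy_days(totals, 100 * 1024 * 1024):
        print(f"{day}: {total / 2**20:.1f} MiB via IIS, top {ip} ({ip_bytes / 2**20:.1f} MiB)")
```

IIS logs only cover HTTP responses, so a day where this total is small while the provider's meter is high points at the other services exposed on the server (RDP, VPN, DNS) rather than the web site.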