Strange internet connectivity issue

Ogdentechguy

First, let me explain how we have things set up. We have a Comcast business internet connection for our location with 5 static IP addresses. This serves not only our DirectAdmin server but also our private network. There are 2 Ethernet cables running from the cable modem - one to a switch which serves our Vonage routers and our DirectAdmin server as well as two internet-facing Windows servers. The other cable leads to our wireless router which in turn splits off into two switches which serve our computers.

The issue we're having is that occasionally (as in, multiple times per day) we will lose internet connectivity, and whether we wait or do it immediately, rebooting the DirectAdmin server will immediately cause the connectivity to return; as the server goes down for reboot, the internet connectivity will return. Power cycling the cable modem works too, but it takes longer for the cable modem to come back up than it does for the DirectAdmin server to do so. While the connectivity is lost, I can still access the DirectAdmin server via the private IP address (it has a NIC connected to the private network served by the wireless router) but can't access any sites. We have the server-status thing set up in Apache but it doesn't show any significant traffic. I can access the DirectAdmin configuration page to see logs and such, but I'm not sure what to look for. My guess is heavy outgoing traffic from the DirectAdmin server flooding the upstream bandwidth making it impossible for any other upstream traffic to get through (if it was downstream traffic, the problem wouldn't disappear as quickly as it does).

Any ideas what to check, and how to do so? Thanks in advance.
 
It most likely has nothing to do with DirectAdmin, or even your server, but if you have a very small upstream connection I suppose it's possible.

I'd start sniffing your local network. And check your DirectAdmin server's outgoing bandwidth (real bandwidth, not what DirectAdmin calls bandwidth); I use this Python script, called NetRate.

Also start traceroutes to various places on and off your local network(s) to see if you can find a failure point.

I've moved the thread; on the DirectAdmin forum it's off-topic.

Jeff
 
In the time since I last posted we've done a lot of troubleshooting; we've traced the issue to a flood of outgoing UDP packets from high port numbers. I think I've blocked the majority of the flood with the CentOS built-in firewall configuration tool by blocking all UDP above port 30k, and the problem went away for about 2 days then returned this morning.

A couple questions.
1) What would cause the server to send out such a flood? The root account password isn't compromised and I don't think much could be done with it even if it was. I can't be as certain about the admin password since it's not as secure, but I would think that they'd do more damage if it was.
2) As a stopgap measure until we find the root cause, what UDP ports do we need to leave open, so we can close the others? This server does FTP, HTTP, IMAP, POP, SMTP, DNS, SSH on an altered port (we just set this up yesterday) and the standard port is blocked, HTTPS (though I don't think we have a certificate so I don't know what good that does us), and pretty much any other DirectAdmin function, but no others.

Any help/advice/etc would be helpful, and please phrase it for a Linux noob. I'd rather you assume I didn't know how to do something than assume I did and make me ask how :) Though I will say that I can get to a terminal and I know some basic commands.
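
For the outgoing high-port UDP flood described in the post above, one way to find out which process owns the sockets is to summarise `netstat -anup` output per owner. This is an added example, not part of the original thread; the function names, the sample listing and the process name `example.pl` are constructed for illustration.

```shell
#!/bin/sh
# Added example: count UDP sockets on high local ports, grouped by owning process.
# Input is the text of `netstat -anup`; run netstat as root so the
# PID/Program name column is filled in for every socket.

# udp_high_port_owners THRESHOLD
# Reads netstat output on stdin and prints "COUNT PID/PROGRAM" for UDP sockets
# whose local port is above THRESHOLD, busiest owner first.
udp_high_port_owners() {
    awk -v min="$1" '
        $1 ~ /^udp/ {
            n = split($4, part, ":")       # local address; the port follows the last colon
            port = part[n] + 0
            if (port > min) owners[$NF]++  # last column is PID/Program name, or "-"
        }
        END { for (o in owners) print owners[o], o }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample listing (not taken from the thread): normal DNS and NTP
# listeners, one legitimate daemon on a high port, and three high-port sockets
# with queued outgoing data that belong to a hypothetical script.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address    State       PID/Program name
udp        0      0 0.0.0.0:53         0.0.0.0:*                      1201/named
udp        0      0 :::53              :::*                           1201/named
udp        0      0 0.0.0.0:123        0.0.0.0:*                      1350/ntpd
udp        0  18432 192.0.2.10:41822   198.51.100.7:80    ESTABLISHED 2871/example.pl
udp        0  20480 192.0.2.10:52011   198.51.100.7:80    ESTABLISHED 2871/example.pl
udp        0  17408 192.0.2.10:60355   198.51.100.9:53    ESTABLISHED 2871/example.pl
udp        0      0 0.0.0.0:32768      0.0.0.0:*                      1188/rpc.statd
EOF
}

# Demo on the constructed sample. On a live server, as root:
#   netstat -anup | udp_high_port_owners 30000
sample_netstat | udp_high_port_owners 30000
```

Once a PID stands out, `ls -l /proc/PID/exe` and `ls -l /proc/PID/cwd` show which binary it is running and from which directory, which usually points to the account or web application that started it.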
 