
New install of SBS 2008 continuously downloads 2.5GB per day (WSUS disabled)

Hi All, My first EE post. So be gentle.

I installed my first SBS 2008 server a few weeks ago, and since the install the server has been downloading approx 2.5GB per day (100MB per hour). My first thought was WSUS so I disabled the WSUS Download Service - but the downloading continued.

I have no idea what is doing it and why. It is chewing through my monthly download limit and I am hitting my 35GB cap halfway through the month. I purchased a 20GB data block to buy me some more time to figure out what the heck was going on, but just hit that too. 55GB of downloads this month and climbing.

Weird thing is, the data is not being written anywhere, i.e. my hard drives are not filling up at all.

So I installed wireshark and noticed continual traffic of a similar sort throughout every hour of every day. But I am not clever enough to figure out exactly what it is, where it is coming from, or more importantly how to stop it.

Below is a series of 6 packets (2 groups of 3) that Wireshark is capturing over and over and over again:

I will type in the column headings; they may not line up, but you should be able to figure it out...

Size | Time      | Source        | Destination   | Protocol | Information                                          | Number
54   | 57.169983 | 192.168.1.2   | 150.101.98.79 | TCP      | 56403 > http [ACK] Seq=1 Ack=3481993 Win=16685 Len=0 | 3999
1466 | 57.174653 | 150.101.98.79 | 192.168.1.2   | HTTP     | Continuation or non-HTTP traffic                     | 4000
1466 | 57.179092 | 150.101.98.79 | 192.168.1.2   | HTTP     | Continuation or non-HTTP traffic                     | 4001
54   | 57.179107 | 192.168.1.2   | 150.101.98.79 | TCP      | 56403 > http [ACK] Seq=1 Ack=3484817 Win=16685 Len=0 | 4002
1466 | 57.174653 | 150.101.98.79 | 192.168.1.2   | HTTP     | Continuation or non-HTTP traffic                     | 4003
1466 | 57.179092 | 150.101.98.79 | 192.168.1.2   | HTTP     | Continuation or non-HTTP traffic                     | 4004

I did a lookup on the 150.101.98.79 address and it seems to be some sort of Proxy for the Akamai network of servers.

That is about all the info I can think of for now. If you have any questions, please ask and I will respond as soon as possible.

Thanks in advance!

Mark
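Added example, not code from the original post or any reply: a small Python script that reads packet rows in the column order typed above (Size | Time | Source | Destination | Protocol | Information | Number), totals bytes per remote host in each direction, and reads the TCP port and Ack fields to tell who opened the connection and how far the transfer had already got. The six sample rows are constructed from the table in the question; it assumes 192.168.1.x is the LAN and that each frame carries 54 bytes of Ethernet/IP/TCP headers.

```python
"""Summarise a Wireshark packet-list export by remote host and direction.

Added example, not code from the original post. It assumes the column order
the poster typed (Size | Time | Source | Destination | Protocol | Information
| Number) and that 192.168.1.x is the LAN; the sample lines are constructed
from the six frames in the question.
"""
import re
from collections import defaultdict

LOCAL_NET = "192.168.1."  # assumption: the LAN prefix seen in the capture
ETH_IP_TCP_HEADERS = 54   # 14 Ethernet + 20 IPv4 + 20 TCP, no options

# Constructed sample: the six frames the poster listed, one per line.
SAMPLE = """\
54 | 57.169983 | 192.168.1.2 | 150.101.98.79 | TCP | 56403 > http [ACK] Seq=1 Ack=3481993 Win=16685 Len=0 | 3999
1466 | 57.174653 | 150.101.98.79 | 192.168.1.2 | HTTP | Continuation or non-HTTP traffic | 4000
1466 | 57.179092 | 150.101.98.79 | 192.168.1.2 | HTTP | Continuation or non-HTTP traffic | 4001
54 | 57.179107 | 192.168.1.2 | 150.101.98.79 | TCP | 56403 > http [ACK] Seq=1 Ack=3484817 Win=16685 Len=0 | 4002
1466 | 57.174653 | 150.101.98.79 | 192.168.1.2 | HTTP | Continuation or non-HTTP traffic | 4003
1466 | 57.179092 | 150.101.98.79 | 192.168.1.2 | HTTP | Continuation or non-HTTP traffic | 4004
"""

# "56403 > http [ACK] Seq=1 Ack=3481993 ..." -> local port, remote port, Ack
ACK_RE = re.compile(r"^(\S+) > (\S+) \[ACK\].*\bAck=(\d+)")


def parse_rows(text):
    """Parse pipe-separated rows; headings and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 7 or not parts[0].isdigit():
            continue
        rows.append({"size": int(parts[0]), "time": float(parts[1]),
                     "src": parts[2], "dst": parts[3], "proto": parts[4],
                     "info": parts[5], "number": int(parts[6])})
    return rows


def bytes_by_remote(rows):
    """Frame bytes per remote host, inbound vs outbound as seen from the LAN."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for r in rows:
        if r["src"].startswith(LOCAL_NET):
            totals[r["dst"]]["out"] += r["size"]
        else:
            totals[r["src"]]["in"] += r["size"]
    return dict(totals)


def who_initiated(rows):
    """Decide who opened the TCP connection from the 'local > remote' ports in
    ACKs sent by the LAN host. A dynamic local port (49152 and up on Vista /
    Server 2008) talking to a named service such as http means the LAN host is
    the client: the transfer is a download the server asked for, not
    unsolicited inbound traffic arriving through a port forward."""
    for r in rows:
        if r["proto"] != "TCP" or not r["src"].startswith(LOCAL_NET):
            continue
        m = ACK_RE.match(r["info"])
        if m and m.group(1).isdigit() and int(m.group(1)) >= 49152:
            return f"{r['src']} opened the connection to {r['dst']}:{m.group(2)}"
    return "undetermined"


def ack_progress(rows):
    """Check that the Ack number advances by exactly the payload seen between
    two ACKs. The first Ack value is also how many bytes this single
    connection had already received when these frames were captured."""
    first = last = None
    payload_between = 0
    for r in rows:
        m = ACK_RE.match(r["info"]) if r["proto"] == "TCP" else None
        if m:
            ack = int(m.group(3))
            if first is None:
                first = ack
            else:
                last = ack
                break  # stop at the second ACK
        elif first is not None and r["proto"] == "HTTP":
            payload_between += r["size"] - ETH_IP_TCP_HEADERS
    return {"first_ack": first, "second_ack": last,
            "ack_delta": (last - first) if last is not None else None,
            "payload_between": payload_between}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print(bytes_by_remote(rows))
    print(who_initiated(rows))
    print(ack_progress(rows))
```

The same totals are available interactively in Wireshark under Statistics > Conversations; the script makes the two checks explicit. Here the Ack value in the first frame says about 3.3 MB had already arrived on this one connection, the Ack advances by 2824 bytes, exactly the two 1412-byte payloads in between, and the 56403 > http direction shows the server itself opened the connection.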

Commented:
Do you have a physical firewall? If so, check the rules in the firewall. The only way your server would be receiving the data unsolicited is if there is a port forward. If you don't have a port forward in the firewall, then the only way your server is getting the data is if it first opens up a connection, which then establishes a NAT session in the firewall.

Try issuing netstat -an in a DOS window and see if there are any connections open to that address.
A lot of software updates from Akamai. Look at your AV and your logs. See what updates coincide with the same times as the usage.
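Added example, not code from Saku99 or anyone else in the thread: `netstat -an` shows the connections, and adding `-o` (`netstat -ano`) appends the owning process ID, which is the piece needed to name the downloader. The Python below parses the Windows `netstat -ano` text format and lists the PIDs holding TCP connections to a given remote address. The sample output, the PIDs and the connection states in it are constructed; only the 150.101.98.79 address comes from the question.

```python
"""Find which local processes hold TCP connections to a remote address,
from the text of `netstat -ano` on Windows.

Added example, not from the thread. The sample below is constructed: its
PIDs and states are made up, only the remote address is from the question.
"""
import re
from collections import defaultdict

# Constructed `netstat -ano` output (columns: Proto, Local Address,
# Foreign Address, State, PID). UDP rows have no State column and show
# `*:*` as the foreign end because UDP sockets are not connected.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:56403      150.101.98.79:80       ESTABLISHED     2744
  TCP    192.168.1.2:56410      150.101.98.79:80       TIME_WAIT       0
  TCP    192.168.1.2:3389       192.168.1.50:51234     ESTABLISHED     1240
  UDP    0.0.0.0:56403          *:*                                    2744
  UDP    0.0.0.0:56404          *:*                                    2744
"""

# State is optional so that UDP rows (no state) still match.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state or "", "pid": int(pid)})
    return conns


def split_endpoint(endpoint):
    """'150.101.98.79:80' -> ('150.101.98.79', '80'); '*:*' -> ('*', '*').
    rpartition keeps IPv6 literals such as [::1]:80 intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def pids_talking_to(conns, remote_ip):
    """Map PID -> set of (remote port, state) for TCP sockets whose foreign
    address is remote_ip. PID 0 rows (e.g. TIME_WAIT, no longer owned by a
    process) are dropped, and UDP rows are ignored because `*:*` carries no
    peer address."""
    hits = defaultdict(set)
    for c in conns:
        host, port = split_endpoint(c["foreign"])
        if c["proto"] == "TCP" and host == remote_ip and c["pid"] != 0:
            hits[c["pid"]].add((port, c["state"]))
    return dict(hits)


if __name__ == "__main__":
    for pid, endpoints in pids_talking_to(parse_netstat(SAMPLE_NETSTAT),
                                          "150.101.98.79").items():
        print(pid, sorted(endpoints))
```

Save the real output with `netstat -ano > netstat.txt`, run the script against it, then name the process with `tasklist /FI "PID eq 2744"` (substitute the PID found); `netstat -anob` prints the executable name directly but needs an elevated prompt. A UDP listener on a port such as 56403 does not by itself say who the peer is, which is why the poster's list of `0.0.0.0:564xx *:*` rows showed no remote address.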

Author

Commented:
Hi Saku99, the firewall is just a basic router at this stage running as a packet filter. But there are port forwards in place. Should I try removing them?

The netstat command you asked me to run produced pages and pages of information such as this:

  UDP    0.0.0.0:56403          *:*
  UDP    0.0.0.0:56404          *:*
  UDP    0.0.0.0:56405          *:*
  UDP    0.0.0.0:56406          *:*
  UDP    0.0.0.0:56407          *:*
  UDP    0.0.0.0:56408          *:*
  UDP    0.0.0.0:56409          *:*
  UDP    0.0.0.0:56410          *:*
  UDP    0.0.0.0:56411          *:*

None of the entries listed that 150.101.98.79 IP address at all.
http://www.vistax64.com/sbs-server/273849-sbs-2008-using-excessive-bandwidth.html

You may want to check Forefront updates and turn them off. Make sure also that there aren't failing updates that continuously re-try.

Commented:
Well, the first one in the list matches one you listed above. Those forwards state that they will be accepted from any source address. If you don't know what they are for, I would probably remove them. The question would be why they are there in the first place.

If I had to guess, I would almost think this is a file sharing thing, some peer-to-peer, and that it was maybe used on the other server that you replaced.

Commented:
Also, if you've always looked after this router and never defined these port forwards, I'd immediately remove them and change the router password.

Author

Commented:
dmarinenko - you are spot on!!

When I ping the forefront download host name (forefrontdl.microsoft.com) from this internet connection it resolves to the same IP address I am having problems with.

Pinging a249.ms.akamai.net [150.101.98.79] with 32 bytes of data:
Reply from 150.101.98.79: bytes=32 time=28ms TTL=61
Reply from 150.101.98.79: bytes=32 time=61ms TTL=61
Reply from 150.101.98.79: bytes=32 time=53ms TTL=61
Reply from 150.101.98.79: bytes=32 time=59ms TTL=61

Forefront it is... Same IP address. Now to stop it...

Author

Commented:
I have disabled the scheduled updates in Forefront Server Security Manager and I will update this thread in an hour or so to let you know if it has stopped downloading.

If there is a rogue update caught in some sort of retry loop, I may need some assistance in stopping that.
http://technet.microsoft.com/en-us/library/cc995320.aspx
Or you may just be able to type Forefront in the search bar.
Glad to hear it resolves out. It should work for you. You may want to look in the event logs to catch any rogue updates.
Top Expert 2013

Commented:
Unless you have purchased a Forefront server license, you just have the demo that came with the earlier SBS CD sets. You may want to uninstall it. If doing so, first stop the service in the Services control panel.

Author

Commented:
Pointed me in the right direction.