ntopng edge: very high traffic UDP detected #8923

Closed
sciolto opened this issue Jan 29, 2025 · 3 comments

sciolto commented Jan 29, 2025

Environment:

  • OS name: Ubuntu
  • OS version: 20.04
  • Architecture: amd64
  • ntopng version/revision: ntopng edge 6.2.250117

What happened:
ntopng Edge detects an unreasonable amount of UDP traffic between 2 local and 2 remote hosts:

It is detected as IPSEC tunnel traffic on port 4500.

How did you reproduce it?

It is not always reproducible. When restarting ntopng edge, it works as expected. After a while the traffic starts to grow, and it keeps on growing.

Debug Information:

Image

@sciolto sciolto changed the title Very high traffic UDP detected ntopng edge: very high traffic UDP detected Jan 29, 2025

sciolto commented Jan 31, 2025

Hi @cardigliano!

Here are some logs that may help:


30/Jan/2025 15:08:10 [NetworkInterface.cpp:2524] WARNING If TSO/GRO is enabled, please disable it for best accuracy
30/Jan/2025 15:08:10 [NetworkInterface.cpp:2518] Packets exceeding the expected max size have been received [nf:0][len: 4648][max len: 1522].
30/Jan/2025 15:02:40 [nedge_pinger.lua:27] [nf_config.lua:1892] Gateways status changed, reloading...
30/Jan/2025 15:02:30 [nedge_pinger.lua:27] [nf_config.lua:1892] Gateways status changed, reloading...
30/Jan/2025 14:54:40 [nedge_pinger.lua:27] [nf_config.lua:1892] Gateways status changed, reloading...
30/Jan/2025 14:53:05 [NetworkInterface.cpp:3820] Started packet polling on interface 'nf:0' [id: 0]...
30/Jan/2025 14:53:05 [FlowChecksLoader.cpp:297] WARNING Unable to find flow check 'host_policy': skipping it
30/Jan/2025 14:53:05 [FlowChecksLoader.cpp:297] WARNING Unable to find flow check 'access_control_list': skipping it
30/Jan/2025 14:53:05 [startup.lua:253] Completed startup.lua
30/Jan/2025 14:53:04 [startup.lua:210] Importing ClickHouse dumps...
30/Jan/2025 14:53:04 [startup.lua:152] Initializing timeseries...
30/Jan/2025 14:53:04 [startup.lua:143] Initializing alerts...
30/Jan/2025 14:53:04 [startup.lua:127] Initializing device polices...
30/Jan/2025 14:53:04 [startup.lua:123] [lists_utils.lua:700] Loaded Category Lists (22553 hosts, 40261 IPs) loaded in 0 sec
30/Jan/2025 14:53:04 [startup.lua:123] [lists_utils.lua:594] Loaded dshield 7 days: 29 rules
30/Jan/2025 14:53:04 [startup.lua:123] [lists_utils.lua:594] Loaded ThreatFox: 21834 rules
30/Jan/2025 14:53:04 [startup.lua:123] [lists_utils.lua:594] Loaded Stratosphere Lab: 12124 rules
30/Jan/2025 14:53:04 [startup.lua:123] [lists_utils.lua:598] List 'SSLBL Botnet C2 IP Blacklist' has 0 rules. Please report this to https://github.com/ntop/ntopng
30/Jan/2025 14:53:04 [startup.lua:123] [lists_utils.lua:594] Loaded SSLBL Botnet C2 IP Blacklist: 0 rules
30/Jan/2025 14:53:04 [startup.lua:123] [lists_utils.lua:594] Loaded NoCoin Filter List: 409 rules
30/Jan/2025 14:53:04 [startup.lua:123] [lists_utils.lua:594] Loaded IPsum Threat Intelligence Feed: 26709 rules
30/Jan/2025 14:53:04 [startup.lua:123] [lists_utils.lua:594] Loaded Emerging Threats: 1399 rules
30/Jan/2025 14:53:04 [startup.lua:123] [lists_utils.lua:594] Loaded Abuse.ch URLhaus: 310 rules
30/Jan/2025 14:53:04 [startup.lua:123] [lists_utils.lua:803] Refreshing category lists...
30/Jan/2025 14:53:04 [startup.lua:41] [asset_inventory_db.lua:23] [Asset Inventory DB] Initialization completed
30/Jan/2025 14:53:04 [startup.lua:41] [asset_inventory.lua:49] [Asset Inventory] Initalization...
30/Jan/2025 14:53:04 [startup.lua:41] [clickhouse_retention.lua:96] Clickhouse cleanup completed
30/Jan/2025 14:53:04 [startup.lua:41] [clickhouse_retention.lua:69] Performing Clickhouse cleanup
30/Jan/2025 14:53:04 [startup.lua:37] Processing startup.lua: please hold on...
30/Jan/2025 14:53:04 [PeriodicActivities.cpp:122] Started periodic activities loop...
30/Jan/2025 14:53:04 [MySQLDB.cpp:949] Successfully connected to ClickHouse [[email protected]:9004][dbname: ] for interface __system__
30/Jan/2025 14:53:04 [FlowRiskAlerts.cpp:276] [!] nDPI risk 56/Obfuscated Traffic has not been defined in ntopng

Thanks


simmoor commented Feb 7, 2025

Hi there,

the problem did not occur again after installation of v6.2.250204, where you applied a bugfix! 👍
Traffic now looks very reasonable even for the UDP/VPN related protocols.

Thanks a lot and kind regards from Antarctica, Neumayer Station!

@cardigliano
Member

@simmoor thank you for the update. Greetings from the warmer Italy :-)
