Undesired traffic - port 41144

[cyril333]

Hello,

I have a problem with my TS 3 server. When I connect to my server, there is an inbound and outbound traffic on the port 41144, around 20-25 ko/s (and I'm not speaking neither doing anything on the server). I see this traffic with my firewall.

I don't know why my client sends and receives these data but I noticed a strange thing. I will try to explain :
- client version : 3.0.0-rc1 [Build: 14345] on Ubuntu 10.04 LTS
- server version : 3.0.0-beta30 [Build: 12998] on Linux
- server IP : 1.2.3.4 (host = ts3.mydomain.tld) on port 9987
- my website : 5.6.7.8 (host = mydomain.tld) (note : it is on a different server)

• When I connect to my TS3 server with "1.2.3.4:9987" : it's all right, there isn't any undesired traffic.
  
  
• When I connect to my TS3 server with "ts3.mydomain.tld:9987" : I see an inbound and outbound traffic (25 ko/s) on the port 41144 to the IP : 5.6.7.8. Why is my TS client sharing data with my website ?
  
  
• Third test : I changed the DNS of my website
  Code:

  mydomain.tld IN A 5.6.7.8 --> mydomain.tld IN A 1.2.3.4

  When I connect to my TS server with "ts3.mydomain.tld:9987", it's all right, no strange traffic.
  (note : I waited the update the DNS of my ISP)

Can somebody explain me why my TS client sends and receives data to my website "mydomain.tld" when I connect to my server using a sub-domain "ts3.mydomain.tld" ? And how can I stop it ?


I thank you in advance for yours answers.


Cyril


PS : Excuse me for my mistakes but English isn't my native language. I've tried to do my best

[Screech]

This is part of the rc1 and newer client's support for the TSDNS system. The TSDNS system is/will be included with server rc1 and later.


The only way to stop it is to use the IP when connecting as you already know. TSDNS is a good thing. Say a host at teamspeak.com is running TSDNS. They could add public.teamspeak.com=194.97.114.2:9987 and test.teamspeak.com=194.97.114.2:9988 and people would not need to remember the port numbers for either server, just the address in plain English, or native language.

[cyril333]

Hello Screech and thank you for answering me

I suspected TSDNS to be the problem. I'm agree with you that TSDNS is a good thing. But at this moment, the bandwidth it takes disturb my internet connection (all my upload bandwith is used).

Is it possible to disable it ? Or to limit the bandwidth used ?

[Screech]

I do not know of anyway to disable it. Just using IPs so it ignores that feature.

[fiberjoe]

This is it!

This morning I got firewall banned from my webserver at my webhosting company. My IP was banned for one hour auto ban because I was port scanning the webserver.

After mail contact with the admins behind the server I saw the logs and went, hey, thats about the same time I was on my ts3 server. I was connecting and disconnecting in a short time to the ts server.

For now I just blocked 41144 on my outbound traffic on my router/firewall.

Just my two cents; TDNS should not be forced on the clients using ts3.

In RC2+ perhaps button/switch to disable this feature?

[Screech]

It should be forced due to fact that if users have the option hosters would always have to provide 2 addresses (tsdns address and classic address:port) or just not use tsdsn which was made to make life easier on the users in the long run.

Now that rc1 is public released I've updated all my links to my servers to use the tsdns address, if you block 41144 you can't connect to the addresses I provide.

[cyril333]

The developers should just fix this bug with the traffic generated on port 41144 when the DNS of the server "ts3.mydomain.tld" has a different IP of the DNS of the website "mydomain.tld".

It isn't necessary to disable this feature, TSDNS is a great improvement

[Peter]

The developers should just fix this bug with the traffic generated on port 41144 when the DNS of the server "ts3.mydomain.tld" has a different IP of the DNS of the website "mydomain.tld".

It isn't necessary to disable this feature, TSDNS is a great improvement

When you connect to "ts3.mydomain.tld" we try and contact the TSDNS servers on (1) ts3.mydomain.tld (2) mydomain.tld and (3) tld [usually the third doesn't happen due to blacklisting of tlds]. This is intended behaviour and all that happens is we do a "connect()" tcp socket call...no data is exchanged...so I don't see this causing any significant traffic (maybe a few hundred bytes per client connecting?).

To quote the documentation:

Whenever a TeamSpeak Client tries to connect to a server using a hostname,
it will try to connect to up to three possible TSDNS servers to try and
retrieve a (IP, Port) pair using the hostname as string that the TSDNS server
is queried with.

Illustration:
hostname=voice.teamspeak.com
TSDNS Server asked queried are:
- voice.teamspeak.com (with query = voice.teamspeak.com)
- teamspeak.com (with query = voice.teamspeak.com)
- com (with query = voice.teamspeak.com)

Second Example (with longer hostname)
hostname=i.will.roxx.your.soxs.myclan.com
- soxs.myclan.com (with query = i.will.roxx.your.soxs.myclan.com)
- myclan.com (with query = i.will.roxx.your.soxs.myclan.com)
- com (with query = i.will.roxx.your.soxs.myclan.com)

Third Example (with short hostname)
hostname=myclanrocks.net
- myclanrocks.net (with query = myclanrocks.net)
- net (with query = myclanrocks.net)

If any of these succeed to retrieve an answer from a TSDNS server the one to
answer first is used to connect. If all of the above TSDNS server queries fail
(usually due to no TSDNS servers running on the (up to) three hosts), the
TeamSpeak Client will fall back to a regular DNS resolve of the hostname.

PS: I have no clue what "ko/s" unit is supposed to be.
PPS: I just checked exactly how much data my operating system (Linux 2.6.38) sends when I try a tcp connect to a server that is not answering (firewalled port). Including the entire Ethernet, Frame (containing the Ethernet header, the IP header, the TCP header and the data) 74 bytes are sent as connecting packet. The packet is (re)sent 6 times...yielding a total of 444 bytes (over the course of ~103 seconds).

[cyril333]

Hello Peter,

Thank you for your explanations. "ko/s" = kB/s (kiloBytes per second) (I'm sorry, this is the french unit, I forgot to translate it).

I'm very confused... I wanted to record a video showing what happens on my computer (to show you the traffic) and... no more traffic generated. All is functioning correctly. My firewall don't show any traffic on 41144 port anymore.

I don't understand. I didn't changed anything. Yet this is not the full moon...

So, I'll hide me in a mouse hole and I'll only go out (with a video) if it happens again. I'm sorry for the inconvenience and thank you for answering me so quickly



Cyril.

[cyril333]

Sorry to disturb you again but the problem appears again. And this time, I made a video to show you what's happening.

Some details that may help you :
- TS 3 server : host = serv1.caducee.fr (IP = 213.251.165.59)
- My website : host = caducee.fr (IP = 213.186.33.17)
- IP of my computer : 192.168.1.5

Here is the link to the video (I wrote all my notes inside) : http://www.youtube.com/watch?v=Fu2BlW57NSQ

• 0:00 to 0:10 : you can see no inbound / outbound traffic and the firewall don't show anything connected.
• 0:10 to 0:20 : I'm connecting to my TS3 server at serv1.caducee.fr
• 0:20 to 0:50 : you can see that the bandwidth is used with inbound and outbound traffic to the IP : 213.186.33.17 via port 41144. And the traffic is constantly growing.
• 0:50 to 1:10 : Now I disconnect from my server (but I keep the TS3 client open). You can see that the traffic don't stop, my computer send and receive data from my website on port 41144
• 1:10 to 1:30 : Now I close the TS3 client. This time, the traffic is stopped.
• 1:30 to the end : I relaunch the client, connect again and it happens again...

Hope this will help you to understand this strange problem (I hope this is not my computer that has a problem)

[alphawolf50]

Why does it still use TSDNS when the user supplies a port? There is no reason it should do this. Please change the code so that if a user supplies a port by connecting with ts3.mydomain.tld:xxxx it does not try to use TSDNS.

Why would I not want to use TSDNS? I run a secure server. Call it "security by obscurity" if you want, but I change port numbers so random script kiddies don't know which services I run. Port scans quickly result in bans. That's actual security. If I have to leave port 41144 open, then I let the script kiddies know I'm running a TS3 server. I'd rather not let them know that. I also have no need for TSDNS, since everyone who has authorization to connect to the server also has the correct port number. Disabling services that are not needed is Security 101.

Please fix this behavior. Thanks.

[tandyuk]

I have to agree entirely with alphawolf50,

Also I feel the whole TSDNS is an complete waste of time, and that the teamspeak developers should have used a SRV dns record, which would have exactly the same effect.

For example, consider the following DNS Records, for a fictitious teamspeak server "example.com".

_ts3._udp.example.com. $TTL IN SRV 10 0 9987 ts3.server.hostname

Why re-invent the wheel?
SRV records are designed to facilitate high availablity hosting.
Consider the following SRV records, which would create a cluster of 3 hosts, with load being balanced roughly 60/20/20 between the 3 hosts, with teamspeak listening on server1:1234, server2:2345, server3:5678, with a fourth backup host, which would only be used if the cluster was down listening on port 9987

_ts3._udp.example.com. $TTL IN SRV 10 60 1234 tsserver1.host.name
_ts3._udp.example.com. $TTL IN SRV 10 20 2345 tsserver2.host.name
_ts3._udp.example.com. $TTL IN SRV 10 20 5678 tsserver3.host.name
_ts3._udp.example.com. $TTL IN SRV 20 0 9987 backup.tsserver.host.name


This would also need to be done for the query port and file transfer port.

If only TS3 did a SRV lookup when given address "example.com" these records would actually work, without needing any additional processes on any server, nor another piece of software for the teamspeak team to code.

[SilentStorm]

How about taking the time to search and / or read the more recent Threads before going Necromancer and reviving this years old thread...

Doing a Search and / or reading the more recent Threads would've shown you That this is already whats going to be done and that There is a huge thread dedicated to SRV Records

[tandyuk]

Thank you for adding direct links to the specific information to the page ranked #1 in google on the issue.

[SilentStorm]

Weird, just did a Google Search and the #1 Result was the Discussion Thread I linked with a Sublink being to the 3.0.8 Announcement I linked above as well.