Fedora suspicious network activity

I have been doing some network traffic monitoring using tcpdump on a Fedora 36 machine, and a list of suspicious activities with (but not limited to) fedoraproject.org has been observed while nothing except the bare-minimum OS and GNOME was running and no network activity was expected.

The issue has been reproduced more than once on this specific machine by long-term monitoring using tcpdump tcp. However, I have not found the root cause of it yet, nor has anything noticeable turned up alongside it.

Only part of the tcpdump log is attached below due to the forum post limit. Any help, clarification, or method to remove this suspicious behavior is appreciated.

Thanks.

Loc

19:54:14.689792 IP localhost.40852 > proxy-iad01.fedoraproject.org.https: Flags [S], seq 3529269868, win 64240, options [mss 1460,sackOK,TS val 826677246 ecr 0,nop,wscale 7], length 0
19:54:14.745652 IP proxy-iad01.fedoraproject.org.https > localhost.40852: Flags [S.], seq 1210962692, ack 3529269869, win 62636, options [mss 1380,sackOK,TS val 605400370 ecr 826677246,nop,wscale 7], length 0
19:54:14.745699 IP localhost.40852 > proxy-iad01.fedoraproject.org.https: Flags [.], ack 1, win 502, options [nop,nop,TS val 826677302 ecr 605400370], length 0
19:54:14.861434 IP localhost.56978 > proxy-iad01.fedoraproject.org.hostmon: Flags [S], seq 2541406161, win 64240, options [mss 1460,sackOK,TS val 826677418 ecr 0,nop,wscale 7,tfo  cookiereq,nop,nop], length 0

Could be “dnf-makecache.timer” kicking in at times of low activity.

Try

systemctl disable --now dnf-makecache.timer

and check if this makes a difference.


Thanks.

I disabled the service and set metadata_timer_sync=0 in dnf.conf. The thing I am still unsure about is whether the repo files with metadata_expire still get auto-updated after the period.

I have set up another test and will be running it for a long time. Hopefully I can work it out.

Test confirmed.

I changed the settings as above and Fedora is not making any outgoing network activity during the 10-hour traffic monitoring.

Thanks for the solution.

Loc

Now that you know what it is, you can decide whether you want to enable the timer again, or just run dnf check-upgrade --refresh on a regular basis.

Is the --refresh really necessary? I believe that dnf refreshes the metadata once expired.

The dnf-refresh timer keeps the metadata updated, and you disabled that. Without it dnf would need to update the metadata every time it is used or work with stale metadata. Sometimes the update may take quite a while to complete.
The --refresh is not 100% “necessary” but it does do a full sync of the cache with the repo so things are not stale in the cache and the metadata is 100% up to date when it is used. Running “dnf check-update --refresh” is a way of manually doing what the update timer was doing automatically for you.
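The two steps the thread settles on (find out who the machine is talking to, then confirm the periodic dnf sync is really off) can be scripted. The following is an added example written for this page, not code posted by anyone in the thread: the capture lines are constructed in the style of the tcpdump output above, the dnf.conf text is constructed, and the fallback value of 10800 seconds is the dnf.conf(5) default of 3 hours for metadata_timer_sync. The live check only runs where systemctl and /etc/dnf/dnf.conf exist.

```shell
#!/bin/sh
# Added example (not from the thread). Triage a tcpdump capture and check the
# dnf settings the thread changed (dnf-makecache.timer, metadata_timer_sync).

# Constructed sample in the format of the posted capture (hostnames resolved,
# i.e. tcpdump run without -n). Only the fields the parser uses are kept.
SAMPLE_CAPTURE='19:54:14.689792 IP localhost.40852 > proxy-iad01.fedoraproject.org.https: Flags [S], seq 3529269868, win 64240, length 0
19:54:14.745652 IP proxy-iad01.fedoraproject.org.https > localhost.40852: Flags [S.], seq 1210962692, ack 3529269869, win 62636, length 0
19:54:14.745699 IP localhost.40852 > proxy-iad01.fedoraproject.org.https: Flags [.], ack 1, win 502, length 0
19:54:14.861434 IP localhost.56978 > proxy-iad01.fedoraproject.org.hostmon: Flags [S], seq 2541406161, win 64240, length 0
19:54:15.100000 IP localhost.56980 > proxy-iad01.fedoraproject.org.https: Flags [S], seq 1, win 64240, length 0'

# Count outbound connection attempts (pure SYN, "Flags [S],") per destination
# host.port, reading tcpdump text on stdin. SYN-ACKs ("[S.]") and data
# segments are skipped, so each new connection is counted exactly once.
# Output: "<count> <host.port>", most frequent first.
tally_outbound_syns() {
  awk '
    $2 == "IP" && /Flags \[S\],/ {
      dst = $5              # field 5 is "host.port:" on an outbound line
      sub(/:$/, "", dst)    # drop the trailing colon
      count[dst]++
    }
    END { for (d in count) print count[d], d }
  ' | sort -rn
}

# Print the effective metadata_timer_sync from a dnf.conf read on stdin.
# Only the [main] section is consulted; 10800 (3 h, the dnf.conf(5) default)
# is printed when the key is absent. 0 means the timer-driven sync is off.
dnf_metadata_timer_sync() {
  awk -F= '
    /^\[/ { insec = ($0 == "[main]") }
    insec && $1 ~ /^[ \t]*metadata_timer_sync[ \t]*$/ {
      gsub(/[ \t]/, "", $2); v = $2
    }
    END { print (v == "" ? "10800" : v) }
  '
}

# Live check for a real Fedora box: is the timer still enabled/active, and
# what does the installed dnf.conf say? Skipped when the tools are absent.
check_dnf_autorefresh() {
  if command -v systemctl >/dev/null 2>&1; then
    echo "dnf-makecache.timer enabled: $(systemctl is-enabled dnf-makecache.timer 2>/dev/null || echo unknown)"
    echo "dnf-makecache.timer active:  $(systemctl is-active dnf-makecache.timer 2>/dev/null || echo unknown)"
  fi
  if [ -r /etc/dnf/dnf.conf ]; then
    echo "metadata_timer_sync: $(dnf_metadata_timer_sync < /etc/dnf/dnf.conf)"
  fi
}

# Offline demo on the constructed inputs.
printf '%s\n' "$SAMPLE_CAPTURE" | tally_outbound_syns
printf '[main]\ngpgcheck=True\nmetadata_timer_sync=0\n' | dnf_metadata_timer_sync
```

On a real capture, run `sudo tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | tally_outbound_syns` (or feed a saved log) to get the destination list, then `check_dnf_autorefresh` to confirm the timer and the config match what you intended. A tally that still shows fedoraproject.org destinations after the timer is disabled points at something other than dnf-makecache, such as a manual `dnf` invocation, which (as the last reply says) will fetch metadata on its own once it has expired.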