bandwidth notification - very high

tfw7 · May 20, 2013, 18:28:21

Quote from: psp83 on May 20, 2013, 01:02:44
Just a thought, maybe when you was given a new IP address, it belonged to someone else before that was having the same issue? There's not many IPv4 addresses so its likely someone had your IP before.

I hope not!!

tfw7 · May 21, 2013, 13:02:49

well I connected a different router last night to see if that made a difference - hopefully Simon can produce my hourly stats so I can see if there was traffic when the router was on but the pc was off

cavillas · May 21, 2013, 15:18:22

Have you thought about using OpenDns servers, you might then be able to block lots of attacks.

nowster · May 21, 2013, 15:31:03

Quote from: cavillas on May 21, 2013, 15:18:22
Have you thought about using OpenDns servers, you might then be able to block lots of attacks.

Can you explain how you think that will help?

tfw7 · May 21, 2013, 16:02:26

Ok so last night I had the computer on between about 6.30pm and 8.30 when I was changing between routers - I connected the new router at about 7.25pm, and turned the computer off at about 8.30, but left the new router on until unplugging it at about 9:35.

Here are the logs Simon gave me from yesterday
2013-05-20 19:21:16:00 - Downloads: 33.32 MB : Uploads: 8.16 MB Rate: PEAK
2013-05-20 19:38:23:00 - Downloads: 0.07 MB : Uploads: 0 MB Rate: PEAK
2013-05-20 19:40:10:00 - Downloads: 5.07 MB : Uploads: 0.09 MB Rate: PEAK
2013-05-20 20:42:59:00 - Downloads: 17.59 MB : Uploads: 1.78 MB Rate: PEAK
2013-05-20 21:31:53:00 - Downloads: 1.21 MB : Uploads: 0.01 MB Rate: PEAK

I make that a total of 57MB downloaded which I guess isn't much, but the networx monitor I have installed only showed 38MB by 8.30 when I turned the pc off - so that is a discrepancy still of nearly 20MB.

Unfortunately neither router seems to keep meaningful logs. I did also run wireshark captures a few times (recommended by someone), but am not really sure I understand the results (as you may have noticed I am kinda gettign out of my depth here......)

Will also run alternative AV scan tonight as well

nowster · May 21, 2013, 17:42:20

Wireshark captures are probably only going to be helpful if you put your router into DMZ mode with the "unrecognised" traffic being sent to the IP of the computer running Wireshark.

tfw7 · May 22, 2013, 15:03:58

thanks SimonM for these stats from yesterday
2013-05-21 19:53:26:00 - Downloads: 0.24 MB : Uploads: 0.01 MB Rate: PEAK
2013-05-21 20:08:08:00 - Downloads: 0.25 MB : Uploads: 0 MB Rate: PEAK

I had the replacement router on (but no computers) from about 6.50 to 8.10 - so this is looking much much better.
I will try a bigger scale test tonight to see if it is still looking good.

Long term though I can't carry on using this replacement router as it is old, gets very hot, the LAN ports are dodgy and I'm not sure the wirelss works properly!, so will have to try the proper router again at some point.

I think it was Gary who recommended doing a factory rest of the router and flashing the firmware, so I will need to look into doing that.

Gary · May 22, 2013, 15:30:45

Quote from: tfw7 on May 22, 2013, 15:03:58

I think it was Gary who recommended doing a factory rest of the router and flashing the firmware, so I will need to look into doing that.

I cant remember what router you are using, but normally a reflash and reset is quite easy, some people recommend doing a 30-30-30 reset. If you look that up for your particular router you will see what's needed, or not as the case may be. Reflashing does not take long and a hard reset after makes sure the router is reset with the new firmware properly. Adding your settings back in manually assures no carry over of issues from previous backups.

All will be ok after you have done that.

nowster · May 22, 2013, 23:18:13

Now there's a thought: could the firmware of the original router have been hacked? (It does happen.)

tfw7 · May 23, 2013, 11:44:16

Quote from: nowster on May 22, 2013, 23:18:13
Now there's a thought: could the firmware of the original router have been hacked? (It does happen.)

well that is now the direction I am heading in - since I changed routers there has been no large unexplained traffic at all - hopefully this will continue!

my logs for last night for instance were:
2013-05-21 19:53:26:00 - Downloads: 0.24 MB : Uploads: 0.01 MB Rate: PEAK
2013-05-21 20:08:08:00 - Downloads: 0.25 MB : Uploads: 0 MB Rate: PEAK
2013-05-22 20:10:45:00 - Downloads: 7.31 MB : Uploads: 0.28 MB Rate: PEAK
2013-05-22 21:13:39:00 - Downloads: 0.52 MB : Uploads: 0.06 MB Rate: PEAK
2013-05-22 22:11:29:00 - Downloads: 0.32 MB : Uploads: 0.02 MB Rate: PEAK
2013-05-22 23:11:13:00 - Downloads: 0.42 MB : Uploads: 0.01 MB Rate: PEAK
2013-05-23 00:12:18:00 - Downloads: 0.44 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 01:10:05:00 - Downloads: 0.37 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 02:11:07:00 - Downloads: 0.51 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 03:11:21:00 - Downloads: 0.1 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 04:13:08:00 - Downloads: 0.03 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 05:10:44:00 - Downloads: 0.04 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 05:33:37:00 - Downloads: 0.01 MB : Uploads: 0 MB Rate: OFF PEAK

The computer was on running AV scans from about 6.30pm; router was connected to interent at about 7pm; computer turned off about 10pm; router turned off at 5.30am this morning.
So I am presuming all the "0." ones are okay ( I think SimonM said earlier that a router idling with computers off would generate less than 1MB per hour traffic)

So that does seem to suggest that the router I was using was causing the problem.

Lance · May 23, 2013, 13:03:49

Maybe you router was calling home to grab updates and then getting caught in a loop?

Technical Ben · May 26, 2013, 09:33:24

Yeah. Some of the errors can just be pcs/devices stuck in a loop. It's a computer, it runs until something gives in.

tfw7 · May 26, 2013, 14:18:05

well I've tested the connections through the alternative router for a couple of days now and there doesn't seems to be any unexplained usage. And I have thoroughly AV/malware scanned the computers.
So now I am setting up the wireless again to allow the 2nd pc internet access, and if that all seems to go okay then I will try going back to the original router (can't use the alternative one long term as it is pretty knackered); resetting it/flashing firmware etc and see how that goes.
It just is a little frustrating not knowing what caused it in the first place, but at the moment it does seem to be router related.

And I am extremely grateful to everyone on here for all their help and suggestions!

tfw7 · May 28, 2013, 14:32:39

well have just spent 4 hours trying to update the firmware of the original router but with no success. Have done reset etc, tried it in IE, FF, redownloaded and unzipped update file, etc etc
Keep getting error message "failure to update due to ...The uploaded file was not accepted by the router"

So am now seeing how it goes with the original router and hoping now it has been reset all might be okay.........

tfw7 · May 29, 2013, 10:26:33

lots of unknown traffic yesterday whilst original router was connected. Will get SimonM to check the overnight stats.

However have finally managed to upgrade the firmware this morning!!!

So will check stats again later to see if that has made a difference...if not, I guess the only option will be buying a new router!!

Simon · May 29, 2013, 13:10:57

Just a thought, but could there be a security setting in the 'good' router, which isn't enabled, or even an option, on the 'bad' one?

tfw7 · May 29, 2013, 16:37:34

possibly, yes. Neither router seems very configurable, but the temporary/older/good one seems to have a few more options than the original/newer/bad one.

Bad news is updating the firmware hasn't worked (I am now back connected with the temporary one) - after I updated it I left it running for 3 hours earlier today, and the stats Idnet have just sent me how that in that period (just router on, pc off, wireless off) there was about 100MB downloaded and 30MB uploaded.

So that firmware update doesn't seem to have helped - I think the only option left to me now seems to be to buy a new router - preferably one that is a little more advanced so I can use more monitoring/configuring tools. Hmmmph!

Gary · May 30, 2013, 10:59:26

Routers generally look for updates when you login, reflashing and doing a hard reset should have fixed any issues. It does not make a huge amount of sense that one router is allowing these connections and another isn't. Has this router got any cloud services its uploading to? Very odd.

Steve · May 30, 2013, 11:19:24

However I did find this interesting that attacks being targeted at older routers, not necessarily the case here but it just shows sometimes why not all routers are the same.

http://status.aa.net.uk/posts.cgi?itype=Broadband&oseverity=2

Quoted direct-

It seems that some customers have been suffering with severe problems, notably around 8pm to 11pm last night.

This looks to be customers with older zyxel routers. We are still shipping zyxel P660's as PPPoE bridges and that configuration is not affected. However, some years ago, we sold the ZyXELs simply as broadband routers.

Over the last few months these have been the target (well, intermediatory) for DNS amplification attacks resulting in some customers having high usage (and in some cases bills).

Yesterday at around 00:36 we saw an attack start, which is why we did emergency upgrades on our infrastructure over night. It now seems that the attack is either directed at, or co-incidentally affecting, these older ZyXEL routers and causing them to reboot.

The attack is hitting lots of ISPs and appers to be happening in busrts, sometimes lasting many hours.

In the long run the solution to both issues may be customers updating to newer routers. This will have the side effect of also getting customers on to IPv6.

If we find a work around in the mean time, I'll post more details.

View this post only >>
Update
26 May 19:31:47
The attack started again at 6pm Sunday.

Update
26 May 19:56:33
The attack appears to be broken TCP port 80 packets. It may be that a config change on affected routers will avoid this specific issue. If we find more details we'll post them.

Update
27 May 10:03:41
Using the web interface on the ZyXEL P660, Advanced>Remote MGMT, set all to LAN only.

nowster · May 30, 2013, 11:52:32

"DNS amplification" means that the affected routers were not discriminating as to where the DNS lookup was coming from, so allowed traffic coming from the external interface to use the router as a DNS forwarder.

The way the attack works is that the DNS lookup is sent to the router using a forged "victim" sender IP address. The "victim" then gets deluged with response traffic from all over the world which, because DNS responses are normal and expected traffic, is very difficult to block.

https://www.us-cert.gov/ncas/alerts/TA13-088A

Steve · May 30, 2013, 14:22:33

Thanks!

tfw7 · May 31, 2013, 14:13:22

Ok - so new router purchased, installed and up and running - I also took the precaution of requesting a new IP address as well - thought that would give me a fresh start.
So, hopefully!!!!, all will now be well again...

Simon · May 31, 2013, 14:20:43

Good luck!

nowster · May 31, 2013, 23:08:17

Quote from: tfw7 on May 31, 2013, 14:13:22
Ok - so new router purchased, installed and up and running - I also took the precaution of requesting a new IP address as well - thought that would give me a fresh start.

And you have a new month (quota reset) as well!

karvala · Jun 01, 2013, 13:36:01

Quote from: andrue on May 17, 2013, 09:25:06
Yup. If I didn't notice a full-on DOS attack it'd cost over £360 a month.

To be honest I doubt that's likely. a) I'd notice it and b) I think it unlikely as it would require some serious kit or that I be the target of a bot farm. Technically quite possible but not likely.

I think it would be good if IDNet offered the option of throttling or even disconnecting a connection if it goes beyond a certain level. Not as an alternative to the current system but as a further stage. A credit limit so there was only a certain amount you could exceed your allowance by.

Quote from: SimonM_IDNet on May 17, 2013, 11:54:13
Hi,

In any case such as this, the best advice we can give would be if you suspect that you are being attacked etc would be to turn off the router and call us directly. We can then issue out a new IP address to resolve the issue. Being on a static IP does make this slightly more difficult to resolve than being on dynamic as you need us to change the IP manually.

As stated by earlier posters all usage is chargeable should it go over the limit. Unfortunate as this is we will strive to ensure we resolve the issue and give our customers the best advice we can. Due to the nature of these issues, since they come from off our network the only thing to do is report the offending IP to their own host to investigate. We do of course send out emails to alert customers to unusually high usage so at least we can try and nip these sort of things in the bud.

Kind regards
Simon Mulliss
IDNet support

Things like this almost make me want to return to my legal days; barristers these days really seem to lack imagination. I think it would be easily arguably that the customer is not liable for this usage. Two arguments can be made, with analogies that would work in front of a typical county court judge:-

(1) The argument "we can't tell the difference between DDoS traffic and genuine usage because we don't traffic shape" isn't valid. This amounts to arguing that you didn't see the activity because you chose not to look; hardly a valid defence. Do you think you think if you opted to close your eyes while driving, and subsequently hit something, you could argue that you had no reasonable way of knowing there was something there because you had your eyes closed? The customer is not in a position to monitor this traffic, but the ISP is; if the ISP chooses not to do so then they implicitly accept liability for the consequences.

(2) The customer can argue that they are only responsible for solicited traffic, i.e. traffic that was requested by a device under their control. If someone fakes my IP address in a DNS request such that the results are sent to my router, that has not been requested by me, so I am not liable for the carriage charges. It is rather like someone phoning a pizza place pretending to be you and sending a pizza round to your house. Do you think you would be liable to pay because the pizza company brought it to your door under the false belief that you had requested it, when in fact you had not done so?

I'd say if you were faced with a sizable bill that would be well worth a punt. People so often don't realise that just because a company says (often in a standard terms contract) that they're not liable for something, it doesn't actually make them not liable for it. Standard terms contracts are more of a company wish list than a legal reality in most cases.