bandwidth notification - very high

Started by tfw7, May 09, 2013, 20:26:18

andrue

Quote from: mervl on May 12, 2013, 08:30:11
(EDIT :slap: Sadly though the only rogue it's so far identified on my PC is me, and I don't think the software to control that is commercially available?)

It's called a wife I think. I wouldn't know :D

tfw7

[quote]
What modem/router do you use? Some of them support something called SNMP (Simple Network Monitoring Protocol)

This software can use that: http://www.paessler.com/bandwidth_monitoring
[/quote]

Dlink modem/router DSL-2740R. Manual says it does support SNMP so I will try out the software you mention

My usage yesterday (according to the networx thingy I installed) was 122MB received and 38.4MB sent. That was for having computer on for about 6 hours. I would say a download at the weekend of around 100-150MB would seem fairly typical for me based on my normal usage.

Steve

Not encouraging you to spend but I can monitor the traffic on any device connected Asus RT N66U - it's just a router no modem.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

SimonM_IDNet

Hi,

Do you have the broadband phone number for the account so I can take a look? Please either Private message the number to me or send it via an email to support@idnet.com and put it regarding this post so I know.

Also we can tell how much bandwidth was used but not what for. So we can see say 2GB of download or 100MB of upload but we cannot tell what device downloaded it or what that download actually was. The reason for this would be that it's called snooping and is frowned upon and I do believe illegal for an ISP to do so. This does make it a bit tricky to figure out the type of issue you are experiencing.

As suggested earlier having bandwidth monitors on your PC/devices can help and of course checking what's logged onto your network is always a good measure. Also sometimes a lot of users who experience this when they call in usually use Youtube/Iplayer and have them set to quite a high quality by default (720p or higher). This does use a large amount of bandwidth and so is always worth checking if possible.

Kind regards
Simon Mulliss
IDNet support

tfw7

thanks Simon - have PMed you.

I haven't used I-player or youtube in that time period; nor any large downloads - in fact I can't think of anything I have done differently that would explain the increase in usage.

Are you able to narrow down the time frame from peak/off peak to specific times? Is off peak still classed as midnight-9am? Whilst the off peak usage showing (I am on the home starter package) is not that huge for some at approx 3GB this month, I can't think that I have used any internet during those hours, and all devices are switched off then.


SimonM_IDNet

Hi,

Yes indeed offpeak is still Midnight to 9am. I took a look and have included some of the time stamps from the data usage to see if this was any usage you may have been aware of. Normally when you just have a router idling with nothing being downloaded I would expect to see 1MB or less Traffic per hour.

    - 2013-05-11 19:09:28:00 - Downloads: 23.75 MB : Uploads: 8.45 MB Rate: PEAK
    - 2013-05-11 20:07:36:00 - Downloads: 20.75 MB : Uploads: 7.23 MB Rate: PEAK
    - 2013-05-11 21:06:48:00 - Downloads: 50.06 MB : Uploads: 14.02 MB Rate: PEAK
    - 2013-05-11 22:08:42:00 - Downloads: 58.57 MB : Uploads: 18.23 MB Rate: PEAK
    - 2013-05-11 23:09:49:00 - Downloads: 21.01 MB : Uploads: 7.02 MB Rate: PEAK
    - 2013-05-12 00:08:03:00 - Downloads: 42.58 MB : Uploads: 14.07 MB Rate: OFF PEAK
    - 2013-05-12 01:07:04:00 - Downloads: 12.26 MB : Uploads: 4.09 MB Rate: OFF PEAK
    - 2013-05-12 02:07:15:00 - Downloads: 4.41 MB : Uploads: 1.22 MB Rate: OFF PEAK

If you have any major concerns I would advise disabling wireless and having a hardwired connection with just 1 PC and having a bandwidth monitor on the PC turned on. Then when the PC is not in use ensure it is turned off. Then simply reply on here with the times you did this test and I can check the logs as long as it was within the last 48 hours. This might help shed some light on the matter.

Kind regards
Simon Mulliss
IDNet support

tfw7

thanks Simon
    - 2013-05-11 22:08:42:00 - Downloads: 58.57 MB : Uploads: 18.23 MB Rate: PEAK
    - 2013-05-11 23:09:49:00 - Downloads: 21.01 MB : Uploads: 7.02 MB Rate: PEAK
    - 2013-05-12 00:08:03:00 - Downloads: 42.58 MB : Uploads: 14.07 MB Rate: OFF PEAK
    - 2013-05-12 01:07:04:00 - Downloads: 12.26 MB : Uploads: 4.09 MB Rate: OFF PEAK
    - 2013-05-12 02:07:15:00 - Downloads: 4.41 MB : Uploads: 1.22 MB Rate: OFF PEAK

These ones are suspicious to me - all devices were definitely turned off and not connected to the internet at these times, although the wireless router was on.

Steve

Question to Simon: are the uploads appropriate for the download usage or is there some P2P running?
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

SimonM_IDNet

Hi,

Hard to say Steve, those could be genuine file uploads/data transfer or p2p but we unfortunately cannot find out what that data was for or aimed at. For example, saying a device was on the router at that particular time. It could easily have been doing some peer to peer traffic as upload is more commonly used for that. If you are say just streaming a video normally you see a small amount of upload and the download is rather large in comparison. But again we cannot verify what it was as we are unable to look into the data this much for snooping reasons.

Since the only culprit seems to be the wireless being on if I read that right then I would suggest doing what I said in my earlier post then letting me know the times of that test. At least then we can try and narrow down the possible culprit in all of this.

Kind regards
Simon Mulliss
IDNet support

Simon

I've just come across another network monitor:

http://www.softperfect.com/products/networx/

I have to stress, I have never used this software, but found the link on a security software vendor's forum.  It appears to be Freeware.  One of the features claimed is: "Includes network information & testing tools with advanced netstat that displays applications using your Internet connection." 

Could be worth a try?
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

tfw7

many thanks for all the suggestions guys

Have now disabled wireless from the router home page (and have just checked from my phone that I am not able to connect now wirelessly to my network). So the only device now connected to the router is this hard wired pc.

After I finish up here in a minute I will disconnect and turn off this computer.
There should then be no usage at all from say 7pm tonight until at least 6pm tomorrow night when I get home from work and turn the computer back on. It will be interesting to see what the logs at idnet's end then show.

Once again, thanks for all the help.

Steve

Unless you've got a router running some download software it will be zero.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

SimonM_IDNet

Hi,

So I took a look at the usage and it's very strange. Considering it was just the router on from 7pm last night this does make for worrying reading. I did a port check on the exchange equipment and that's reporting in OK. I would suggest testing an alternate router at this point to rule out the router as the cause of any extra bandwidth usage. This would be very rare that it is the router but we need to ensure we've ruled it out. I would also suggest checking the router logs and see if it is receiving unusually large amounts of traffic.

- 2013-05-13 19:09:06:00 - Downloads: 7.21 MB : Uploads: 1.73 MB Rate: PEAK
- 2013-05-13 20:08:24:00 - Downloads: 35.37 MB : Uploads: 8.09 MB Rate: PEAK
- 2013-05-13 21:08:43:00 - Downloads: 74.35 MB : Uploads: 26.64 MB Rate: PEAK
- 2013-05-13 22:07:36:00 - Downloads: 102.78 MB : Uploads: 28.59 MB Rate: PEAK
- 2013-05-13 23:08:36:00 - Downloads: 114.3 MB : Uploads: 29.65 MB Rate: PEAK
- 2013-05-14 00:10:45:00 - Downloads: 70.5 MB : Uploads: 28.62 MB Rate: OFF PEAK
- 2013-05-14 01:09:48:00 - Downloads: 120.65 MB : Uploads: 29.13 MB Rate: OFF PEAK
- 2013-05-14 02:06:46:00 - Downloads: 87.91 MB : Uploads: 25.58 MB Rate: OFF PEAK
- 2013-05-14 03:06:53:00 - Downloads: 72.8 MB : Uploads: 25.46 MB Rate: OFF PEAK
- 2013-05-14 03:26:14:00 - Downloads: 34.05 MB : Uploads: 8.64 MB Rate: OFF PEAK
- 2013-05-14 04:36:49:00 - Downloads: 95.18 MB : Uploads: 27.63 MB Rate: OFF PEAK
- 2013-05-14 05:36:17:00 - Downloads: 71.17 MB : Uploads: 24.06 MB Rate: OFF PEAK
- 2013-05-14 06:35:31:00 - Downloads: 90.02 MB : Uploads: 25.98 MB Rate: OFF PEAK
- 2013-05-14 07:35:57:00 - Downloads: 30.16 MB : Uploads: 10.67 MB Rate: OFF PEAK
- 2013-05-14 08:37:03:00 - Downloads: 6.78 MB : Uploads: 2 MB Rate: OFF PEAK

Kind regards
Simon Mulliss
IDNet support
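
The idle-baseline check used in this thread (a router with nothing connected should show about 1 MB or less per hour), applied to usage lines in the format posted above. This is an added example, not part of the original thread or IDNet's tooling; the function names and the parsing regex are assumptions, and the sample lines are a subset of the figures in the post.

```python
import re
from datetime import datetime

# Usage lines in the format posted in this thread (subset of the 13-14 May figures).
SAMPLE = """\
- 2013-05-13 19:09:06:00 - Downloads: 7.21 MB : Uploads: 1.73 MB Rate: PEAK
- 2013-05-13 23:08:36:00 - Downloads: 114.3 MB : Uploads: 29.65 MB Rate: PEAK
- 2013-05-14 01:09:48:00 - Downloads: 120.65 MB : Uploads: 29.13 MB Rate: OFF PEAK
- 2013-05-14 08:37:03:00 - Downloads: 6.78 MB : Uploads: 2 MB Rate: OFF PEAK
"""

# The trailing ":00" after the seconds field is matched and discarded.
LINE_RE = re.compile(
    r"-\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):\d{2}\s*-\s*"
    r"Downloads:\s*([\d.]+) MB\s*:\s*Uploads:\s*([\d.]+) MB\s*Rate:\s*(OFF PEAK|PEAK)"
)
IDLE_MB = 1.0  # idle-router baseline quoted in the thread: 1 MB or less per hour

def parse_usage(text):
    """Return one dict per usage line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        records.append({
            "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "down_mb": float(m.group(2)),
            "up_mb": float(m.group(3)),
            "rate": m.group(4),
        })
    return records

def unexplained_usage(records, start, end, idle_mb=IDLE_MB):
    """Records inside the devices-off window whose total exceeds the idle baseline."""
    flagged = []
    for r in records:
        total = r["down_mb"] + r["up_mb"]
        if start <= r["time"] <= end and total > idle_mb:
            # Upload/download ratio: the figure asked about when judging P2P vs streaming.
            ratio = round(r["up_mb"] / r["down_mb"], 2) if r["down_mb"] else None
            flagged.append({**r, "total_mb": round(total, 2), "up_down_ratio": ratio})
    return flagged

if __name__ == "__main__":
    window = (datetime(2013, 5, 13, 19, 0), datetime(2013, 5, 14, 9, 0))
    for r in unexplained_usage(parse_usage(SAMPLE), *window):
        print(r["time"], r["rate"], r["total_mb"], "MB, up/down", r["up_down_ratio"])
```

Every sample hour in the devices-off window exceeds the baseline, which is what makes the router-only test result stand out.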

nowster

That level of traffic looks perfectly consistent with a port scan which the router is responding to with ICMP "host/port unknown" packets.

SimonM, I'd suggest the same remedy as you performed for my parents' problem.

Do iDNet not have the ability to sniff their own internal network? Something like netflow perhaps on your L2TPNS?

SimonM_IDNet

Hi,

We monitor traffic on the hosting side of the network; as for the ISP side, we do not snoop on our customers' traffic. Other ISPs do this mainly for traffic shaping (p2p throttling etc).

As for this issue I would strongly suggest checking the router logs for these time periods and see what the router is seeing on the network.

If you have any worries regarding the router being attacked I can change the IP address as a precaution, you may require a reconfigure of the router if you set it up to use a specific IP address to login with.

Kind regards
Simon Mulliss
IDNet support

nowster

Quote from: SimonM_IDNet on May 14, 2013, 12:05:59
We monitor traffic on the hosting side of the network; as for the ISP side, we do not snoop on our customers' traffic. Other ISPs do this mainly for traffic shaping (p2p throttling etc).

It could be useful to have this ability on the ISP side so that, with your customer's permission, you could see what was happening for diagnostics purposes. Doing it for any other purpose (and without permission) could, of course, put you in breach of RIPA.

EDIT: One thing you could try (which wouldn't need you to delve into the internal network) would be to ask the customer to switch off their modem, then get one of your own routers to use their login. Then (assuming your router allows you to do so -- you could use a DMZ setting) you can see what incoming traffic there is.

Simon

I think that's a whole new can of worms, isn't it?
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Steve

A question, if this is the second case in a week (that we are aware of here) of a customer's connection being invaded unknowingly where does the responsibility lie? Customers who do not check their usage on a regular basis could potentially be left with an expensive bill at the end of the month, although the warning email should alert them to a potential problem.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Simon

Quote from: Steve on May 14, 2013, 12:43:51
A question, if this is the second case in a week (that we are aware of here) of a customer's connection being invaded unknowingly where does the responsibility lie? Customers who do not check their usage on a regular basis could potentially be left with an expensive bill at the end of the month, although the warning email should alert them to a potential problem.

I wondered that myself, Steve, but I also have a question, which is, would setting a router to 'Block Ping' help to prevent this sort of occurrence, if it is indeed, a connection 'invasion'?
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Steve

Not necessarily Simon, a DDOS doesn't necessarily want a response from the attacked router. Hiding away may deter the casual hacker but anything else will find you, WAN ping blocked or not.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

tfw7

Quote from: SimonM_IDNet on May 14, 2013, 09:49:10
Hi,

So I took a look at the usage and it's very strange. Considering it was just the router on from 7pm last night this does make for worrying reading. I did a port check on the exchange equipment and that's reporting in OK. I would suggest testing an alternate router at this point to rule out the router as the cause of any extra bandwidth usage. This would be very rare that it is the router but we need to ensure we've ruled it out. I would also suggest checking the router logs and see if it is receiving unusually large amounts of traffic.

- 2013-05-13 19:09:06:00 - Downloads: 7.21 MB : Uploads: 1.73 MB Rate: PEAK
- 2013-05-13 20:08:24:00 - Downloads: 35.37 MB : Uploads: 8.09 MB Rate: PEAK
- 2013-05-13 21:08:43:00 - Downloads: 74.35 MB : Uploads: 26.64 MB Rate: PEAK
- 2013-05-13 22:07:36:00 - Downloads: 102.78 MB : Uploads: 28.59 MB Rate: PEAK
- 2013-05-13 23:08:36:00 - Downloads: 114.3 MB : Uploads: 29.65 MB Rate: PEAK
- 2013-05-14 00:10:45:00 - Downloads: 70.5 MB : Uploads: 28.62 MB Rate: OFF PEAK
- 2013-05-14 01:09:48:00 - Downloads: 120.65 MB : Uploads: 29.13 MB Rate: OFF PEAK
- 2013-05-14 02:06:46:00 - Downloads: 87.91 MB : Uploads: 25.58 MB Rate: OFF PEAK
- 2013-05-14 03:06:53:00 - Downloads: 72.8 MB : Uploads: 25.46 MB Rate: OFF PEAK
- 2013-05-14 03:26:14:00 - Downloads: 34.05 MB : Uploads: 8.64 MB Rate: OFF PEAK
- 2013-05-14 04:36:49:00 - Downloads: 95.18 MB : Uploads: 27.63 MB Rate: OFF PEAK
- 2013-05-14 05:36:17:00 - Downloads: 71.17 MB : Uploads: 24.06 MB Rate: OFF PEAK
- 2013-05-14 06:35:31:00 - Downloads: 90.02 MB : Uploads: 25.98 MB Rate: OFF PEAK
- 2013-05-14 07:35:57:00 - Downloads: 30.16 MB : Uploads: 10.67 MB Rate: OFF PEAK
- 2013-05-14 08:37:03:00 - Downloads: 6.78 MB : Uploads: 2 MB Rate: OFF PEAK

Kind regards
Simon Mulliss
IDNet support

Hi Simon - thanks for checking this. Wireless and all devices were switched off at 7pm last night and are still off now (I am at work at the moment) - so there is no usage being caused by me, nor anyone accessing my network. So like Steve said, usage should be zero (or close to it).
This is worrying indeed!
When I get home tonight I will see if I have a different router to use - don't think I do, but may have an old one lying around.

tfw7

Quote from: nowster on May 14, 2013, 11:17:50
That level of traffic looks perfectly consistent with a port scan which the router is responding to with ICMP "host/port unknown" packets.

SimonM, I'd suggest the same remedy as you performed for my parents' problem.

Do iDNet not have the ability to sniff their own internal network? Something like netflow perhaps on your L2TPNS?

nowster - I did read your post about your parents' situation and think could mine be connected (but don't know much about DoS attacks, so wasn't sure)

Steve

I think the offer of an IP address change should solve the problem.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

tfw7

Quote from: SimonM_IDNet on May 14, 2013, 12:05:59
Hi,

We monitor traffic on the hosting side of the network; as for the ISP side, we do not snoop on our customers' traffic. Other ISPs do this mainly for traffic shaping (p2p throttling etc).

As for this issue I would strongly suggest checking the router logs for these time periods and see what the router is seeing on the network.

If you have any worries regarding the router being attacked I can change the IP address as a precaution, you may require a reconfigure of the router if you set it up to use a specific IP address to login with.

Kind regards
Simon Mulliss
IDNet support

Will check router logs tonight and see what they say.

Can't remember how I set up IP address - think I just went with whatever the default option was at the time. Changing this sounds a good strategy.

tfw7

Quote from: Steve on May 14, 2013, 12:43:51
A question, if this is the second case in a week (that we are aware of here) of a customer's connection being invaded unknowingly where does the responsibility lie? Customers who do not check their usage on a regular basis could potentially be left with an expensive bill at the end of the month, although the warning email should alert them to a potential problem.

Indeed - thankfully the email alerted me early in the month - I think already I am on 10GB with a 4GB peak limit - so that's a £6 charge. But as the problem seems to be continuing, that charge is rising by the day.
But as I say, thank goodness the email alerted me!