bandwidth notification - very high

Started by tfw7, May 09, 2013, 20:26:18


nowster

If you have a 20Mbps connection for instance, a particularly nasty attack could eat up 7GB per hour. Go away for a bank holiday weekend whilst it's happening and that's 500 GB gone.

(2 × 60 × 60 × 24 × 3) ÷ 1024 = 506.25

psp83

So if you have an 80 Mbps or FTTP 300 Mbps connection, you're screwed  :eek4:

mervl

#77
Is it so impossible for IDNet to offer a dynamic IP option? Anyone concerned could then say turn their router off say when not in use, say overnight, to force an IP change and limit the potential "damage". Those that need static IPs - who I suggest are usually more knowledgeable users - can decide whether to take, and may be better placed to manage, the risks.

Traditionally I've "kept" my maximum use to below 50% of my allowance to allow for this sort of risk - which is not an option for those on the basic packages.

andrue

#78
Quote from: psp83 on May 17, 2013, 08:31:29
So if you have an 80 Mbps or FTTP 300 Mbps connection, you're screwed  :eek4:
Yup. If I didn't notice a full-on DOS attack it'd cost over £360 a month.  :eek4:

To be honest I doubt that's likely. a) I'd notice it and b) I think it unlikely as it would require some serious kit or that I be the target of a bot farm. Technically quite possible but not likely.

I think it would be good if IDNet offered the option of throttling or even disconnecting a connection if it goes beyond a certain level. Not as an alternative to the current system but as a further stage. A credit limit so there was only a certain amount you could exceed your allowance by.

Lance

Even with a dynamic IP address the risk still exists. It just makes it easier to resolve.
Lance
_____

This post reflects my own views, opinions and experience, not those of IDNet.

Going_Digital

In my case it started on the 10th and took 5 days to notice and in that time it had used 20GB  :(

I don't think people are going to check their bandwidth usage every day, and yes I appreciate it isn't IDNet's fault as much as it isn't mine. But at the end of the day it makes it an unacceptable risk as it means that if it happens two or 3 times a year my broadband could end up costing me a small fortune. I doubt very much that it costs anywhere near £1 per GB to provide the bandwidth so IDNet are getting an unexpected windfall from their customers when their customers are targeted. If it does cost £1 per GB then IDNet have done very well out of me over the last 2 years having used on average only £1.50 worth of bandwidth, they have been £13.50 up every month. I just expected some understanding from them and perhaps an offer to average the usage over a couple of months considering my extremely light use.

I just can't afford the risk or the inconvenience of having to check usage every day, and now you can get unlimited packages cheaply from a number of providers it seems to make sense to take one of those options for a stress free life. The problem for IDNet is that the more people that get hit with unexpected charges the more are going to do the same. Not because they particularly dislike IDNet but purely for peace of mind.

nowster

I'm sure if IDNet could get a more favourable wholesale contract, they would.

SimonM_IDNet

Hi,

In any case such as this, the best advice we can give, if you suspect that you are being attacked etc., would be to turn off the router and call us directly. We can then issue out a new IP address to resolve the issue. Being on a static IP does make this slightly more difficult to resolve than being on dynamic as you need us to change the IP manually.

As stated by earlier posters all usage is chargeable should it go over the limit. Unfortunate as this is, we will strive to ensure we resolve the issue and give our customers the best advice we can. Due to the nature of these issues, since they come from off our network the only thing to do is report the offending IP to their own host to investigate. We do of course send out emails to alert customers to unusually high usage so at least we can try and nip these sorts of things in the bud.

Kind regards
Simon Mulliss
IDNet support


andrue

Quote from: Going_Digital on May 17, 2013, 10:44:16
IDNet have done very well out of me over the last 2 years having used on average only £1.50 worth of bandwidth, they have been £13.50 up every month.
Yup, that's right. Light users typically help to subsidise heavy users. That's what makes flat rate pricing viable and is why 'heavy users' should be frowned upon. Unfortunately the only alternative is metered usage and no-one wants that back. So what ISPs do is set things up to be profitable but in a typical billing period only the very heaviest users of a package are getting best value.

The reason it looks so expensive is because you have moved outside of your package and that means you are seeing the full price without that subsidy from light users. On the plus side (little consolation) it means that this month you've had the best value from your subscription than you've ever had before. You are probably one of the 'elite' group of IDNet customers that the rest of mugs have been helping to pay for. Up to a point  ;)

If all this sounds 'wrong' then consider that it's pretty much the way every aspect of human society works. There's always someone at the top gaining benefit from those at the bottom. This is just another form of the way things have been for thousands of years. Deal with it  :laugh:

Going_Digital

Oh well just waiting for my MAC now, so I won't have to worry about it any more.

mervl

#85
Andrue, I don't think it's as bad as you make out. Subscriptions include both OpenReach's charge for the use of the local loop (£10pm or so) which aren't bandwidth-related, and IDNet's network costs (capital + maintenance as well as support), in addition to the use-based network charges.

As others have pointed out every ISP has this problem, and you just have to make a judgement on the IDNet "tight" caps, against their QoS benefits - though I think the latter are unnecessary for "average" domestic connections. (The rest of the world have improved, for those of us that recall how bad some of them were - the past tense is the important point here). If your business is skint though then you may have other problems too.

As you say the TBBQM monitoring latency, combined with the IDNet specific use widget linking (though the data is one day in arrear) to IDNet's download bandwidth recording (which goes red if your allowance is likely to be exceeded, by proportioning your use) are good monitoring tools. When I (deliberately) ranked up my usage over a couple of days earlier this month the IDNet e-mail was fairly prompt in letting me know (what I already know though) within 2 working days of starting.

Going_Digital

This was my secondary FTTC line anyway, as my main connection with another provider is an unlimited package @ £20 a month has not gone down at all since it was installed. I decided rather than get stuck with a contract with another provider I'd just cancel it and wait a couple of months until someone offers FTTP On Demand.

tfw7

Ok so here is the bad news... I seem to have been hit again. I had my suspicions yesterday, so unplugged the router last night as a precaution. On checking my usage on the idnet website this morning, it shows 1.1GB off peak usage for the 18th when again I know no devices were on.
So for this to happen to me twice in such a short time am I exceedingly unlucky, or are idnet's IP addresses being targeted somehow??
Help!!

Simon

#88
I guess it's possible that an IP range could be being targeted, but I don't know. The only thing I can suggest is that you disconnect your router again and call IDNet first thing in the morning.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

psp83

Just a thought and I've not read the whole thread so I'm sorry if this has been asked.

Have you done a malware/virus scan? Just saying this as it could be broadcasting your IP somewhere and if it is and not removed then it doesn't matter how many IPs you get given it will keep happening.

tfw7

Yes have done virus and malware scans - last ones I did were last night. Router is off, and have now had to resort to using phone to post here. Not a happy bunny  >:(

andrue

Quote from: tfw7 on May 19, 2013, 13:02:40
Yes have done virus and malware scans - last ones I did were last night. Router is off, and have now had to resort to using phone to post here. Not a happy bunny  >:(
I think I'd second psp83's comments. It's very unusual and for it to happen twice seems like too much of a coincidence. I have a static IP address and run a mail server. It gets continuous spam (never reaches my inbox though :) ) and goes through periods where someone tries to log in to it for a week or so. So I'm living life with my head 'above the parapet' but have never had any kind of DOS related issue.

Unless of course having a mail server on my address means there's more value in them taking it over rather than squashing it   :hide2:

Gary

Quote from: tfw7 on May 19, 2013, 09:36:28
Ok so here is the bad news... I seem to have been hit again. I had my suspicions yesterday, so unplugged the router last night as a precaution. On checking my usage on the idnet website this morning, it shows 1.1GB off peak usage for the 18th when again I know no devices were on.
So for this to happen to me twice in such a short time am I exceedingly unlucky, or are idnet's IP addresses being targeted somehow??
Help!!
Sorry not read the entire thread, have you tried to do a factory reset of your router then reflash its firmware? If so then put whatever DNS you are using in manually. I mention this after reading that 13 routers being tested have critical vulnerabilities which might mean more have although this is probably not the case, but it does no harm to reflash and enter the settings back in by hand not from a restore. http://news.softpedia.com/news/Critical-Vulnerabilities-Found-in-13-SOHO-Routers-Many-Can-Be-Exploited-Remotely-346536.shtml

Also there seems to be a backdoor into some TP-Link routers as well. Once again I'm sure the chances are rare but I guess it's worth noting. http://tech.slashdot.org/story/13/03/15/1234217/backdoor-found-in-tp-link-routers
Damned, if you do damned if you don't

Gary

Might be also a good idea to try a different AV, use a 30 day test of one, like Bitdefender or Kaspersky, as it's possible that your AV could be missing something. Also maybe use Malwarebytes, I'm sure people will have other suggestions. If you can monitor outward and inbound connections and see if anything unusual is showing up with a software firewall that would help too.
Damned, if you do damned if you don't

Going_Digital

In my case I am 100% sure no malware, as I had one Linux firewall machine connected direct to the Openreach modem. As it was a backup connection it was largely unused, but lots of requests being sent to it caused the huge spike in data use. It would seem IDNet customers are being targeted by someone as there is another thread on here about it as well. For me the solution was to unplug the modem and order a cancellation for the service but not everyone is going to have that luxury.

Gary

#95
Quote from: Going_Digital on May 19, 2013, 21:51:01
In my case I am 100% sure no malware, as I had one Linux firewall machine connected direct to the Openreach modem. As it was a backup connection it was largely unused, but lots of requests being sent to it caused the huge spike in data use. It would seem IDNet customers are being targeted by someone as there is another thread on here about it as well. For me the solution was to unplug the modem and order a cancellation for the service but not everyone is going to have that luxury.
The other user said he had similar but tbh it could have been many things as I'm not aware he troubleshot like you. I hope if IDNet was being targeted we would see more posts about it. Time will tell though. Personally I have had no issues but that does not mean it could not start.  :-\ I can't see the point in attacking IDNet tbh, it's not like they are a big target for this kind of thing really, is it. Nothing to gain really compared with other targets. Although anything's possible. Maybe IDNet should be taking a look into this.
Damned, if you do damned if you don't

Going_Digital

#96
I doubt IDNet is being targeted specifically, more likely that it is a random attack and we have just been fortunate that IDNet IPs have not seen any significant volume of attempts before now. The bulk of the traffic I saw was trying to exploit a problem with Apache causing it to stop responding, so general net vandalism really.

I guess it could be only IP addresses that have been scanned and found something to respond that have been subsequently targeted.

psp83

Just a thought, maybe when you were given a new IP address, it belonged to someone else before that was having the same issue? There's not many IPv4 addresses so it's likely someone had your IP before.

tfw7

Thanks for all the advice above.
I have nothing unusual on my set up at all - it's just a very basic home network. Not running any web servers or anything.
I have done AV and malware (Malwarebytes) scans, and the only things that showed up were connected to things I installed after posting first on here - the PRTG thingy in particular.
My router (basic DLink DSL 2740R) doesn't seem to keep a log of anything meaningful at all unfortunately.
I have an old router (and a very old modem) that I think still work, so I shall change my existing router tonight and reconnect to the internet with the same (second) IP address to see if that does the trick.

Technical Ben

I always thought silencing the ports and ignoring requests at the router helped this. But in all honesty, if someone (even accidentally) targets a connection, there is little to be done except changing phone numbers/IPs (phone numbers for calling nuisances, like wrong fax number adverts!  :laugh: ).
I used to have a signature, then it all changed to chip and pin.