Continuous router traffic?

Started by duncan, Mar 31, 2008, 21:09:29


duncan

Today my broadband connection reduced to almost a stop.  A reboot has more or less fixed it (still slow) but the router and PC are behaving oddly (Speedtouch 546).  Both show continuous traffic (flashing LEDs) even when nothing is supposed to be happening.  I suspected some malware but can't find anything (task manager and netstat both draw a blank).   The really bizarre thing is that the modem/router is busy sending/receiving data even when the computer is powered off and disconnected.

Any ideas?  Have IDnet or BT implemented some form of continuous handshaking or something?

Duncan
(512K fixed)

Lance

Are you using wireless, or at least have it enabled? If it is enabled, is it a secure network (protected by WPA)? My first thought is that someone else is using the connection, especially as it seems to have activity even when your machine is off.
Lance
_____

This post reflects my own views, opinions and experience, not those of IDNet.

Sebby

I'm inclined to agree with Lance. Could you try disabling the wireless and connecting the PC with a network cable to see if that makes a difference, or easier, change the wireless key. If there's no security, switch it on. ;)

duncan

I use a separate wireless access point (the modem/router doesn't have wireless).  It is secured by MAC address so no problems there.  And anyway the 'data' still flows when the router is unplugged from everything except the ADSL socket.   I am becoming convinced it must be under some kind of attack from the internet but how to stop it I don't know.  I've tried turning the router off for an hour but as soon as it reconnects and my fixed IP address becomes 'live' the traffic resumes (no LAN connected).  All the router's low numbered ports are hidden.   I use a few high numbered ports for ssh, VNC etc but no Web server.

I guess that's one disadvantage of having a fixed IP address:-(


Lance

Is there anything in the router logs suggesting the firewall is blocking any attacks? I'd also suggest checking that ICMP echo requests are turned off so the outside world can't ping your router.
Lance
_____

This post reflects my own views, opinions and experience, not those of IDNet.

Rik

Quote from: duncan on Mar 31, 2008, 22:37:07
It is secured by MAC address so no problems there.

It's possibly worth pointing out that it's fairly easy to spoof a MAC address, so the security of this method is questionable.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Dangerjunkie

Quote from: Rik on Apr 01, 2008, 08:34:39
It's possibly worth pointing out that it's fairly easy to spoof a MAC address, so the security of this method is questionable.

Rik is right. If the only security you have on is MAC address filtering then you basically have no security. If there is no encryption then your packets are all visible to anyone who wants to listen and they can trivially find the MAC address of your card. On Linux it's a single command to change the MAC address of a wireless card to match yours and I could then connect. I believe there are programs to do the same on Windows and anyone who wants to hack wireless could easily get them.

BTW is the light on your wireless access point or the light on your router for the port the AP is connected to flashing?

Cheers,
Paul.

duncan

That's interesting to know about the MAC address.  However I use encryption as well so presumably not a problem?
My original point was that the issue persists with nothing connected to the ADSL modem.  It only has wired ethernet and all those connections are unplugged.  The only connection is to BT.  So if there is data traffic it is presumably inbound from the internet.
There is nothing in the logs (mind you they are pretty sparse on the Speedtouch).  I have ping echo turned off and I have now hidden all the ports (and checked them as invisible via www.grc.com).  Still the activity continues.  It's a shame I can't get the router to tell me what it is doing (at least via the GUI).  I can only guess it is some bizarre attack (why throw data at hidden ports?)  Or perhaps BT is doing something strange like sending QoS packets.
Maybe I should try changing IP address?  Does anyone know if IDnet charges for this?

Sebby

The best thing to do is give them a call, Duncan; I'm sure they can sort something out with regards to your IP address.

Although your computers may be invisible to the outside world, packets will still arrive at the router all the time. It could simply be that.
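An added example, not part of this thread or of any Speedtouch firmware, of the distinction Sebby is drawing: inbound packets at the WAN side are either replies to connections the router itself opened, or unsolicited arrivals (background scanning noise or a real probe). The log format and addresses below are constructed for the demo; a real router's firewall log will look different.

```python
from collections import Counter

# RFC 5737 documentation address standing in for a fixed public IP (constructed).
WAN_IP = "203.0.113.10"

# Constructed sample log: direction, protocol, src, sport, dst, dport
SAMPLE_LOG = """\
out tcp 203.0.113.10 51000 198.51.100.5 80
in  tcp 198.51.100.5 80 203.0.113.10 51000
in  tcp 192.0.2.44 40123 203.0.113.10 445
in  tcp 192.0.2.44 40124 203.0.113.10 135
in  udp 192.0.2.77 53 203.0.113.10 1434
out udp 203.0.113.10 50000 198.51.100.53 53
in  udp 198.51.100.53 53 203.0.113.10 50000
in  tcp 192.0.2.44 40125 203.0.113.10 22
"""

def parse_line(line):
    direction, proto, src, sport, dst, dport = line.split()
    return direction, proto, src, int(sport), dst, int(dport)

def classify(log_text):
    """Return (replies, unsolicited): replies is the count of inbound packets
    matching a flow we initiated; unsolicited is a Counter keyed by
    (source ip, destination port) for inbound packets with no such flow."""
    open_flows = set()      # (proto, remote ip, remote port, local port) we opened
    replies = 0
    unsolicited = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        direction, proto, src, sport, dst, dport = parse_line(raw)
        if direction == "out" and src == WAN_IP:
            open_flows.add((proto, dst, dport, sport))
        elif direction == "in" and dst == WAN_IP:
            if (proto, src, sport, dport) in open_flows:
                replies += 1
            else:
                unsolicited[(src, dport)] += 1
    return replies, unsolicited

def noisy_sources(unsolicited, min_ports=2):
    """Sources that touched at least min_ports distinct local ports:
    the pattern of a port scan rather than a single stray packet."""
    ports = {}
    for (src, port), _count in unsolicited.items():
        ports.setdefault(src, set()).add(port)
    return sorted(s for s, p in ports.items() if len(p) >= min_ports)
```

With the sample above, two packets are replies to our own DNS and HTTP requests and four are unsolicited, three of them from one source hitting three different ports.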

Simon

Have you actually run a spyware scan with something like Super AntiSpyware?  Of course, this may not be incoming traffic, but something going out.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Rik

Hi Duncan

I'm a little puzzled that you see this activity both on the computer and the router. The former suggests malware or some background task, the latter routine background network traffic.

As Simon says, the first thing to do is a malware sweep. If that's clear, then check with support, and they will be able to look at your line from their end. If you can borrow an alternative router, it would be a useful diagnostic.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

duncan

In case anyone is still watching this topic...after a few days the problem has gradually abated.  Looks like it was an attack that's given up and moved on.  Ho hum.

Duncan

Rik

We're still watching - thanks for letting us know. :)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Sebby

Quote from: duncan on Apr 05, 2008, 17:21:28
In case anyone is still watching this topic...after a few days the problem has gradually abated.  Looks like it was an attack that's given up and moved on.  Ho hum.

We're always watching. ;)

I'm glad the problem has gone. :)

Lance

Let's hope it doesn't happen again!  :)
Lance
_____

This post reflects my own views, opinions and experience, not those of IDNet.