I provide IT support for a number of home and small business users who are using Voda (formerly Telstra) cable connections for their internet (doh!).
I have a number recently who have been complaining of excessive data usage - one client had around 8G used in one night. That one I had thought traced back to a fault in Microsoft Outlook 2013 misbehaving with an IMAP connection, changed the settings to POP, and the problem appeared to be resolved.
Now this client is calling saying that they are getting excessive use again, and there are no devices connected to the modem. Not quite true - there is a wireless router attached, and any in-bound traffic (e.g. hacker attempts or P2P) would be sent automatically to it and metered. There are absolutely no devices on-line, and no apparent traffic is registered by the router, of course, as it doesn't pass anything through. They are seeing around 1Gb of traffic for every 2 hour period. And there aren't any devices on the network at all!
I had thought that these excessive traffic measurements would only be recorded if the traffic was routed to the specific IP address, and actually passed through the modem, hence my comments above about the router on the back-side of the modem. However, this overuse appears to also be the case with 1 client who has only a PC connected direct to the modem, and this is turned off most of the time (and the LAN connection is not designed to turn on the machine if a packet is received, just in case someone suggests that) - they simply turn it on when they want to get emails, surf, etc. They claim that the messages about overuse come in during the periods that the computer is turned off (and I mean that the emails indicate that the overuse occurs for extended periods of the machine being off, even allowing for the delays in sending the warnings). I cannot verify this, unfortunately.
The common solution for this issue in the past has been to advise the client to 'sleep' their Motorola modem by pressing the button on the top when internet access is not required. Since a recent firmware update, though, this is no longer possible - they have to power off the modem (and remember to power it on again when they want to use the network). For some this is OK, as the power switch is reachable, but some people have the power plug down behind a desk, and pulling the power cable from the modem is a) difficult and b) not something I'd recommend as a long term 'solution' in case they break something.
Has anyone else seen this sort of traffic usage occurring on their own or client networks? I have been through all the affected networks with a fine toothcomb, changing wireless passwords (all WPA2 and not simple passwords), checked for malware, viruses, root kits, you name it (apart from removing Microsoft software from the machines, of course!). I have checked both of the networks I have here, and can see nothing like this recently (although I have in the past) - it is almost as though someone is attempting a DOS against an IP address (or a range of IP addresses).
Has anyone any other ideas on how else to approach this issue, apart from the brute force 'turn it off when not in use'?
It is even more difficult when the clients have a mixture of people in the house (and generally not kids running games, P2P, chat, etc) some with computers and others with mobile devices that are expected to be 'always connected'.
Thanks