Why is my Xtra account showing daily uploads?

Forums › Spark New Zealand (including Skinny and BigPipe) › Why is my Xtra account showing daily uploads?

geekIT

2418 posts

Uber Geek

#138369 1-Jan-2014 09:56

Hi all. Just resumed with Xtra as an ISP after a four-year trouble-free break with XNet (don't ask, maybe I'm masochistic), and I've suddenly discovered I can check my daily download usage. I'm gobsmacked to find that, over the first month, my download figures correspond with the files I've downloaded, but I've somehow UPLOADED nearly four gigs!

Now, I don't use Torrent, or file sharing, so nobody has access to my secure LAN, so WTF is going on here?

Xtra's helpdesk has no answer, except that 'Well, every time you click a link on Google, or TradeMe etc, it sends a request, and that constitutes an upload'. Say what!

Ok, I can accept that there may be a tiny amount of data in a link request, but my daily UPLOADS vary from a low of 25.77MB to a whopping 621.77MB!

That's crazy. Anyone able to comment?

'Those who can make you believe absurdities can make you commit atrocities.' Voltaire

'A patriot must always be ready to defend his country against his government.' Edward Abbey

1 | 2 | 3

1948 posts

Uber Geek
Inactive user

#959812 1-Jan-2014 10:00

Virus.. malware or some programme being untoward.

Unplug each machine from your network starting with switching off your router and see if it continues.

Could also be if you are using a non telecom supplied router then it could be that it has been hijacked with a dns redirect or being used as a spambot.

freitasm

BDFL - Memuneh
79254 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#959817 1-Jan-2014 10:11

What router are you using? Is the firewall in that router turned on? The router could have been used in a DNS amplification attack (where an attacker uses the DNS on your router to respond to fake requests sending the responses to another IP address to overload it).

RunningMan

8953 posts

Uber Geek

#959818 1-Jan-2014 10:17

Apple iCloud syncing?

geekIT

2418 posts

Uber Geek

#960186 2-Jan-2014 09:08

Guys, thanks for your responses.

The modem is a new Technicolor TG582N (software 8.4.4.1) and was supplied by Telecom as part of the package when we moved house in November 2013.

Security? Yes, it's turned on and the WPA-PSK code is reasonably complex.

Modem firewall: Nope, it's not turned on.

Apple iCloud syncing? No, I don't do any form of data syncing, or online backups, or Skype, or Torrent file sharing

Before we go any further, could we just confirm my thoughts on uploads? I'm an IT guy, who's spent the last 15 years building and repairing computers, but I've only ever got into the coding and programming side of computing when and as necessary. In other words, I've always taken a lot of stuff for granted.

One of these givens is that, unless I choose to SEND stuff via emails, there's virtually nothing that goes UP from my machine. Is this correct?

Something that could be enlightening: How about those of you who have Telecom accounts, checking your own accounts (via My Telecom) to see if there is any unexpected upward data traffic. I mean, I've been using the internet for pretty much as long as it's been available in NZ, and in all that time, most of which has been with Xtra, I've never thought to check that my monthly data traffic included any uploads.

So, to find that my new 30GB Telecom package (which to my simplistic way of thinking means 30GB of downloads) has been 'short-changed' to the tune of 10% is disturbing. In other words, I was expecting to have 30GB of download traffic available, but only ended up with 26GB, because the monthly UPLOADS totaled around 4GB.

Perplexed.........

'Those who can make you believe absurdities can make you commit atrocities.' Voltaire

'A patriot must always be ready to defend his country against his government.' Edward Abbey

freitasm

BDFL - Memuneh
79254 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#960187 2-Jan-2014 09:17

geekIT: Modem firewall: Nope, it's not turned on.

This is the first and most important thing to do it. Right now.

geekIT: Before we go any further, could we just confirm my thoughts on uploads? I'm an IT guy, who's spent the last 15 years building and repairing computers, but I've only ever got into the coding and programming side of computing when and as necessary. In other words, I've always taken a lot of stuff for granted.

One of these givens is that, unless I choose to SEND stuff via emails, there's virtually nothing that goes UP from my machine. Is this correct?

Upload is ANY traffic coming out of the modem port into the Internet. One would assume the traffic would come from computers connected to the LAN, but the modem itself can send traffic out.

One of this traffic out is when your firewall is not enabled and the DNS service in the modem responds to requests from inside and OUTSIDE of your LAN. Robots will find it and use the open DNS to act as part of a DDoS called Smurf Attack for example.

Basically Attacker A wants to take down Victim B. One computer is not enough but Attacker A knows better. It broadcasts DNS requests to a network hosting Unsecure Routers. Those requests are fake because they have the Victim B's IP address spoofed. This cause all those Unsecure Routers to respond to Victim B's computer.

With one request Attacker A can send thousands of packets to Victim B. If Attacker A uses another botnet to send out a few thousands requests to thousands of Unsecure Routers then Victim B ends up receiving millions of requests, crippling its servers. And YOU owner of Unsecure Router pays the upload bill for your participation in the attack.

Turn that firewall ON now.

Talkiet

4792 posts

Uber Geek

Trusted

#960188 2-Jan-2014 09:23

With Telecom (and most providers I believe) the traffic accounting has always counted in both directions.

In general, even if you don't actively upload things, every single packet (well, there are exceptions, but basically this is right) has to be acknowledged so for every large packet you receive, there's a small packet that your computer sends out. For a typical user, 26GB of downloads could easily be 4GB of uploads, even without running a torrent program or uploading lots of photos.

If those numbers (26 and 4GB) are your actual numbers, and the usage is reasonably even and in line with when the download usage happened - I'd suggest there's nothing wrong with the traffic counting.

If you only have one machine, there's a relatively simple way to check this... Graph or record your network card usage and watch in realtime how much traffic goes in each direction. I suggest grabbing and installing something like Netmeter

http://www.metal-machine.de/readerror/index.php?action=tpmod;dl=item23

and seeing what happens when you do various things on the Internet.

Cheers - N

Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

SteveON

1916 posts

Uber Geek

#960190 2-Jan-2014 09:30

Talkiet: With Telecom (and most providers I believe) the traffic accounting has always counted in both directions.

In general, even if you don't actively upload things, every single packet (well, there are exceptions, but basically this is right) has to be acknowledged so for every large packet you receive, there's a small packet that your computer sends out. For a typical user, 26GB of downloads could easily be 4GB of uploads, even without running a torrent program or uploading lots of photos.

If those numbers (26 and 4GB) are your actual numbers, and the usage is reasonably even and in line with when the download usage happened - I'd suggest there's nothing wrong with the traffic counting.

If you only have one machine, there's a relatively simple way to check this... Graph or record your network card usage and watch in realtime how much traffic goes in each direction. I suggest grabbing and installing something like Netmeter

http://www.metal-machine.de/readerror/index.php?action=tpmod;dl=item23

and seeing what happens when you do various things on the Internet.

Cheers - N

This was my initial thought. Data cant download without a request (upload.)

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

freitasm

BDFL - Memuneh
79254 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#960192 2-Jan-2014 09:36

And on TCP every downloaded packet requires an uploaded pack with a confirmation.

That's why

a) Downloading something also requires some uploading (smaller of course)
b) Upload speeds can impact in download speeds

timmmay

20575 posts

Uber Geek

Trusted

Lifetime subscriber

#960194 2-Jan-2014 09:44

I just checked my stats for the past two days, which included emails but no torrents or uploads, but does include dropbox uploading - though not very much. Uploads constituted 3% of my data usage. That suggests with 24GB of downloads you should have around 720MB of uploads, though half or double that wouldn't surprise me.

TC users can get a detailed accounting of their usage as a csv file through the customer portal.

SteveON

1916 posts

Uber Geek

#960200 2-Jan-2014 10:10

timmmay: I just checked my stats for the past two days, which included emails but no torrents or uploads, but does include dropbox uploading - though not very much. Uploads constituted 3% of my data usage. That suggests with 24GB of downloads you should have around 720MB of uploads, though half or double that wouldn't surprise me.

TC users can get a detailed accounting of their usage as a csv file through the customer portal.

Upload data depends on protocol, service, errors e.t.c.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#960203 2-Jan-2014 10:17

The first thing to do is turn your firewall on, I'm not sure why you have this disabled but I'm pretty sure these Technicolor's respond to external DNS requests when this is disabled so the most likely cause right now would be a DNS amplification attack because of this.

plambrechtsen

1948 posts

Uber Geek
Inactive user

#960227 2-Jan-2014 10:57

sbiddle: The first thing to do is turn your firewall on, I'm not sure why you have this disabled but I'm pretty sure these Technicolor's respond to external DNS requests when this is disabled so the most likely cause right now would be a DNS amplification attack because of this.

Do a factory reset on the router and it should go back to firewall on and be in a more secure state.

morrisk

364 posts

Ultimate Geek

Lifetime subscriber

#960243 2-Jan-2014 12:19

I have noticed this same behaviour and noted that it began to happen on two computers that I had upgraded to OSX Mavericks. The two computers are in differed places 600km apart on separate accounts (Telecom). I use iCloud and drop box. But I was using these before the Mavericks upgrade and did not see this uploading happening - it was several GBs a day.
I have not had time to do much yet in the way of investigation but have managed the problem by turning off the computers when not using them. I was in the habit of leaving them on 24/7

geekIT

2418 posts

Uber Geek

#960513 3-Jan-2014 08:36

Again, thanks guys.

Freitasm: In all the time I've been on the net, I've never used a modem firewall. A close friend is Ops Manager for a big coms company and he always said it was less complicated, but just as effective, to use a firewall within Windows. So that's what I've always done. Zone Alarm has been my firewall of choice for 20 years and it seem to be pretty effective, plus it has a good feedback interface. Like' "Do you want to allow 'X' to access the internet?" and so on.

Having said that, I've had Zone Alarm switched off for the last week or so (well, uninstalled, actually - you can't effectively switch it off), because of another new issue involving slow downloads, but that's another story. Suffice to say that Zone Alarm is now back on and working. But the gratuitous UPLOADS still continue.

Talkiet: So you think 4GB out of 30GB is par for the course? Interesting. I wonder what umpteen thousand other Telecom users would think if they knew that around 13% of their plan was being frittered away on some sort of unseen, but unavoidable overhead? Anyway, I've taken your advice and installed Netmeter, though I'm not quite sure what I'm supposed to be watching...

Timmmay: 3% for you? Sounds much more reasonable than 13%, doesn't it?

sbiddle: See above for notes on modem firewall and Zone Alarm.

plambrechtsen: Over the years, my routers have always been either Dynalink or Netcomm. This latest Technicolor is a departure, for me. However, no modem model I've ever used has had the firewall switched on by default.

In case anyone's interested, here's Telecom's traffic report for Nov\Dec.

'Those who can make you believe absurdities can make you commit atrocities.' Voltaire

'A patriot must always be ready to defend his country against his government.' Edward Abbey

timmmay

20575 posts

Uber Geek

Trusted

Lifetime subscriber

#960524 3-Jan-2014 09:02

Very knowledgeable people have suggested you turn on the modem firewall, along with good reasons. I suggest you follow their advice, at least for a trial run, rather than 20 year old advice from a friend.

There's really no drawback in having the firewall in your modem turned on. If you need to forward a port, that's easy. Two levels of protection are better than one.

1 | 2 | 3