Geekzone: technology news, blogs, forums




7 posts

Wannabe Geek
+1 received by user: 1


Topic # 136666 4-Dec-2013 22:58

I provide IT support for a number of home and small business users who are using Voda (formerly Telstra) cable connections for their internet (doh!).

I have a number recently who have been complaining of excessive data usage - one client had around 8G used in one night. That one I had thought traced back to a fault in Microsoft Outlook 2013 mis-behaving with an IMAP connection, changed the settings to POP, and the problem appeared to be resolved.

Now this client is calling saying that they are getting excessive use again, and there are no devices connected to the modem. Not quite true - there is a wireless router attached, and since any in-bound traffic (eg hacker attempts or P2P) would be sent automatically to it and metered. There are absolutely no devices on-line, and no apparent traffic is registered by the router, of course, as it doesn't pass anything through. They are seeing around 1Gb of traffic for every 2 hour period. And there aren't any devices on the network at all!

I had thought that these excessive traffic measurements would only be recorded if the traffic was routed to the specific IP address, and actually passed through the modem, hence my comments above about the router on the back-side of the modem. However, this overuse appears to also be the case with 1 client who has only a PC connected direct to the modem, and this is turned off most of the time (and the LAN connection is not designed to turn on the machine if a packet is received, just in case someone suggests that) - they simply turn it on when they want to get emails, surf, etc. They claim that the messages about overuse come in during the periods that the computer is turned off (and I mean that the emails indicate that the overuse occurs for extended periods of the machine being off, even allowing for the delays in sending the warnings). I cannot verify this, unfortunately.

The common solution for this issue in the past has been to advise the client to 'sleep' their Motorola modem by pressing the button on the top when internet access is not required. Since a recent firmware update, though, this is no longer possible - they have to power off the modem (and remember to power it on again when they want to use the network). For some this is OK, as the power switch is reachable, but some people have the power plug down behind a desk, and pulling the power cable from the modem is a) difficult and b) not something I'd recommend as a long term 'solution' in case they break something.

Has anyone else seen this sort of traffic usage occurring on their own or client networks? I have been through all the affected networks with a fine toothcomb, changing wireless passwords (all WPA2 and not simple passwords), checked for malware, viruses, root kits, you name it (apart from removing Microsoft software from the machines, of course!). I have checked both of the networks I have here, and can see nothing like this recently (although I have in the past) - it is almost as though someone is attempting a DOS against an IP address (or a range of IP addresses).

Has anyone any other ideas on how else to approach this issue, apart from the brute force 'turn it off when not in use'?

It is even more difficult when the clients have a mixture of people in the house (and generally not kids running games, P2P, chat, etc) some with computers and others with mobile devices that are expected to be 'always connected'.

Thanks

27673 posts

Uber Geek
+1 received by user: 7156

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 945824 5-Dec-2013 07:31

Is the DNS wide open? This is by far the most common cause of such issues.

If the issue was a DDoS against the IP, turning the modem off isn't going to do anything as traffic is already metered before it enters the CMTS.


 



7 posts

Wannabe Geek
+1 received by user: 1


  Reply # 945848 5-Dec-2013 08:32

Thanks, sbiddle, for your quick response.
I hope that coming up to Christmas I am not going to seem a turkey (even roasted) for asking this, but could you please explain your comment re DNS being wide open?
I am familiar with this in terms of MS servers on a network, but not in such a case - where there is "simply" the Voda modem, a wireless router, and (maybe) a user PC at the back end.
Sorry if this is a dumb question, and thanks for your comment also re metering - we are always learning.
R

 
 
 
 


755 posts

Ultimate Geek
+1 received by user: 342

Trusted

  Reply # 945854 5-Dec-2013 08:36

Hi Ray

I'm sure this is the sort of thing you would have already ruled out, but are there any gamers in the house at all? Right now there's the combination of the Steam sale, new Xbox and new PlayStation, all at once. :)

Dylan



7 posts

Wannabe Geek
+1 received by user: 1


  Reply # 945859 5-Dec-2013 08:46

Thanks, Dylan, but this was one of the earlier things I looked for - in most cases, there are no people who know much more than even turning on the PC, let alone using anything as "clever" as this (in their terms, not mine). And I've also ruled out hijacking of the wireless networks.

3344 posts

Uber Geek
+1 received by user: 1089

Trusted
Vocus

  Reply # 945866 5-Dec-2013 08:55

raycj: Thanks, sbiddle, for your quick response.
I hope that coming up to Christmas I am not going to seem a turkey (even roasted) for asking this, but could you please explain your comment re DNS being wide open?
I am familiar with this in terms of MS servers on a network, but not in such a case - where there is "simply" the Voda modem, a wireless router, and (maybe) a user PC at the back end.
Sorry if this is a dumb question, and thanks for your comment also re metering - we are always learning.
R


Have any firewall features been disabled on said router?  Some routers, when they have the firewall disabled, listen for DNS queries on WAN interfaces.  That's enough to open them up for use in DNS amplification attacks.

More information and a test is here: http://dns.measurement-factory.com/surveys/openresolvers.html

Hope that helps.


1477 posts

Uber Geek
+1 received by user: 524

Trusted

  Reply # 945913 5-Dec-2013 09:44

Hey there,

 The usage meter in the Customer Zone shows the traffic stats per connection down to the time of day, & divides it into upstream & downstream - is this showing consistently as one or the other? The notification emails are generated once every six hours (from memory), to avoid spamming customers, although the usage meter itself does update more frequently.

Would recommend having your clients log faults with the team on 0508 888 800 for residential, 0508 555 500 for business, or authorising you to do so on their behalf. Their connections can be monitored for unusual traffic spikes to see if there's anything out of the ordinary, and more detailed usage information can be retrieved if requested.

I haven't heard reports of anything similar being widespread on this end, but it sounds like you've done a really thorough job going through the potential end-user causes. As someone who used to do that with cable customers over the phone, consider it much appreciated. :)

 - Nik




Product Manager @ PB Tech

https://pbtech.co.nz/smartphones




7 posts

Wannabe Geek
+1 received by user: 1


  Reply # 946147 5-Dec-2013 17:09
One person supports this post

Thanks Ubergeeknz for your comment - I am pretty sure that disabling firewall would not have been done - certainly not by the ultra-paranoid me, when I set these up. I don't believe that the clients would understand how to get into the settings (apart from the klutz who held in the reset button when it didn't work properly - and funnily enough, it still didn't work after this!).
I will, however, check the settings next time I visit one of these people. I have a scheduled call this weekend sometime, so will re-post if I find something there.
Meantime, thanks for your comments - I have learnt something new today with the link you sent through.

And thanks, NikT for your thoughts - I will certainly take this route (calling on the techos) - up until now it has been pretty rushed - quick fix territory. I will place a call on their behalf next time I am on-site (as above); I've checked on the usage log for one of the clients, but others profess no knowledge of their passwords, and didn't want me to contact Voda on their behalf (cheap-ish).

Appreciate the assistance from all who responded - nice to know that there is a resource available like this.

R

27673 posts

Uber Geek
+1 received by user: 7156

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 946200 5-Dec-2013 19:57

There is no need to test for DNS while onsite - you can just run an nslookup from anywhere if you know their IP address.

BDFL - Memuneh
63051 posts

Uber Geek
+1 received by user: 13628

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 946208 5-Dec-2013 20:14
One person supports this post

On any PC open a command prompt, and execute:

>NSLOOKUP
Default server: [your server]

>www.geekzone.co.nz [client's IP address]

If the response is "DNS request timed out" then it's being blocked. If the response is "Name: geekzone.co.nz Addresses: ...." then it's responding to DNS requests from the Internet.
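
Added example, not part of any post in this thread: the same open-resolver check as the nslookup session above, scripted so it can be repeated across several client connections you are responsible for. The function names and the 192.0.2.1 placeholder address are assumptions; run it from a network outside the client's own.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a recursive (RD=1) DNS A query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, txid=0x1234):
    """Classify the raw reply (or None on timeout) from the address under test."""
    if data is None:
        return "no-response"        # timed out: blocked, or nothing listening
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID, or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    recursion_available = bool(flags & 0x0080)
    if rcode == 0 and ancount > 0 and recursion_available:
        return "open-resolver"      # resolved a third-party name for an outsider
    if rcode == 5:
        return "refused"            # listens on the WAN side but declines to resolve
    return "responds-other"

def probe(ip, name="www.geekzone.co.nz", timeout=3.0, port=53):
    """Send one query to `ip`; return (verdict, reply size / query size)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (ip, port))
            data, _ = s.recvfrom(4096)
        except OSError:             # includes socket.timeout
            return "no-response", 0.0
    return classify_response(data), len(data) / len(query)

if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder; substitute the client's WAN IP.
    print(probe("192.0.2.1"))
```

A verdict of "open-resolver" corresponds to the "Name: ... Addresses: ..." outcome described above, and "no-response" to "DNS request timed out"; the second value shows how much larger the reply is than the query, which is what makes an open resolver useful for amplification.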




3 posts

Wannabe Geek
+1 received by user: 2


  Reply # 951551 13-Dec-2013 12:27

Hi there

I've been experiencing a similar issue on Vodafone naked ADSL in central Auckland for the past three weeks or so. The Vodafone traffic counter significantly over-reports our data usage.

Our router has its own traffic meter functionality. Compared to this, the Vodafone traffic counter is over-reporting by 2-3 times. For example, yesterday's usage according to the router was 1351MB, while Vodafone reports 4534MB. 

According to Vodafone, we are on track to use about 150GB this month. We normally use 40-50GBs.

The router is the only device configured to connect to our Vodafone account. 

I've logged a support call with the Vodafone service desk.

19282 posts

Uber Geek
+1 received by user: 2600
Inactive user


  Reply # 951567 13-Dec-2013 12:50

akojev: Hi there

I've been experiencing a similar issue on Vodafone naked ADSL in central Auckland for the past three weeks or so. The Vodafone traffic counter significantly over-reports our data usage.

Our router has its own traffic meter functionality. Compared to this, the Vodafone traffic counter is over-reporting by 2-3 times. For example, yesterday's usage according to the router was 1351MB, while Vodafone reports 4534MB. 

According to Vodafone, we are on track to use about 150GB this month. We normally use 40-50GBs.

The router is the only device configured to connect to our Vodafone account. 

I've logged a support call with the Vodafone service desk.


What basic fault checking have you done across the PCs connected to the network?

14651 posts

Uber Geek
+1 received by user: 2725

Trusted
Subscriber

  Reply # 951570 13-Dec-2013 12:55

Why would you fault check the PCs when the router traffic meter and Vodafone traffic meter don't agree?

My assumption is there's a bunch of traffic hitting the modem for some reason that isn't getting to the router, but I'm not any kind of a networking expert.

1356 posts

Uber Geek
+1 received by user: 317


  Reply # 951581 13-Dec-2013 13:06

Maybe you sold your modem to someone else who also uses Vodafone broadband and their data usage is accruing to your account.

19282 posts

Uber Geek
+1 received by user: 2600
Inactive user


  Reply # 951585 13-Dec-2013 13:15

timmmay: Why would you fault check the PCs when the router traffic meter and Vodafone traffic meter don't agree?

My assumption is there's a bunch of traffic hitting the modem for some reason that isn't getting to the router, but I'm not any kind of a networking expert.


You would check them for a virus / malware to make sure this is not causing extra traffic

14651 posts

Uber Geek
+1 received by user: 2725

Trusted
Subscriber

  Reply # 951586 13-Dec-2013 13:17

johnr:
timmmay: Why would you fault check the PCs when the router traffic meter and Vodafone traffic meter don't agree?

My assumption is there's a bunch of traffic hitting the modem for some reason that isn't getting to the router, but I'm not any kind of a networking expert.


You would check them for a virus / malware to make sure this is not causing extra traffic


How would this traffic get counted on the Vodafone usage checker without being counted by the router's usage counter?
