Lias

5589 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

#141008 26-Feb-2014 22:04

Any Vodafone staff able to assist me in tracking down some unusual usage on a connection this afternoon? Normally does 1-2GB a day, did 17GB in 3-4 hours this afternoon and everyone in the house swears there has been minimal usage.

Cable connection with static IP, firewalled, both WAPs are secured with WPA2, all PCs have up-to-date AV protection etc.

I can see WHEN from the TCL client zone but I can't see where or what the traffic was, any assistance would be appreciated.






I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup.


michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #995140 26-Feb-2014 22:18

Somebody is fibbing, or has done something to cause this. With Cable getting faster it is easy to do this sort of usage in a few hours.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Opinions are my own and not the views of my employer.




sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #995221 27-Feb-2014 07:29

And you definitely don't have NTP or DNS exposed to the outside world? Amplification attacks on both are prolific at present.


Lias

5589 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #995256 27-Feb-2014 08:44

michaelmurfy: Somebody is fibbing, or has done something to cause this. With Cable getting faster it is easy to do this sort of usage in a few hours.


Certainly a possibility, one that I can't rule out with the information available to me. (Be really nice if the TCL usage facility worked like the old Paradise one of a decade ago and you could drill down and see exactly where your traffic went.)

sbiddle: And you definitely don't have NTP or DNS exposed to the outside world? Amplification attacks on both are prolific at present.


 

I'm aware of the NTP issues at the moment (work was donating its fairly large connection to the party), but I don't believe that to be the case. The router is a current model, with the latest firmware and no relevant known vulnerabilities, firewall enabled (albeit with 2 pinholes but not for NTP/DNS), non-default admin credentials etc.

I think I'm going to have to get motivated and build a pfsense box or something so I can get decent information in future.









EckoTango
6 posts

Wannabe Geek


  #996882 1-Mar-2014 10:19

Did you find out what was causing this?

I am having the exact same issue.

Everything is secured, but the usage spikes to almost 25GB on some days without me downloading anything significant.

The line moved about 1.4GB during the night last night when I had everything switched off except for the ADSL modem itself.

Vodafone first claimed that they could see that a 2nd modem was using the account details, but then backtracked and changed my password on their system.



RunningMan
8953 posts

Uber Geek


  #996902 1-Mar-2014 10:32

EckoTango:
Vodafone first claimed that they could see that a 2nd modem was using the account details, but then backtracked and changed my password on their system.




It's unlikely to be just a claim on Vodafone's part. This is what happens if you sell / give away / lend a Vodafone supplied modem to someone else - they get to download stuff on your account.

EDIT: I see you are in South Africa - could be any one of a number of issues, but Vodafone NZ are very unlikely to be having any impact on this.

EckoTango
6 posts

Wannabe Geek


  #996903 1-Mar-2014 10:34




It's unlikely to be just a claim on Vodafone's part. This is what happens if you sell / give away / lend a Vodafone supplied modem to someone else - they get to download stuff on your account.


I never sold a modem before. 

I am still using the original one that I got from them when I signed up.

EckoTango
6 posts

Wannabe Geek


  #996922 1-Mar-2014 10:52

RunningMan: 

EDIT: I see you are in South Africa - could be any one of a number of issues, but Vodafone NZ are very unlikely to be having any impact on this.


Nicely spotted. 

I am trying to assist a relative in NZ who is having this problem.

The portals of most SA ISPs display very nicely what the telephone number is of the line(s) connected to the account, so it would have been very easy to find out if the account details have been hacked, and by whom.

You can also see data usage per hour and per session, so that could also have helped in isolating the issue.

I stand corrected, but I don't see this information on Vodafone's Website.

 
 
 

RunningMan
8953 posts

Uber Geek


  #996925 1-Mar-2014 10:56

There are a number of DNS amplification attacks and similar doing the rounds - might pay to make sure your modem is not vulnerable to one of these.

EckoTango
6 posts

Wannabe Geek


  #996928 1-Mar-2014 11:06

RunningMan: There are a number of DNS amplification attacks and similar doing the rounds - might pay to make sure your modem is not vulnerable to one of these.


Will do, thanks.

As far as I can tell Vodafone use serial numbers to keep track of which modems are allowed to connect to an account. Is this MAC filtering?

In that case, it shouldn't really be possible to authenticate a modem which doesn't show up on the registered modems list.

EckoTango
6 posts

Wannabe Geek


  #1006464 15-Mar-2014 22:19

Still no closer to a solution, and the 150GB allocated for March has come and gone.

I did however notice something very odd with the tally of the online hours indicated by Vodafone's system for this month:



Let's forget the fact that the heading states that it is the online time for March 1st - March 15th, while it is also displaying online time for February.

How can a session be 337 hours long, if it started at 10H28 and finished at 11H30 on the 1st of March?

There are several examples of this miscalculation on other days as well.



sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1006584 16-Mar-2014 10:08

You haven't yet answered any of the questions above.

Is your router or any device behind it exposing DNS and/or NTP ports? If they are, I'd put the chances at 99%+ that a DDoS amplification attack is the cause of your problems.
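
Added example, not part of the original thread: one way to answer the question above is to probe your own WAN address for DNS and NTP replies, run from a host outside the LAN (for instance a tethered phone), since many routers answer DNS on the LAN side by design. The function names and the `192.0.2.1` placeholder are assumptions of this sketch; it sends one ordinary recursive DNS query and one ordinary NTP client request.

```python
import socket
import struct

def build_dns_query(name="example.com", txid=0x1234):
    """Standard recursive A query (RD flag set), one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_ntp_request():
    """48-byte NTP client request: LI=0, VN=3, Mode=3 (ordinary time query)."""
    return b"\x1b" + b"\x00" * 47

def classify_dns_reply(data, txid=0x1234):
    """'recursive' if the reply offers recursion (RA bit), 'answers' if it merely replies, else None."""
    if len(data) < 12:
        return None
    rid, flags = struct.unpack(">HH", data[:4])
    if rid != txid or not flags & 0x8000:  # must be a response to our query
        return None
    return "recursive" if flags & 0x0080 else "answers"

def classify_ntp_reply(data):
    """'answers' for a server-mode (mode 4) reply, else None."""
    if len(data) >= 48 and data[0] & 0x07 == 4:
        return "answers"
    return None

def probe_udp(host, port, payload, timeout=2.0):
    """Send one datagram and return the reply bytes, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, (host, port))
            data, _ = s.recvfrom(4096)
            return data
        except OSError:  # includes timeouts and ICMP unreachable errors
            return None

def check_exposure(wan_ip, dns_port=53, ntp_port=123, timeout=2.0):
    """Probe your own WAN address; None means no reply was seen for that service."""
    dns = probe_udp(wan_ip, dns_port, build_dns_query(), timeout)
    ntp = probe_udp(wan_ip, ntp_port, build_ntp_request(), timeout)
    return {"dns": classify_dns_reply(dns) if dns else None,
            "ntp": classify_ntp_reply(ntp) if ntp else None}

if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder; substitute your own public IP.
    print(check_exposure("192.0.2.1"))
```

A result of `"recursive"` for DNS or `"answers"` for NTP from the WAN side means that service is reachable from the internet and should be firewalled or disabled; `None` only shows that this single probe got no reply.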

EckoTango
6 posts

Wannabe Geek


  #1006623 16-Mar-2014 11:15

I have already checked and eliminated all of the above scenarios.

There are several examples of Vodafone's counter messing up floating around the web, which is why I am concentrating on that.

It happened with a few of their mobile customers as well, so this is not a fixed line-only issue.

The logs also indicate that sessions were actively connected when I had the ADSL modem unplugged for several hours.

Coil
6614 posts

Uber Geek
Inactive user


  #1006676 16-Mar-2014 12:33


I am pretty sure the online hours counts how long your PPP session has been active for....
I have never paid attention to that or even worried about such. It has no effect upon your billing.

NZFINEST
202 posts

Master Geek

Trusted

  #1006680 16-Mar-2014 12:38

@ EckoTango

Can you advise what the router make and model is please, and is a static IP address used? Also, is it an ADSL or cable connection?
Also, if by chance it was a counting error as such on the fixed line side, mobile customers won't and can't be affected. They are 2 different networks.

 

 




Anything I suggest or say is my own thoughts and not provided by anyone else unless stated

ZollyMonsta
3009 posts

Uber Geek

ID Verified
Trusted

  #1006681 16-Mar-2014 12:48

I see you are on a cable connection Lias. Are you sure no one is trying to DDoS you or similar (see other comments above with questions)? Traffic sent to you will show as traffic used on a cable connection.

Grant




 

 

Check out my LPFM Radio Station at www.thecheese.co.nz - Now on iHeart Radio, TuneIn and Radio Garden

 

As per the usual std disclaimer.. "All thoughts typed here are my own."

