Geekzone: technology news, blogs, forums




3807 posts

Uber Geek

Trusted
Lifetime subscriber

# 141008 26-Feb-2014 22:04

Any Vodafone staff able to assist me in tracking down some unusual usage on a connection this afternoon? Normally does 1-2GB a day, did 17GB in 3-4 hours this afternoon and everyone in the house swears there has been minimal usage.

Cable connection with static IP, firewalled, both WAPs are secured with WPA2, all PCs have up to date AV protection etc.

I can see WHEN from the TCL client zone but I can't see where or what the traffic was, any assistance would be appreciated.






Information wants to be free. The Net interprets censorship as damage and routes around it.


Mr Snotty
8764 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 995140 26-Feb-2014 22:18
2 people support this post

Somebody is fibbing, or has done something to cause this. With Cable getting faster it is easy to do this sort of usage in a few hours.




28128 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 995221 27-Feb-2014 07:29

And you definitely don't have NTP or DNS exposed to the outside world? Amplification attacks on both are prolific at present.


 
 
 
 




3807 posts

Uber Geek

Trusted
Lifetime subscriber

  # 995256 27-Feb-2014 08:44

michaelmurfy: Somebody is fibbing, or has done something to cause this. With Cable getting faster it is easy to do this sort of usage in a few hours.


Certainly a possibility, one that I can't rule out with the information available to me (be really nice if the TCL usage facility worked like the old Paradise one of a decade ago and you could drill down and see exactly where your traffic went).

sbiddle: And you definitely don't have NTP or DNS exposed to the outside world? Amplification attacks on both are prolific at present.


 

I'm aware of the NTP issues at the moment (work was donating its fairly large connection to the party), but I don't believe that to be the case. The router is a current model, with the latest firmware and no relevant known vulnerabilities, firewall enabled (albeit with 2 pinholes but not for NTP/DNS), non-default admin credentials etc.

I think I'm going to have to get motivated and build a pfsense box or something so I can get decent information in future.





Information wants to be free. The Net interprets censorship as damage and routes around it.


6 posts

Wannabe Geek


  # 996882 1-Mar-2014 10:19

Did you find out what was causing this?

I am having the exact same issue.

Everything is secured, but the usage spikes to almost 25GB on some days without me downloading anything significant.

The line moved about 1.4GB during the night last night when I had everything switched off except for the ADSL modem itself.

Vodafone first claimed that they could see that a 2nd modem was using the account details, but then backtracked and changed my password on their system.



5529 posts

Uber Geek


  # 996902 1-Mar-2014 10:32

EckoTango:
Vodafone first claimed that they could see that a 2nd modem was using the account details, but then backtracked and changed my password on their system.




It's unlikely to be just a claim on Vodafone's part. This is what happens if you sell / give away / lend a Vodafone supplied modem to someone else - they get to download stuff on your account.

EDIT: I see you are in South Africa - could be any one of a number of issues, but Vodafone NZ are very unlikely to be having any impact on this.

6 posts

Wannabe Geek


  # 996903 1-Mar-2014 10:34




It's unlikely to be just a claim on Vodafone's part. This is what happens if you sell / give away / lend a Vodafone supplied modem to someone else - they get to download stuff on your account.


I never sold a modem before. 

I am still using the original one that I got from them when I signed up.

6 posts

Wannabe Geek


  # 996922 1-Mar-2014 10:52

RunningMan: 

EDIT: I see you are in South Africa - could be any one of a number of issues, but Vodafone NZ are very unlikely to be having any impact on this.


Nicely spotted. 

I am trying to assist a relative in NZ who is having this problem.

The portals of most SA ISPs display very nicely what the telephone number is of the line(s) connected to the account, so it would have been very easy to find out if the account details have been hacked, and by whom.

You can also see data usage per hour and per session, so that could also have helped in isolating the issue.

I stand corrected, but I don't see this information on Vodafone's Website.

 
 
 
 


5529 posts

Uber Geek


  # 996925 1-Mar-2014 10:56
One person supports this post

There are a number of DNS amplification attacks and similar doing the rounds - might pay to make sure your modem is not vulnerable to one of these.

6 posts

Wannabe Geek


  # 996928 1-Mar-2014 11:06

RunningMan: There are a number of DNS amplification attacks and similar doing the rounds - might pay to make sure your modem is not vulnerable to one of these.


Will do, thanks.

As far as I can tell Vodafone use serial numbers to keep track of which modems are allowed to connect to an account. Is this MAC filtering?

In that case, it shouldn't really be possible to authenticate a modem which doesn't show up on the registered modems list.

6 posts

Wannabe Geek


  # 1006464 15-Mar-2014 22:19

Still no closer to a solution, and the 150GB allocated for March has come and gone.

I did however notice something very odd with the tally of the online hours indicated by Vodafone's system for this month:



Let's forget the fact that the heading states that it is the online time for March 1st - March 15th, while it is also displaying online time for February.

How can a session be 337 hours long, if it started at 10H28 and finished at 11H30 on the 1st of March?

There are several examples of this miscalculation on other days as well.



28128 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1006584 16-Mar-2014 10:08
One person supports this post

You haven't yet answered any of the questions above.

Is your router or any device behind it exposing DNS and/or NTP ports? If they are, I'd put the chances at 99%+ that a DDoS amplification attack is the cause of your problems.

6 posts

Wannabe Geek


  # 1006623 16-Mar-2014 11:15

I have already checked and eliminated all of the above scenarios.

There are several examples of Vodafone's counter messing up floating around the web, which is why I am concentrating on that.

It happened with a few of their mobile customers as well, so this is not a fixed line-only issue.

The logs also indicate that sessions were actively connected when I had the ADSL modem unplugged for several hours.

6615 posts

Uber Geek
Inactive user


  # 1006676 16-Mar-2014 12:33


I am pretty sure the online hours count how long your PPP session has been active for....
I have never paid attention to that or even worried about such. It has no effect upon your billing.

194 posts

Master Geek

Trusted

  # 1006680 16-Mar-2014 12:38

@ EckoTango

Can you advise what the router make and model is please, and is a static IP address used? Also, is it an ADSL or cable connection?
Also, if by chance it was a counting error as such on the fixed line side, mobile customers won't and can't be affected. They are 2 different networks.

 

 




Anything I suggest or say is my own thoughts and not provided by anyone else unless stated

2753 posts

Uber Geek

Trusted
Subscriber

  # 1006681 16-Mar-2014 12:48

I see you are on a cable connection Lias. Are you sure no one is trying to DDoS you or similar (see other comments above with questions)? Traffic sent to you will show as traffic used on a cable connection.

Grant




Check out my LPFM Radio Station at www.thecheese.co.nz

