Geekzone: technology news, blogs, forums


otherside

9 posts

Wannabe Geek


#154254 22-Oct-2014 13:54

Hi Geekzone,

First post and unfortunately it's because I'm completely at a loss with Vodafone's help centre.

We went away on holiday at the start of September, and came home 3 weeks later only to hit our 80gb broadband limit a few days later.

When I checked our usage, I noticed huge amounts of upstream traffic, in the region of 50-300mb an hour. We very rarely (if ever) exceed our limit, so I set about trying to figure out where all this data came from.

After doing isolation tests, changing router and network passwords, disabling all the network features I could think of and doing spyware scans of our iMac, I can't find a single source for this upstream data. I'm not seeding or using any P2P software either, and I've disabled all iCloud/Dropbox/Google Drive synching. I've checked the router's client list, and as far as I can see there are no foreign connections, though my technical knowledge is limited in this area.

Here's where it gets interesting though; we took to shutting off our router and modem at the wall to prevent excess usage charges - the data would immediately start ticking up as soon as they were powered on (with no computers or devices on or connected to the network). Also, I noticed very small amounts of downstream data at odd times (12am - 6am ish) even when the router and modem were turned off.

I've contacted Vodafone's help centre at least three times, and they've promised to look into it, though it's been a long drawn out process with no communication or updates whatsoever over the last month. The line in that Bic Runga song about "listening to the same old tune" is apt.

Is there anything else I could check to make sure this isn't a problem from our end? Or is this something that needs to be looked at by Vodafone? From reading around the forum, I've noticed that there's been some work done to the Cable network, could this possibly be causing the issues?

Any help or perspective would be hugely appreciated, thanks!

timmmay
20591 posts

Uber Geek

Trusted
Lifetime subscriber

  #1159993 22-Oct-2014 14:04

This rings a bell... something to do with all data aimed at your IP being billed, not just what you initiate. Also check your WiFi and make sure security's on and only devices you recognise are there.

Have a bit of a search through this forum, I'm sure it's come up before. The VF guys on here will no doubt be able to help.



johnr
19282 posts

Uber Geek
Inactive user


  #1159996 22-Oct-2014 14:07

Port 53 open. @SteveBiddle should be able to add some value here.

otherside

9 posts

Wannabe Geek


  #1159998 22-Oct-2014 14:09

Hi johnr, I'm not sure if port 53 is open, though it's more help than I've gotten in the last while! How would I be able to check it, and what does it mean if it is?




johnr
19282 posts

Uber Geek
Inactive user


  #1160005 22-Oct-2014 14:17

otherside: Hi johnr, I'm not sure if port 53 is open, though it's more help than I've gotten in the last while! How would I be able to check it, and what does it mean if it is?



I just emailed Steve about this thread

sidefx
3714 posts

Uber Geek

Trusted

  #1160013 22-Oct-2014 14:39

Run something like https://www.grc.com/x/ne.dll?bh0bkyd2 to see if port 53 is open. If it is open, maybe it's being used in DNS amplification?






johnr
19282 posts

Uber Geek
Inactive user


  #1160018 22-Oct-2014 15:02

sidefx: Run something like: https://www.grc.com/x/ne.dll?bh0bkyd2 to see if port 53 is open?  If open maybe used in DNS amplification?


Thanks, this is what I was trying to think of: 'DNS amplification'.

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1160029 22-Oct-2014 15:05

My pick would be a DNS amplification attack, because you either have a poorly configured router or an old one that doesn't have port 53 blocked.



 
 
 

freitasm
BDFL - Memuneh
79310 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1160038 22-Oct-2014 15:24

In simple terms: a router with port 53 (DNS) open to outside (not only your own network) or with firewall disabled can be used in amplification attacks.

Basically some Bad Guy (TM) sends out a small DNS request to your router, which then responds with a large response. The IP receiving this response is spoofed by the Bad Guy, so your router sends a large response to some computer or network the Bad Guy wants down. He sends lots of small requests to thousands of routers, which will send those large responses to this poor computer, flooding it.

Because a small request can cause the router to return a large response, it's called "Amplification attack".

Hard to prove, but if you have some cheap router with low security, old firmware, no firewall...








otherside

9 posts

Wannabe Geek


  #1160052 22-Oct-2014 15:31

Thanks for the support everyone!

I'm afraid I'm unable to check the exact model of my router since I'm at work, but I'm definitely going to check the port settings when I get home. The router was supplied new with our cable connection last year, though I'm afraid that other than configuring the network and password I haven't changed any settings. I'm fairly sure we keep our firewall active though.

Can anyone offer advice on settings I could apply to my router to prevent the attack (if it is as most of you suspect)?




freitasm
BDFL - Memuneh
79310 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1160054 22-Oct-2014 15:33

First follow the link above to check it's actually open or not. Then you can submit the router model and version for more information.







otherside

9 posts

Wannabe Geek


  #1160137 22-Oct-2014 17:11

Hi folks, used the tool linked here. Nothing came up for port 53 (wasn't listed on the results), however it found that port 21 was open. Is this something that might enable a DNS amplification attack?

For reference, here's the text summary:

GRC Port Authority Report created on UTC: 2014-10-22 at 04:05:38

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
                            119, 135, 139, 143, 389, 443, 445,
                            1002, 1024-1030, 1720, 5000

    1 Ports Open
   24 Ports Closed
    1 Ports Stealth
---------------------
   26 Ports Tested

The port found to be OPEN was: 21
The port found to be STEALTH was: 80
Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.

 

Router is a Netcomm NP805N 11n Wireless Gigabit Router.

Any suggestions?

EDIT:

I've just checked the router's log to see what's going on and I noticed a DoS type attack in the log: 

*******************************
Wed, 22 Oct 2014 14:16:16 +1000
*******************************
Oct 22 13:56:43 kernel: klogd started: BusyBox v1.3.2 (2013-04-25 11:00:35 CST)
Oct 22 13:56:47 commander: NETWORK Initialization finished. Result: 0
Oct 22 13:56:48 syslog: Failure parsing line 12 of /etc/udhcpd.conf
Oct 22 13:56:48 syslog: server_config.pool_check = 1
Oct 22 13:56:48 syslog: start = 192.168.20, end = 192.168.20, lan_ip = 192.168.20, interface=br0, ifindex=0
Oct 22 13:56:48 udhcpd[1244]: udhcpd (v0.9.9-pre) started
Oct 22 13:56:48 commander: SPAP!
Oct 22 13:56:48 commander: DDNS!
Oct 22 13:56:48 commander: SNMP!
Oct 22 13:56:48 commander: COLIN SNMP_Customer_id=1
Oct 22 13:56:48 commander: ROUTING!
Oct 22 13:56:49 commander: disable Daylight saving...
Oct 22 13:56:49 commander: TIME!
Oct 22 13:56:52 nat: Using the packet filter which support IP range
Oct 22 13:56:56 init: Starting pid 2088, console /dev/ttyS1: '/bin/ash'
Oct 22 13:56:57 commander: START WANTYPE Static IP Address
Oct 22 13:57:00 commander: handl_nat:nat restart
Oct 22 13:57:01 nat: Using the packet filter which support IP range
Oct 22 13:57:21 commander: Synchronization Time Success.
Oct 22 14:03:28 kernel: Blocked DoS Attack type :Synflood. , from 00:24:14:60:CF:F7
Oct 22 14:04:07 kernel: Blocked DoS Attack type :Synflood. , from 00:24:14:60:CF:F7

So I'm guessing there's something going on here, but this is rapidly venturing out of my area of knowledge. Would really appreciate someone translating.





Aredwood
3885 posts

Uber Geek


  #1160342 22-Oct-2014 22:13

Go to http://www.thinkbroadband.com/tools/dnscheck.html as well to check if your DNS is exposed. The above grc.com test only tests for open ports that accept TCP packets, but it's still good that you ran it, as port 21 means that you are exposing a File Transfer Protocol server. See if you have a setting enabled called remote file access or similar, as people will try to hack your router via that port. DNS works via UDP, so you will need to run the above DNScheck to see if it is open, which it will be, as johnr has already found it to be open.
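The check freitasm's and Aredwood's posts describe, written out as an added example (not code from this thread, from grc.com or from thinkbroadband): a TCP port scan says nothing about UDP/53, and what makes a router usable as an amplifier is a WAN-side DNS service that answers recursive queries from strangers with the RA flag set and a response larger than the query. The `probe` function assumes you run it from outside your own network against your own public IP; the decoding is exercised offline on constructed replies, and the 192.0.2.1 address is a constructed placeholder.

```python
import socket
import struct
from typing import Optional

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal recursive DNS query for `name` (QTYPE 1 = A), as a stub resolver would send it."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def analyse_response(query: bytes, response: bytes) -> dict:
    """Decode the header fields that decide whether the server acted as an open resolver."""
    txid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack(">HHHHHH", response[:12])
    return {
        "txid_matches": txid == struct.unpack(">H", query[:2])[0],
        "is_response": bool(flags & 0x8000),          # QR bit
        "recursion_available": bool(flags & 0x0080),  # RA bit: server offers recursion to us
        "rcode": flags & 0x000F,                      # 0 = NOERROR, 5 = REFUSED
        "answers": ancount,
        "amplification": len(response) / len(query),  # bytes sent out per byte received
    }

def is_open_resolver(r: dict) -> bool:
    """True when a WAN-side server resolved a recursive query for an arbitrary client."""
    return (r["txid_matches"] and r["is_response"] and r["recursion_available"]
            and r["rcode"] == 0 and r["answers"] > 0)

def probe(own_public_ip: str, name: str = "example.com", timeout: float = 3.0) -> Optional[dict]:
    """Send one query to UDP/53 on your own WAN address from outside; None means no reply (good)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (own_public_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None  # port 53 dropped or closed to the outside, which is what you want
    return analyse_response(query, data)

def constructed_reply(query: bytes, flags: int, rdata: Optional[bytes]) -> bytes:
    """Fake server reply built around `query` (constructed test data; nothing is sent anywhere)."""
    ancount = 0 if rdata is None else 1
    header = struct.pack(">HHHHHH", struct.unpack(">H", query[:2])[0], flags, 1, ancount, 0, 0)
    body = query[12:]  # echo the question section back, as real servers do
    if rdata is not None:  # one A record: pointer to the question name, type, class, TTL, length, data
        body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, len(rdata)) + rdata
    return header + body
```

Flags 0x8180 (QR, RD, RA, NOERROR) with an answer is the open-resolver case; 0x8105 (QR, RD, REFUSED) without RA is what a correctly locked-down router returns if it answers at all.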





sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1160392 23-Oct-2014 07:15

If you're only seeing upstream traffic when your router/PC is turned on then there almost certainly has to be something in your setup that is insecure.



freitasm
BDFL - Memuneh
79310 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1160401 23-Oct-2014 07:54

That "DDoS" attack blocked is an incoming connection, not outgoing.

Could you please PM your IP address to me?








xpd

xpd
Geek @ Coastguard NZ
13769 posts

Uber Geek

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #1160416 23-Oct-2014 08:49

FTP is quite often open internally on older cheap routers - logged into a friend's router one day and emailed him his own config telling him to turn it off.
So check your router settings for anything to do with Port 21/FTP and turn it off.





 

 

 

