2284 posts

Uber Geek
+1 received by user: 375

Trusted
Subscriber

  Reply # 521736 16-Sep-2011 00:32

DonGould:
jnawk:   Some routers (the not so dirt cheap ones) will let you SNMP them.  Depends on OP's setup.


$85 - http://www.gowifi.co.nz/ethernet-adsl/mikrotik-routerboard-rb/750.html

SNMP, netflow, ip accounting, user manager.



While this will count most of the traffic it's not going to be much more accurate than installing something like NetWorx on each PC in the house.

The fact is that sometimes there are delays in the processing of the raw traffic accounting data and data does trickle in eventually. This often happens when an ISP performs maintenance on their accounting systems.

I was also under the impression when there was debate around billing that ISPs gave customers their raw traffic flows on a DVD, leaving the customer to figure out how to even read the mountains of data ;)

176 posts

Master Geek
+1 received by user: 11


  Reply # 521758 16-Sep-2011 07:55

Riggleby: We checked our usage last night and were shocked to see we had apparently chewed through 84GB of our 90GB cap in just 11 days. On close inspection of the usage trackers, we've suddenly been uploading an insane amount of data. We rang this morning and were told that the problem was on our end and that someone must be connected to our wireless - only we don't have wireless enabled. It's all wired.

What we've realised tonight is that there are peaks of upload data that cannot possibly be right. Our maximum upload speed is 2Mbit, or roughly 250kb/s, which is a maximum of 878MB of data uploaded in any given hour. Telstra is saying we've uploaded 1.1GB-1.3GB in a single hour on certain days.

To further disprove the accuracy of their usage tracker, our modem was unplugged from 9am until 7:30PM today. Somehow, data was still sent and received.

They'll be getting a phonecall in the morning. Something on their end is definitely wrong, and they'll have to accept responsibility eventually.


This is all so familiar. Several years ago, I had them on about the very same thing. I think, if memory serves, the connection was 4mbit/sec and I was being billed for more like 30mbit/sec (my modem was a Com21 - the one with the 10mbit ethernet interface). They backed off when I pointed out how impossible it was, but what with all the bull pucky about the no usage and then accounting for it all at once, and with the fact that the traffic is accounted for at the other end of their network (where the link can see that kind of traffic), I fear you'll probably have a fight on your hands.

As others have advised - record your calls if you can. At the very least, take full notes. If you are like me, you'll find it hard, but if at least you can give them names of reps, and date and time, then assuming you get the attention of someone beyond 1st level, they may even go through the tapes and review the conversation.

Good Luck

 
 
 
 


176 posts

Master Geek
+1 received by user: 11


  Reply # 521781 16-Sep-2011 08:53

insane: I was also under the impression when there was debate around billing that ISPs gave customers their raw traffic flows on a DVD, leaving the customer to figure out how to even read the mountains of data ;)


Challenge accepted.   Of course, it'd be more than a single DVD unless they just captured packet headers.


566 posts

Ultimate Geek
+1 received by user: 2

Trusted
TelstraClear

  Reply # 521803 16-Sep-2011 09:49

Riggleby: We checked our usage last night and were shocked to see we had apparently chewed through 84GB of our 90GB cap in just 11 days. On close inspection of the usage trackers, we've suddenly been uploading an insane amount of data. We rang this morning and were told that the problem was on our end and that someone must be connected to our wireless - only we don't have wireless enabled. It's all wired.

What we've realised tonight is that there are peaks of upload data that cannot possibly be right. Our maximum upload speed is 2Mbit, or roughly 250kb/s, which is a maximum of 878MB of data uploaded in any given hour. Telstra is saying we've uploaded 1.1GB-1.3GB in a single hour on certain days.

To further disprove the accuracy of their usage tracker, our modem was unplugged from 9am until 7:30PM today. Somehow, data was still sent and received.

They'll be getting a phonecall in the morning. Something on their end is definitely wrong, and they'll have to accept responsibility eventually.


Hi Riggleby, Please PM with your account number and contact details and I'll ask one of the team to look into this for you.

Thanks, Gary

74 posts

Master Geek
+1 received by user: 16


  Reply # 521820 16-Sep-2011 10:24

TelstraClear:
Riggleby: We checked our usage last night and were shocked to see we had apparently chewed through 84GB of our 90GB cap in just 11 days. On close inspection of the usage trackers, we've suddenly been uploading an insane amount of data. We rang this morning and were told that the problem was on our end and that someone must be connected to our wireless - only we don't have wireless enabled. It's all wired.

What we've realised tonight is that there are peaks of upload data that cannot possibly be right. Our maximum upload speed is 2Mbit, or roughly 250kb/s, which is a maximum of 878MB of data uploaded in any given hour. Telstra is saying we've uploaded 1.1GB-1.3GB in a single hour on certain days.

To further disprove the accuracy of their usage tracker, our modem was unplugged from 9am until 7:30PM today. Somehow, data was still sent and received.

They'll be getting a phonecall in the morning. Something on their end is definitely wrong, and they'll have to accept responsibility eventually.


Hi Riggleby, Please PM with your account number and contact details and I'll ask one of the team to look into this for you.

Thanks, Gary

I'm relatively new to the forums so I'm guessing PM'ing is clicking the Email link on the profile. If so, PM sent.

3889 posts

Uber Geek
+1 received by user: 164


  Reply # 521829 16-Sep-2011 10:50

Oh look :)!!!!  Gary got his PM link back.

Now can someone do me a quick spreadsheet on the amount of data that you can use in an hour again?

I'm sure I read one of you said it was ~800mb.

Can I spike 1.1GB in an hour?

And what's really throwing that much data at me at that time of day, I'm asleep?







Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz


176 posts

Master Geek
+1 received by user: 11


  Reply # 521853 16-Sep-2011 11:11

DonGould: Oh look :)!!!!  Gary got his PM link back.

Now can someone do me a quick spreadsheet on the amount of data that you can use in an hour again?

I'm sure I read one of you said it was ~800mb.

Can I spike 1.1GB in an hour?

And what's really throwing that much data at me at that time of day, I'm asleep?





Down @ 15mbps = 6.6GB.  Up at 2mbps = 900mb.

3889 posts

Uber Geek
+1 received by user: 164


  Reply # 521868 16-Sep-2011 11:43

jnawk: Down @ 15mbps = 6.6GB.  Up at 2mbps = 900mb.


Cool thanks... so I can pull that data in an hour...  but at 6am in the morning?  Where's that coming from?

BiDi's really got me wondering now...

I'm now paying for $30 dollars more for 60Gb than I was before... so that's $360 more a year.  That's quite a bit of beer really isn't it.

I wonder how many other people have big blips that they just don't notice?









Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz


176 posts

Master Geek
+1 received by user: 11


  Reply # 521885 16-Sep-2011 12:05

DonGould: Cool thanks... so I can pull that data in an hour... but at 6am in the morning? Where's that coming from?


I presume you don't run any kind of servers on your connection? For me, that kind of tom-foolery was stuff like twats trying to break into my SIP server, etc.

3889 posts

Uber Geek
+1 received by user: 164


  Reply # 521890 16-Sep-2011 12:14

jnawk: I presume you don't run any kind of servers on your connection? For me, that kind of tom-foolery was stuff like twats trying to break into my SIP server, etc.


ya I've got all sorts of junk everywhere.  Don't have a SIP server at present...  but yes, it's getting time that I started to pay just a little more attention and see where this junk is coming from as it's starting to get a bit out of hand.

The problem is how do you stop them?  I can't even get sense out of the helpdesk on a good day when there is a really obvious fault at their end..




What chance do you think I've got of trying to get them to take action against a rogue hacking attempt?

How do I even put alarms on it to notify myself?

Do I need to set up a netflow collector and then use something to spot the traffic spikes and dynamically update my firewall rules?

But would firewall rules help me anyway?  Would they just keep attacking and causing traffic at me?








Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz


176 posts

Master Geek
+1 received by user: 11


  Reply # 521939 16-Sep-2011 13:32

I've had relative success with things such as DenyHosts (for blocking SSH attacks by putting attackers' IP addresses / hostnames in /etc/hosts.deny - it can sync with a server globally so you can benefit from other users being a target), and Fail2Ban (which I use for updating iptables rules to drop SIP packets from hosts who are trying to brute force my server).

You can also use Fail2Ban for SSH, but you don't get the global database, but to get the same effect, you could configure a post-Deny action that updated iptables.

For SSH, blocking the packets would reduce the attack stream to SYN packets only (less than 100 bytes), while for SIP, it just makes you less of an attractive target (the attack - 500 or so byte UDP packets) eventually dries up. As for getting Telstra to do anything about it? Well, you're probably not going to get anywhere short of turning your cable modem off and then whining at them that your cable modem was off and that you couldn't possibly have consumed the traffic being billed for. See post #1 of this thread :-)



For me, one guy at the help desk offered to set up a firewall rule at their end, and promised that I would not have to pay for the attack traffic. Of course, I never had a recording, but I did write down the time of the call. The firewall rule was not put in place (surprise surprise), and I was charged for the traffic.

When I asked about the firewall rule, I was told that they don't do that, and that I should never have been promised it. My view on that is that if a legitimate representative of a company offers to do X (in good faith, of course), regardless of whether or not they actually have authority to make such an offer, the company should be bound to abide by that offer. Clearly, big business doesn't see it that way, and would rather be able to say "oh, sorry, our representative was out of line, too bad for you, pay up".

I went as far as removing credit card authority and paying only the undisputed amount. I was calling the helpdesk at least weekly to see where the matter was, and each time it was like going back to square one. Eventually, the attack traffic just disappeared from my usage, and my bill went down, as if I had paid the disputed amount. All very cloak and daggers, really. No one ever bothered to contact me to inform me of the outcome, but since I appear to have had the attack expunged from my bill, I was happy enough to just stop.

The only other potentially useful thing they suggested was they could change my IP address. I don't know if the helpdesk had the wit to understand that would have been like cutting my nose off to spite my face, given the fact that I would have had to update DNS entries left right and centre, and within 30 seconds (ok, 86400 seconds) of doing so, the attacking would start all over again.



In summary, the best advice I can give is make sure your servers are not vulnerable, and that you have intrusion detection systems (as above) in place that respond in as close to real time as possible, and pray someone doesn't actually send a stream of packets at your IP address with the point of simply consuming bandwidth, as you'll be liable for it. You could try involving the police, but you'd need your modem on to collect data about the IP addresses, and if they are coming from overseas, well, that's just too bad.



Wow, I must be getting pretty jaded!



62 posts

Master Geek
+1 received by user: 2


  Reply # 521941 16-Sep-2011 13:34

Here's one day's usage that really stands out:

A bad day for traffic!

This is before we started to turn off the modem, but no one was on the computers between 11 and midnight.

You cannot see it clearly, but there is other traffic, the vertical scale is just swamped by the 4 GB peak that occurred in the last hour. 

It seems obvious that this does not reflect our usage as a function of time. But even if this 4 GB was aggregated over the whole day, I have trouble believing that we really downloaded so much.
 

176 posts

Master Geek
+1 received by user: 11


  Reply # 521953 16-Sep-2011 14:00

I'd have suggested downloading the usage data, but of course, it is just a CSV version of the graph. You cannot drill down by IP address and protocol, which is the kind of data you need in order to make a complaint.

TC need to up their game in this regard. Also, I can accept that the usage meter may be 4 hours behind, but can't they timestamp their accounting records so that the data doesn't all show up in the hour that the records arrive at the server that processes the data?



62 posts

Master Geek
+1 received by user: 2


  Reply # 521960 16-Sep-2011 14:12

jnawk: TC need to up their game in this regard. Also, I can accept that the usage meter may be 4 hours behind, but can't they timestamp their accounting records so that the data doesn't all show up in the hour that the records arrive at the server that processes the data?


Exactly!  

Without an accurate time axis, the usage report is less than useless: it is misleading. (Some might say worse. Ask my daughter, she got blamed for too much frivolous internet use when we first noticed!)



3889 posts

Uber Geek
+1 received by user: 164


  Reply # 521971 16-Sep-2011 14:22

jnawk: I'd have suggested downloading the usage data, but of course, it is just a CSV version of the graph. You cannot drill down by IP address and protocol, which is the kind of data you need in order to make a complaint.


ClearNet did used to do this, but they stopped doing it because of the storage cost as I understand it.

Do you know how much storage space is involved to track NetFlow data?

jnawk: TC need to up their game in this regard. Also, I can accept that the usage meter may be 4 hours behind, but can't they timestamp their accounting records so that the data doesn't all show up in the hour that the records arrive at the server that processes the data?


It's not possible given the way they're tracking the usage.

ERX counters are polled by the Accounting system every period and the information stored in the RADIUS server as I understand it.

What goes wrong is that the accounting system stops polling the ERX.  The ERX counters keep counting the VLAN interface (which is why you can cause traffic on it even when the modem is turned off) but it's just an interface counter like you have in IPTables.  It doesn't have time stamping in the ERX.

This is one of the reasons they updated the platform to fix these sorts of problems.  However clearly the vendor hasn't got it right yet.

Anyway that's my understanding and I am happy to be corrected on technical details here.  I am not an ERX expert... I've never even seen a photo of one.






Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz
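
The two checks discussed in this thread (an hourly figure above what the line rate can physically carry, and a spike that is really a counter delta booked late after a polling gap) can be run over an hourly usage export. This is an added example, not code from any poster or from the ISP; the CSV column names and the sample rows are constructed, and MB is taken as decimal (10^6 bytes), which gives the 900 MB per hour figure quoted above for a 2 Mbit upstream.

```python
import csv
import io

# Constructed hourly export (timestamp, upload MB); not real ISP data.
SAMPLE_CSV = """hour,upload_mb
2011-09-15 00:00,120
2011-09-15 01:00,0
2011-09-15 02:00,0
2011-09-15 03:00,0
2011-09-15 04:00,1250
2011-09-15 05:00,300
2011-09-15 06:00,200
2011-09-15 07:00,1100
"""

def max_mb_per_hour(line_rate_mbit):
    """Most data (decimal MB) a link of this rate can carry in one hour."""
    return line_rate_mbit * 3600 / 8  # Mbit/s -> MB/s -> MB/hour

def parse_usage(text):
    """Return [(hour, mb), ...] from a two-column CSV with a header row."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["hour"], float(row["upload_mb"])) for row in reader]

def audit(rows, line_rate_mbit):
    """Flag hours above line rate; test whether a polling gap explains each."""
    cap = max_mb_per_hour(line_rate_mbit)
    findings = []
    for i, (hour, mb) in enumerate(rows):
        if mb <= cap:
            continue
        # Count the run of zero-usage hours immediately before the spike:
        # a stalled poller records nothing, then books the whole counter
        # delta against the hour in which polling resumes.
        gap = 0
        while i - gap - 1 >= 0 and rows[i - gap - 1][1] == 0:
            gap += 1
        spread = mb / (gap + 1)
        findings.append({
            "hour": hour,
            "reported_mb": mb,
            "cap_mb": cap,
            "gap_hours": gap,
            "avg_if_spread_mb": spread,
            "verdict": "delayed accounting plausible" if spread <= cap
                       else "exceeds line rate even if spread",
        })
    return findings

if __name__ == "__main__":
    for finding in audit(parse_usage(SAMPLE_CSV), line_rate_mbit=2):
        print(finding)
```

An hour flagged "exceeds line rate even if spread" is the kind of record worth quoting in a billing dispute, since no amount of delayed accounting explains it.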

