Curiosity

7 posts

Wannabe Geek


#120906 18-Jun-2013 00:04
Send private message

For my ADSL connection, I'm using the Orcon-provided NetComm NB-14. Single ethernet port, no wi-fi.

Out of curiosity, I decided to look up my current usage. Over the last couple of months, I've used about 50 GB. This is just within my 30 GB/month limit, so that's fine. The catch is that for all but a handful of those days, there hasn't been anything connected to the modem!

I'm in a long, drawn out, house move, so a couple of months ago I packed up all my computer stuff, and have just been directly plugging my laptop in to the modem on the odd few days I'm there. So there's been no wi-fi router, in fact not even anything with an ethernet port (besides the modem), running in the house. Being the lazy guy I am, I just left the modem turned on and plugged in to the phone jack with nothing connected to the ethernet port.

However, over those couple of months there's been about 40 GB of usage clocked up during days when there's been nothing plugged in to the modem. It's varied between 10 MB a day all the way up to 3.5 GB a day. There was a definite peak from the 10th of May until the end of May, where it was averaging a couple of gig a day. On a per-day basis, it's a very consistent download:upload ratio of somewhere between 4.7:1 and 5.0:1, averaging 4.82:1.

I've had a look through the web UI, and there's no port forwards or anything else set up. Also, I would expect a 1:1 ratio of downloads and uploads if someone had hacked my modem and set it to relay traffic. If it was bot-net-ized and pumping out spam I'd expect to see a lot more upload traffic than download traffic.

Has anyone seen anything like this? I've got the modem completely unplugged now as it was getting very close to blowing my data cap this month. From a forensics point of view, does anyone know how to pull the full firmware from the modem? It's currently running "NetComm_NZ(LEM_86)_A01_(21230_3112140)" according to the status page (matching the label on the bottom of the modem), so if I can get the full firmware off my modem and the original firmware I might be able to identify what's been done to it.
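The download:upload ratio argument in the post above (a relay should look roughly 1:1, a spam bot upload-heavy, while the observed ~4.8:1 is download-heavy) can be turned into a small triage script. The following is an added example, not code from the thread or from NetComm; the daily counters in it are constructed sample data, not the poster's real figures, and the 100 MB "unattended" threshold and the 0.8 to 1.25 band for "symmetric" are assumptions chosen for illustration.

```python
# Added example: classify per-day modem usage counters by the
# download:upload ratio heuristic from the post, and flag days with
# significant traffic while nothing was plugged into the LAN port.
from dataclasses import dataclass


@dataclass
class DayUsage:
    date: str
    down_mb: float
    up_mb: float
    device_connected: bool  # True if a laptop/router was on the LAN port that day


# CONSTRUCTED sample data (not the poster's real usage figures).
SAMPLE = [
    DayUsage("2013-05-09", 12.0, 2.5, False),
    DayUsage("2013-05-10", 2100.0, 435.0, False),    # ~4.8:1, like the thread
    DayUsage("2013-05-11", 3500.0, 720.0, False),
    DayUsage("2013-05-12", 1800.0, 1790.0, False),   # ~1:1, relay/proxy-like
    DayUsage("2013-05-13", 40.0, 900.0, False),      # upload-heavy
    DayUsage("2013-05-14", 4200.0, 850.0, True),     # owner actually using it
]


def ratio(d: DayUsage) -> float:
    """Download:upload ratio; infinite when nothing was uploaded."""
    return d.down_mb / d.up_mb if d.up_mb > 0 else float("inf")


def classify(d: DayUsage, unattended_threshold_mb: float = 100.0) -> str:
    """Label one day using the heuristics discussed in the thread.

    symmetric      -> bytes in ~= bytes out, what a traffic relay would show
    upload-heavy   -> outbound-dominated, e.g. spam sending or amplification replies
    download-heavy -> client-like fetching; unexplained if nothing was connected
    quiet          -> negligible traffic on an unattended day
    """
    if not d.device_connected and d.down_mb + d.up_mb < unattended_threshold_mb:
        return "quiet"
    r = ratio(d)
    if 0.8 <= r <= 1.25:          # assumed band for "about 1:1"
        return "symmetric"
    if r < 0.8:
        return "upload-heavy"
    return "download-heavy"


def flag_unattended(records, threshold_mb: float = 100.0):
    """Dates with at least threshold_mb of traffic while nothing was on the LAN side."""
    return [d.date for d in records
            if not d.device_connected and d.down_mb + d.up_mb >= threshold_mb]


def summarise(records):
    """Aggregate unattended-day totals and the overall unattended ratio."""
    unattended = [d for d in records if not d.device_connected]
    down = sum(d.down_mb for d in unattended)
    up = sum(d.up_mb for d in unattended)
    return {
        "unattended_down_mb": down,
        "unattended_up_mb": up,
        "unattended_ratio": down / up if up else float("inf"),
        "classes": {d.date: classify(d) for d in records},
    }


if __name__ == "__main__":
    for date, label in summarise(SAMPLE)["classes"].items():
        print(date, label)
    print("suspect unattended days:", flag_unattended(SAMPLE))
```

Feed it a real export of per-day counters from the ISP's usage page and the "download-heavy while unattended" days are the ones worth lining up against modem logs; a run of "symmetric" days would instead point at the relay scenario the poster ruled out.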

freitasm
BDFL - Memuneh
77087 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #838452 18-Jun-2013 01:52
Send private message

Perhaps the router configuration allows DNS to be accessed by outside the network and it is being used in DDoS attacks?

Make sure its firewall is on as well.




Zeon
3894 posts

Uber Geek

Trusted

  #838466 18-Jun-2013 07:09
Send private message

PM your public IP and we can run a port scan.




flygirlnz
33 posts

Geek


  #838686 18-Jun-2013 13:28
Send private message

freitasm: Perhaps the router configuration allows DNS to be accessed by outside the network and it is being used in DDoS attacks?

Make sure its firewall is on as well.


I have tried to look for the router's own firewall, but cannot find it. 



Ragnor
8091 posts

Uber Geek

Trusted

  #839922 19-Jun-2013 22:25
Send private message

Most likely it's exposing DNS on the WAN and botnets are using it in DNS amplification attacks; otherwise, less likely but possible, it could be compromised by malware too.

Most of the malware targeting consumer modems can't alter the "saved" config or firmware, only the "running" config, injecting their own scripts to run.

Use the hardware reset button and make sure it's running the latest firmware update from Netcomm.
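The "DNS exposed on the WAN" theory raised in the replies above can be checked directly: from a host outside your own network, send a recursive query for an arbitrary name to your router's public IP and see whether it answers. The script below is an added example, not code from the thread or from NetComm; it hand-builds the DNS wire format so it needs no third-party library. The verdict labels, the 3-second timeout and the use of `example.com` as the probe name are assumptions chosen for illustration.

```python
# Added example: open-resolver self-check for your own router's WAN address.
# A router whose WAN firewall is on should give "no-reply"; "refused" is also
# fine; "open-resolver" means it will answer recursive queries for anyone,
# which is exactly what amplification abuse relies on.
import random
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Standard DNS query: 12-byte header with RD=1, one question (A, IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_response(data: bytes, txid: int) -> dict:
    """Decode the header fields needed for a verdict; reject mismatched packets."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (not a reply to our query)")
    return {
        "is_response": bool(flags & 0x8000),       # QR bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": flags & 0x000F,
        "answers": an,
    }


def verdict(parsed: dict) -> str:
    """Map a decoded reply onto the outcome a defender cares about."""
    if not parsed["is_response"]:
        return "not-a-response"
    if parsed["rcode"] == 5:
        return "refused"            # listens, but declines recursion for outsiders
    if parsed["rcode"] == 0 and parsed["recursion_available"] and parsed["answers"] > 0:
        return "open-resolver"      # resolved an arbitrary name for a WAN-side client
    return "closed-or-partial"


def check(ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one UDP/53 probe to ip and return the verdict ("no-reply" on timeout)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"       # filtered or not listening: the expected result
    return verdict(parse_response(data, txid))


if __name__ == "__main__":
    import sys
    # Run from outside your LAN against your own public IP, e.g.:
    #   python3 open_resolver_check.py 203.0.113.10   (documentation address, placeholder)
    print(check(sys.argv[1]))
```

Note the asymmetry this exposes for the thread's question: an abused open resolver receives small queries and sends large answers, so its WAN counters would be upload-heavy, the opposite of the roughly 5:1 download-heavy pattern the original poster reported.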

MadEngineer
3680 posts

Uber Geek

Trusted

  #841729 22-Jun-2013 21:19
Send private message

Most likely this is due to an accounts issue




You're not on Atlantis anymore, Duncan Idaho.

Sounddude
I fix stuff!
1903 posts

Uber Geek

Trusted
2degrees
Lifetime subscriber

  #841739 22-Jun-2013 21:38
Send private message

MadEngineer: Most likely this is due to an accounts issue


How do you figure that?

freitasm
BDFL - Memuneh
77087 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #841772 22-Jun-2013 22:21
Send private message




openmedia
3071 posts

Uber Geek

Trusted

  #841889 23-Jun-2013 10:26
Send private message

Had a similar issue about a year ago. Bad firewall rule meant I was getting lots of DNS traffic on my WAN port.




Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.


johnr
19282 posts

Uber Geek
Inactive user


  #841891 23-Jun-2013 10:39
Send private message

MadEngineer: Most likely this is due to an accounts issue


Huh?

Curiosity

7 posts

Wannabe Geek


  #841902 23-Jun-2013 11:12
Send private message

Quick update:
* Forgot to mention in the first post, but GRC ShieldsUp showed no reply from any of the first ~1K or common ports (might be listening on a higher one - didn't have time to do a full 64K scan). Flicking off the firewall changed this to RSTs, and poking a port shows up as expected.
* Not DNS amplification - as mentioned in the first post, it's receiving ~5x what it's sending. ThinkBroadband shows no resolver also.
* Firewall is enabled on the modem.
* I had the modem off for the past week (hence no earlier reply). After plugging it in again, it averaged 3 MB/hr downloads Thursday night/Friday morning, but absolutely nothing last night. I was using it later on Friday and most of Saturday, so can't say what it was doing there.

MadEngineer
3680 posts

Uber Geek

Trusted

  #841916 23-Jun-2013 12:25
Send private message

johnr:
MadEngineer: Most likely this is due to an accounts issue

Huh?

A metering issue.

Edit: in light of there being two of these threads with the same router I'm thinking otherwise. Still sounds like an accounting (usage) issue is exacerbating the problem.




You're not on Atlantis anymore, Duncan Idaho.
