

7 posts

Wannabe Geek
+1 received by user: 1


Topic # 120906 18-Jun-2013 00:04

For my ADSL connection, I'm using the Orcon-provided NetComm NB-14. Single ethernet port, no wi-fi.

Out of curiosity, I decided to look up my current usage. Over the last couple of months, I've used about 50 GB. This is just within my 30 GB/month limit, so that's fine. The catch is that for all but a handful of those days, there hasn't been anything connected to the modem!

I'm in a long, drawn out, house move, so a couple of months ago I packed up all my computer stuff, and have just been directly plugging my laptop in to the modem on the odd few days I'm there. So there's been no wi-fi router, in fact not even anything with an ethernet port (besides the modem), running in the house. Being the lazy guy I am, I just left the modem turned on and plugged in to the phone jack with nothing connected to the ethernet port.

However, over those couple of months there's been about 40 GB of usage clocked up during days when there's been nothing plugged in to the modem. It's varied between 10 MB a day all the way up to 3.5 GB a day. There was a definite peak from the 10th of May until the end of May, where it was averaging a couple of gig a day. On a per-day basis, it's a very consistent download:upload ratio of somewhere between 4.7:1 and 5.0:1, averaging 4.82:1.

I've had a look through the web UI, and there's no port forwards or anything else set up. Also, I would expect a 1:1 ratio of downloads and uploads if someone had hacked my modem and set it to relay traffic. If it was bot-net-ized and pumping out spam I'd expect to see a lot more upload traffic than download traffic.

Has anyone seen anything like this? I've got the modem completely unplugged now as it was getting very close to blowing my data cap this month. From a forensics point of view, does anyone know how to pull the full firmware from the modem? It's currently running "NetComm_NZ(LEM_86)_A01_(21230_3112140)" according to the status page (matching the label on the bottom of the modem), so if I can get the full firmware off my modem and the original firmware I might be able to identify what's been done to it.
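The directionality argument in the post above (relay traffic should be near 1:1, spam or amplification should be upload-heavy, the observed ~4.8:1 is download-heavy) can be applied to any per-day usage export. This is an added example, not the poster's data or tooling; the daily figures are constructed to match the ratios described in the thread.

```python
from statistics import mean
from collections import Counter

# Constructed per-day usage in MB (download, upload), modelled on the
# idle-day pattern described in the thread: roughly 4.7:1 to 5.0:1.
DAILY_USAGE = {
    "2013-05-09": (412.0, 85.0),
    "2013-05-10": (2300.0, 480.0),
    "2013-05-11": (3500.0, 720.0),
    "2013-05-12": (1950.0, 400.0),
    "2013-05-13": (10.0, 2.1),
}


def ratio(down_mb, up_mb):
    """Download:upload ratio; None when nothing was uploaded (avoids ZeroDivisionError)."""
    if up_mb <= 0:
        return None
    return down_mb / up_mb


def classify(down_mb, up_mb):
    """Bucket a day's traffic by direction, matching the hypotheses raised in the thread.

    relay-like     : roughly 1:1, what forwarded/relayed traffic looks like
    upload-heavy   : far more out than in, as with DNS amplification or spam sending
    download-heavy : the device itself is fetching data
    """
    r = ratio(down_mb, up_mb)
    if r is None:
        return "download-only"
    if 0.8 <= r <= 1.25:
        return "relay-like"
    if r < 0.8:
        return "upload-heavy"
    return "download-heavy"


def summarise(usage):
    """Ratio statistics and direction buckets over a {date: (down, up)} mapping."""
    ratios = [r for r in (ratio(d, u) for d, u in usage.values()) if r is not None]
    buckets = Counter(classify(d, u) for d, u in usage.values())
    return {
        "total_down_gb": round(sum(d for d, _ in usage.values()) / 1024, 2),
        "total_up_gb": round(sum(u for _, u in usage.values()) / 1024, 2),
        "min_ratio": min(ratios) if ratios else None,
        "max_ratio": max(ratios) if ratios else None,
        "mean_ratio": mean(ratios) if ratios else None,
        "buckets": buckets,
    }


if __name__ == "__main__":
    print(summarise(DAILY_USAGE))
```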

BDFL - Memuneh
61319 posts

Uber Geek
+1 received by user: 12063

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 838452 18-Jun-2013 01:52

Perhaps the router configuration allows DNS to be accessed by outside the network and it is being used in DDoS attacks?

Make sure its firewall is on as well.




3409 posts

Uber Geek
+1 received by user: 404

Trusted

  Reply # 838466 18-Jun-2013 07:09

PM your public IP and we can run a port scan.





33 posts

Geek
+1 received by user: 4


  Reply # 838686 18-Jun-2013 13:28

freitasm: Perhaps the router configuration allows DNS to be accessed by outside the network and it is being used in DDoS attacks?

Make sure its firewall is on as well.


I have tried to look for the router's own firewall, but cannot find it.

8027 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 839922 19-Jun-2013 22:25
One person supports this post

Most likely it's exposing DNS on the WAN and botnets are using it in DNS amplification attacks; otherwise, less likely but possible, it could be compromised by malware too.

Most of the malware targeting consumer modems can't alter the "saved" config or firmware, only the "running" config, injecting their own scripts to run.

Use the hardware reset button and make sure it's running the latest firmware update from Netcomm.

1617 posts

Uber Geek
+1 received by user: 414


  Reply # 841729 22-Jun-2013 21:19

Most likely this is due to an accounts issue

I fix stuff!
1693 posts

Uber Geek
+1 received by user: 363

Trusted
Vocus
Subscriber

  Reply # 841739 22-Jun-2013 21:38

MadEngineer: Most likely this is due to an accounts issue


How do you figure that?

2016 posts

Uber Geek
+1 received by user: 165

Trusted

  Reply # 841889 23-Jun-2013 10:26

Had a similar issue about a year ago. Bad firewall rule meant I was getting lots of DNS traffic on my WAN port.




Generally known online as OpenMedia, now working for Red Hat New Zealand as a Solution Architect for all things Linux, Virtual and of course Cloud. Still playing with MythTV and digital media on the side.

19282 posts

Uber Geek
+1 received by user: 2600
Inactive user


  Reply # 841891 23-Jun-2013 10:39

MadEngineer: Most likely this is due to an accounts issue


Huh?



7 posts

Wannabe Geek
+1 received by user: 1


  Reply # 841902 23-Jun-2013 11:12

Quick update:
* Forgot to mention in the first post, but GRC ShieldsUp showed no reply from any of the first ~1K or common ports (might be listening on a higher one; didn't have time to do a full 64K scan). Flicking off the firewall changed this to RSTs, and poking a port shows up as expected.
* Not DNS amplification: as mentioned in the first post, it's receiving ~5x what it's sending. ThinkBroadband shows no resolver either.
* Firewall is enabled on the modem.
* I had the modem off for the past week (hence no earlier reply). After plugging it in again, it averaged 3 MB/hr downloads Thursday night/Friday morning, but absolutely nothing last night. I was using it later on Friday and most of Saturday, so can't say what it was doing there.

1617 posts

Uber Geek
+1 received by user: 414


  Reply # 841916 23-Jun-2013 12:25

johnr:
MadEngineer: Most likely this is due to an accounts issue


Huh?
A metering issue.

Edit: in light of there being two of these threads with the same router, I'm thinking otherwise. Still sounds like an accounting (usage) issue is exacerbating the problem.
