IDNetters Forums

Technical News & Discussion => IDNet Help => Topic started by: tfw7 on May 09, 2013, 20:26:18

Title: bandwidth notification - very high
Post by: tfw7 on May 09, 2013, 20:26:18
just got an email telling me I have downloaded 6.23Gb in 6 days, and when I check on the website it confirms this.
I am normally a VERY light user, and rarely get to 4Gb (my limit).
Some of the usage is off peak (so it makes 9Gb in total) when I NEVER am online and all connected devices are off.....

do I assume
1) my network has been hacked - have checked and all seems ok
2) the figures are wildly wrong somehow??
Title: Re: bandwidth notification - very high
Post by: Simon on May 09, 2013, 20:49:55
My suggestion would be to contact IDNet in the morning, and they can look at the bandwidth usage in more detail.
Title: Re: bandwidth notification - very high
Post by: Steve on May 09, 2013, 20:51:15
As Simon has said, you need to chat to support; it can occasionally be wrong. However, if you have WiFi I think it may be wise to change the password and check you've no unprotected guest network on by mistake. Any other household users who may unwittingly have left something running?
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 09, 2013, 20:56:36
will contact them for sure tomo.
Set up is Wifi network, one wired pc, one wireless connected pc (both off overnight) and 1 phone with occasional wifi use, again off overnight.
Will unplug router in a minute and then contact idnet after work tomo.

thanks for replies
Title: Re: bandwidth notification - very high
Post by: Simon on May 09, 2013, 20:59:28
Bear in mind IDNet support closes at 6pm on Fridays.  I doubt that the out of hours service would be able to help with this, as I don't believe they have access to customer accounts.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 09, 2013, 21:01:06
thanks, will try and get home by 5pm to ring them then!!
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 11, 2013, 15:21:02
well I contacted support yesterday and they could shed no light on it, but just suggested I changed my wifi password etc.
So I have done so, and I guess I will just wait and see, and monitor my usage carefully......
Title: Re: bandwidth notification - very high
Post by: Simon on May 11, 2013, 16:44:24
Odd.  I always thought they could give more details, such as when the biggest download(s) occurred.  :dunno:
Title: Re: bandwidth notification - very high
Post by: Steve on May 11, 2013, 16:47:22
Well the graphs have gone, however you can still see daily peak and off peak rates.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 11, 2013, 16:53:26
Quote from: Simon on May 11, 2013, 16:44:24
Odd.  I always thought they could give more details, such as when the biggest download(s) occurred.  :dunno:
yes, that would have been helpful - all they said was "look at the website to see your usage", which of course I had already done
Title: Re: bandwidth notification - very high
Post by: Steve on May 11, 2013, 17:27:33
If you feel you've a genuine case for an error in the data be persistent.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 11, 2013, 18:16:25
Quote from: Steve on May 11, 2013, 17:27:33
If you feel you've a genuine case for an error in the data be persistent.
well that's just it - I can't find a logical explanation - yes my wifi could have been hacked, but my security settings were safely in place - other than somehow the figures being wrong I cannot think of any other reason for what for me is very high usage, and at unusual times
Title: Re: bandwidth notification - very high
Post by: Steve on May 11, 2013, 18:25:59
Which Wifi encryption protocol are you using?
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 11, 2013, 18:41:38
it was WPA mode auto - have now changed it to WPA2, and only allowed the MAC addresses of the devices I use to have access
Title: Re: bandwidth notification - very high
Post by: Steve on May 11, 2013, 19:24:44
My personal opinion with WPA is that you've not been hijacked. Any video streaming possibilities, i.e. iPlayer or Sky box, you've missed?
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 11, 2013, 19:31:15
nope, use nothing like that at all. Setup is just 2 desktops only used for email, general surfing; don't download videos/stream etc., and they don't get left on when not in use (never in use in off peak hours), and 1 smartphone that again is not left connected to wifi.
Am on the starter package with a 4GB limit - I have only gone over this once in the last 6 months, and only 4 times ever in nearly 3 years with Idnet.
Title: Re: bandwidth notification - very high
Post by: Simon on May 11, 2013, 19:36:52
If you look at your bandwidth usage on the website, there is a tab where it gives a daily breakdown.  This may have been what Support were referring you to, and might just give you a clue as to whether it was a one off event, or whether it's an ongoing issue.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 11, 2013, 19:40:05
Quote from: Simon on May 11, 2013, 19:36:52
If you look at your bandwidth usage on the website, there is a tab where it gives a daily breakdown.  This may have been what Support were referring you to, and might just give you a clue as to whether it was a one off event, or whether it's an ongoing issue.
yes have looked at that - it is increased usage every day so far in May (or at least up to the 9th which is as far as it goes) rather than all in one go
Title: Re: bandwidth notification - very high
Post by: Glenn on May 11, 2013, 19:51:26
Are you able to turn off the wireless for 24hrs?
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 11, 2013, 19:56:35
I did from about 8pm Thurs 9th until 2pm today, the 11th, thinking I'd then see from the daily breakdown if it showed any usage for the 10th - but so far it is only showing up to the 9th so I can't tell yet
Title: Re: bandwidth notification - very high
Post by: Simon on May 11, 2013, 20:02:42
I wonder if something like TCPView, which shows active network connections, would be of any help to identify any open connections.  Also, what anti virus software are you using?  There's a current issue on the BitDefender forums about it holding onto connections after viewing videos, etc, thus eating bandwidth. 
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 11, 2013, 20:09:06
avira anti virus

earlier today I downloaded "who is on my wifi" and that has just shown up my own devices. Also configured router to only allow recognized MAC addresses (and changed password of course)

have just downloaded TCPview but I have to confess I don't really know what I am looking for...
Title: Re: bandwidth notification - very high
Post by: Simon on May 11, 2013, 20:21:30
I also have to confess, neither do I, but I guess there shouldn't be any unidentified connections when all browser windows are closed.  My thinking was that perhaps something might be constantly attempting to update?
Title: Re: bandwidth notification - very high
Post by: andrue on May 12, 2013, 07:55:32
You could set this up on your computers:

http://www.thinkbroadband.com/tbbmeter.html

Sadly there isn't a way to have it monitor at the router but it will tell you if your computers are downloading while they are running. What modem/router do you use? Some of them support something called SNMP (Simple Network Monitoring Protocol)

This software can use that:

http://www.paessler.com/bandwidth_monitoring
Title: Re: bandwidth notification - very high
Post by: mervl on May 12, 2013, 08:30:11
Again it only works at the individual PC level but I use Netlimiter (free full use for 7 days trial, which I think allows blocking of individual programs which might help to test the suspected rogue if you can identify it - but monitoring function still works with the limited functionality thereafter). It takes the bandwidth monitoring down to the individual programme level, as well as the aggregate for the device on which it's loaded. (v2 if still available may be easier to set up than the more complicated UI of v3 - but I've managed to set up both on different devices over the time I've been using it for a couple of years). My Android smartphone (using ics/JB) has the same function by default, I think.

(EDIT :slap: Sadly though the only rogue it's so far identified on my PC is me, and I don't think the software to control that is commercially available?)
Title: Re: bandwidth notification - very high
Post by: andrue on May 12, 2013, 10:02:17
Quote from: mervl on May 12, 2013, 08:30:11(EDIT :slap: Sadly though the only rogue it's so far identified on my PC is me, and I don't think the software to control that is commercially available?)
It's called a wife I think. I wouldn't know :D
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 12, 2013, 14:28:09

Quote from: andrue on May 12, 2013, 07:55:32
What modem/router do you use? Some of them support something called SNMP (Simple Network Monitoring Protocol)

This software can use that: http://www.paessler.com/bandwidth_monitoring

Dlink modem/router DSL-2740R. Manual says it does support SNMP so I will try out the software you mention

My usage yesterday (according to the networx thingy I installed) was 122MB received and 38.4MB sent. That was for having computer on for about 6 hours. I would say a download at the weekend of around 100-150MB would seem fairly typical for me based on my normal usage.
Title: Re: bandwidth notification - very high
Post by: Steve on May 12, 2013, 14:49:56
Not encouraging you to spend but I can monitor the traffic on any device connected Asus RT N66U - it's just a router no modem.
Title: Re: bandwidth notification - very high
Post by: SimonM_IDNet on May 13, 2013, 12:37:50
Hi,

Do you have the broadband phone number for the account so I can take a look? Please either Private message the number to me or send it via an email to support@idnet.com and put it regarding this post so I know.

Also we can tell how much bandwidth was used but not what for. So we can see say 2GB of download or 100MB of upload but we cannot tell what device downloaded it or what that download actually was. The reason for this would be that it's called snooping and is frowned upon and I do believe illegal for an ISP to do so. This does make it a bit tricky to figure out the type of issue you are experiencing.

As suggested earlier having bandwidth monitors on your PC/devices can help and of course checking what's logged onto your network is always a good measure. Also sometimes a lot of users who experience this when they call in usually use Youtube/Iplayer and have them set to quite a high quality by default (720p or higher). This does use a large amount of Bandwidth and so is always worth checking if possible.

Kind regards
Simon Mulliss
IDNet support
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 13, 2013, 16:34:36
thanks Simon - have PMed you.

I haven't used I-player or youtube in that time period; nor any large downloads - in fact I can't think of anything I have done differently that would explain the increase in usage.

Are you able to narrow down the time frame from peak/off peak to specific times? Is off peak still classed as midnight-9am? Whilst the off peak usage showing (I am on the home starter package) is not that huge for some at approx 3GB this month, I can't think that I have used any internet during those hours, and all devices are switched off then.

Title: Re: bandwidth notification - very high
Post by: SimonM_IDNet on May 13, 2013, 16:46:19
Hi,

Yes indeed offpeak is still Midnight to 9am. I took a look and have included some of the time stamps from the data usage to see if this was any usage you may have been aware of. Normally when you just have a router idling with nothing being downloaded I would expect to see 1MB or less Traffic per hour.

    - 2013-05-11 19:09:28:00 - Downloads: 23.75 MB : Uploads: 8.45 MB Rate: PEAK
    - 2013-05-11 20:07:36:00 - Downloads: 20.75 MB : Uploads: 7.23 MB Rate: PEAK
    - 2013-05-11 21:06:48:00 - Downloads: 50.06 MB : Uploads: 14.02 MB Rate: PEAK
    - 2013-05-11 22:08:42:00 - Downloads: 58.57 MB : Uploads: 18.23 MB Rate: PEAK
    - 2013-05-11 23:09:49:00 - Downloads: 21.01 MB : Uploads: 7.02 MB Rate: PEAK
    - 2013-05-12 00:08:03:00 - Downloads: 42.58 MB : Uploads: 14.07 MB Rate: OFF PEAK
    - 2013-05-12 01:07:04:00 - Downloads: 12.26 MB : Uploads: 4.09 MB Rate: OFF PEAK
    - 2013-05-12 02:07:15:00 - Downloads: 4.41 MB : Uploads: 1.22 MB Rate: OFF PEAK

If you have any major concerns I would advise disabling wireless and having a hardwired connection with just 1 PC and having a bandwidth monitor on the PC turned on. Then when the PC is not in use ensure it is turned off. Then simply reply on here with the times you did this test and I can check the logs as long as it was within the last 48hours. This might help shed some light on the matter.

Kind regards
Simon Mulliss
IDNet support
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 13, 2013, 16:51:29
thanks Simon
    - 2013-05-11 22:08:42:00 - Downloads: 58.57 MB : Uploads: 18.23 MB Rate: PEAK
    - 2013-05-11 23:09:49:00 - Downloads: 21.01 MB : Uploads: 7.02 MB Rate: PEAK
    - 2013-05-12 00:08:03:00 - Downloads: 42.58 MB : Uploads: 14.07 MB Rate: OFF PEAK
    - 2013-05-12 01:07:04:00 - Downloads: 12.26 MB : Uploads: 4.09 MB Rate: OFF PEAK
    - 2013-05-12 02:07:15:00 - Downloads: 4.41 MB : Uploads: 1.22 MB Rate: OFF PEAK

These ones are suspicious to me - all devices were definitely turned off and not connected to the internet at these times, although the wireless router was on.
Title: Re: bandwidth notification - very high
Post by: Steve on May 13, 2013, 17:00:27
Question to Simon: are the uploads appropriate for the download usage or is there some P2P running?
Title: Re: bandwidth notification - very high
Post by: SimonM_IDNet on May 13, 2013, 17:07:17
Hi,

Hard to say Steve, those could be genuine file uploads/data transfer or p2p but we unfortunately cannot find out what that data was for or aimed at. For example, saying a device was on the router at that particular time. It could easily have been doing some peer to peer traffic as upload is more commonly used for that. If you are say just streaming a video normally you see a small amount of upload and the download is rather large in comparison. But again we cannot verify what it was as we are unable to look into the data this much for snooping reasons.

Since the only culprit seems to be the wireless being on if I read that right then I would suggest doing what I said in my earlier post then letting me know the times of that test. At least then we can try and narrow down the possible culprit in all of this.

Kind regards
Simon Mulliss
IDNet support
Title: Re: bandwidth notification - very high
Post by: Simon on May 13, 2013, 17:45:50
I've just come across another network monitor:

http://www.softperfect.com/products/networx/

I have to stress, I have never used this software, but found the link on a security software vendor's forum.  It appears to be Freeware.  One of the features claimed is: "Includes network information & testing tools with advanced netstat that displays applications using your Internet connection." 

Could be worth a try?
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 13, 2013, 18:52:23
many thanks for all the suggestions guys

Have now disabled wireless from the router home page (and have just checked from my phone that I am not able to connect now wirelessly to my network). So the only device now connected to the router is this hard wired pc.

After I finish up here in a minute I will disconnect and turn off this computer.
There should then be no usage at all from say 7pm tonight until at least 6pm tomorrow night when I get home from work and turn the computer back on. It will be interesting to see what the logs at idnet's end then show.

Once again, thanks for all the help.
Title: Re: bandwidth notification - very high
Post by: Steve on May 13, 2013, 19:42:20
Unless you've got a router running some download software it will be zero.
Title: Re: bandwidth notification - very high
Post by: SimonM_IDNet on May 14, 2013, 09:49:10
Hi,

So I took a look at the usage and it's very strange. Considering it was just the router on from 7pm last night this does make for worrying reading. I did a port check on the exchange equipment and that's reporting in OK. I would suggest testing an alternate router at this point to rule out the router as the cause of any extra bandwidth usage. This would be very rare that it is the router but we need to ensure we've ruled it out. I would also suggest checking the router logs and see if it is receiving unusually large amounts of traffic.

- 2013-05-13 19:09:06:00 - Downloads: 7.21 MB : Uploads: 1.73 MB Rate: PEAK
- 2013-05-13 20:08:24:00 - Downloads: 35.37 MB : Uploads: 8.09 MB Rate: PEAK
- 2013-05-13 21:08:43:00 - Downloads: 74.35 MB : Uploads: 26.64 MB Rate: PEAK
- 2013-05-13 22:07:36:00 - Downloads: 102.78 MB : Uploads: 28.59 MB Rate: PEAK
- 2013-05-13 23:08:36:00 - Downloads: 114.3 MB : Uploads: 29.65 MB Rate: PEAK
- 2013-05-14 00:10:45:00 - Downloads: 70.5 MB : Uploads: 28.62 MB Rate: OFF PEAK
- 2013-05-14 01:09:48:00 - Downloads: 120.65 MB : Uploads: 29.13 MB Rate: OFF PEAK
- 2013-05-14 02:06:46:00 - Downloads: 87.91 MB : Uploads: 25.58 MB Rate: OFF PEAK
- 2013-05-14 03:06:53:00 - Downloads: 72.8 MB : Uploads: 25.46 MB Rate: OFF PEAK
- 2013-05-14 03:26:14:00 - Downloads: 34.05 MB : Uploads: 8.64 MB Rate: OFF PEAK
- 2013-05-14 04:36:49:00 - Downloads: 95.18 MB : Uploads: 27.63 MB Rate: OFF PEAK
- 2013-05-14 05:36:17:00 - Downloads: 71.17 MB : Uploads: 24.06 MB Rate: OFF PEAK
- 2013-05-14 06:35:31:00 - Downloads: 90.02 MB : Uploads: 25.98 MB Rate: OFF PEAK
- 2013-05-14 07:35:57:00 - Downloads: 30.16 MB : Uploads: 10.67 MB Rate: OFF PEAK
- 2013-05-14 08:37:03:00 - Downloads: 6.78 MB : Uploads: 2 MB Rate: OFF PEAK

Kind regards
Simon Mulliss
IDNet support
Title: Re: bandwidth notification - very high
Post by: nowster on May 14, 2013, 11:17:50
That level of traffic looks perfectly consistent with a port scan which the router is responding to with ICMP "host/port unknown" packets.

SimonM, I'd suggest the same remedy as you performed for my parents' problem.

Do iDNet not have the ability to sniff their own internal network? Something like netflow perhaps on your L2TPNS?
Title: Re: bandwidth notification - very high
Post by: SimonM_IDNet on May 14, 2013, 12:05:59
Hi,

We monitor traffic on the hosting side of the network; as for the ISP side, we do not snoop on our customers' traffic. Other ISPs do this mainly for traffic shaping (p2p throttling etc).

As for this issue I would strongly suggest checking the router logs for these time periods and see what the router is seeing on the network.

If you have any worries regarding the router being attacked I can change the IP address as a precaution, you may require a reconfigure of the router if you set it up to use a specific IP address to login with.

Kind regards
Simon Mulliss
IDNet support
Title: Re: bandwidth notification - very high
Post by: nowster on May 14, 2013, 12:36:32
Quote from: SimonM_IDNet on May 14, 2013, 12:05:59
We monitor traffic on the hosting side of the network; as for the ISP side, we do not snoop on our customers' traffic. Other ISPs do this mainly for traffic shaping (p2p throttling etc).

It could be useful to have this ability on the ISP side so that, with your customer's permission, you could see what was happening for diagnostics purposes. Doing it for any other purpose (and without permission) could, of course, put you in breach of RIPA.

EDIT: One thing you could try (which wouldn't need you to delve into the internal network) would be to ask the customer to switch off their modem, then get one of your own routers to use their login. Then (assuming your router allows you to do so -- you could use a DMZ setting) you can see what incoming traffic there is.
Title: Re: bandwidth notification - very high
Post by: Simon on May 14, 2013, 12:42:04
I think that's a whole new can of worms, isn't it?
Title: Re: bandwidth notification - very high
Post by: Steve on May 14, 2013, 12:43:51
A question, if this is the second case in a week (that we are aware of here) of a customer's connection being invaded unknowingly where does the responsibility lie? Customers who do not check their usage on a regular basis could potentially be left with an expensive bill at the end of the month, although the warning email should alert them to a potential problem.
Title: Re: bandwidth notification - very high
Post by: Simon on May 14, 2013, 12:48:56
Quote from: Steve on May 14, 2013, 12:43:51
A question, if this is the second case in a week (that we are aware of here) of a customer's connection being invaded unknowingly where does the responsibility lie? Customers who do not check their usage on a regular basis could potentially be left with an expensive bill at the end of the month, although the warning email should alert them to a potential problem.

I wondered that myself, Steve, but I also have a question, which is, would setting a router to 'Block Ping' help to prevent this sort of occurrence, if it is indeed, a connection 'invasion'?
Title: Re: bandwidth notification - very high
Post by: Steve on May 14, 2013, 12:57:37
Not necessarily Simon, a DDOS doesn't necessarily want a response from the attacked router. Hiding away may deter the casual hacker but anything else will find you, WAN ping blocked or not.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 14, 2013, 13:05:27
Quote from: SimonM_IDNet on May 14, 2013, 09:49:10
Hi,

So I took a look at the usage and it's very strange. Considering it was just the router on from 7pm last night this does make for worrying reading. I did a port check on the exchange equipment and that's reporting in OK. I would suggest testing an alternate router at this point to rule out the router as the cause of any extra bandwidth usage. This would be very rare that it is the router but we need to ensure we've ruled it out. I would also suggest checking the router logs and see if it is receiving unusually large amounts of traffic.

- 2013-05-13 19:09:06:00 - Downloads: 7.21 MB : Uploads: 1.73 MB Rate: PEAK
- 2013-05-13 20:08:24:00 - Downloads: 35.37 MB : Uploads: 8.09 MB Rate: PEAK
- 2013-05-13 21:08:43:00 - Downloads: 74.35 MB : Uploads: 26.64 MB Rate: PEAK
- 2013-05-13 22:07:36:00 - Downloads: 102.78 MB : Uploads: 28.59 MB Rate: PEAK
- 2013-05-13 23:08:36:00 - Downloads: 114.3 MB : Uploads: 29.65 MB Rate: PEAK
- 2013-05-14 00:10:45:00 - Downloads: 70.5 MB : Uploads: 28.62 MB Rate: OFF PEAK
- 2013-05-14 01:09:48:00 - Downloads: 120.65 MB : Uploads: 29.13 MB Rate: OFF PEAK
- 2013-05-14 02:06:46:00 - Downloads: 87.91 MB : Uploads: 25.58 MB Rate: OFF PEAK
- 2013-05-14 03:06:53:00 - Downloads: 72.8 MB : Uploads: 25.46 MB Rate: OFF PEAK
- 2013-05-14 03:26:14:00 - Downloads: 34.05 MB : Uploads: 8.64 MB Rate: OFF PEAK
- 2013-05-14 04:36:49:00 - Downloads: 95.18 MB : Uploads: 27.63 MB Rate: OFF PEAK
- 2013-05-14 05:36:17:00 - Downloads: 71.17 MB : Uploads: 24.06 MB Rate: OFF PEAK
- 2013-05-14 06:35:31:00 - Downloads: 90.02 MB : Uploads: 25.98 MB Rate: OFF PEAK
- 2013-05-14 07:35:57:00 - Downloads: 30.16 MB : Uploads: 10.67 MB Rate: OFF PEAK
- 2013-05-14 08:37:03:00 - Downloads: 6.78 MB : Uploads: 2 MB Rate: OFF PEAK

Kind regards
Simon Mulliss
IDNet support

Hi Simon -thanks for checking this. Wireless and all devices were switched off at 7pm last night and are still off now (I am at work at the moment) - so there is no usage being caused by me, nor anyone accessing my network. So like Steve said, usage should be zero (or close to it)
This is worrying indeed!
When I get home tonight I will see if I have a different router to use - don't think I do, but may have an old one lying around.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 14, 2013, 13:06:41
Quote from: nowster on May 14, 2013, 11:17:50
That level of traffic looks perfectly consistent with a port scan which the router is responding to with ICMP "host/port unknown" packets.

SimonM, I'd suggest the same remedy as you performed for my parents' problem.

Do iDNet not have the ability to sniff their own internal network? Something like netflow perhaps on your L2TPNS?
nowster - I did read your post about your parents' situation and think could mine be connected (but don't know much about DoS attacks, so wasn't sure)
Title: Re: bandwidth notification - very high
Post by: Steve on May 14, 2013, 13:08:52
I think the offer of an IP address change should solve the problem.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 14, 2013, 13:10:21
Quote from: SimonM_IDNet on May 14, 2013, 12:05:59
Hi,

We monitor traffic on the hosting side of the network; as for the ISP side, we do not snoop on our customers' traffic. Other ISPs do this mainly for traffic shaping (p2p throttling etc).

As for this issue I would strongly suggest checking the router logs for these time periods and see what the router is seeing on the network.

If you have any worries regarding the router being attacked I can change the IP address as a precaution, you may require a reconfigure of the router if you set it up to use a specific IP address to login with.

Kind regards
Simon Mulliss
IDNet support

Will check router logs tonight and see what they say.

Can't remember how I set up IP address - think I just went with whatever the default option was at the time. Changing this sounds a good strategy.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 14, 2013, 13:12:05
Quote from: Steve on May 14, 2013, 12:43:51
A question, if this is the second case in a week (that we are aware of here) of a customer's connection being invaded unknowingly where does the responsibility lie? Customers who do not check their usage on a regular basis could potentially be left with an expensive bill at the end of the month, although the warning email should alert them to a potential problem.
Indeed - thankfully the email alerted me early in the month - I think already I am on 10GB with a 4GB peak limit - so that's a £6 charge. But as the problem seems to be continuing, that charge is rising by the day.
But as I say, thank goodness the email alerted me!
Title: Re: bandwidth notification - very high
Post by: SimonM_IDNet on May 14, 2013, 13:21:29
Hi,

As Simon said earlier regarding sniffing/snooping it's a major can of worms and I think it is one for now we will avoid as we have no plans to do this on our customers' traffic.

tfw7, as a precaution I have changed your IP. Please reboot your router as if you left it on default connection settings it should dynamically get the IP from us anyway. I would advise to monitor the connection with wireless off still and we can check this again tomorrow and see if this makes a difference.

As for nowster's proposal regarding testing with our own test router on a separate IDNet test line, I certainly do not mind doing this and should other issues like this arise it can be something we can test as an alternative for our customers.

Kind regards
Simon Mulliss
IDNet support
Title: Re: bandwidth notification - very high
Post by: nowster on May 14, 2013, 14:09:18
Quote from: Simon on May 14, 2013, 12:42:04
I think that's a whole new can of worms, isn't it?
Of course, hence me mentioning the Regulation of Investigatory Powers Act...
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 14, 2013, 14:18:32
Quote from: SimonM_IDNet on May 14, 2013, 13:21:29
Hi,

As Simon said earlier regarding sniffing/snooping it's a major can of worms and I think it is one for now we will avoid as we have no plans to do this on our customers' traffic.

tfw7, as a precaution I have changed your IP. Please reboot your router as if you left it on default connection settings it should dynamically get the IP from us anyway. I would advise to monitor the connection with wireless off still and we can check this again tomorrow and see if this makes a difference.

As for nowster's proposal regarding testing with our own test router on a separate IDNet test line, I certainly do not mind doing this and should other issues like this arise it can be something we can test as an alternative for our customers.

Kind regards
Simon Mulliss
IDNet support

Thanks Simon - will reboot router tonight; keep wireless off; and check in with you tomorrow to see what the stats say. Hopefully that will do the trick!!
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 14, 2013, 19:18:38
ok have rebooted router; wireless is still off.
Will turn pc off again shortly, so there will be no usage from my side overnight again until tomo evening
Title: Re: bandwidth notification - very high
Post by: SimonM_IDNet on May 15, 2013, 09:52:44
Hi,

Looking a lot better today. Hopefully this has resolved the matter.

145835465    - 2013-05-14 21:49:27:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: PEAK
145842526    - 2013-05-14 22:49:26:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: PEAK
145849280    - 2013-05-14 23:48:03:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: PEAK
145855837    - 2013-05-15 00:46:46:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: OFF PEAK
145862694    - 2013-05-15 01:47:18:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: OFF PEAK
145869568    - 2013-05-15 02:49:22:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: OFF PEAK
145876367    - 2013-05-15 03:50:09:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: OFF PEAK
145883554    - 2013-05-15 04:50:41:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: OFF PEAK
145890146    - 2013-05-15 05:49:21:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: OFF PEAK
145896485    - 2013-05-15 06:47:09:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: OFF PEAK
145904249    - 2013-05-15 07:47:24:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: OFF PEAK
145911595    - 2013-05-15 08:49:12:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: OFF PEAK

Kind regards
Simon Mulliss
IDNet support
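
Added example (not part of the original thread and not IDNet's own tooling): a small Python check that parses usage lines in the format support posted in this thread and flags any interval, inside a period when every device was switched off, that exceeds the roughly 1 MB idle baseline support mentioned. The sample lines are copied from the thread; the window boundaries, names and the choice to add download and upload together are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Idle baseline quoted by support in the thread: about 1 MB or less per hour.
IDLE_BASELINE_MB = 1.0

# Matches e.g. "- 2013-05-13 19:09:06:00 - Downloads: 7.21 MB : Uploads: 1.73 MB Rate: PEAK"
# and the later variant that carries a leading numeric record id.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?::\d{2})?\s+-\s+"
    r"Downloads:\s*(?P<down>\d+(?:\.\d+)?)\s*MB\s*:\s*"
    r"Uploads:\s*(?P<up>\d+(?:\.\d+)?)\s*MB\s+"
    r"Rate:\s*(?P<rate>OFF PEAK|PEAK)"
)


@dataclass(frozen=True)
class Sample:
    ts: datetime
    down_mb: float
    up_mb: float
    rate: str


def parse_usage(text):
    """Return one Sample per recognisable usage line; other lines are skipped."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            samples.append(Sample(
                datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                float(m["down"]), float(m["up"]), m["rate"]))
    return samples


def flag_unattended(samples, start, end, baseline_mb=IDLE_BASELINE_MB):
    """Samples inside [start, end] whose total traffic exceeds the idle baseline.

    Each log line is treated as one reporting interval (roughly hourly in the
    thread), so the baseline is compared per line, not per exact hour.
    """
    return [s for s in samples
            if start <= s.ts <= end and s.down_mb + s.up_mb > baseline_mb]


def summarise(samples):
    """Totals per rate band plus the overall upload/download ratio.

    The ratio is only a hint, as in the thread: byte counters cannot say
    what the traffic was.
    """
    by_rate = {}
    for s in samples:
        band = by_rate.setdefault(s.rate, {"down_mb": 0.0, "up_mb": 0.0})
        band["down_mb"] += s.down_mb
        band["up_mb"] += s.up_mb
    down = sum(s.down_mb for s in samples)
    up = sum(s.up_mb for s in samples)
    return {
        "by_rate": by_rate,
        "down_mb": round(down, 2),
        "up_mb": round(up, 2),
        "up_down_ratio": round(up / down, 3) if down else None,
    }


# Lines copied from the thread (a subset), before and after the IP change.
BEFORE_IP_CHANGE = """\
- 2013-05-13 19:09:06:00 - Downloads: 7.21 MB : Uploads: 1.73 MB Rate: PEAK
- 2013-05-13 20:08:24:00 - Downloads: 35.37 MB : Uploads: 8.09 MB Rate: PEAK
- 2013-05-13 23:08:36:00 - Downloads: 114.3 MB : Uploads: 29.65 MB Rate: PEAK
- 2013-05-14 01:09:48:00 - Downloads: 120.65 MB : Uploads: 29.13 MB Rate: OFF PEAK
- 2013-05-14 08:37:03:00 - Downloads: 6.78 MB : Uploads: 2 MB Rate: OFF PEAK
"""
AFTER_IP_CHANGE = """\
145835465    - 2013-05-14 21:49:27:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: PEAK
145855837    - 2013-05-15 00:46:46:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: OFF PEAK
145911595    - 2013-05-15 08:49:12:00 - Downloads: 0.01 MB : Uploads: 0.01 MB Rate: OFF PEAK
"""

# Assumed "everything off" windows, based on the times given in the posts.
WINDOW_BEFORE = (datetime(2013, 5, 13, 19, 0), datetime(2013, 5, 14, 18, 0))
WINDOW_AFTER = (datetime(2013, 5, 14, 20, 0), datetime(2013, 5, 15, 9, 0))

if __name__ == "__main__":
    for label, text, window in (("before", BEFORE_IP_CHANGE, WINDOW_BEFORE),
                                ("after", AFTER_IP_CHANGE, WINDOW_AFTER)):
        samples = parse_usage(text)
        flagged = flag_unattended(samples, *window)
        print(label, summarise(samples), "flagged:", len(flagged))
```
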
Title: Re: bandwidth notification - very high
Post by: Steve on May 15, 2013, 10:08:48
 :thumb:
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 15, 2013, 10:20:23
yay!! thank goodness for that!
Many thanks to SimonM and everyone else for their help and support.

One question though - was it just some completely random, uncommon, unfortunate incident - or is there something I should/could be doing to prevent it happening again?
Title: Re: bandwidth notification - very high
Post by: nowster on May 15, 2013, 11:55:06
Quote from: tfw7 on May 15, 2013, 10:20:23
One question though - was it just some completely random, uncommon, unfortunate incident - or is there something I should/could be doing to prevent it happening again?

Random and unfortunate, yes. Uncommon, no. And there is absolutely nothing you can do from your end to stop it.
Title: Re: bandwidth notification - very high
Post by: Simon on May 15, 2013, 13:01:16
Curious perhaps, though, that I don't recall this being reported on here before (although, it might have been), yet we seem to have had two in one week.  Coincidence?
Title: Re: bandwidth notification - very high
Post by: Lance on May 15, 2013, 13:14:18
Probably. A targeted attack against the IDNet IP range would probably have resulted in more complaints on here.
Title: Re: bandwidth notification - very high
Post by: Steve on May 15, 2013, 13:51:41
Does anyone know if the warning regarding bandwidth utilisation works on the amount downloaded or on a predicted figure? If you have a high download allowance, i.e. 100Gb, it's going to take a few days before you get anywhere near whereas with only 4Gb you'll soon find out.
Title: Re: bandwidth notification - very high
Post by: andrue on May 15, 2013, 15:17:23
Quote from: Steve on May 15, 2013, 13:51:41
Does anyone know if the warning regarding bandwidth utilisation works on the amount downloaded or on a predicted figure? If you have a high download allowance, ie 100Gb, it's going to take a few days before you get anywhere near, whereas with only 4Gb you'll soon find out.
Also, Support told me the warning only goes out on certain dates. Something like the 7th, 14th, 21st and 28th I think.

I raised the issue myself several months ago because my FTTC connection can consume nearly 500MB a minute at full flow which means 50p a minute if you exceed your allowance  :eek4:
Title: Re: bandwidth notification - very high
Post by: Steve on May 15, 2013, 17:19:05
So theoretically if you go away for a week or so and leave your router on, suffer a persistent DDOS attack in the meantime. End result could be a very expensive bill. I do leave my router on whilst away as often people baby sit the house and dog, I don't check emails whilst abroad, perhaps I should think again.
Title: Re: bandwidth notification - very high
Post by: Simon on May 15, 2013, 17:42:04
On the Billion, you can set it to detect 'Intrusions'.  Would that offer any protection?  :dunno:
Title: Re: bandwidth notification - very high
Post by: talos on May 15, 2013, 18:03:10
https://www.grc.com/x/ne.dll?bh0bkyd2

Don't know if this may be of any use, it's supposed to sniff out vulnerabilities.
Title: Re: bandwidth notification - very high
Post by: Steve on May 15, 2013, 18:23:03
Quote from: Simon on May 15, 2013, 17:42:04
On the Billion, you can set it to detect 'Intrusions'.  Would that offer any protection?  :dunno:

Don't think so as it doesn't stop them coming down the line, it tells you what's happening but the only sure way is to turn the router off or change the IP address.
Title: Re: bandwidth notification - very high
Post by: Steve on May 15, 2013, 18:25:41
Quote from: talos on May 15, 2013, 18:03:10
https://www.grc.com/x/ne.dll?bh0bkyd2

Don't know if this may be of any use, it's supposed to sniff out vulnerabilities.

Yes it's useful Bob as a security check of your network's exposure to the WAN but it still doesn't stop the b*stards looking at or flooding the connection, which is what has happened here.
Title: Re: bandwidth notification - very high
Post by: Simon on May 15, 2013, 19:17:21
It is slightly worrying that there seems to be no way to prevent this from happening.  :-\
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 15, 2013, 19:24:20
Quote from: Steve on May 15, 2013, 13:51:41
Does anyone know if the warning regarding bandwidth utilisation works on the amount downloaded or on a predicted figure? If you have a high download allowance, ie 100Gb, it's going to take a few days before you get anywhere near, whereas with only 4Gb you'll soon find out.

predicted figure I think - because my peak limit is really low at 4GB, if I do happen to download a few things in the first week of the month I often get a warning, but then by the end of the month find I haven't exceeded my limit at all.

Not sure if they go out on set dates, but tracking back through a few I've had (yes I keep all the emails!) they seem to come a week apart - ie you only get a 2nd one 7 days after the first one.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 15, 2013, 19:24:47
Quote from: Simon on May 15, 2013, 19:17:21
It is slightly worrying that there seems to be no way to prevent this from happening.  :-\

indeed
Title: Re: bandwidth notification - very high
Post by: mervl on May 15, 2013, 19:54:54
I suppose I've always realised this danger of static IPs, but if I get it right IDNet charge on data which passes through their servers to the IP address, so it's irrelevant whether the data flood gets into your local network or not (i.e. is blocked by the router). Is the only way round this to disconnect the router or PC in the case of a direct connection, so there's no synchronisation with IDNet's server and no data flow beyond IDNet's server for them to measure (or are you stuffed as the data is still moving through their network), whilst you get them to change your IP address? The router and PC will often if secured show nothing amiss, only the IDNet reporting 24 hours or more later. The only thing I'm unsure about is if your router is set to block all port scans from the internet, why would an attacker mount an attack if "nothing's ever there", the same as an unused address? With a dynamic address you can reboot after a suitable delay to ensure you get a new IP address.

Does using one of the free VPNs for all traffic help - prevents sniffing of traffic I suppose to identify an active address, but the unlikelihood of an attack has to be balanced with the loss of some entertainment/financial and business services which also need to identify your IP address for location purposes. (As far as I can tell they can detect VPN software is installed even if it's not running?).

Why can't the website and hence the connected widget, show real time or hourly updates, though if these are available to IDNet as seems to be the case?
Title: Re: bandwidth notification - very high
Post by: nowster on May 15, 2013, 23:48:54
Quote from: mervl on May 15, 2013, 19:54:54
Why can't the website and hence the connected widget, show real time or hourly updates, though if these are available to IDNet as seems to be the case?
ADSL is conveyed over the backhaul to/from the DSLAM (exchange equipment) as PPP encapsulated in L2TP. (21CN and LLU may work differently. I've not been in the business for getting on for 4 years now.) The cost for bandwidth is for the backhaul from DSLAM to LNS (originally called a Home Gateway) at the ISP. If there's no PPP session (ie. the modem is off) the traffic is dropped at the LNS and doesn't travel over the backhaul, so is not chargeable.

The traffic will still be reaching the ISP over their links to other ISPs (upstreams and peers), but that cost is at least two orders of magnitude less than that of backhauling between the customer's exchange and their own network.

Periodically, the LNS reports the traffic associated with an individual PPP link, using a RADIUS accounting report. It depends on how often it reports as to how often the ISP can update their billing database. Depending on how the ISP is structured, they may or may not have direct control of parts of this infrastructure.
Title: Re: bandwidth notification - very high
Post by: Going_Digital on May 16, 2013, 20:37:50
This happened to me as well and has pushed me way over the limit and at IDNet's exorbitant data rates of £1 per Gigabyte I'm facing extra charges :eek4:. Despite having been an EXTREMELY light user on average less than 1.5GB of my 15GB allowance every month for the last 2 years IDNet insist on making the charge even though I could do nothing to stop the flood being aimed at me. I have decided to ask for a MAC and switch to Plusnet so I don't get hit with unexpected charges. There is no way that it costs anywhere near £1 per GB in bandwidth charges, you would have thought in a case like this that there would be some leeway but seems IDNet would rather get a one off fee and lose a customer.
Title: Re: bandwidth notification - very high
Post by: Simon on May 16, 2013, 21:27:54
Actually, IDNet's additional bandwidth charges are fairly competitive, when compared with like for like ISPs.  Zen, for example, charge £1.52 per Gb for an 'overdraft'.   I do see your point, though.  It doesn't seem fair that a customer should have to foot the bill for something out of their control, but I guess it's not IDNet's fault either, so it's a bit of a catch 22. 
Title: Re: bandwidth notification - very high
Post by: Steve on May 16, 2013, 22:42:55
It is the customer's responsibility ultimately to keep an eye on their usage. Perhaps in light of recent events we should all be more vigilant.
Title: Re: bandwidth notification - very high
Post by: nowster on May 17, 2013, 07:30:24
If you have a 20Mbps connection for instance, a particularly nasty attack could eat up 7GB per hour. Go away for a bank holiday weekend whilst it's happening and that's 500 GB gone.

(2 × 60 × 60 × 24 × 3) ÷ 1024 = 506.25
Title: Re: bandwidth notification - very high
Post by: psp83 on May 17, 2013, 08:31:29
So if you have an 80 Mbps or FTTP 300 Mbps connection, you're screwed  :eek4:
Title: Re: bandwidth notification - very high
Post by: mervl on May 17, 2013, 09:24:16
Is it so impossible for IDNet to offer a dynamic IP option? Anyone concerned could then say turn their router off say when not in use, say overnight, to force an IP change and limit the potential "damage". Those that need static IPs - who I suggest are usually more knowledgeable users - can decide whether to take, and may be better placed to manage, the risks.

Traditionally I've "kept" my maximum use to below 50% of my allowance to allow for this sort of risk - which is not an option for those on the basic packages.
Title: Re: bandwidth notification - very high
Post by: andrue on May 17, 2013, 09:25:06
Quote from: psp83 on May 17, 2013, 08:31:29
So if you have an 80 Mbps or FTTP 300 Mbps connection, you're screwed  :eek4:
Yup. If I didn't notice a full-on DOS attack it'd cost over £360 a month.  :eek4:

To be honest I doubt that's likely. a) I'd notice it and b) I think it unlikely as it would require some serious kit or that I be the target of a bot farm. Technically quite possible but not likely.

I think it would be good if IDNet offered the option of throttling or even disconnecting a connection if it goes beyond a certain level. Not as an alternative to the current system but as a further stage. A credit limit so there was only a certain amount you could exceed your allowance by.
Title: Re: bandwidth notification - very high
Post by: Lance on May 17, 2013, 10:33:23
Even with a dynamic IP address the risk still exists. It just makes it easier to resolve.
Title: Re: bandwidth notification - very high
Post by: Going_Digital on May 17, 2013, 10:44:16
In my case it started on the 10th and took 5 days to notice and in that time it had used 20GB  :(

I don't think people are going to check their bandwidth usage every day, and yes I appreciate it isn't IDNet's fault as much as it isn't mine. But at the end of the day it makes it an unacceptable risk as it means that if it happens two or 3 times a year my broadband could end up costing me a small fortune. I doubt very much that it costs anywhere near £1 per GB to provide the bandwidth so IDNet are getting an unexpected windfall from their customers when their customers are targeted. If it does cost £1 per GB then IDNet have done very well out of me over the last 2 years having used on average only £1.50 worth of bandwidth, they have been £13.50 up every month. I just expected some understanding from them and perhaps offer to average the usage over a couple of months considering my extremely light use.

I just can't afford the risk or the inconvenience of having to check usage every day, and now you can get unlimited packages cheaply from a number of providers it seems to make sense to take one of those options for a stress free life. The problem for IDnet is that the more people that get hit with unexpected charges the more are going to do the same. Not because they particularly dislike IDNet but purely for peace of mind.
Title: Re: bandwidth notification - very high
Post by: nowster on May 17, 2013, 10:54:17
I'm sure if iDNet could get a more favourable wholesale contract, they would.
Title: Re: bandwidth notification - very high
Post by: SimonM_IDNet on May 17, 2013, 11:54:13
Hi,

In any case such as this, the best advice we can give would be if you suspect that you are being attacked etc would be to turn off the router and call us directly. We can then issue out a new IP address to resolve the issue. Being on a static IP does make this slightly more difficult to resolve than being on dynamic as you need us to change the IP manually.

As stated by earlier posters all usage is chargeable should it go over the limit. Unfortunate as this is we will strive to ensure we resolve the issue and give our customers the best advice we can.  Due to the nature of these issues, since they come from off our network the only thing to do is report the offending IP to their own host to investigate. We do of course send out emails to alert customers to unusually high usage so at least we can try and nip these sort of things in the bud.

Kind regards
Simon Mulliss
IDNet support

Title: Re: bandwidth notification - very high
Post by: andrue on May 17, 2013, 11:58:53
Quote from: Going_Digital on May 17, 2013, 10:44:16
IDNet have done very well out of me over the last 2 years having used on average only £1.50 worth of bandwidth, they have been £13.50 up every month.
Yup, that's right. Light users typically help to subsidise heavy users. That's what makes flat rate pricing viable and is why 'heavy users' should be frowned upon. Unfortunately the only alternative is metered usage and no-one wants that back. So what ISPs do is set things up to be profitable but in a typical billing period only the very heaviest users of a package are getting best value.

The reason it looks so expensive is because you have moved outside of your package and that means you are seeing the full price without that subsidy from light users. On the plus side (little consolation) it means that this month you've had the best value from your subscription than you've ever had before. You are probably one of the 'elite' group of IDNet customers that the rest of mugs have been helping to pay for. Up to a point  ;)

If all this sounds 'wrong' then consider that it's pretty much the way every aspect of human society works. There's always someone at the top gaining benefit from those at the bottom. This is just another form of the way things have been for thousands of years. Deal with it  :laugh:
Title: Re: bandwidth notification - very high
Post by: Going_Digital on May 17, 2013, 12:19:03
Oh well just waiting for my MAC now, so I won't have to worry about it any more.
Title: Re: bandwidth notification - very high
Post by: mervl on May 17, 2013, 14:35:19
Andrue, I don't think it's as bad as you make out. Subscriptions include both OpenReach's charge for the use of the local loop (£10pm or so) which aren't bandwidth-related, and IDNet's network costs (capital + maintenance as well as support), in addition to the use-based network charges.

As others have pointed out every ISP has this problem, and you just have to make a judgement on the IDNet "tight" caps, against their QoS benefits - though I think the latter are unnecessary for "average" domestic connections. (The rest of the world have improved, for those of us that recall how bad some of them were - the past tense is the important point here). If your business is skint though then you may have other problems too.

As you say the TBBQM monitoring latency, combined with the IDNet specific use widget linking (though the data is one day in arrear) to IDNet's download bandwidth recording (which goes red if your allowance is likely to be exceeded, by proportioning your use) are good monitoring tools. When I (deliberately) ranked up my usage over a couple of days earlier this month the IDNet e-mail was fairly prompt in letting me know (what I already know though) within 2 working days of starting.
Title: Re: bandwidth notification - very high
Post by: Going_Digital on May 17, 2013, 16:03:49
This was my secondary FTTC line anyway, as my main connection with another provider is an unlimited package @ £20 a month has not gone down at all since it was installed. I decided rather than get stuck with a contract with another provider I'd just cancel it and wait a couple of months until someone offers FTTP On Demand.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 19, 2013, 09:36:28
Ok so here is the bad news... I seem to have been hit again. I had my suspicions yesterday, so unplugged the router last night as a precaution. On checking my usage on the idnet website this morning, it shows 1.1GB off peak usage for the 18th when again I know no devices were on.
So for this to happen to me twice in such a short time am I exceedingly unlucky, or are idnet's IP addresses being targeted somehow??
Help!!
Title: Re: bandwidth notification - very high
Post by: Simon on May 19, 2013, 11:45:23
I guess it's possible that an IP range could be being targeted, but I don't know. The only thing I can suggest is that you disconnect your router again and call IDNet first thing in the morning.
Title: Re: bandwidth notification - very high
Post by: psp83 on May 19, 2013, 12:55:33
Just a thought and I've not read the whole thread so I'm sorry if this has been asked.

Have you done a malware/virus scan? Just saying this as it could be broadcasting your IP somewhere and if it is and not removed then it doesn't matter how many IPs you get given it will keep happening.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 19, 2013, 13:02:40
Yes have done virus and malware scans - last ones I did were last night. Router is off, and have now had to resort to using phone to post here. Not a happy bunny  >:(
Title: Re: bandwidth notification - very high
Post by: andrue on May 19, 2013, 15:57:29
Quote from: tfw7 on May 19, 2013, 13:02:40
Yes have done virus and malware scans - last ones I did were last night. Router is off, and have now had to resort to using phone to post here. Not a happy bunny  >:(
I think I'd second psp83's comments. It's very unusual and for it to happen twice seems like too much of a coincidence. I have a static IP address and run a mail server. It gets continuous spam (never reaches my inbox though :) ) and goes through periods where someone tries to log in to it for a week or so. So I'm living life with my head 'above the parapet' but have never had any kind of DOS related issue.

Unless of course having a mail server on my address means there's more value in them taking it over rather than squashing it   :hide2:
Title: Re: bandwidth notification - very high
Post by: Gary on May 19, 2013, 18:42:23
Quote from: tfw7 on May 19, 2013, 09:36:28
Ok so here is the bad news... I seem to have been hit again. I had my suspicions yesterday, so unplugged the router last night as a precaution. On checking my usage on the idnet website this morning, it shows 1.1GB off peak usage for the 18th when again I know no devices were on.
So for this to happen to me twice in such a short time am I exceedingly unlucky, or are idnet's IP addresses being targeted somehow??
Help!!
Sorry not read the entire thread, have you tried to do a factory reset of your router then reflash its firmware? If so then put whatever DNS you are using in manually. I mention this after reading that 13 routers being tested have critical vulnerabilities which might mean more have although this is probably not the case, but it does no harm to reflash and enter the settings back in by hand not from a restore. http://news.softpedia.com/news/Critical-Vulnerabilities-Found-in-13-SOHO-Routers-Many-Can-Be-Exploited-Remotely-346536.shtml

Also there seems to be a backdoor into some tp-link routers as well. Once again I'm sure the chances are rare but I guess it's worth noting.  http://tech.slashdot.org/story/13/03/15/1234217/backdoor-found-in-tp-link-routers
Title: Re: bandwidth notification - very high
Post by: Gary on May 19, 2013, 20:05:02
Might be also a good idea to try a different AV use a 30 day test of one, like Bitdefender, or Kaspersky  as its possible that your AV could be missing something, also maybe use Malwarebytes I'm sure people will have other suggestions. If you can monitor outward and inbound connections and see if anything unusual is showing up with a software firewall that would help too.
Title: Re: bandwidth notification - very high
Post by: Going_Digital on May 19, 2013, 21:51:01
In my case I am 100% sure no malware as I had one linux firewall machine connected direct to the openreach modem as it was a backup connection it was largely unused but lots of requests being sent to it caused the huge spike in data use. It would seem IDNet customers are being targeted by someone as there is another thread on here about it as well. For me the solution was to unplug the modem and order a cancellation for the service but not everyone is going to have that luxury.
Title: Re: bandwidth notification - very high
Post by: Gary on May 19, 2013, 22:42:22
Quote from: Going_Digital on May 19, 2013, 21:51:01
In my case I am 100% sure no malware as I had one linux firewall machine connected direct to the openreach modem as it was a backup connection it was largely unused but lots of requests being sent to it caused the huge spike in data use. It would seem IDNet customers are being targeted by someone as there is another thread on here about it as well. For me the solution was to unplug the modem and order a cancellation for the service but not everyone is going to have that luxury.
The other user said he had similar but tbh it could have been many things as I'm not aware he trouble shooter like you. I hope if IDNet was being targeted we would see more posts about it. Time will tell though. Personally I have had no issues but that does not mean it could not start.  :-\ I can't see the point in attacking idnet tbh it's not like they are a big target for this kind of thing really is it. Nothing to gain really compared with other targets. Although anything's possible. Maybe idnet should be taking a look into this.
Title: Re: bandwidth notification - very high
Post by: Going_Digital on May 19, 2013, 23:59:36
I doubt IDNet is being targeted specifically, more likely that it is a random attack and we have just been fortunate that IDNet IPs have not seen any significant volume of attempts before now. The bulk of the traffic I saw was trying to exploit a problem with apache causing it to stop responding, so general net vandalism really.

I guess it could be only IP addresses that have been scanned and found something to respond that have been subsequently targeted.
Title: Re: bandwidth notification - very high
Post by: psp83 on May 20, 2013, 01:02:44
Just a thought, maybe when you were given a new IP address, it belonged to someone else before that was having the same issue? There's not many IPv4 addresses so it's likely someone had your IP before.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 20, 2013, 11:36:34
thanks for all the advice above.
I have nothing unusual on my set up at all - it's just a very basic home network. Not running any web servers or anything.
I have done AV and malware (Malwarebytes) scans, and the only things that showed up were connected to things I installed after posting first on here - the PRTG thingy in particular.
My router (basic DLink DSL 2740R) doesn't seem to keep a log of anything meaningful at all unfortunately.
I have an old router (and a very old modem) that I think still work, so I shall change my existing router tonight and reconnect to the internet with the same (second) IP address to see if that does the trick.
Title: Re: bandwidth notification - very high
Post by: Technical Ben on May 20, 2013, 16:45:23
I always thought silencing the ports and ignoring requests at the router helped this. But in all honesty, if someone (even accidentally) targets a connection, there is little to be done except changing phone numbers/IPs (phone numbers for calling nuisances, like wrong fax number adverts!  :laugh: ).
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 20, 2013, 18:28:21

Quote from: psp83 on May 20, 2013, 01:02:44
Just a thought, maybe when you were given a new IP address, it belonged to someone else before that was having the same issue? There's not many IPv4 addresses so it's likely someone had your IP before.
I hope not!!
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 21, 2013, 13:02:49
well I connected a different router last night to see if that made a difference - hopefully Simon can produce my hourly stats so I can see if there was traffic when the router was on but the pc was off
Title: Re: bandwidth notification - very high
Post by: cavillas on May 21, 2013, 15:18:22
Have you thought about using OpenDns servers, you might then be able to block lots of attacks.
Title: Re: bandwidth notification - very high
Post by: nowster on May 21, 2013, 15:31:03
Quote from: cavillas on May 21, 2013, 15:18:22
Have you thought about using OpenDns servers, you might then be able to block lots of attacks.
Can you explain how you think that will help?
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 21, 2013, 16:02:26
Ok so last night I had the computer on between about 6.30pm and 8.30 when I was changing between routers - I connected the new router at about 7.25pm, and turned the computer off at about 8.30, but left the new router on until unplugging it at about 9:35.

Here are the logs Simon gave me from yesterday
2013-05-20 19:21:16:00 - Downloads: 33.32 MB : Uploads: 8.16 MB Rate: PEAK
2013-05-20 19:38:23:00 - Downloads: 0.07 MB : Uploads: 0 MB Rate: PEAK
2013-05-20 19:40:10:00 - Downloads: 5.07 MB : Uploads: 0.09 MB Rate: PEAK
2013-05-20 20:42:59:00 - Downloads: 17.59 MB : Uploads: 1.78 MB Rate: PEAK
2013-05-20 21:31:53:00 - Downloads: 1.21 MB : Uploads: 0.01 MB Rate: PEAK

I make that a total of 57MB downloaded which I guess isn't much, but the networx monitor I have installed only showed 38MB by 8.30 when I turned the pc off - so that is a discrepancy still of nearly 20MB.

Unfortunately neither router seems to keep meaningful logs. I did also run wireshark captures a few times (recommended by someone), but am not really sure I understand the results (as you may have noticed I am kinda getting out of my depth here......)

Will also run alternative AV scan tonight as well
Title: Re: bandwidth notification - very high
Post by: nowster on May 21, 2013, 17:42:20
Wireshark captures are probably only going to be helpful if you put your router into DMZ mode with the "unrecognised" traffic being sent to the IP of the computer running Wireshark.
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 22, 2013, 15:03:58
thanks SimonM for these stats from yesterday
2013-05-21 19:53:26:00 - Downloads: 0.24 MB : Uploads: 0.01 MB Rate: PEAK
2013-05-21 20:08:08:00 - Downloads: 0.25 MB : Uploads: 0 MB Rate: PEAK

I had the replacement router on (but no computers) from about 6.50 to 8.10 - so this is looking much much better.
I will try a bigger scale test tonight to see if it is still looking good.

Long term though I can't carry on using this replacement router as it is old, gets very hot, the LAN ports are dodgy and I'm not sure the wireless works properly!, so will have to try the proper router again at some point.

I think it was Gary who recommended doing a factory reset of the router and flashing the firmware, so I will need to look into doing that.
Title: Re: bandwidth notification - very high
Post by: Gary on May 22, 2013, 15:30:45
Quote from: tfw7 on May 22, 2013, 15:03:58

I think it was Gary who recommended doing a factory reset of the router and flashing the firmware, so I will need to look into doing that.

I can't remember what router you are using, but normally a reflash and reset is quite easy, some people recommend doing a 30-30-30 reset. If you look that up for your particular router you will see what's needed, or not as the case may be. Reflashing does not take long and a hard reset after makes sure the router is reset with the new firmware properly. Adding your settings back in manually assures no carry over of issues from previous backups.  :fingers: All will be ok after you have done that.
Title: Re: bandwidth notification - very high
Post by: nowster on May 22, 2013, 23:18:13
Now there's a thought: could the firmware of the original router have been hacked? (It does happen.)
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 23, 2013, 11:44:16
Quote from: nowster on May 22, 2013, 23:18:13
Now there's a thought: could the firmware of the original router have been hacked? (It does happen.)

well that is now the direction I am heading in - since I changed routers there has been no large unexplained traffic at all - hopefully this will continue!

my logs for last night for instance were:
2013-05-21 19:53:26:00 - Downloads: 0.24 MB : Uploads: 0.01 MB Rate: PEAK
2013-05-21 20:08:08:00 - Downloads: 0.25 MB : Uploads: 0 MB Rate: PEAK
2013-05-22 20:10:45:00 - Downloads: 7.31 MB : Uploads: 0.28 MB Rate: PEAK
2013-05-22 21:13:39:00 - Downloads: 0.52 MB : Uploads: 0.06 MB Rate: PEAK
2013-05-22 22:11:29:00 - Downloads: 0.32 MB : Uploads: 0.02 MB Rate: PEAK
2013-05-22 23:11:13:00 - Downloads: 0.42 MB : Uploads: 0.01 MB Rate: PEAK
2013-05-23 00:12:18:00 - Downloads: 0.44 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 01:10:05:00 - Downloads: 0.37 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 02:11:07:00 - Downloads: 0.51 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 03:11:21:00 - Downloads: 0.1 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 04:13:08:00 - Downloads: 0.03 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 05:10:44:00 - Downloads: 0.04 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 05:33:37:00 - Downloads: 0.01 MB : Uploads: 0 MB Rate: OFF PEAK


The computer was on running AV scans from about 6.30pm; router was connected to internet at about 7pm; computer turned off about 10pm; router turned off at 5.30am this morning.
So I am presuming all the "0." ones are okay ( I think SimonM said earlier that a router idling with computers off would generate less than 1MB per hour traffic)

So that does seem to suggest that the router I was using was causing the problem.
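Added example, not part of any post in this thread: a small parser for the usage lines in the format IDNet support supplied, which totals PEAK/OFF PEAK traffic and flags reporting intervals that exceed an idle baseline while no computers were on. It assumes each line reports traffic since the previous line, takes the "less than 1MB per hour" idle figure from the post above, and uses a constructed `BAD_ROUTER_LOG` sized to the roughly 100 MB down / 30 MB up over three hours reported for the original router later in the thread.

```python
import re
from collections import namedtuple
from datetime import datetime

Record = namedtuple("Record", "ts down_mb up_mb rate")

# Layout as posted in the thread. The leading record id is optional and the
# trailing ":00" after the seconds field is ignored.
LINE_RE = re.compile(
    r"^(?:\d+\s+-\s+)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?::\d{2})?"
    r"\s+-\s+Downloads:\s*(?P<down>[\d.]+)\s*MB"
    r"\s*:\s*Uploads:\s*(?P<up>[\d.]+)\s*MB"
    r"\s+Rate:\s*(?P<rate>OFF PEAK|PEAK)\s*$"
)

# Lines copied from the post above (replacement router, 21-23 May).
GOOD_ROUTER_LOG = """
2013-05-21 19:53:26:00 - Downloads: 0.24 MB : Uploads: 0.01 MB Rate: PEAK
2013-05-21 20:08:08:00 - Downloads: 0.25 MB : Uploads: 0 MB Rate: PEAK
2013-05-22 20:10:45:00 - Downloads: 7.31 MB : Uploads: 0.28 MB Rate: PEAK
2013-05-22 21:13:39:00 - Downloads: 0.52 MB : Uploads: 0.06 MB Rate: PEAK
2013-05-22 22:11:29:00 - Downloads: 0.32 MB : Uploads: 0.02 MB Rate: PEAK
2013-05-22 23:11:13:00 - Downloads: 0.42 MB : Uploads: 0.01 MB Rate: PEAK
2013-05-23 00:12:18:00 - Downloads: 0.44 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 01:10:05:00 - Downloads: 0.37 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 02:11:07:00 - Downloads: 0.51 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 03:11:21:00 - Downloads: 0.1 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 04:13:08:00 - Downloads: 0.03 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 05:10:44:00 - Downloads: 0.04 MB : Uploads: 0.01 MB Rate: OFF PEAK
2013-05-23 05:33:37:00 - Downloads: 0.01 MB : Uploads: 0 MB Rate: OFF PEAK
"""

# CONSTRUCTED sample (not from the thread): router on, PC and wireless off.
BAD_ROUTER_LOG = """
2013-05-29 11:00:00:00 - Downloads: 0.40 MB : Uploads: 0.02 MB Rate: PEAK
2013-05-29 12:00:00:00 - Downloads: 35.10 MB : Uploads: 10.20 MB Rate: PEAK
2013-05-29 13:00:00:00 - Downloads: 33.70 MB : Uploads: 9.90 MB Rate: PEAK
2013-05-29 14:00:00:00 - Downloads: 31.20 MB : Uploads: 9.90 MB Rate: PEAK
"""


def parse_log(text):
    """Return the usage records found in text, oldest first."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line, signature, forum header, etc.
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(Record(ts, float(m["down"]), float(m["up"]), m["rate"]))
    return sorted(records, key=lambda r: r.ts)


def totals(records):
    """Sum (download MB, upload MB) per billing rate."""
    sums = {}
    for r in records:
        down, up = sums.get(r.rate, (0.0, 0.0))
        sums[r.rate] = (down + r.down_mb, up + r.up_mb)
    return {k: (round(d, 2), round(u, 2)) for k, (d, u) in sums.items()}


def idle_anomalies(records, idle_start, idle_end, limit_mb_per_hour=1.0):
    """Flag intervals lying wholly inside the idle window whose combined
    traffic, normalised to MB/hour, exceeds the idle baseline.

    Assumption: each record covers the time since the previous record, so an
    interval that began before idle_start is skipped rather than guessed at.
    """
    flagged = []
    for prev, cur in zip(records, records[1:]):
        if prev.ts < idle_start or cur.ts > idle_end:
            continue
        hours = (cur.ts - prev.ts).total_seconds() / 3600
        if hours <= 0:
            continue
        rate = (cur.down_mb + cur.up_mb) / hours
        if rate > limit_mb_per_hour:
            flagged.append((cur.ts, round(rate, 2)))
    return flagged


if __name__ == "__main__":
    good = parse_log(GOOD_ROUTER_LOG)
    print("totals:", totals(good))
    # PC off "about 10pm", router off "5.30am" per the post; times are approximate.
    print("replacement router:", idle_anomalies(
        good, datetime(2013, 5, 22, 22, 0), datetime(2013, 5, 23, 6, 0)))
    bad = parse_log(BAD_ROUTER_LOG)
    print("constructed bad case:", idle_anomalies(
        bad, datetime(2013, 5, 29, 11, 0), datetime(2013, 5, 29, 14, 0)))
```

The check only sees what the ISP accounted for on the line, so it separates "traffic arrived while nothing at home was using it" from normal use but cannot say whether the router or an outside sender generated it.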
Title: Re: bandwidth notification - very high
Post by: Lance on May 23, 2013, 13:03:49
Maybe your router was calling home to grab updates and then getting caught in a loop?
Title: Re: bandwidth notification - very high
Post by: Technical Ben on May 26, 2013, 09:33:24
Yeah. Some of the errors can just be pcs/devices stuck in a loop. It's a computer, it runs until something gives in. :P
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 26, 2013, 14:18:05
well I've tested the connections through the alternative router for a couple of days now and there doesn't seem to be any unexplained usage. And I have thoroughly AV/malware scanned the computers.
So now I am setting up the wireless again to allow the 2nd pc internet access, and if that all seems to go okay then I will try going back to the original router (can't use the alternative one long term as it is pretty knackered); resetting it/flashing firmware etc and see how that goes.
It just is a little frustrating not knowing what caused it in the first place, but at the moment it does seem to be router related.

And I am extremely grateful to everyone on here for all their help and suggestions!
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 28, 2013, 14:32:39
well have just spent 4 hours trying to update the firmware of the original router but with no success. Have done reset etc, tried it in IE, FF, redownloaded and unzipped update file, etc etc
Keep getting error message "failure to update due to ...The uploaded file was not accepted by the router"

So am now seeing how it goes with the original router and hoping now it has been reset all might be okay.........
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 29, 2013, 10:26:33
lots of unknown traffic yesterday whilst original router was connected. Will get SimonM to check the overnight stats.

However have finally managed to upgrade the firmware this morning!!!

So will check stats again later to see if that has made a difference...if not, I guess the only option will be buying a new router!!
Title: Re: bandwidth notification - very high
Post by: Simon on May 29, 2013, 13:10:57
Just a thought, but could there be a security setting in the 'good' router, which isn't enabled, or even an option, on the 'bad' one?
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 29, 2013, 16:37:34
possibly, yes. Neither router seems very configurable, but the temporary/older/good one seems to have a few more options than the original/newer/bad one.

Bad news is updating the firmware hasn't worked (I am now back connected with the temporary one) - after I updated it I left it running for 3 hours earlier today, and the stats Idnet have just sent me show that in that period (just router on, pc off, wireless off) there was about 100MB downloaded and 30MB uploaded.

So that firmware update doesn't seem to have helped - I think the only option left to me now seems to be to buy a new router - preferably one that is a little more advanced so I can use more monitoring/configuring tools. Hmmmph!
Title: Re: bandwidth notification - very high
Post by: Gary on May 30, 2013, 10:59:26
Routers generally look for updates when you login, reflashing and doing a hard reset should have fixed any issues. It does not make a huge amount of sense that one router is allowing these connections and another isn't. Has this router got any cloud services it's uploading to? Very odd.  :dunno:
Title: Re: bandwidth notification - very high
Post by: Steve on May 30, 2013, 11:19:24
However I did find this interesting, that attacks are being targeted at older routers; not necessarily the case here, but it just shows sometimes why not all routers are the same.

http://status.aa.net.uk/posts.cgi?itype=Broadband&oseverity=2


Quoted direct-

It seems that some customers have been suffering with severe problems, notably around 8pm to 11pm last night.

This looks to be customers with older zyxel routers. We are still shipping zyxel P660's as PPPoE bridges and that configuration is not affected. However, some years ago, we sold the ZyXELs simply as broadband routers.

Over the last few months these have been the target (well, intermediary) for DNS amplification attacks resulting in some customers having high usage (and in some cases bills).

Yesterday at around 00:36 we saw an attack start, which is why we did emergency upgrades on our infrastructure over night. It now seems that the attack is either directed at, or co-incidentally affecting, these older ZyXEL routers and causing them to reboot.

The attack is hitting lots of ISPs and appears to be happening in bursts, sometimes lasting many hours.

In the long run the solution to both issues may be customers updating to newer routers. This will have the side effect of also getting customers on to IPv6.

If we find a work around in the mean time, I'll post more details.

Update
26 May 19:31:47   
The attack started again at 6pm Sunday.

Update
26 May 19:56:33   
The attack appears to be broken TCP port 80 packets. It may be that a config change on affected routers will avoid this specific issue. If we find more details we'll post them.

Update
27 May 10:03:41   
Using the web interface on the ZyXEL P660, Advanced>Remote MGMT, set all to LAN only.
Title: Re: bandwidth notification - very high
Post by: nowster on May 30, 2013, 11:52:32
"DNS amplification" means that the affected routers were not discriminating as to where the DNS lookup was coming from, so allowed traffic coming from the external interface to use the router as a DNS forwarder.

The way the attack works is that the DNS lookup is sent to the router using a forged "victim" sender IP address. The "victim" then gets deluged with response traffic from all over the world which, because DNS responses are normal and expected traffic, is very difficult to block.

https://www.us-cert.gov/ncas/alerts/TA13-088A
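
Added example (not part of nowster's post or the thread): a Python sketch of how the relay behaviour described above would show up in a router's traffic log, where the router answers DNS queries that arrive on its external interface. The log format, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (not from the thread). Fields:
# time iface direction src_ip src_port dst_ip dst_port bytes
# 198.51.100.20 plays the router's WAN address, 192.0.2.53 the ISP resolver.
SAMPLE_LOG = """\
10:00:01 lan in  192.168.1.10 50000 192.168.1.1 53 60
10:00:01 wan out 198.51.100.20 40001 192.0.2.53 53 60
10:00:01 wan in  192.0.2.53 53 198.51.100.20 40001 120
10:00:02 wan in  203.0.113.9 4444 198.51.100.20 53 64
10:00:02 wan out 198.51.100.20 53 203.0.113.9 4444 3100
10:00:03 wan in  203.0.113.9 4445 198.51.100.20 53 64
10:00:03 wan out 198.51.100.20 53 203.0.113.9 4445 3100
10:00:04 wan in  203.0.113.77 9000 198.51.100.20 53 64
"""

def wan_dns_exposure(log_text):
    """Per outside address: bytes of DNS queries that arrived on the WAN side
    bearing that source address (which may be forged), bytes of answers the
    router sent back to it, and the ratio between the two."""
    asked = defaultdict(int)
    answered = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue  # skip blank or malformed lines
        _, iface, direction, src, sport, dst, dport, size = parts
        if iface != "wan":
            continue  # LAN clients are supposed to use the forwarder
        if direction == "in" and dport == "53":
            asked[src] += int(size)      # query arriving from outside
        elif direction == "out" and sport == "53":
            answered[dst] += int(size)   # router replying as a DNS server
    report = {}
    for ip in asked:
        factor = round(answered[ip] / asked[ip], 1)
        report[ip] = {"query_bytes": asked[ip],
                      "reply_bytes": answered[ip], "factor": factor}
    return report

def open_forwarder_evidence(log_text):
    """Addresses the router answered on the WAN side; empty means no relay."""
    report = wan_dns_exposure(log_text)
    return sorted(ip for ip, row in report.items() if row["reply_bytes"] > 0)

if __name__ == "__main__":
    for ip, row in wan_dns_exposure(SAMPLE_LOG).items():
        print(ip, row)
```

The router's own lookups to the ISP resolver are not counted, because there the router is the client (port 53 is on the far end). Any address returned by open_forwarder_evidence means the router is answering DNS for the outside world and its upload usage is being spent on someone else's traffic.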
Title: Re: bandwidth notification - very high
Post by: Steve on May 30, 2013, 14:22:33
Thanks! :thumb:
Title: Re: bandwidth notification - very high
Post by: tfw7 on May 31, 2013, 14:13:22
Ok - so new router purchased, installed and up and running - I also took the precaution of requesting a new IP address as well - thought that would give me a fresh start.
So, hopefully!!!!, all will now be well again...
Title: Re: bandwidth notification - very high
Post by: Simon on May 31, 2013, 14:20:43
Good luck!   :thumb: :fingers:
Title: Re: bandwidth notification - very high
Post by: nowster on May 31, 2013, 23:08:17
Quote from: tfw7 on May 31, 2013, 14:13:22
Ok - so new router purchased, installed and up and running - I also took the precaution of requesting a new IP address as well - thought that would give me a fresh start.
And you have a new month (quota reset) as well!
Title: Re: bandwidth notification - very high
Post by: karvala on Jun 01, 2013, 13:36:01
Quote from: andrue on May 17, 2013, 09:25:06
Yup. If I didn't notice a full-on DOS attack it'd cost over £360 a month.  :eek4:

To be honest I doubt that's likely. a) I'd notice it and b) I think it unlikely as it would require some serious kit or that I be the target of a bot farm. Technically quite possible but not likely.

I think it would be good if IDNet offered the option of throttling or even disconnecting a connection if it goes beyond a certain level. Not as an alternative to the current system but as a further stage. A credit limit so there was only a certain amount you could exceed your allowance by.

Quote from: SimonM_IDNet on May 17, 2013, 11:54:13
Hi,

In any case such as this, the best advice we can give would be if you suspect that you are being attacked etc would be to turn off the router and call us directly. We can then issue out a new IP address to resolve the issue. Being on a static IP does make this slightly more difficult to resolve than being on dynamic as you need us to change the IP manually.

As stated by earlier posters all usage is chargeable should it go over the limit. Unfortunate as this is we will strive to ensure we resolve the issue and give our customers the best advice we can.  Due to the nature of these issues, since they come from off our network the only thing to do is report the offending IP to their own host to investigate. We do of course send out emails to alert customers to unusually high usage so at least we can try and nip these sort of things in the bud.

Kind regards
Simon Mulliss
IDNet support

Things like this almost make me want to return to my legal days; barristers these days really seem to lack imagination.  I think it would be easily arguable that the customer is not liable for this usage.  Two arguments can be made, with analogies that would work in front of a typical county court judge:-

(1) The argument "we can't tell the difference between DDoS traffic and genuine usage because we don't traffic shape" isn't valid.  This amounts to arguing that you didn't see the activity because you chose not to look; hardly a valid defence.  Do you think if you opted to close your eyes while driving, and subsequently hit something, you could argue that you had no reasonable way of knowing there was something there because you had your eyes closed?  The customer is not in a position to monitor this traffic, but the ISP is; if the ISP chooses not to do so then they implicitly accept liability for the consequences.

(2) The customer can argue that they are only responsible for solicited traffic, i.e. traffic that was requested by a device under their control.  If someone fakes my IP address in a DNS request such that the results are sent  to my router, that has not been requested by me, so I am not liable for the carriage charges.  It is rather like someone phoning a pizza place pretending to be you and sending a pizza round to your house.  Do you think you would be liable to pay because the pizza company brought it to your door under the false belief that you had requested it, when in fact you had not done so?

I'd say if you were faced with a sizable bill that would be well worth a punt.  People so often don't realise that just because a company says (often in a standard terms contract) that they're not liable for something, it doesn't actually make them not liable for it.  Standard terms contracts are more of a company wish list than a legal reality in most cases.
Title: Re: bandwidth notification - very high
Post by: Simon on Jun 01, 2013, 14:06:49
Re (1), are you suggesting that you'd rather IDNet monitored all traffic?  Surely there are privacy issues surrounding this?
Title: Re: bandwidth notification - very high
Post by: karvala on Jun 01, 2013, 17:04:37
Quote from: Simon on Jun 01, 2013, 14:06:49
Re (1), are you suggesting that you'd rather IDNet monitored all traffic?  Surely there are privacy issues surrounding this?

Depends what you mean.  I'm not suggesting they monitor traffic *content*; as SimonM says, that would be illegal as well as a gross invasion of privacy.  I am suggesting that they could monitor traffic *patterns*; this is what ISPs do when they traffic shape - they don't snoop on the contents, but an analysis of traffic patterns allows them to throttle some types of traffic even when directed to the HTTP port.  Of course we don't want any throttling or any other form of traffic shaping, but the same technology can be used to monitor and counter DDoS attacks before they reach the customer.  It takes money to implement, and if not used for traffic shaping I can understand why IDNet don't want to bother, but the flipside of that is that they should accept liability for the consequences of not having it.  At least, that's the argument I would make.  I think both sides could mount a reasonable case in practice.
Title: Re: bandwidth notification - very high
Post by: Steve on Jun 01, 2013, 17:14:53
If it became common, unless I'm being too pessimistic, you'd have no choice except to go unlimited or to an ISP that gave some guarantee of relative immunity to at least the cost implications of a sustained DDoS attack.
Title: Re: bandwidth notification - very high
Post by: tfw7 on Jun 04, 2013, 19:15:07
Well I am pleased to say my new router seems to have done the trick - it's been on 24/7 since Fri pm now, and these are my stats:
Daily Bandwidth Breakdown 1 June 2013 to 3 June 2013
Day     Download (GB)   Upload (GB)   Peak (GB)*   Off-Peak (GB)*
1st     0.17            0.02          0.17         0.0
2nd     0.22            0.07          0.22         0.0
3rd     0.0             0.0           0.0          0.0
Total:  0.39            0.09          0.39         0.0

Back to my normal, light usage - yay!! ;D

Once again I am hugely grateful to all those who proffered help - many thanks for all your fantastic suggestions. In the end a new router was the solution - the only slight frustration for me was not knowing quite why the old router started misbehaving. But hey ho, all now seems well. And the new router has a very accurate usage log which will make it really easy for me to check there are no future issues.
Title: Re: bandwidth notification - very high
Post by: andrue on Jun 04, 2013, 20:21:00
Quote from: tfw7 on Jun 04, 2013, 19:15:07
the only slight frustration for me was not knowing quite why the old router started misbehaving.
The joys of IT. At least when I'm debugging my code I nearly always get to the bottom of what it's doing. But the complexities of IT often leave me mystified  :)x
Title: Re: bandwidth notification - very high
Post by: Glenn on Jun 04, 2013, 21:40:58
I once spent from 7pm - 4 am trying to get internet connection sharing working between 2 PCs with my mate. They wouldn't have it despite reboots, threats of abuse etc, we gave up eventually and went to bed. Got up in the morning turned on the 2 PCs still the same, so started to make breakfast, then the modem started dialing "what have you changed" I asked, no reply, my mate was in the loo. The modem connected and worked fine, that is until I tried to disconnect via the software, the only way to clear the line was to pull the plug. Never found out why though.
Title: Re: bandwidth notification - very high
Post by: Technical Ben on Jun 13, 2013, 18:34:08
Quote from: Glenn on Jun 04, 2013, 21:40:58
I once spent from 7pm - 4 am trying to get internet connection sharing working between 2 PCs with my mate. They wouldn't have it despite reboots, threats of abuse etc, we gave up eventually and went to bed. Got up in the morning turned on the 2 PCs still the same, so started to make breakfast, then the modem started dialing "what have you changed" I asked, no reply, my mate was in the loo. The modem connected and worked fine, that is until I tried to disconnect via the software, the only way to clear the line was to pull the plug. Never found out why though.
Same here. No idea what was going on in 95 to XP pre SP1, but PCs would NOT link properly and it was like black magic getting them to work. I think it turned out to be 1 button/tick box hidden away and a reboot that fixed it. But I'd be darned if I ever found it a second time in all those years.

Come my Windows 7 days, and even XP SP2/3 and it works fine (note I intentionally leave Vista out... but mainly cos I don't use it so don't know!).