Mammoth Downloads....

Note: For official invoice and billing responses use billing@exetel.com.au
Post Reply
PilotMcB
Posts: 7
Joined: Sun May 13, 2012 1:47 pm
Location: Muswellbrook

Mammoth Downloads....

Post by PilotMcB » Fri Jan 23, 2015 7:21 am

In the latter days of the last bill period, you guys sent us a warning that we had consumed over half our allocation for the month. We thought it a joke but when I checked "service usage" there it was, an escalation of PRESUMED usage, estimated usage. Good bloody grief! Are you nuts?

Even now, in this new billing period, you are telling us that my wife and I are using up to 15 Gigabytes per day.... Are you nuts? We've got usage when we've turned the modem OFF!!!

What have you people or Telstra done? You have us using 81 Gigs peak in 9 days. That's crazy!! An average of 9 gigs per day.

If you think this is funny, it is NOT! If your estimates of our presumed usage gets close to our monthly allowance, we're out of here!!!

This is crazy!!

User avatar
Dazzled
Volunteer Site Admin
Posts: 6002
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Mammoth Downloads....

Post by Dazzled » Fri Jan 23, 2015 8:40 am

Important - Have you checked this against the usage recorded by your modem?

You should rule out someone freeloading on you (fix your security), and massive data being sent uninvited to you (change your address).

Modem/routers show who is connected in the GUI; the log will indicate if data is being rejected by the firewall.

PilotMcB
Posts: 7
Joined: Sun May 13, 2012 1:47 pm
Location: Muswellbrook

Re: Mammoth Downloads....

Post by PilotMcB » Fri Jan 23, 2015 9:15 am

Dazzled wrote:Important - Have you checked this against the usage recorded by your modem?

You should rule out someone freeloading on you (fix your security), and massive data being sent uninvited to you (change your address).

Modem/routers show who is connected in the GUI; the log will indicate if data is being rejected by the firewall.
All these checked as a matter of routine. Seems funny that it started about a week before close of last month's period. Of course I cannot check that we have been somehow cross connected at the exchange. Wifi code changed monthly, although anyone who worked them out would be a genius. Blew out from an average of 1 - 2 GB per day to well over 10GB per day and our computer usage times have not changed. ATM with 30% month we're showing over 40% of allowance used. It's nuts!

Only shows 2 phones and an iPad as WiFi users, and they are ours, only shows them as connected when active. No one except for our devices have access to our wifi.

Using WPA2-PSK

User avatar
Dazzled
Volunteer Site Admin
Posts: 6002
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Mammoth Downloads....

Post by Dazzled » Fri Jan 23, 2015 10:34 am

If iptables running in the router rejected an uninvited transmission, you'll see a message in the modem log file. This happens about 4 times an hour, and is usually someone probing for a Windows weakness to exploit. The port (DPT=xxx) gives it away. Probe packets are normally small. If someone is accidentally trying to send a gig of data it will also be rejected, but all these uninvited packets will have been measured at Exetel's router.

A typical packet reject looks like-

Code: Select all

kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=213.155.155.2 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=62641 DF PROTO=TCP SPT=64977 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
(Port 445 if open indicates a known Windows weakness, and would have been followed up with more unwanted poking about).

It's also possible there is an Exetel error, which a staff member can check on. A few days ago some meters were reading zero, the opposite problem. This is fixed.

User avatar
angelos
Exetel Staff
Posts: 1068
Joined: Fri Nov 09, 2012 11:22 pm
Location: Australia

Re: Mammoth Downloads....

Post by angelos » Fri Jan 23, 2015 12:30 pm

PilotMcB wrote:
Dazzled wrote:Important - Have you checked this against the usage recorded by your modem?

You should rule out someone freeloading on you (fix your security), and massive data being sent uninvited to you (change your address).

Modem/routers show who is connected in the GUI; the log will indicate if data is being rejected by the firewall.
All these checked as a matter of routine. Seems funny that it started about a week before close of last month's period. Of course I cannot check that we have been somehow cross connected at the exchange. Wifi code changed monthly, although anyone who worked them out would be a genius. Blew out from an average of 1 - 2 GB per day to well over 10GB per day and our computer usage times have not changed. ATM with 30% month we're showing over 40% of allowance used. It's nuts!

Only shows 2 phones and an iPad as WiFi users, and they are ours, only shows them as connected when active. No one except for our devices have access to our wifi.

Using WPA2-PSK
We will double check the usage records with our Suppliers records and see if it tally's and will get back to you.

PilotMcB
Posts: 7
Joined: Sun May 13, 2012 1:47 pm
Location: Muswellbrook

Re: Mammoth Downloads....

Post by PilotMcB » Sat Jan 24, 2015 7:49 am

Well, now I'm officially stumped!!! I really have absolutely no idea, fair dinkum....

Some time ago, and records will show this, we 'fiddled' with torrent (to see what all the fuss was about) but had it set to activate during off peak times. That was finished ages ago, out of my system now, lol.

Now this month, a week before the end of monthly period our usage number blew through the roof and continued as such until yesterday when I started this thread. I have checked usage in dashboard and our usage plunged from (last three days), 11, 14, 15 G down to 1 G approx, with no change to time on computers. We just do the same thing every day, same time, same ol', same ol'....... We're boring old farts, set in our ways.

For those who can look at the complete figures, look at this entire month and see the blow out from 05/01 to 23/01.

These are the rounded figures in MB: (From 01/01)457, 1134, 861, 866, 3422, 1096, 12948, 9289, 13032, 11417, 11106, 11454, 12802, 5848, 6959, 7539, 7864, 11365, 3712, 8364, 14301, 15076, 1450 (23/01).

Unbelievable. I have no idea what we'd have to actually do to get figures like these. Is it possible to download these amounts daily? Anyone done the math? When we have top conditions we WERE capable of achieving DL rates of 3.5MB/s until Telstra banged the 2.5MB/s limit on the DSLAMs, something they still deny.

Even when we played an online rpg years ago we got no where near these figures.

Still absolutely stumped.......
Thanks for the replies Dazzled and angelos.

PilotMcB
Posts: 7
Joined: Sun May 13, 2012 1:47 pm
Location: Muswellbrook

Re: Mammoth Downloads....

Post by PilotMcB » Sat Jan 24, 2015 7:51 am

Dazzled wrote:
A typical packet reject looks like-

Code: Select all

kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=213.155.155.2 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=62641 DF PROTO=TCP SPT=64977 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
(Port 445 if open indicates a known Windows weakness, and would have been followed up with more unwanted poking about).
Mate, never, ever seen anything like this.
Thanks for the heads up

User avatar
Dazzled
Volunteer Site Admin
Posts: 6002
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Mammoth Downloads....

Post by Dazzled » Sat Jan 24, 2015 9:33 am

While you wait for meter feedback from angelos, check the usage as recorded by your own modem/router. All brands record usage both ways as part of their operating system, and nearly all have a display in the browser interface, usually somewhere under "status".

Record the traffic - a screenshot of the page is easiest, then press the reset button provided to bring it back to zero. Keep and eye on the subsequent readings. Usually you will get a breakdown, by each device connected in your home, and by the connection to the external internet. Here is a sample of what to look for, but your model may vary -

Rejected data wll not be included in the count.
Attachments
stats.png
stats.png (36.29 KiB) Viewed 4089 times

PilotMcB
Posts: 7
Joined: Sun May 13, 2012 1:47 pm
Location: Muswellbrook

Re: Mammoth Downloads....

Post by PilotMcB » Sun Jan 25, 2015 8:00 am

Dazzled wrote:While you wait for meter feedback from angelos, check the usage as recorded by your own modem/router. All brands record usage both ways as part of their operating system, and nearly all have a display in the browser interface, usually somewhere under "status"..........
Our steam driven Netgear DGN1000 doesn't report Bytes, only packets and from memory, from previous monitoring, these figures appear ok.

Reported usage from yesterday appears back to normal usage (527MB rounded), real time sitting at computer didn't change.

This has me totally 'bamboozled'. No wireless freeloaders were seen, we haven't altered our usage, from time to time, for short periods other have used our computers, for short and monitored times, the odd youtube vid watched, you know, sorta typical 'old fart usage'.

We haven't had connection interruption for a good while, we've restarted the modem on occasion, but nothing out of the ordinary. This is definitely out of the scope of control of Exetel, but stone the crows, what the hell has happened (rhetorical)?

I can recall that the straw that broke the camel's back and prompted us to move to Exetel years ago was Telstra's 'figure fiddling', we watched our usage go up and up even though our usage had not change. Even showed a lot of usage even though we disconnected for days on end.

No idea....... Hopefully this is an isolated incident, appears that way.....
Many thanks people, investigation on going.

User avatar
Dazzled
Volunteer Site Admin
Posts: 6002
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Mammoth Downloads....

Post by Dazzled » Sun Jan 25, 2015 5:03 pm

Not one of my favourite routers, as they lock the telnet interface where there is full control over the device.

It also has a known security vulnerability - it is listening to a local network port for an unauthenticated back door entry. That is, somebody on your network could fiddle with it without knowing the password. If your password is default it isn't worth worrying about, a user can assume it anyway.

The telnet interface can be unlocked if you wish. See http://wiki.openwrt.org/toh/netgear/telnet.console. You would only need this to read the FULL usage data in bytes to/from each connected device. The terminal/dos prompt command after telnet login to read this information is cat /proc/net/dev.

For the moment just keep an eye on that packet count. Unfortunately you don't know which ones are big.

PilotMcB
Posts: 7
Joined: Sun May 13, 2012 1:47 pm
Location: Muswellbrook

Re: Mammoth Downloads....

Post by PilotMcB » Mon Jan 26, 2015 6:52 am

Thanks for the heads up Dazzled. Firmware version: V1.1.00.50_ww

Holy smoke!! Sorta glad I gave this stuff up years ago, I'll plough through it and see if I can make some sense of it all, lol.

Well at least something good has come out of this, it is totally localised, no one else has picked up and posted they have experienced the same. That's good news at least.

Still scratching my bum big time......
I reckon bloody Telstra has got something to do with it. Talk about rogues and thieves. They're top of the heap......

User avatar
angelos
Exetel Staff
Posts: 1068
Joined: Fri Nov 09, 2012 11:22 pm
Location: Australia

Re: Mammoth Downloads....

Post by angelos » Tue Jan 27, 2015 10:15 am

I've checked the usage records and they appear to be correct. So it seems the data transferred was on your connection itself.

And I can confirm that your usage has reduced since the 22nd so I would agree with you in saying that is rather strange. We would advise you to investigate the internals further.

PilotMcB
Posts: 7
Joined: Sun May 13, 2012 1:47 pm
Location: Muswellbrook

Re: Mammoth Downloads....

Post by PilotMcB » Thu Jan 29, 2015 6:35 am

angelos wrote:I've checked the usage records and they appear to be correct. So it seems the data transferred was on your connection itself.

And I can confirm that your usage has reduced since the 22nd so I would agree with you in saying that is rather strange. We would advise you to investigate the internals further.
Thanks angelos.

I smell a Telstra rat......
Years ago, prior to to us joining Exetel, the straw that broke the camel's back was an incident when we went on holidays for a week, turned off all computers and the modem, on our return usage figures for the week away were only slightly lower than the week prior to us leaving. When confronted with this Telstra claimed that their usage figures were estimates and sometimes had to be balanced out over the monthly term. No matter how persistent I was in asking questions and the number of referrals I got, no one would explain to me exactly how and why usage was 'estimated', how it was estimated and how could they justify adding usage to our account when no actual usage had occurred.

I would suggest that you guys have no more luck in getting the truth out of Telstra than I had. They are a contemptible mob of lying mongrels.

Post Reply