Internet connection leeched, can't find the source :(

  • Internet connection leeched, can't find the source :(

    Hi everyone,

    I'm an IT support technician in a small school.

    Recently at work our ADSL2 internet connection was thrashed until it was shaped to 64k by something or someone. Even though I changed the internet password, disconnected the gateway (Linux) and just had the modem on, the downloads just kept going.

    It finished around 2 GB of data each day (roughly 150 MB/hr).

    We have 3 separate lines for internet. It's happening to two of them.
    We use a Linux box as a proxy gateway and firewall. We have updated antivirus on all the workstations and servers. We checked all possible avenues and we're exhausted.

    I'm no security expert, but I know for sure it's not done from our internal network; we disconnected the gateway and it kept going!

    The internet provider said there's nothing they can do about it because it shows that our network is downloading those bytes.

    My questions are:

    1. Is it possible for someone to purposely do this? Can they flood our network in a way so it seems like we're downloading a huge amount of files but never get to see them?

    2. Our Exchange server recently had problems with spam. Even though the spam didn't flood the mail queues, could it be that the spam is responsible for the downloads?

    3. What other steps can I take to find out if my network is secure from such attacks?


    I don't know what to do; this is beyond my skills as a technician. I appreciate your help.

  • #2
    Re: Internet connection leeched, can't find the source

    When you say you disconnected the gateway then do you mean nothing is plugged into the router and it still shows as "downloading" data?

    You can get a copy of Wireshark and track what is happening (assuming something is still connected). Your router may even show you connected IP addresses.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3

      Originally posted by AndyJG247:
      When you say you disconnected the gateway then do you mean nothing is plugged into the router and it still shows as "downloading" data?

      Yes, that's right; I just can't put my finger on it. If this only involved 100 or 200 MB a day I could live with that, but it's like 2 GB a day. We'll finish the quota in less than 10 days.

      I'll give Wireshark a go, thanks for that.

      PS: I just finished skimming an article about DoS attacks; could that be the problem?
      Last edited by dodes47; 10th March 2009, 09:48.



      • #4

        Is your public IP dynamic?
        Your ISP should be able to give you information from their side if there is significant traffic coming from other hosts, their routers can log as well.
        Your router, what is it? You may be able to get more info from it also.
        cheers
        Andy




        • #5

          We have a static IP and my router is the actual Linux box itself. I've got a colleague who's a Linux guru, but he's scratching his head as well.

          Thanks Andy



          • #6

            Not a Linux guru myself, so maybe one of them can lend an eye to this.

            I would imagine there are plenty of logs that can be looked at on the box though. Even just destination & ports. We really need logs to go anywhere with this.
            cheers
            Andy




            • #7

              OK Andy,

              First thing tomorrow I'll post a log from the Linux box here.

              Thanks



              • #8

                Run tcpdump on the Linux machine to see what is happening.
                Disconnect the LAN side to make sure that no other traffic can be initiated from the internal LAN segment.
                Import the tcpdump file into Wireshark and check it out.

                tcpdump is natively included within Linux.
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"

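An added example (not from any poster in this thread) of the "check it out" step once the LAN side is unplugged: it tallies the text output of `tcpdump -nn -q` per remote host, so the one pulling the daily gigabytes stands out before anything is opened in Wireshark. The sample lines, the addresses, and the gateway's public IP 198.51.100.10 are all constructed; the real input would be whatever `tcpdump -nn -q -i <wan-interface> > capture.txt` wrote on the gateway.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -q` output (not a real capture):
# two TCP segments coming in from a web server, one DNS exchange, one ARP line.
SAMPLE = """\
10:15:01.000001 IP 203.0.113.5.80 > 198.51.100.10.51234: tcp 1460
10:15:01.000200 IP 198.51.100.10.51234 > 203.0.113.5.80: tcp 0
10:15:01.000400 IP 203.0.113.5.80 > 198.51.100.10.51234: tcp 1460
10:15:02.000001 IP 203.0.113.9.53 > 198.51.100.10.40000: UDP, length 120
10:15:02.000300 IP 198.51.100.10.40000 > 203.0.113.9.53: UDP, length 40
10:15:03.000001 ARP, Request who-has 198.51.100.1 tell 198.51.100.10, length 28
"""

# In -q mode tcpdump prints "tcp <payload bytes>" for TCP and
# "UDP, length <bytes>" for UDP; anything else (ARP, ICMP, ...) is skipped.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:tcp (?P<tcplen>\d+)|UDP, length (?P<udplen>\d+))"
)


def summarize(lines, local_ip):
    """Return {remote_ip: [bytes_received, bytes_sent]} seen from local_ip.

    Counts payload length only (no IP/TCP headers), so totals are a lower
    bound on wire volume; the ranking between hosts is what matters here.
    """
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        length = int(m.group("tcplen") or m.group("udplen"))
        if m.group("dst") == local_ip:
            totals[m.group("src")][0] += length   # inbound: download volume
        elif m.group("src") == local_ip:
            totals[m.group("dst")][1] += length   # outbound
    return dict(totals)


def top_talkers(lines, local_ip, n=5):
    """Remote hosts ordered by bytes they sent us, largest first."""
    totals = summarize(lines, local_ip)
    return sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True)[:n]


if __name__ == "__main__":
    for host, (b_in, b_out) in top_talkers(SAMPLE.splitlines(), "198.51.100.10"):
        print(f"{host:>15}  in={b_in:>8} B  out={b_out:>8} B")
```

Feed it the saved capture with `summarize(open("capture.txt"), "<your public IP>")`; a single host at the top with a large inbound figure is the one to look up (here, the hourly A/V update server would have appeared that way).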


                • #9

                  Originally posted by dodes47:
                  Yes, that's right; I just can't put my finger on it. If this only involved 100 or 200 MB a day I could live with that, but it's like 2 GB a day. We'll finish the quota in less than 10 days.

                  Have you run iftop on that interface?
                  Wesley David
                  LinkedIn | Careers 2.0
                  -------------------------------
                  Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                  Vendor Neutral Certifications: CWNA
                  Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
                  Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



                  • #10

                    Run PRTG or MRTG packet sniffer and port monitor the upload link from the router to the internet and find the source of the leeching.



                    • #11

                      Originally posted by joeqwerty:
                      Run PRTG or MRTG packet sniffer and port monitor the upload link from the router to the internet and find the source of the leeching.

                      You must really like that tool... you've mentioned it at least 3 times in the last week.



                      • #12

                        My goodness...


                        I can't believe it. This is gonna sound retarded, but we finally figured out what's causing the downloads to skyrocket.


                        Apparently our Exchange server's antivirus (Microsoft Antigen) had something wrong with the update engine. It was downloading engine and signature updates every hour for 8 different A/V engines. As soon as we disabled the updates, the downloads calmed down.


                        I know I mentioned that I disconnected the gateway and the downloads kept going. Apparently I didn't disconnect it long enough to notice the difference in downloads on the volume usage. (duuhh)


                        So one connection is fixed, but this still doesn't explain the other gateway where 50 GB was downloaded in less than 3 days. I'll have to wait until the connection is unshaped, then try out all the steps you guys mentioned above.



                        Thanks a lot guys. Btw, this is a bit off topic, but can anyone recommend a good A/V for Microsoft Exchange?



                        • #13

                          Originally posted by dodes47:
                          So one connection is fixed, but this still doesn't explain the other gateway where 50 GB was downloaded in less than 3 days. I'll have to wait until the connection is unshaped, then try out all the steps you guys mentioned above.

                          I'm lost in this sea of gateways and proxies. Is this gateway the linux one? iftop is the poor man's way of tracking bandwidth usage. Give it a try.



                          Originally posted by dodes47:
                          Thanks a lot guys. Btw, this is a bit off topic, but can anyone recommend a good A/V for Microsoft Exchange?

                          A new topic would be good, but I'll toss you a bone anyway: take a look at GFI MailSecurity.



                          • #14

                            Originally posted by Nonapeptide:
                            I'm lost in this sea of gateways and proxies. Is this gateway the linux one? iftop is the poor man's way of tracking bandwidth usage. Give it a try.

                            Hehehe. All the gateways are Linux based; we've got three of them. Two of them are acting weird. One of these two is fixed, the other one not. I read up somewhere about a similar utility called ntop. Is it the same as iftop?


                            Thanks for the link, bro, I'll give it a whirl.

                            Cheers



                            • #15

                              Originally posted by dodes47:
                              Hehehe. All the gateways are Linux based; we've got three of them. Two of them are acting weird. One of these two is fixed, the other one not. I read up somewhere about a similar utility called ntop. Is it the same as iftop?

                              I just did a quick search for ntop (never heard of it before) and iftop looks like a similar tool just without the web interface. See what it shows you and let us know!
