Hi anyone else have this issue...?

I have noticed like everyday on my Web Africa account my bandwith usage seems to grow and grow. I only browse and upload small files to the web, as well as receive my daily emails.
When I started with them it was like 20-40mb per day, but now it is going on to 200mb some days.
I have thoroughly scanned my pc's for spyware, trojans, etc I have installed 3rd party firewalls on all of them. Using the SASA thingy I can see only 1 concurrent connection on my account at a time. I have a wireless router, but i have an app that tells me if another ip tries to come onto my network, I switch my router off at night.... I have tried it all.
Web Africa claims they can't do anything about it. I have checked the stats at SAIX and it shows the same as Web Africa.
Can anyone advice me as to what might be happening???? Is it my ISP? Where can I start looking for the problem?
Another mate told me he is with MWEB and even though he pays more, his stats definitely only shows what he uses..

CONFUSSED :confused:

Does your wireless sytems also watch out for MAC address piracy? I would get your ISP to submit a Fault Query to SAIX. Also, what are you usinbg to monitor your bandwidth?

Its not your ISP, its either a data leak on your side, or SAIX being telkomish

"SAIX being telkomish"

We seem to be getting more and more clients complaining about errant bandwidth usage... I even noticed 43MB additional unexplained MB's on my PC's dialup session the other night.

It is a wonder...

That app monitors MAC as well.
WEb Africa has a monitor thingy for bandwith, I also go to te saix site, and that SASA app that everyone around here uses.
They all seem to co-ordinate more or less

but i have an app that tells me if another ip tries to come onto my network
Which app are you using?

Leave your modem on, and turn off your PC for 2 days. Then check your ADSL usage for that period...

;)

Globetrotter I use MyMiFiZone, only drawback it obviously only monitors when your pc is running.
Razor do u ever switch off your pc for 2 days?? :)

If you really want to do something like stop usage for 2 days, just unplug your router from you're pc. As easy as that, you won't have internet for 2 days, but at least you'll still be able to play computer games etc.

Dont mean to sound stupid ..... but have you checked for Spyware and adware on your pc..... Usually these type of programs send data out on their own without your knowledge.

Besides viruses and such you could be experiencing bad line that needs to keep resending packets due to drops. This wouldnt normally explain for the massive extra bandwidth being used.

I suggest you do this.

Get an app that can monitor bandwidth properly.... the likes of netlimiter and such.

Keep your pc on for one day and dont do any inet or email
check your app to see if data has been sending and receiving from your pc... if so you have app problems if not then its your account being hijacked.

One of the easiest things to do is to change your webafrica password, the password you use to connect, you can do that in the DSLconsole. The other thing is check your startup entries, it could be a simple thing such as a program (Adobe etc.) updating. It won't be a daily thing, but maybe the update fails and restarts again. Download www.netlimiter.com and see which applications upload and download while you surf. It just takes a bit of monitoring, but change the password, just to make sure :)

What increased? upload, download, both by same margin?

webafrica has DSL secure technology,

simply log into your webafrica DSL account using http://dsl.nurve.co.za or http://dsl.wadns.net and goto settings, you'll see DSL secure.

That'll allow you to limit your DSL account to your specific phone line (up to 4 phone lines in total).

Also you'll be able to see there if there has ever been a connection on a phone line other than yours... You can also see if there is more than 1 connected session under authentication.

Dont mean to sound stupid ..... but have you checked for Spyware and adware on your pc..... Usually these type of programs send data out on their own without your knowledge.

Besides viruses and such you could be experiencing bad line that needs to keep resending packets due to drops. This wouldnt normally explain for the massive extra bandwidth being used.

I suggest you do this.

Get an app that can monitor bandwidth properly.... the likes of netlimiter and such.

Keep your pc on for one day and dont do any inet or email
check your app to see if data has been sending and receiving from your pc... if so you have app problems if not then its your account being hijacked.
I'd expect NetLimiter to show usage of anything using the internet, including malicious software.

I had the same problem at Web Africa. I switched to someone else and suddenly I am no longer mysteriously running out of bandwidth. I was otherwise very happy with Web Africa.

I'd expect NetLimiter to show usage of anything using the internet, including malicious software.

I had the same problem at Web Africa. I switched to someone else and suddenly I am no longer mysteriously running out of bandwidth. I was otherwise very happy with Web Africa.

Netlimiter will NOT show all the usage unfortunately.

Nox sounds like someone had your username then. I take it this was before DSLSecure came out to prevent abuse? Did anything else change on your side when you moved over?

It's not possible for the radius server to make up stats. All the information comes straight from Telkom's NAS ports.

If anything were to go wrong ever, (the diginet link goes down, or our radius servers etc) our traffic would be the LESS of the two since we would loose those packets containing your traffic accounting data.

Cases of bandwidth come up from time to time, in every case, it was either wireless bandwidth theft (Remember people WEP and WPA are vulnerable). or username theft (through having an insecure default password on clients router). The latter can be solved through DSLSecure while the former through using a 16character random password on WPA.

Did anything else change on your side when you moved over?
Not a thing, and I don't have any wireless. The month after I changed to another provider was the first time that I didn't find stats that made no sense and did not correspond to my actual usage. The disappearing bandwidth happened with two different passwords. Since my bandwidth is no longer mysteriously disappearing I am just going to stay where I am.

Who did you change to NOX?
Even though Web Africa is very convenient, they insist it is a problem on my side, even though I have done all the above tricks and still have this problem.
What makes me doubt them more is the fact that when I moved to a new premises my account stopped working, even though on their side they could see me logging in etc.
Eventually I had to just persuade them to make a new accout for me even though the guys did not believe me. So their system is definitely not foolproof!!!

same problem here

could some of the web africa guys on the forum check his out? it's a serious worry, and an unfortunate blemish on an otherwise perfect reputation.

i'm turnig off my router till monday. god help you if my account shows usage for tomorrow.

night night

Hi guys, I handle the technical aspects of our ADSL service at Web Africa, but unfortunately do not know the specific details of which are being referred to here (ie. which accounts or what kind of behaviour was experienced).

Firstly, our servers do not "make up" traffic, it's certainly *possible* to just magically place arbitrary additional usage into the database (if you have access to it), but in this case (RADIUS accounting) this does not take place. We only record what gets sent to us by SAIX/Telkom. What we do do is a bit of additional number crunching on our side to provide some of the additional services (such as hourly updates without connection resets), but there's never more usage added into the database, getting a number such as 20 from SAIX (not a real usage value), and splitting it into 15+5 still gives you 20 at the end of the day.

If the data we're getting is erroneous (which could happen) then naturally the data we're calculating with is wrong and the whole thing falls apart, unfortunately we cannot prove nor disprove that the information we get from SAIX is accurate - we have to trust it to be accurate - and as such we cannot prove nor disprove that a specific client actually did the usage he says he did. The only way we can get a general idea (and it is only a general idea) is linking up usage to specific ADSL lines, hacked accounts are generally easy to see (especially by the client whose account was hacked) just by being aware of how many lines you *know* are supposed to be accessing that account vs. how many lines have in the past, or alternatively, how many lines are currently accessing it. We provide facilities such as DSLSecure and being able to forcefully disconnect all sessions on an account as a means to mitigate (but unfortunately not always eliminate) hacking and account theft. If for example we see only a single line has connected to that account (and is the line currently connected to that account) and the client comes to us saying that there is an inordinately large amount of usage, all we can do is point out possible areas on the client side that may have caused the problem (such as an open WIFI connection, using P2P applications such as BitTorrent, Skype, etc., an infection of Virii/Malware on one of the networked machines, all of these are possible causes of abnormal download/upload behaviour and more times than not, the client comes back saying "woops, we did have one of those").

Secondly, DSLSecure does not stop a line from CONNECTING to an account, it merely causes that line to experience capped behaviour (ie. they can still browse the Web Africa website, etc.), this is how the support staff could see you logging in but chances are your line was not on the "allowed" list of lines and that connection was therefore being set as capped (preventing external network access). Though unfortunately without the specifics of the situation I can only make assumptions based on what has been said rather than an actual analysis of the situation.

There have been a couple of instances where people have queried their usage, if the usage does infact appear strange we have done further analysis including looking at individual line usage, past access history, ensuring no record duplication, etc. in *most* cases the usage is infact caused by the client, any faults we do have are taken seriously and if it appears to be a bug within the system itself it's rapidly corrected.

If usage does honestly appear inaccurate or incorrect the best bet is to contact support (generally via the ticket system) and get them to escalate it to someone who can analyse the usage in more detail (namely myself) - but please don't query every single blip of usage, only usage stats that you *seriously* think are in error.

Oh, also, it's worth pointing out that usage of 20-40MB a day is an incredibly small amount of usage for ADSL, heck, just sitting idle an ADSL connection racks up close to 10-20MB, and that amount is definitely dependent on how fast a line you're using. Also don't forget, even unsolicited traffic (any traffic) that touches your router, whether firewalled or not, counts towards usage, that includes port scans, attempted DoS attacks, etc.

I have a SAIX and IS account. I've been on my IS account for the last 3 days; I checked my SAIX bandwidth usage with WAfrica now and it is still sitting on the same value as 3 days ago, as it's supposed to. So luckily no strange things happening on my WA account.

Who did you change to NOX?
Even though Web Africa is very convenient, they insist it is a problem on my side, even though I have done all the above tricks and still have this problem.
What makes me doubt them more is the fact that when I moved to a new premises my account stopped working, even though on their side they could see me logging in etc.
Eventually I had to just persuade them to make a new accout for me even though the guys did not believe me. So their system is definitely not foolproof!!!

Hi jack and Nox, would you mind PM'ing Richard or myself your username. This sounds like someone else was using your account or Telkom was making stats up. (I've never seen this happen though).

Either way I believe we have the most accurate and reliable system out of any ISP, and would like a chance to get to the bottom of it..

We have many thousand clients on DSL, if this was a problem we be swamped with complaints. If *anyone* else who has a query is most welcome to PM us their username and be more than happy to investigate fully.

Thanks

As I asked NOX, who did you move to again?? I would think if a client phones back more than two weeks consecutively it would seem there really is a problem and, according to warichard, that client would have been put through to him by now.
But then again, how can I prove it from my side? Things like netlimiter etc is useless when you are on a PPPoE LAN connection. Another thing is, as far as I understand these things, if I have all my pc's connected through my router, it will still show only one connection right???? So that would render DSLsecure useless as well, allowing 3 more lines to connect before anything untowards would happen, or have I got it wrong????
I'm not a techie...
If just plain idling caused 20-40mb of usage, then your stats were wrong on my side right from the word go, 'cos that is what it was when I got my account from you guys, including browsing and receiving my emails.... some days it still shows that, but less often and often goes up to 100mb...

Hi Jack, a query is not necessarily forwarded to me unless the problem is definitely something they cannot solve themselves. Looking back at your query regarding this, it appears that the situation was explained that unfortunately should usage occur from only a single line (3 PC's or not) there is nothing further we can do (as we can neither prove nor disprove that that usage is legitimate). DSLSecure, as it was explained, is only designed to prevent unwanted access from separate lines (it is not a one-stop hack preventer, just like a password isn't), and we are not responsible for the security of the site of the client. Should unwanted usage be occurring from that single line, it is the responsibility of the client to ensure that his PC's, router, etc. are secure. We cannot do that for him - you'll find that opinion coming from every single ISP out there. Separate machines on the network do not come up as separate lines (as they all go through a single router), therefore you could have those 3 networked machines on your network accessing the internet simultaneously. However that usage we see will still come up as a single line from a single connection (and will only list it as a single connection), that way we can still identify it came from a specific client. There is no way we can get finer usage details than that, it's up to the client to monitor his individual PC's.

As for idling causing 10-20MB of usage, there's nothing wrong about it, it's entirely possible for this to happen and our stats are not wrong because of it, browsing and receiving e-mail (depending on how much you do it) could use a further 10-20MB, falling into your 20-40MB of usage argument.

Looking at your raw statistics however, the usage appears 100% legitimate, there are no duplicates, there are no overlaps, though I would say your average usage daily was probably 20-40MB you did have peaks that would go up to 80-100MB (and were consistent enough to indicate standard behaviour). I will agree that at the end of the month your usage increases by a pretty substantial amount compared to the previous weeks, and I can agree that it looks suspicious. Unfortunately the fact that it's all from the same line screams the fact that it seems to be a client-side problem, such as a virus or other form of malware, P2P, an open version of Skype on the network, etc. something you picked up near the end of the month.

In the end the only way to guarantee that you are not going to rack up any usage while not using the internet is to disconnect your actual physical router from the ADSL network.

Tell me more about the open version of Skype, cos I have started using Skype because of one of my customers.....??????? Maybe that is the problem....

In actual fact I checked my usage now trying to pinpoint it. It seems to have started going up since I installed Skype. I haven't been using it a lot, but it has been open most of the time.. I also have't used it for voiceover but just normal chatting...

Even when not being used Skype makes use of your bandwidth for routing the calls of other callers to improve the voice quality of the network, this is regardless of whether you are behind a firewall or not, as long as the application is running it could be potentially using your ADSL connection. A lot of usage queries we get eventually end up revolving around a recent installation of Skype. I would suggest removing the application and then over the course of a week or something just checking to see if it's resolved the situation.

warichard, I have to thank you, I think you have solved the problem. I haven't in fact used Skype the past few days, and my usage seems to be normal for those days.
Thank you very very much. Now wouldn't it have been neat if someone there by you guys could have suggested that from the beginning instead of just telling me over and over I have a virus.
Seems I'll be hanging on with you guys after all.