Malware keeps on DDOSing me and using up all my cap

I would first start with a malware scan - the free version of malware bytes should be enough.


I see some of the connections were open to DropBox so presumably you have the DB client on. Even with all apps closed bear in mind that there are a lot of services running that also make connections out.
 
Install something like Net Balancer so you can see exactly what is downloading/uploading on your machine, should be pretty easy to find the file or service responsible for chowing your cap.
 
i have found that there are few things better than netlimiter to check which process is using bandwidth, how much it is using, if it is doing so inbound or outbound and at what rate..

get that installed, go through it and see what pops up..
 
@DJ... - surely denying at the router is too late? By then it's already been accounted by the ISP's systems...
Correct. Very little that can be done if they simply flood the connection, even if the WAN IP is advertised by the LAN, outbound. Identifying that specific traffic signature is going to be tough. Even as an ISP we have to test in a controlled environment to identify it. Then trying to auto mitigate it is even tougher to do without affecting legit traffic. As an ISP it's a problem as it can annihilate capacity at times, although we've managed it on our end. So we're working very closely with IS behind the scenes to try to finalise a solution, but source, ports and bandwidth keep changing. So refining and testing rules on auto mitigation is quite a process for what amounts to relatively small bandwidth. Abuse reports have been sent with clear evidence but no response from the hosts yet. There are also weird and rather sneaky malicious apps posing as legit and serving at least one legit purpose, that we've discovered of late call to very specific, local SIP providers. And attempt to break in using your device and botnet a dos attack. Also shares any successful auth with other instances across networks. Vital to get decent security on your network, especially for capped customers. We quite simply don't log the traffic no matter what anyone claims, so it's difficult for us to pinpoint what bandwidth was used for what services at selected times other than educated guesses and post processing heuristics. Time consuming and frustrating...
 
Last edited:
i have found that there are few things better than netlimiter to check which process is using bandwidth, how much it is using, if it is doing so inbound or outbound and at what rate..

get that installed, go through it and see what pops up..

Install something like Net Balancer so you can see exactly what is downloading/uploading on your machine, should be pretty easy to find the file or service responsible for chowing your cap.
Thanks a lot guys. The problem is just that besides the broadcast of what my current IP is my PC isn't involved with the high bandwidth usage. After the receiver gets my IP it DDOSes my router and not my PC.
 
Thanks a lot guys. The problem is just that besides the broadcast of what my current IP is my PC isn't involved with the high bandwidth usage. After the receiver gets my IP it DDOSes my router and not my PC.

something is broadcasting your ip address, more than likely a device on your network, more specifically a process of some sort on one of the devices.. this is where the applications come in handy.. if nothing on your end is broadcasting your ip, then these guys are simply scanning all public ip ranges for hosts that are alive and just sending traffic towards those hosts with no specific target in mind..
 
something is broadcasting your ip address, more than likely a device on your network, more specifically a process of some sort on one of the devices.. this is where the applications come in handy.. if nothing on your end is broadcasting your ip, then these guys are simply scanning all public ip ranges for hosts that are alive and just sending traffic towards those hosts with no specific target in mind..
Yeah. But this has happened every time I restart and get a new IP since the 22nd of November. So it's definitely not just a random thing. I've pretty much narrowed it down to my PC (which I'm trying multiple different antiviruses on) because I unplugged my PC from the network last night (at which stage I started the scans) and restarted my router to get a new IP and it hasn't seemed to have happened again. I plugged my PC back in a little while so so I'm just waiting to see if any of the minor or 1 or 2 major threats I found yesterday were the issue. The one major issue was a "conduit" virus so I looked it up but it didn't sound like the sort of thing that'd do this. I suppose that the program doing this roils probably just have a minor severity if the antivirus even picked it up.

Anyone know what the delay is on vox between you using your data and the portal reflecting that?

I've tried Spybot Search And Destroy, Malware Bytes and Bitdefender. Anybody got anything else worth trying?
 
Last edited:
Yeah. But this has happened every time I restart and get a new IP since the 22nd of November. So it's definitely not just a random thing. I've pretty much narrowed it down to my PC (which I'm trying multiple different antiviruses on) because I unplugged my PC from the network last night (at which stage I started the scans) and restarted my router to get a new IP and it hasn't seemed to have happened again. I plugged my PC back in a little while so so I'm just waiting to see if any of the minor or 1 or 2 major threats I found yesterday were the issue. The one major issue was a "conduit" virus so I looked it up but it didn't sound like the sort of thing that'd do this. I suppose that the program doing this roils probably just have a minor severity if the antivirus even picked it up.

Anyone know what the delay is on vox between you using your data and the portal reflecting that?

I've tried Spybot Search And Destroy, Malware Bytes and Bitdefender. Anybody got anything else worth trying?

Tried HijackThis?
 
Correct. Very little that can be done if they simply flood the connection, even if the WAN IP is advertised by the LAN, outbound. Identifying that specific traffic signature is going to be tough. Even as an ISP we have to test in a controlled environment to identify it. Then trying to auto mitigate it is even tougher to do without affecting legit traffic. As an ISP it's a problem as it can annihilate capacity at times, although we've managed it on our end. So we're working very closely with IS behind the scenes to try to finalise a solution, but source, ports and bandwidth keep changing. So refining and testing rules on auto mitigation is quite a process for what amounts to relatively small bandwidth. Abuse reports have been sent with clear evidence but no response from the hosts yet. There are also weird and rather sneaky malicious apps posing as legit and serving at least one legit purpose, that we've discovered of late call to very specific, local SIP providers. And attempt to break in using your device and botnet a dos attack. Also shares any successful auth with other instances across networks. Vital to get decent security on your network, especially for capped customers. We quite simply don't log the traffic no matter what anyone claims, so it's difficult for us to pinpoint what bandwidth was used for what services at selected times other than educated guesses and post processing heuristics. Time consuming and frustrating...
Thanks yeah. But surely mine is definitely malware? I get ddosed every time I get a new IP of I turn my PC on.

Really hoping I won't need to format.
 
Guys. So even when I run my router with no devices connected and the WiFi disabled my cap still continues to run. What would you guys say? Buy a new modem?
 
Guys. So even when I run my router with no devices connected and the WiFi disabled my cap still continues to run. What would you guys say? Buy a new modem?

It's malware on one of your pcs then. Format and get it over with.
 
It's malware on one of your pcs then. Format and get it over with.
But how is it malware on my PC if the data continues to run when my PC has been off since yesterday and I've restarted my modem multiple times to get a new IP?
 
But how is it malware on my PC if the data continues to run when my PC has been off since yesterday and I've restarted my modem multiple times to get a new IP?
Maybe something is installed on the router or does your adsl account allow concurrent connections from different locations?

If so perhaps someone(even a friend or acquaintance) has stolen or borrowed your adsl account details and is using it from another location. Log on to your adsl providers web page dashboard and see what info it provides, some even can show how the data was used and the location. Definitely change your adsl login info, password and username.

Also check if your adsl account has a fixed ip address, that's normally something you pay extra for but perhaps it is enabled or given free with your account for some reason, of so have it changed or fixed ip disabled.

Edit, oops seems I'm quite late to the party.

Another tactic to try is have your adsl speed manually changed to something like 2mbs for a while, that might make whoever is doing this lose interest and look for new prey.
 
Last edited:
Maybe something is installed on the router or does your adsl account allow concurrent connections from different locations?

If so perhaps someone(even a friend or acquaintance) has stolen or borrowed your adsl account details and is using it from another location. Log on to your adsl providers web page dashboard and see what info it provides, some even can show how the data was used and the location. Definitely change your adsl login info, password and username.

Also check if your adsl account has a fixed ip address, that's normally something you pay extra for but perhaps it is enabled or given free with your account for some reason, of so have it changed or fixed ip disabled.

Edit, oops seems I'm quite late to the party.

Another tactic to try is have your adsl speed manually changed to something like 2mbs for a while, that might make whoever is doing this lose interest and look for new prey.
Thanks. I'm going to go try buy a new router. I reset my passwords for my two ADSL accounts and my portal password. I've also checked and made sure there's only open sessions on my line.
 
I battled with a similar issue with a relative's VDSL connection in New Zealand.

After a lot of troubleshooting I was able to prove to Vodafone that it was their counter that was messed up and not anything sinister on his side.
 
Last edited:
Top
Sign up to the MyBroadband newsletter
X