Possible evidence against Telkom

SirBruce

New Member
Joined
Jun 4, 2004
Messages
9
At 11:00am on the first of June 2004, I noticed that the usage
figures reported from SAIX (via IS) said I had already used 800 megabytes.

My business can't function while capped, so I keep a close eye
on those figures and I know the reported usage is IMPOSSIBLE!!

I had a look at the logs on my ADSL router, cleared the log file
and power reset the router. I then watched the logs while it was
logging in. After logging in, it waits for a while (2 min) and then receives time from a time server. The time being handed out appears to be BOGUS !!! and could explain a lot. I also can't find a TIME_ZONE on the router.

I know my case is not unique, there will be others who have also
lost parts of their 3Gig, wondering how it is possible.

The router was reset at 11:01 on 04 June 2004. Here are the logs:

1/1/1970 0:0:0> Ethernet Device 0 Detected
1/1/1970 0:0:0> ATM: Detected
1/1/1970 0:0:0> ATM: Setting up vcc0, VPI=8, VCI=35
1/1/1970 0:0:0> Dynamic NAPT is enabled
1/1/1970 0:0:0> CfgMgr: 'Shtm.dlz' module loaded.
1/1/1970 0:0:0> CfgMgr: 'Washer.dlz' module loaded.
1/1/1970 0:0:0> Washer - washer_reg called!
1/1/1970 0:0:11> ATM Connected
1/1/1970 0:0:11> ATM layer is up, cell delineation achieved
1/1/1970 0:0:11> ADSL connected
1/1/1970 0:0:11> PPP1 PPPoE Session is established.
1/1/1970 0:0:14> PPP PAP Authentication success
1/1/1970 0:0:15> PPP1: PPP IP address is 165.165.93.220
1/1/1970 0:0:15> PPP1: PPP Gateway IP address is 165.165.80.1
1/1/1970 0:0:15> PPP1: DNS Primary IP address is 196.43.1.13
1/1/1970 0:0:15> PPP1: DNS Secondary IP address is 196.43.3.206
1/1/1970 0:0:15> NAT/NAPT Session Start: interface ppp1, WAN IP is 165.165.93.220
1/1/1970 0:0:15> Initialized Dynamic NAPT.
1/1/1970 0:0:15> Initialized NAT Virtual Servers.
1/1/1970 0:0:15> No Static Session Information is defined.
1/1/1970 0:0:15> PPP1 Session is up.
6/3/2004 22:1:24> Received time from Time Server 128.138.140.44

Notice the time difference, almost 13 hours behind !!!!

Please could others check, confirm and post their logs.
 

asmith

Well-Known Member
Joined
Oct 13, 2003
Messages
482
The time on your router has no bearing at all on the cap. It is simply used to timestamp the logs that you may look at, and sometimes to supply the time to the PCs on your LAN.
 

SirBruce

New Member
Joined
Jun 4, 2004
Messages
9
Well, what if Telkom SAIX times out the connections based on that
same bogus time?

Who says their ADSL equipment is not using the same time, causing
a conflict on the usage reports, the same usage reports which
don't have any proof or evidence like your cell phone account gives
you, validating the usage?
 

podo

Well-Known Member
Joined
Apr 16, 2004
Messages
288
SirBruce,

Upon reading your other posts I feel I should warn you that some users may perceive you as a forum troll. Please do not submit posts merely for the purpose of eliciting replies or sensation.

That aside, the time on your router or on that time server is irrelevant to the traffic monitoring system.

Traffic volumes generally seem to be calculated at around 6AM. The cap is also implemented at the time that the traffic volume is calculated, if you have exceeded it.

What you may want to consider is that someone may be stealing your traffic. If you are using the Marconi ADSL POTS router or any ADSL router device that can be remotely managed, please make sure that the username and password to manage the router, on all interfaces and via all management connections, is changed from the default.

A router running with the default password and having all interfaces open for management, can be easily compromised by an attacker. Many malicious users even scan the ADSL subnet for signs of routers that have not been secured.

Once your router is compromised, it is easy for the attacker to steal your username and password, thus allowing them to establish a PPPoE connection from their own ADSL line using your credentials. All internet accounts support at least two concurrent sessions, so it is very possible that such a bandwidth thief can be connected at the same time as you are using your connection, without you noticing him.

The traffic the thief uses will still count against your cap though, as I have pointed out in my reply to your other post, the volume cap is tied to your internet account, not your ADSL line.

If your ISP can also report the time you spent logged in, look out for strange anomalies, like having spent 48 hours online in a 24-hour day. That is a telltale sign that your bandwidth is being stolen.

Also, remember that merely changing the password on the web configuration interface, on most routers, still does not change the password for the SNMP or telnet management interfaces, which most routers have. Thus, simply changing the password on the web interface does not mean you are protected from this kind of attack.

If you suspect that your username and password may have been compromised in this way, secure your router and contact your ISP to have them change the password right away. There is no way to prove that your bandwidth has been stolen, so changing the password to stop the attacker is the only way to at least ensure that no further bandwidth is stolen.

Willie Viljoen
Web Developer

Adaptive Web Development
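
The check suggested in the post above (more time online than the day contains), written out as an added example that is not part of the original thread. It assumes the ISP can export per-session login and logout times for one account; the record layout, session ids and times below are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
# Constructed sample: (session id, login, logout) for ONE account on one day.
SESSIONS = [
    ("s1", "2004-06-01 00:00", "2004-06-01 09:30"),
    ("s2", "2004-06-01 02:15", "2004-06-01 07:45"),  # open while s1 is open
    ("s3", "2004-06-01 09:35", "2004-06-02 00:00"),
    ("s4", "2004-06-01 20:00", "2004-06-01 23:00"),  # open while s3 is open
]

def parse(sessions):
    return [(sid, datetime.strptime(a, FMT), datetime.strptime(b, FMT))
            for sid, a, b in sessions]

def online_time(sessions):
    """Sum of session durations, the way a 'time online' report adds them up."""
    return sum((stop - start for _, start, stop in parse(sessions)), timedelta())

def concurrent_windows(sessions):
    """Sweep login/logout events; return [(from, to, ids)] where 2+ sessions were open."""
    events = []
    for sid, start, stop in parse(sessions):
        events.append((start, 1, sid))   # 1 = login
        events.append((stop, 0, sid))    # 0 = logout
    # At equal timestamps handle the logout first, so a normal reconnect
    # (logout 09:30, login 09:30) is not reported as an overlap.
    events.sort(key=lambda e: (e[0], e[1]))
    open_ids, windows, since = set(), [], None
    for when, is_login, sid in events:
        if len(open_ids) >= 2 and when > since:
            windows.append((since, when, sorted(open_ids)))
        if is_login:
            open_ids.add(sid)
        else:
            open_ids.discard(sid)
        since = when
    return windows

if __name__ == "__main__":
    total = online_time(SESSIONS)
    print("time online:", total, "in a 24-hour day")
    if total > timedelta(hours=24):
        print("anomaly: more time online than the day contains")
    for start, stop, ids in concurrent_windows(SESSIONS):
        print("concurrent:", start, "to", stop, ids)
```

Overlap windows show when a second login was active, which is the period to compare against your own router's connection log before asking the ISP for a password change.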
 

SirBruce

New Member
Joined
Jun 4, 2004
Messages
9
Willie,

Hmm, I hear you! Seems so strange to be handing out incorrect
time, and have nobody else question why the time should be incorrect. I'll direct my questions to the powers that be.

cheers
 

podo

Well-Known Member
Joined
Apr 16, 2004
Messages
288
SirBruce,

It's quite odd though, the time server should not be configured by Telkom. DHCP IP assignments only include addresses for your default gateway and two DNS servers. Time server addresses are certainly not included.

All I can think is that it is hardcoded into the router firmware. Is it the Marconi router? Marconis are re-badged modems purchased from Dax Networks, in India.

If the time server is hardcoded, all your router logs are in Indian time...

Trust Telkom...

Willie Viljoen
Web Developer

Adaptive Web Development
 