SERIOUS UNWANTED AND UNSTOPPABLE TRAFFIC

antowan

Honorary Master
Joined
Nov 1, 2003
Messages
13,054
Good day MyADSL friends,

I have been robbed today! Yes, I have been robbed of more than 2/3rds of my bandwidth due to some anomaly on my ADSL line. The firewall picked up the anomaly but even though it denied access to whatever it was the originating address was looking to access, it counted huge volumes of traffic on my machine. How is this possible? Some machine wants to access my PC and I have to pay for it!

The funny thing is that I tried to reconnect to the ADSL network a number of times in the hope of getting the dynamic address, (which Telkom forces down our throats) to change but it did not want to change. After I was capped, I got a new address, which summarily ended the problem of the hectic traffic on my account with the added advantage of now being unable to browse outside the borders of our lovely country…

I am seriously peeved.

Regards
Antowan


He who does not understand the value of war at the right time, cannot comprehend the value of life at any time - Anonymous
 

rpm

Admin
Staff member
Joined
Jul 22, 2003
Messages
66,740
Hi Antowan

I have reported the matter to Telkom management and they have sent it to the technical department (confirmed). I will let you know as soon as I hear anything more…

Regards,

RPM
rpm@myadsl.co.za
 

mbs

Expert Member
Joined
Nov 19, 2003
Messages
2,246
ANT/RPM - this could very well be the first inkling of a major inadequacy in the service (besides the 'normal' ones we all know about) - would appreciate you insisting that full disclosure be made of their findings (which includes technical details), for posting on this forum. No management or marketing spin on the outcome, please...
 

Tharaxis

Senior Member
Joined
Aug 9, 2003
Messages
560
This would be an obvious problem from the get go, there's no way Telkom can differentiate traffic that has been firewalled on your side, so basically anything that comes to you, unsolicited or not is counted.

It's simple for unsolicited traffic to cap you, and that's all there is to it. Nothing you can do. That and the fact that Telkom's dynamic IP "excuse" of it being safer to have one is absolutely ridiculous, because even if you manually disconnect, you are often reassigned the exact same IP you had (unless of course you get capped, then it's VERY efficient and assigns you a new IP straight away).

It's a ridiculous system, with such an obvious loophole, but there's nothing you can do. This is, after all, Telkom we're talking about.
 

dikbek

Well-Known Member
Joined
Mar 28, 2004
Messages
119
So would a DOS attack to the 165 net cap all of the adsl addresses? Wow that's scary!
 

podo

Well-Known Member
Joined
Apr 16, 2004
Messages
288
dikbek,

If somebody managed to get their hands on the resources you would need to DDoS an entire class B subnet, then yes, it could have such an effect.

Willie Viljoen
Web Developer

Adaptive Web Development
 

mbs

Expert Member
Joined
Nov 19, 2003
Messages
2,246
THARAX - yup, we're aware of the downright idiocy of the mechanism Telkrap uses, but the point is that this may be the first direct evidence (to my knowledge) of an ADSL client being disadvantaged (or, as ANT put it, being robbed), where the policy can be shown up to be useless, by focus on a purely technical matter or mechanism implemented to give realisation to the policy. And this without the usual marketing spin and responses of 'equable service for all' or 'expensive bandwidth' (all of which have been used to ostensibly justify the cap in the past). Which is why I asked ANT/RPM to insist on full disclosure...
 

neobyte

Well-Known Member
Joined
Oct 30, 2003
Messages
387
Antowan, a similar thing happened to me a while back. You just have to get hold of the right person. I think Telkom will reimburse your lost bandwidth because they "should" have picked up something similar on their side.
 

antowan

Honorary Master
Joined
Nov 1, 2003
Messages
13,054
Hi guys,

No joy from Telkom or Mweb's people yet. I sent out an email to said parties outlining what happened for the 2nd time yesterday.

Regards
Antowan

He who does not understand the value of war at the right time, cannot comprehend the value of life at any time - Anonymous
 

Echo

Active Member
Joined
May 12, 2004
Messages
35
Just tagging, to keep a watch on this situation. I'm interested to hear the outcome!
 

antowan

Honorary Master
Joined
Nov 1, 2003
Messages
13,054
A response from Mweb. Interesting to note that the tech guy that answered the 1st call sent me a MyADSL forum post on how to safeguard the ADSL router... This response is from the MWeb Abuse dept...

Hi Andre

We'll look into it. Can you confirm the client's MWEB ADSL username. We can get SAIX to investigate whether or not the data was transferred along his ADSL line. (or whether someone else was using his username and password from their own ADSL line). If it was on his line, the capping was correctly enforced. We will assist in resolving the problems if possible or provide what information we can.

IP addresses for ADSL connections are assigned by Telkom / SAIX, being the owners of the ADSL network / infrastructure, and not by MWEB. The same goes for any ADSL user in the country, regardless of the ISP through which they have their connectivity. General indications from our logs are that in many cases the same IP address will keep getting re-assigned to the same username for a 24 hour period. I have noticed a few cases where this has extended to a number of days.

Brilliant article, B-T-W.

Kind regards
Richard Vice
Security & Abuse Administrator
Tel: + 27 021 5968504
Fax: + 27 021 5968915
abuse@mweb.com
mailabuse@mweb.com

MWEB Head Office, Private Bag X001, N1 City, Cape Town, South Africa, 7463
www.mweb.co.za

MWEB: SA's trusted and reliable Internet Service Provider. Just Like That.


He who does not understand the value of war at the right time, cannot comprehend the value of life at any time - Anonymous
 

mbs

Expert Member
Joined
Nov 19, 2003
Messages
2,246
ANT - only the first para of Vice's response says anything definite (the man's surname is interestingly appropriate, given the nature of his position title at MWeb) - the second merely re-stated that which we all know. His statement "If it was on his line, the capping was correctly enforced" is that which must be challenged, for the simple reason that the data volume did not originate from yourself, and you've consequently been unfairly disadvantaged (marginalised?!). There is no way that the capping can be seen to be 'correctly enforced' under such circumstances, obviously. I'd be interested in seeing the outcome of Vice's review of the logs received from SAIX, as well as what actions have been taken to identify and correct the cause...
 

antowan

Honorary Master
Joined
Nov 1, 2003
Messages
13,054
22h01

It is happening again. Very strange. Port scanning running up and down the port number list. Much like SASSER methinks. All of a sudden and out of the blue. I have run 2 different virus checkers to see if it might be a virus on my side and nothing pops up. Thus I cannot find the virus if it is on my PC. Ran Ethereal and some of the communication is from my PC and a lot from external IPs on the ADSL IP net. I have the Ethereal logs so please ask me if you would like to have a look at them.

I am at a loss here guys. I hate not being in control and it has cost me a lot of money... Anybody have any clues??? Is anybody else experiencing this? Maybe a new virus? If so, should we expect to be charged for its consequences?

Cheers
Antowan
 

antowan

Honorary Master
Joined
Nov 1, 2003
Messages
13,054
22h34

Quiet again...

??????

He who does not understand the value of war at the right time, cannot comprehend the value of life at any time - Anonymous
 

mbs

Expert Member
Joined
Nov 19, 2003
Messages
2,246
Hey ANT - mail me an extract of the logs, please - mebbe I can suss something out, or at least give it a try - /aside to TheRodent and Podo: any help you guys can offer would surely be appreciated, I'm sure...
 

antowan

Honorary Master
Joined
Nov 1, 2003
Messages
13,054
Hi

You can download the LOGs at the following locations:

http://www.antowan.com/adsl/ethereal040629

http://www.antowan.com/adsl/ethereal0406291005

Note that it is in Ethereal native format. I will convert it later today. (Not at the machine currently.)

Cheers
Antowan

He who does not understand the value of war at the right time, cannot comprehend the value of life at any time - Anonymous
 

MrGoodbyte

Member
Joined
Jul 15, 2004
Messages
10
Hi guys, I am getting a similar situation on my side.
I am getting at least 50Megs per day of attacks (Port Scans and DOS attacks) reaching my Netgear Router. They are immediately squashed; however, it is the middle of the month and Telkom are going to CAP me within the next week.
I think there is a serious problem here, it is definitely not originating on my side as my server logs are clean, no sends, no receives.
I have blocked all ports incoming but Telkom is still racking up the attacks as downloads.
I phoned Telkom last night and they said that I must send as much information as I can to abuse@saix.net so I have sent about 1000 lines of attack information but have gotten no response from them.

I am very despondent as I bought ADSL for the permanent connection features and now it seems that I am going to have to unplug my modem and use it like Dial-up.

What do you guys recommend?

Thanks
Mr Goodbyte
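
An added example, not part of any post in this thread: one way to turn a pile of dropped-packet log lines into the per-source evidence an abuse desk can act on, showing how many bytes arrived although the firewall never accepted them and which sources swept across ports. The log format, addresses (documentation ranges) and cap size are constructed assumptions, not a real router's output.

```python
from collections import defaultdict

# Constructed sample of inbound packets the firewall dropped.
# Hypothetical line format: "time src_ip dst_port bytes"
SAMPLE_LOG = """\
22:01:03 198.51.100.7 135 48
22:01:03 198.51.100.7 136 48
22:01:04 198.51.100.7 137 48
22:01:04 198.51.100.7 138 48
22:01:05 198.51.100.7 139 48
22:01:09 203.0.113.20 445 1500
22:01:09 203.0.113.20 445 1500
22:01:10 203.0.113.20 445 1500
22:01:12 192.0.2.55 80 60
"""

def parse(log_text):
    """Yield (src, port, size) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        yield parts[1], int(parts[2]), int(parts[3])

def summarise(log_text, scan_ports=5):
    """Per-source byte totals and a port-sweep flag for dropped inbound traffic."""
    bytes_by_src = defaultdict(int)
    ports_by_src = defaultdict(set)
    for src, port, size in parse(log_text):
        bytes_by_src[src] += size
        ports_by_src[src].add(port)
    return {
        src: {
            "bytes": total,
            "distinct_ports": len(ports_by_src[src]),
            # Many distinct ports from one source looks like a scan,
            # few ports with large volume looks like a flood.
            "port_sweep": len(ports_by_src[src]) >= scan_ports,
        }
        for src, total in bytes_by_src.items()
    }

def cap_share(report, cap_bytes):
    """Fraction of a usage cap consumed by traffic that was never accepted."""
    return sum(r["bytes"] for r in report.values()) / cap_bytes

if __name__ == "__main__":
    rep = summarise(SAMPLE_LOG)
    for src, r in sorted(rep.items(), key=lambda kv: -kv[1]["bytes"]):
        print(src, r)
    assumed_cap = 3 * 1024**3  # assumed cap size, not stated in the thread
    print(f"{cap_share(rep, assumed_cap):.6%} of the assumed cap")
```
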
 

MrGoodbyte

Member
Joined
Jul 15, 2004
Messages
10
An update on this situation. Willy from SAIX came back to me and sent me his logs corresponding to the ones I sent him. All these logs show me is the bandwidth (Up/Down) which has been flowing against my account. Essentially this includes all attacks SENT to my router, originating from another user. These are logged to ME as DOWNLOADS.
I replied to Willy about this over a week ago and he has not come back to me as yet.
When he sent me the logs he also said I could ask questions at support@telkomsa.net and abuse@telkomsa.net
I have sent recent logs to them with no response as of yet.

I feel like I am running 512 ISDN because I have to "dial-up" only when downloading web pages so I minimise the time my router is connected to the internet.
Thanks Telkom for introducing me to Always on internet. (Honestly that wasn't sarcasm[:p])
 

Karnaugh

Banned
Joined
Jul 23, 2003
Messages
1,575
I noticed this traffic a few weeks ago and logged it with SAIX. The ticket is still open and there has been no response (it was logged with helpdesk@saix and with abuse@saix.net)

- Colin Alston
colin at alston dot za dot org

"Getting traffic shaping right is easy and can be summed up in one word: Dont." -- George Barnett
 

antowan

Honorary Master
Joined
Nov 1, 2003
Messages
13,054
Hi

Thus it is safe to say that Telkom will only help you if they really, really, reeeeaaaaaallllllyyyy feel up to it...

[V]



quote:
Originally posted by Karnaugh
I noticed this traffic a few weeks ago and logged it with SAIX. The ticket is still open and there has been no response (it was logged with helpdesk@saix and with abuse@saix.net)

- Colin Alston
colin at alston dot za dot org

"Getting traffic shaping right is easy and can be summed up in one word: Dont." -- George Barnett

<<<>>>Black holes are where God divided by zero.<<<>>>
 