What is stealing my bandwidth?

Sl33py

Well-Known Member
Joined
Mar 11, 2009
Messages
262
Good day.
My client’s Internet usage history is as follows:
June 2010 - 2.4GB
July 2010 - 2.2GB
August 2010 - 2.9GB
September 2010 - 5.0GB (capped in the middle of the month)

I am running IPCOP and it is blocking any download bigger than 5mb, except on the manager's PC.
I also have Hmailserver installed and they can’t send emails bigger than 5mb. They can’t access YouTube or Facebook, streaming, etc.

The network connects to IPCOP and then to the ADSL router, which is on a different IP address range; all traffic has to go through IPCOP to reach the internet and then gets logged.
In my logs I get 16729 MB for the internet and 337 MB for email, which totals 2016MB, which is more in line with our normal usage.

As a safety net I run OpenDNS, which stops users from running proxy/anonymizer and P2P/file sharing.
The ISP says they can only see what the daily usage and total usage is for our connection.

How do I find out where all the bandwidth went to and how do I stop it from happening again?
 

karnuffel

Expert Member
Joined
Jul 5, 2010
Messages
4,777
I'm not an expert at all (hehe, my disclaimer) but do you have Windows Update switched on?
 

Sl33py

Well-Known Member
Joined
Mar 11, 2009
Messages
262
On some of the PCs. IPCOP has Update Accelerator on, so it should cache the updates. Not sure how my max 5mb download setting affects the Windows updates? Which one will take precedence?
 

Jola

Honorary Master
Joined
Sep 22, 2005
Messages
20,124
I noticed some rather large Windows updates going through recently (about two weeks ending 17 Sep).
 

stevovo

Expert Member
Joined
Apr 24, 2008
Messages
1,496
Isn't it possible that if the Windows update is larger than 5mb, it fails and tries to redownload it again and again...

Just a guess though.

Try checking the Windows updates log and see if there are a bunch of "failed" entries.
 

Splice

Senior Member
Joined
Feb 8, 2010
Messages
655
Is IPCOP running on a server or is it running on all the PCs? You need something that can monitor the modem/router's traffic; this way you will at least know which user/computer the suspect is.

OK, so I googled IPCOP; not familiar with it. But it doesn't show you the traffic per user. I would recommend something like MRTG, Squid, Sarg.
 
Last edited:

solo7

Well-Known Member
Joined
Dec 14, 2009
Messages
237
Check your monthly usage per day... and then check on which days downloads are not high... and maybe see who was out of the office on the low download days... then raid their PC...
 

MickZA

Executive Member
Joined
Jan 19, 2007
Messages
7,575
Some suggestions:

1) Check out the TCAR addon for IPCop (Traffic Control And Report) http://www.onmind.ru/tcar/tcaren.htm

2) Change your ISP password

3) Adjust the Windows auto update settings so 1 PC can download the lot and the rest can use the Update Accelerator proxy

4) Check Update Accelerator has sufficient available cache space
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,155
Check what port nums are connecting to the ISP a/c. ISP should be able to tell you. For some you can even check yourself.

If that's a dead end then either someone is connecting to the router without going through the IPCop (e.g. wireless) or the IPCop box got hacked.

Also, routers keep track of how much data goes through them. Pick a timeframe and compare what the IPCop box logs w/ what the router says.
 

Kroks

Well-Known Member
Joined
May 27, 2009
Messages
158
Have a look at how many Update Accelerator processes are running in the background. I have had it in the past that a Windows update fails (was with a Vista service pack). The line that was used was unstable to say the least, so we ended up with 10 Update Accelerator processes trying to download the same update. Burned thru 5 gigs in a day....

edit: I don't think that Update Accelerator gets logged in your proxy logs, but you should see the spike on the interface logs. Also have a look at the ISP's customer page; most of them will show you your usage per day. Also have a look at all the concurrent connections that are logged by the ISP (most of them should show this).
 
Last edited:
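
The per-client breakdown and the repeated-download check suggested in the replies above can be run over the proxy log itself; this is an added example, not code from any poster, and it assumes IPCop's web proxy (Squid) is writing its native access.log format, with constructed sample lines embedded. It only sees traffic that passes the proxy, so the totals still need comparing with the router or interface counters.

```python
from collections import Counter, defaultdict

# Constructed sample lines in Squid's native access.log format
# (time elapsed client code/status bytes method URL ident peer type).
SAMPLE_LOG = """\
1284715200.101 5012 192.168.1.20 TCP_MISS/200 4900000 GET http://updates.example.test/sp2.cab - DIRECT/203.0.113.10 application/octet-stream
1284715260.442 4987 192.168.1.20 TCP_MISS/200 4900000 GET http://updates.example.test/sp2.cab - DIRECT/203.0.113.10 application/octet-stream
1284715320.873 5120 192.168.1.20 TCP_MISS/200 4900000 GET http://updates.example.test/sp2.cab - DIRECT/203.0.113.10 application/octet-stream
1284715400.010 210 192.168.1.31 TCP_MISS/200 182000 GET http://news.example.test/ - DIRECT/203.0.113.20 text/html
1284715410.555 12 192.168.1.31 TCP_HIT/200 95000 GET http://news.example.test/logo.png - NONE/- image/png
garbage line that should be skipped
"""

def parse(lines):
    """Yield (client, result_code, bytes, url) for each well-formed line."""
    for line in lines:
        f = line.split()
        if len(f) < 7 or not f[4].isdigit():
            continue  # skip truncated or malformed entries
        yield f[2], f[3].split("/")[0], int(f[4]), f[6]

def usage_per_client(lines):
    """Total bytes delivered to each client, plus the part fetched upstream."""
    total, upstream = Counter(), Counter()
    for client, code, size, _url in parse(lines):
        total[client] += size
        if "HIT" not in code:  # approximation: *_HIT codes are served from cache
            upstream[client] += size
    return total, upstream

def repeated_fetches(lines, min_count=3):
    """Find (client, url) pairs fetched from upstream min_count or more times."""
    seen = defaultdict(lambda: [0, 0])  # (client, url) -> [count, bytes]
    for client, code, size, url in parse(lines):
        if "HIT" not in code:
            seen[(client, url)][0] += 1
            seen[(client, url)][1] += size
    return {k: tuple(v) for k, v in seen.items() if v[0] >= min_count}

if __name__ == "__main__":
    rows = SAMPLE_LOG.splitlines()
    total, upstream = usage_per_client(rows)
    for client, size in upstream.most_common():
        print(f"{client}: {size / 1e6:.1f} MB upstream of {total[client] / 1e6:.1f} MB")
    for (client, url), (n, size) in repeated_fetches(rows).items():
        print(f"retry loop? {client} fetched {url} {n}x ({size / 1e6:.1f} MB)")
```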

Ry4n

Senior Member
Joined
Feb 5, 2006
Messages
870
I agree with HavocXphere.
On my ISP it even tells you the phone number of the line that is using your account. Try calling them :p
 

Sl33py

Well-Known Member
Joined
Mar 11, 2009
Messages
262
They are with ISAT, will check the Update Settings and look at that TCAR add on.
Think I am going to get them to enter a username and password before they can access the net.
 

Sl33py

Well-Known Member
Joined
Mar 11, 2009
Messages
262
The router is on 10.0.0.2 and IP Cop is on 10.0.0.3 and the other side of the network is on 192.168.x.x.
I keep getting this warning: UDP Packet - Source:208.67.222.222 Destination:10.0.0.3 - [PORT SCAN]
 

EchoZA

Expert Member
Joined
May 26, 2005
Messages
4,416
Got a better one for you, I'm on un-capped. Went away for the weekend and turned off all PCs and unplugged the power to the router before I left, and when checking after I got back, there was bandwidth used on my account :)
 

rebel998

Expert Member
Joined
Dec 3, 2007
Messages
3,519
Who is your ISP?

I got the same thing some time ago, when using a WISP.

 