WAN Traffic

Discussion in 'Internet, Connectivity and Communications' started by Boycie, Dec 20, 2006.

  1. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Last night I got up in the middle of the night and noticed the DSL light on my Zyxel 660HW was flashing like mad even though there were no machines on. :blink
    I was half asleep so didn't really take much notice.

    Tonight, it is doing the same. I did a little test with nothing running from Ubuntu with only the config page of the router open ten minutes apart (attached). The ten minute gap is with no computers on, so I don't understand why there is so much packet transfer. I am going to swop the router over, re-check and e-mail the ISP if it is the same.

    Can anyone think why there is what I think is a lot going on with no machines turned on?

    Thanks

    Si
     

    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  2. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    Boycey, although that's a few more packets than I'd expect, I would expect some as there is always going to be some overhead traffic between your router and your ISP carrying things like DHCP information and so on.
     
    Certifications: A+, Network+
    WIP: 70-270
  3. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Baba,

    That's just it matey, I don't know what is normal. I have never noticed the DSL light constantly flashing or looked at packet transfer.

    I am sure someone (Harry :biggrin ) knows exactly what is normal and possibly what is going on.

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  4. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    I just did a quick test. The two attached screenshots have a 1-minute gap between them and although I had a PC running, absolutely everything that might access the net was closed down.


    As you can see, in that minute my ADSL modem received 232 bytes and transmitted 24 bytes.

    Do you use any p2p programs? I've found that you receive traffic from those networks even if you're not running the application at the time. I guess they are "pings" to see if your node is active. I imagine that could account for a fair amount of traffic over time.
     

    Certifications: A+, Network+
    WIP: 70-270
  5. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Hi Baba,

    No, I don't use any peer to peer software and although I haven't sat looking at the DSL light for any given amount of time, I guess I just haven't noticed it.

    Edit- I am sure it never used to flash like that. :dry

    Merry Christmas

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  6. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    Guess we'll just have to wait for Harry...:D
     
    Certifications: A+, Network+
    WIP: 70-270
  7. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Is the Zyxel attached to the Internet? Why wouldn't packets from the Internet cause the activity light to flicker, even with no active PCs on your network?
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  8. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Mike,

    The light is working correctly if there is traffic, but the reason I started the thread was because I don't know what is *normal*- I have never noticed the light flashing constantly.

    I have had it for over a year, been with the same ISP for six months and it is placed where the activity lights are viewable easily.

    It doesn't seem to make any difference whether there are any machines on or not.

    A confused Si.
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  9. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Hm. I always see activity on my Charter cable Internet connection.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  10. zebulebu

    zebulebu Terabyte Poster

    Boycey

    Absolutely normal background noise mate. As well as things like DHCP activity from your ISP, you have to take into account the regular background net scans from things like Slammer, MyDoom, Messenger Spam & crap like that. Also, even with nowt running, you've probably still got things like WMP, Winamp, Acrobat (Adobe's stuff is amongst the worst) and RealPlayer 'phoning home' on a regular basis.

    Just to put your mind at rest, here's the last few minutes of my firewall logs - inbound only:

    [image: firewall log screenshot, inbound entries]

    If you really want to have a peek at what's going on, get yourself some SNMP logging set up on your router/firewall. You'd be surprised at just how much traffic there is out there!
     
    Certifications: A few
    WIP: None - f*** 'em
  11. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Zeb,

    Thanks for that mate. I think it isn't the light on the router's fault, it's my light - I'm turning into a geek! :)

    I have just downloaded Wallwatcher, although having a bit of trouble getting it to talk to the Zyxel unit - it is on their approved list.

    Thanks again.

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  12. zebulebu

    zebulebu Terabyte Poster

    No worries - and if you think YOU'RE a geek for caring, you should see what I do with MY firewall logs every month!

    Suffice it to say it involves Excel spreadsheets, reformatting, importing to a database on SQL Server and compiling charts & graphs back in Excel.

    Now THAT'S sad :oops:
     
    Certifications: A few
    WIP: None - f*** 'em
  13. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Zeb,

    Blimey, you have just removed my beard and long hair! :)

    Seriously, where would you say a lot of the crap comes from? People port scanning from overseas?

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  14. zebulebu

    zebulebu Terabyte Poster

    Well, the vast majority of activity you'll see is from Bots or compromised/unpatched Windows boxes. This goes for pretty much all scans for ports 1025-1033 (Messenger spam), port 135/137/139/445 (Windows share vulnerabilities - usually Bugbear, Sasser etc), 3127 (MyDoom), 1433/1434 (Slammer or SQL Server connections) and a whole host of others.

    There are much, much less frequent attempts for less well-known exploits that turn up in my logs from time to time. For instance, a couple of months back I started to see a few hits on port 6129 (looking for Dameware) and port 27374 (SubSeven). These lasted about two weeks and were very sneakily spread out. This type of activity is usually more indicative of an 'active' attempt to hack you - but it takes patience (or a pretty good IDS) to discover them.

    Speaking of IDS - I run Snort with the ACID console on a Windows box - logging to SQL Server with IIS running PHP. It works an absolute treat (when I can be arsed to turn it on, which, at the moment, isn't very often cos I've got six other boxes running pretty much 24/7 - my last leccy bill was £285 for a quarter :eek: ) and provides pretty much all the functionality of a commercial IDS for free...

    I find it fantastically entertaining when a new worm breaks out just to watch how my scans go through the roof. When Slammer hit a few years back, I saw compromised boxes on the local Telewest subnets hit my box like buggery - it was pretty funny to get all those calls from the DBAs I'd worked with previously saying that none of their systems worked and they were being screamed at left right and centre by their bosses. Of course, I knew all this in advance from watching my firewall logs and hanging around on newsgroups... and all the DBs I managed were nicely patched on networks that didn't expose 1433/1434 to the Internet :biggrin

    Sometimes being a nerd has its benefits...
     
    Certifications: A few
    WIP: None - f*** 'em
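The port list above is the kind of thing a home user can turn into a simple triage script. The following is an added example, not code from anyone in this thread: it parses a handful of constructed inbound-drop log lines (the line format is an assumption made for the example, not the format of any particular firewall), labels each hit using the ports zebulebu names, counts hits per label, and then picks out the "low and slow" cases, labels with only a few hits spread across more than one day, which is exactly the pattern the post says takes patience to spot.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed (hypothetical) log line format for this example:
#   "<YYYY-MM-DD> <HH:MM:SS> DROP <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Destination-port labels taken from the ports named in the post.
PORT_LABELS = {
    135: "Windows share probe", 137: "Windows share probe",
    139: "Windows share probe", 445: "Windows share probe",
    3127: "MyDoom backdoor probe",
    1433: "SQL Server / Slammer", 1434: "SQL Server / Slammer",
    6129: "DameWare probe",
    27374: "SubSeven probe",
}
MESSENGER_RANGE = range(1025, 1034)  # 1025-1033, Messenger spam


def classify_port(port):
    """Map a destination port to a label; anything unlisted is 'other'."""
    if port in MESSENGER_RANGE:
        return "Messenger spam"
    return PORT_LABELS.get(port, "other")


def parse_line(line):
    """Return a dict for a well-formed line, or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    dport = int(m["dport"])
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": m["proto"],
        "src": m["src"],
        "dport": dport,
        "label": classify_port(dport),
    }


def summarize(lines):
    """Count hits per label and record the distinct days each label was seen."""
    counts = Counter()
    days = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than abort the report
        counts[rec["label"]] += 1
        days[rec["label"]].add(rec["ts"].date())
    return counts, days


def slow_probes(counts, days, max_hits=5, min_days=2):
    """Labels with few total hits but seen on several distinct days:
    the spread-out pattern the post describes for DameWare/SubSeven hits."""
    return sorted(
        label for label in counts
        if label != "other" and counts[label] <= max_hits and len(days[label]) >= min_days
    )


# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """
2006-12-18 01:02:03 DROP TCP 198.51.100.7:3104 -> 203.0.113.5:445
2006-12-18 01:02:09 DROP TCP 198.51.100.7:3105 -> 203.0.113.5:139
2006-12-18 01:03:30 DROP TCP 198.51.100.7:3106 -> 203.0.113.5:445
2006-12-18 01:04:15 DROP TCP 198.51.100.8:3200 -> 203.0.113.5:135
2006-12-18 01:05:44 DROP UDP 192.0.2.44:1026 -> 203.0.113.5:1026
2006-12-18 01:06:10 DROP UDP 192.0.2.44:1027 -> 203.0.113.5:1027
2006-12-18 01:09:51 DROP TCP 198.51.100.90:2222 -> 203.0.113.5:3127
2006-12-18 01:10:02 DROP UDP 192.0.2.18:4444 -> 203.0.113.5:1434
2006-12-18 23:40:12 DROP TCP 203.0.113.77:51000 -> 203.0.113.5:6129
2006-12-19 01:01:00 DROP TCP 198.51.100.7:3300 -> 203.0.113.5:445
2006-12-19 14:22:37 DROP TCP 203.0.113.77:51231 -> 203.0.113.5:27374
2006-12-20 02:14:07 DROP TCP 198.51.100.12:1050 -> 203.0.113.5:445
2006-12-20 19:48:55 DROP TCP 203.0.113.77:52002 -> 203.0.113.5:6129
2006-12-20 19:49:10 DROP TCP 198.51.100.33:61000 -> 203.0.113.5:80
not a log line
""".strip().splitlines()


if __name__ == "__main__":
    counts, days = summarize(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label:24s}  seen on {len(days[label])} day(s)")
    print("low-and-slow candidates:", slow_probes(counts, days))
```

Run against the sample, the mass worm noise (the share probes) dominates the counts, while the two DameWare hits two days apart are the only thing the slow-probe filter reports, which is the distinction the post draws between background scanning and an attempt worth a second look. Thresholds of five hits and two days are arbitrary starting points; tune them against your own log volume.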
  15. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Zeb,

    Thanks for a good explanation - you have cleared up a lot of my questions.

    I seem to recall in previous posts you favouring Linksys boxes because you can nuke them and install a *nix based system with a good range of utilities. A *quick* Google brought up many wireless mods. What do you use?

    Merry Christmas

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  16. zebulebu

    zebulebu Terabyte Poster

    Hey mate

    I use the WRT54G. It's a fantastic piece of kit - but beware of getting one that can't be tinkered with. Linksys threw their toys out the pram a year or so ago and changed the onboard gubbins that allowed you to modify the firmware - basically crippling it so that there wasn't enough memory to run anything other than the bog standard Linksys firmware.

    There's a couple of very good articles around that list the specific model/revisions that are moddable - I'll dig them out when I get the chance.

    As for firmware, I've used lots of different kinds - Alchemy from Sveasoft, DD-WRT and HyperWRT and have concluded that, whilst DD-WRT gives the best range of options, HyperWRT is by far the most stable out there. I have flashed tons of WRT54Gs and NEVER bricked one with HyperWRT, but haven't had the same success ratio with DD-WRT. That said, HyperWRT doesn't support SNMP and, as it's not maintained any more, support for it isn't likely to be added (I miss being able to graph traffic using PRTG/MRTG :cry: )

    Sveasoft is a different matter entirely - I won't use their stuff on general principle owing to the company owner's (ahem) 'liberal' interpretation of the GPL - for more info on that, just Google 'SveaSoft' and 'GPL'...

    This link gives a potted history of the controversy.
     
    Certifications: A few
    WIP: None - f*** 'em
  17. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Zeb,

    Interesting read. It is a shame someone has taken their own *view* on GPL. :dry

    If you do find anything else on modding the WRTs I'd love to read it.

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
