[SOLVED] Massive uploads from my Internet account

ravin_29

Prominent
Mar 24, 2019
38
0
530
0
Hi,
I have Dlink DIR 615 router and ISP gives me PPPoE connection with Public IP. Sometimes there are massive uploads from my account on to the Internet. In excess of 20 - 30 GB in 3 - 4 hours. I know it because even when no device is connected to the router, the Internet LED glows rapidly. I can then cross verify with ISP provided data upload/download reports. This issue stops after I reboot the router.
I have been investigating and have eliminated most of the possibilities like
  1. Router is well secured, WPS disabled and long WPA2 password. Ping disabled, no port forwarding
  2. No one knows my PPPoE userid/password and connection has some sort of physical port binding to the CPE device
  3. No unidentified devices seen in router logs when it happens.
Unfortunately support from ISP is almost nothing. They have not provided any explanation or support.
Now the question is, can Internet attacks on the router cause massive data uploads in anyway? Is it possible?

Whatever is happening is definitely happening on router itself either wired to ISP on WAN port or wireless way as I find Internet LED rapidly blinking when it happens. Reboot however stops it. Reboot would generally acquire a different Public IP.

I am trying to link all these pieces together. Any inputs would be greatly appreciated. Thanks.
 
Last edited:
It is not likely the router itself. The router does not have anyplace to store those large amounts of data. I think it was asus that had the ability to have the router act as a torrent server and serve up files from a USB attached device. It is/was a very strange feature that I can't believe was even included.

I would completely disable the wifi radios and see if it still happens. I would leave just 1 pc connected via ethernet. Most routers have some ability to see open sessions or how much data is being transfer over the wan. You will need to check the manual. You can verify it is not this last pc by watching the resource monitor network tab. It would show any traffic going to the internet from that pc.

If it keep happening and you really want to know I would get a small switch that has port mirror/monitor ability. You could then insert it between the router and the modem and use wireshark to capture all the traffic. You would at least get the IP addresses the data was going to on the internet even if it was all encrypted.
 
Reactions: ravin_29
It is not likely the router itself. The router does not have anyplace to store those large amounts of data. I think it was asus that had the ability to have the router act as a torrent server and serve up files from a USB attached device. It is/was a very strange feature that I can't believe was even included.

I would completely disable the wifi radios and see if it still happens. I would leave just 1 pc connected via ethernet. Most routers have some ability to see open sessions or how much data is being transfer over the wan. You will need to check the manual. You can verify it is not this last pc by watching the resource monitor network tab. It would show any traffic going to the internet from that pc.

If it keep happening and you really want to know I would get a small switch that has port mirror/monitor ability. You could then insert it between the router and the modem and use wireshark to capture all the traffic. You would at least get the IP addresses the data was going to on the internet even if it was all encrypted.
 
Reactions: ravin_29
Because this is an older model, there is a good chance that somehow the router has been compromised and hence the router is being used to attack other sites on the Internet at full speed.

I would start by defaulting the router's configuration. If it still does it. Upgrade or downgrade the firmware to get rid of the infected firmware. I would do this when disconnected from the Internet as I suspect as soon as you reconnect it that it will be re-infected.

If it gets reinfected, install the newest firmware and see if that works. If not, you'll need to get another router that won't get infected like this. You can still use the existing one as an access point, but make sure there is no access to the router from the subnet you are using it on by changing the ip address on the router to a static one outside your normal IP range.
 
Reactions: ravin_29

ASK THE COMMUNITY