cancel
Showing results for 
Search instead for 
Did you mean: 

Usage spike

flighty
Newbie
Posts: 2
Registered: ‎15-09-2012

Usage spike

Hey all,
First post here so be gentle Smiley
I have the Plusnet 60gb a month account, which is just enough for my household (but only just).
Heavy users in our house. Which roughly equates to 2gb a day.
We had a bit of shock though when we noticed that 25gb was used last Thursday. I was at work and my son, who is a computer science student checked the logs from our Netgear router and it looks like our connection was somehow breached and hijacked. The firewall is up and running, so he tells me. He checked the logs and the vast majority of the hijacked usage was being directed via China (no surprise there). Most of the usage type was detailed as streaming on the Plusnet website. No one in the house even remotely would come close to that in one session. He checked the router logs in detail and he thinks that somehow they found a vulnerability via an iPad that was connected as he identified its IP address as being the one they used as the 'carrier'.
This has left us a little bit shocked to say the least. Our only defence was to restart the router to get a new IP address. The router at the time had been on the same IP for 6 consecutive days.
We did a search on the internet and didnt turn up any similar stories so we are completely baffled. Thanks goodness for dynamic IP allocation. At least we know when we restart there is no way they can find us again.
I am just gutted we now have less than half our usage allowance left and are only 5 days into the month!
Anyone had anything similar happen?
Cheers for now.
4 REPLIES 4
CX
Grafter
Posts: 750
Thanks: 4
Registered: ‎16-09-2010

Re: Usage spike

Were these Chinese IP addresses definitely associated with the usage, or just intrusion attempts that the router thwarted?
Could there be a less sinister explanation - perhaps the iPad was downloading iTunes purchases, or iCloud synchronisation (onto the iPad rather than out of it), or Video podcast (vodcast) subscriptions updating?
I imagine that if it was 25GB in one day it wasn't iCloud uploading of your photos (since 1Mbps upload maxed out can only manage around 10GB per day, and 448kbps even less). That suggests that it was all, or mainly, downloads of some sort.
Is the iPad jailbroken, or stock?
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Usage spike

Regardless of your current issue, if 60GB is tight for you there's a 120GB option available if you look at Extra Usage at https://portal.plus.net/wizard/?wizard_id=20
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
flighty
Newbie
Posts: 2
Registered: ‎15-09-2012

Re: Usage spike

Thanks jelv for the tip... I will look into that. Didn't know that option existed.
Thanks CX23880 for your suggestions as well.
The IP addresses were associated with the usage and there were multiple ones involved, majority being Chinese and several were from Taiwan. It almost suggest a botnet type of attack. My thinking being there is some sort of hole perhaps in Safari for iPad that they have discovered, as it is Safari that is most active most on that iPad.
interesting thoughts as regards iCloud but I don't have the photo upload option turned on as yet in iCloud.
Also, I don't subscribe to any Video podcasts at all and that would be a huge amount of iTunes purchases.
The iPad is a 2nd gen and is stock and not jailbroken at all.
It would be nice to get an idea of what happened as it is a worry.
It is even more annoying and embarrassing as I operate quite a strict security regime, with password changes on a regular bases. And I consider myself more knowledgable than most in these things....
Just proof that you are never as completely safe as you think you are.
WWWombat
Grafter
Posts: 1,412
Thanks: 4
Registered: ‎29-01-2009

Re: Usage spike

Quote from: flighty
Our only defence was to restart the router to get a new IP address.

Are you sure about that?
It is possible for someone to direct unrequested packets (such as in a DDoS attack) which would be considered to be part of your usage, and possible for those packets to be made huge. This isn't standard usage of IP, but is certainly possible. However, it just isn't very likely.
It is thus rather more likely that the usage came from established connections.
However, the presence of a firewall makes it unlikely that a connection would be made incoming... so the likelihood is that it is an outbound connection made from something on your side of the firewall. And if that is true, then it is unlikely to care about the IP address, nor about whether the router has been restarted.
Note that this is about the direction of establishment of the connection, which is different from the direction that the bulk of the usage went in.
Plusnet Customer
Using FTTC since 2011. Currently on 80/20 Unlimited Fibre Extra.