Data parasites
-
@jrey said in Data parasites:
assuming it is a windows PC
Yeah we are all assuming a lot of stuff to be honest, because there is really nothing concrete to go on..
-
Once I removed the "fluff" this is what I was left with from a technical "how can I help out here point of view."
ISP is cranky because of data usage
Friday the 10th; transferred about 66 GB over 4 hours
sort of implies not every day?
andpfTop logging reports the data as going from my WAN to my PC's LAN address
might identify that culprit.
We just now have to wait for the OP to fill in the blanks. more coffee
-
Hey all,
Thanks for the feedback, sorry it's taken me long to reply - I'm still at work.
Let me try and clear it up a little more. I'm the only one using my internet; or should be. DHCP leases in PFSense show all my equipment only, and the transfer is reported by PFSense to be going to my PC from my public IP. The port that pfTop reported I believe was 1194, which was what the OpenVPN was running over. I have sense removed that though. It also hasn't happened since I removed the OpenVPN configuration. I don't have a packet capture of it happening, it usually doesn't happen when I'm home and up. It'll be overnight & when I'm at work.
This won't impact HIPAA at all, this is not a device I access work material from. In fact I rarely bring my work laptop home. To clarify it moved 66 Gigabytes over about 4 hour hours, that was not a mistype.
PC OS is 10, the latest updates are applied; I believe 22H2 now. I have checked the Windows data usage - again when it happened with OpenVPN it reported 66 - well actually about 70 GB went over.... OpenVPN.exe, so that didn't really help.My topology is like this: Modem > Netgate 1100 > tpLink 5 port managed switch and from there it breaks off to my AP; the old tpLink router put in AP mode and my PC. This problem was happening before I got the netgate though; or at least I think it was because I was getting notified by Comcast about data usage as early as June. Didn't get the Netgate until October. As far as the configuration of the Netgate it is more or less default, my home network uses a 10.x.x.x range vs. the default 192.168.x.x, and I pass it through the switch.
I did have it turned off when I was out of town recently for a few days; I checked with Comcast when I got back to see what they said I was using - right around the first of the month, it was well under 50 GB.I had darkstat running for a bit, and now use - I can't remember the name of the package but it graphs data usage and you can break it down hourly, daily, monthly. It doesn't really give information beyond wan rx, lan rx, etc etc and the amount. It doesn't break it down to actual traffic.
@jrey - it's not that I'm particularly concerned with what Comcast is saying, I don't want to incur charges for overages but I know I personally am not consuming that much data. The transfers don't happen every day but they do seem to happen enough to nearly max out my data. The pfTop report showed UDP (I think 1194, the OpenVPN server port, since removed), Public IP > Desktop PC IP, and the amount 70-something billion bytes, or about 70 Gigs. That's all it showed. My question is how I can more accurately monitor what's going on, either with pcap or maybe Firewall logging rules.
-
@SamR-0 said in Data parasites:
again when it happened with OpenVPN
So this is a openvpn server you run on pfsense so you can remote into your network when away, or a client vpn session and your PC was pulling data through the vpn because you route your pc traffic through the vpn?
-
@johnpoz I had it configured on the pfsense, I am mainly at this point interested in just making myself a little more anonymous online. It didn't do that though, it just ran through a separate VNIC and got a different IP subnet. My public IP was unaffected. As said though I've since removed it.
-
This smells like some sort of backup job running but heres a question.
How do we track down top talkers over time on pfSense? That would help in the analysis.
This is a feature that i have been asking for since forever considering a firewall/router sits at the core of your network and would be extremely helpful to see what flows go through your core device...thats just me tho..who wouldnt want visibility? -
@michmoor Bandwidthd or I think a couple of other packages can track by LAN IP. Bandwidthd does not track type of traffic IIRC, or destination.
-
@SteveITS
The only tool that works on multiple interfaces is ntopng but it doesn’t do reporting on the free edition.
The OP will need to see the flow in real time to determine what the application is and where it’s going.But let’s not jump to conclusions that it’s threat actors from RU who’s intent is to steal Netflix passwords…
Firewall: NetGate,Palo Alto-VM,Juniper SRX
Routing: Juniper, Arista, Cisco
Switching: Juniper, Arista, Cisco
Wireless: Unifi, Aruba IAP
JNCIP,CCNP Enterprise -
@michmoor said in Data parasites:
threat actors from RU who’s intent is to steal Netflix passwords…
But what about my amazon prime login - then they can get free shipping ;)
-
@johnpoz
ahh well thats a ..."Prime" target
-
@michmoor said in Data parasites:
The OP will need to see the flow in real time to determine what the application is and where it’s going.
But the OP has said that:
is the only user on the network with
my PC, the switch, the AP, my cell phone, TV & an old laptop I put Kali on.
has further identified the application as on the PCthe PC is on Windows 10
PC OS is 10,
again when it happened with OpenVPN
and since removedThere is a perfect way in the thread to verify which application on a single PC is causing the data usage. There is only 1 PC, nothing to monitor
but then goes on to say
My question is how I can more accurately monitor what's going on
but the app has been removed and is now only interested in:
I don't want to incur charges for overages
and
I am mainly at this point interested in just making myself a little more anonymous onlinewhich now has nothing to do with monitoring and the application was clearly identified cause the data overage has been removed.
So if you know that OpenVPN was the culprit was and then removed it
that makes it harder to be a "little more anonymous online."One thing that could work is simple -- unplug the WAN which then can make the claim that you are 100% anonymous.
anything else is something less than 100% or more precisely in the range of 0% to 99%The better choice, for lack of another might have been to troubleshoot the OpenVPN traffic usage issue. We didn't even get to understand how the VPN was being used or it's intended use. So everything regarding the data usage is off the table in that regard as it has been removed.
@johnpoz asked
So this is a openvpn server you run on pfsense so you can remote into your network when away, or a client vpn session and your PC was pulling data through the vpn because you route your pc traffic through the vpn?
and the reply was:
I had it configured on the pfsense, I am mainly at this point interested in just making myself a little more anonymous online. It didn't do that though, it just ran through a separate VNIC and got a different IP subnet. My public IP was unaffected. As said though I've since removed it.
-
@jrey said in Data parasites:
I had it configured on the pfsense
Yup wasn't that clear ;)
Mechanic: so is the car a manual or automatic transmission?
User: Yeah it's a car.. It had a full tank of gas, and it's red.. -
I think most VPN client setups have you alter the default gateway to be an IP of the VPN provider. When configured that way, it is possible (or even likely) that all traffic from the host to any other subnet heads first to the VPN gateway. That would be through the ISP's network. The VPN gateway might have not properly routed said traffic, but it would have gone out through the ISP anyway and counted towards the data cap.
I still lean towards a backup job of some sort. Nothing else would accumulate that amount of traffic so quickly except maybe being a Bittorrent host.
-
You can always use Snort with AppID enabled, you can have my text rules to use..
https://forum.netgate.com/topic/183210/guide-snort-s-appid-custom-rules-quick-guide-to-blocking-example-shows-openai-chatgpt-or-itunes?_=1699909924927
Check it out if you can run inline mode you can block down to application level with pfSense.
Or use it to for visibility to isolate the issue.
-
@bmeeks said in Data parasites:
all traffic from the host to any other subnet heads first to the VPN gateway
we'll never know, the OP removed the offending application. OpenVPN
-
@jrey said in Data parasites:
removed the offending application. OpenVPN
There is no possible way "openvpn" was the offending application - the whatever that was using 66GB in 4 hours might have flowed through it ;) But openvpn itself was not going to use really any data.. I mean other than maybe keep alives to the server it was connected to if it was a client setup.
-
@johnpoz said in Data parasites:
@jrey said in Data parasites:
removed the offending application. OpenVPN
There is no possible way "openvpn" was the offending application - the whatever that was using 66GB in 4 hours might have flowed through it ;) But openvpn itself was not going to use really any data.. I mean other than maybe keep alives to the server it was connected to if it was a client setup.
Yep! This ^^^
OpenVPN was simply a conduit for the traffic (at least that's how I interpret the OP's original post and follow-up).
I don't think it was anything nefarious. I suspect a configuration issue (like how things were connected and what IP addresses were assigned where) was the root cause. VPN providers love to tell you to change the default gateway so all traffic is routed to them instead of just the traffic that really "needs" to be routed to them.
-
@bmeeks said in Data parasites:
Yep! This ^^^
I never said it was..
The OP came to that conclusion and removed it. Before anyone could even find out how it was set up or the intended use case.
-
@jrey ^ yup this ;) hehehe
Very entertaining thread so far, zero info and nothing learned - but entertaining
Other that learning that RU hackers are after my netflix and prime accounts - hehehe
I mean you would think they would be busy trying to do bad stuff to Ukraine.. But hey maybe netflix accounts they sell on the black market is what is keeping their economy afloat? ;)
-
@johnpoz said in Data parasites:
zero info and nothing learned - but entertaining
Right !?
Actually a lot of "Bad traffic" that hits my FW, is actually (apparently? more likely spoofed) from AS7922. Not sure it amounts to 66GB over 4 hours however, I should check that. LOL ;-)
