Data parasites

SamR 0

Hey all,

Thanks for the feedback, sorry it's taken me long to reply - I'm still at work.
Let me try and clear it up a little more. I'm the only one using my internet; or should be. DHCP leases in PFSense show all my equipment only, and the transfer is reported by PFSense to be going to my PC from my public IP. The port that pfTop reported I believe was 1194, which was what the OpenVPN was running over. I have sense removed that though. It also hasn't happened since I removed the OpenVPN configuration. I don't have a packet capture of it happening, it usually doesn't happen when I'm home and up. It'll be overnight & when I'm at work.
This won't impact HIPAA at all, this is not a device I access work material from. In fact I rarely bring my work laptop home. To clarify it moved 66 Gigabytes over about 4 hour hours, that was not a mistype.
PC OS is 10, the latest updates are applied; I believe 22H2 now. I have checked the Windows data usage - again when it happened with OpenVPN it reported 66 - well actually about 70 GB went over.... OpenVPN.exe, so that didn't really help.

My topology is like this: Modem > Netgate 1100 > tpLink 5 port managed switch and from there it breaks off to my AP; the old tpLink router put in AP mode and my PC. This problem was happening before I got the netgate though; or at least I think it was because I was getting notified by Comcast about data usage as early as June. Didn't get the Netgate until October. As far as the configuration of the Netgate it is more or less default, my home network uses a 10.x.x.x range vs. the default 192.168.x.x, and I pass it through the switch.
 
I did have it turned off when I was out of town recently for a few days; I checked with Comcast when I got back to see what they said I was using - right around the first of the month, it was well under 50 GB.

I had darkstat running for a bit, and now use - I can't remember the name of the package but it graphs data usage and you can break it down hourly, daily, monthly. It doesn't really give information beyond wan rx, lan rx, etc etc and the amount. It doesn't break it down to actual traffic.

@jrey - it's not that I'm particularly concerned with what Comcast is saying, I don't want to incur charges for overages but I know I personally am not consuming that much data. The transfers don't happen every day but they do seem to happen enough to nearly max out my data. The pfTop report showed UDP (I think 1194, the OpenVPN server port, since removed), Public IP > Desktop PC IP, and the amount 70-something billion bytes, or about 70 Gigs. That's all it showed. My question is how I can more accurately monitor what's going on, either with pcap or maybe Firewall logging rules.

johnpoz

@SamR-0 said in Data parasites:

again when it happened with OpenVPN

So this is a openvpn server you run on pfsense so you can remote into your network when away, or a client vpn session and your PC was pulling data through the vpn because you route your pc traffic through the vpn?

SamR 0

@johnpoz I had it configured on the pfsense, I am mainly at this point interested in just making myself a little more anonymous online. It didn't do that though, it just ran through a separate VNIC and got a different IP subnet. My public IP was unaffected. As said though I've since removed it.

michmoor

This smells like some sort of backup job running but heres a question.

How do we track down top talkers over time on pfSense? That would help in the analysis.
This is a feature that i have been asking for since forever considering a firewall/router sits at the core of your network and would be extremely helpful to see what flows go through your core device...thats just me tho..who wouldnt want visibility?

SteveITS

@michmoor Bandwidthd or I think a couple of other packages can track by LAN IP. Bandwidthd does not track type of traffic IIRC, or destination.

michmoor

@SteveITS
The only tool that works on multiple interfaces is ntopng but it doesn’t do reporting on the free edition.
The OP will need to see the flow in real time to determine what the application is and where it’s going.

But let’s not jump to conclusions that it’s threat actors from RU who’s intent is to steal Netflix passwords…

johnpoz

@michmoor said in Data parasites:

threat actors from RU who’s intent is to steal Netflix passwords…

But what about my amazon prime login - then they can get free shipping ;)

michmoor

@johnpoz
ahh well thats a ..."Prime" target

jrey

@michmoor said in Data parasites:

The OP will need to see the flow in real time to determine what the application is and where it’s going.

But the OP has said that:

is the only user on the network with

my PC, the switch, the AP, my cell phone, TV & an old laptop I put Kali on.
has further identified the application as on the PC

the PC is on Windows 10

PC OS is 10,
again when it happened with OpenVPN
and since removed

There is a perfect way in the thread to verify which application on a single PC is causing the data usage. There is only 1 PC, nothing to monitor

but then goes on to say

My question is how I can more accurately monitor what's going on

but the app has been removed and is now only interested in:

I don't want to incur charges for overages
and
I am mainly at this point interested in just making myself a little more anonymous online

which now has nothing to do with monitoring and the application was clearly identified cause the data overage has been removed.

So if you know that OpenVPN was the culprit was and then removed it
that makes it harder to be a "little more anonymous online."

One thing that could work is simple -- unplug the WAN which then can make the claim that you are 100% anonymous.
anything else is something less than 100% or more precisely in the range of 0% to 99%

The better choice, for lack of another might have been to troubleshoot the OpenVPN traffic usage issue. We didn't even get to understand how the VPN was being used or it's intended use. So everything regarding the data usage is off the table in that regard as it has been removed.

@johnpoz asked

So this is a openvpn server you run on pfsense so you can remote into your network when away, or a client vpn session and your PC was pulling data through the vpn because you route your pc traffic through the vpn?

and the reply was:

I had it configured on the pfsense, I am mainly at this point interested in just making myself a little more anonymous online. It didn't do that though, it just ran through a separate VNIC and got a different IP subnet. My public IP was unaffected. As said though I've since removed it.

johnpoz

@jrey said in Data parasites:

I had it configured on the pfsense

Yup wasn't that clear ;)

Mechanic: so is the car a manual or automatic transmission?
User: Yeah it's a car.. It had a full tank of gas, and it's red..

bmeeks

I think most VPN client setups have you alter the default gateway to be an IP of the VPN provider. When configured that way, it is possible (or even likely) that all traffic from the host to any other subnet heads first to the VPN gateway. That would be through the ISP's network. The VPN gateway might have not properly routed said traffic, but it would have gone out through the ISP anyway and counted towards the data cap.

I still lean towards a backup job of some sort. Nothing else would accumulate that amount of traffic so quickly except maybe being a Bittorrent host.

JonathanLee

You can always use Snort with AppID enabled, you can have my text rules to use..

https://forum.netgate.com/topic/183210/guide-snort-s-appid-custom-rules-quick-guide-to-blocking-example-shows-openai-chatgpt-or-itunes?_=1699909924927

Check it out if you can run inline mode you can block down to application level with pfSense.

Or use it to for visibility to isolate the issue.

textrules2.txt

jrey

@bmeeks said in Data parasites:

all traffic from the host to any other subnet heads first to the VPN gateway

we'll never know, the OP removed the offending application. OpenVPN

johnpoz

@jrey said in Data parasites:

removed the offending application. OpenVPN

There is no possible way "openvpn" was the offending application - the whatever that was using 66GB in 4 hours might have flowed through it ;) But openvpn itself was not going to use really any data.. I mean other than maybe keep alives to the server it was connected to if it was a client setup.

bmeeks

@johnpoz said in Data parasites:

@jrey said in Data parasites:

removed the offending application. OpenVPN

There is no possible way "openvpn" was the offending application - the whatever that was using 66GB in 4 hours might have flowed through it ;) But openvpn itself was not going to use really any data.. I mean other than maybe keep alives to the server it was connected to if it was a client setup.

Yep! This ^^^

OpenVPN was simply a conduit for the traffic (at least that's how I interpret the OP's original post and follow-up).

I don't think it was anything nefarious. I suspect a configuration issue (like how things were connected and what IP addresses were assigned where) was the root cause. VPN providers love to tell you to change the default gateway so all traffic is routed to them instead of just the traffic that really "needs" to be routed to them.

jrey

@bmeeks said in Data parasites:

Yep! This ^^^

I never said it was..

The OP came to that conclusion and removed it. Before anyone could even find out how it was set up or the intended use case.

johnpoz

@jrey ^ yup this ;) hehehe

Very entertaining thread so far, zero info and nothing learned - but entertaining

Other that learning that RU hackers are after my netflix and prime accounts - hehehe

I mean you would think they would be busy trying to do bad stuff to Ukraine.. But hey maybe netflix accounts they sell on the black market is what is keeping their economy afloat? ;)

jrey

@johnpoz said in Data parasites:

zero info and nothing learned - but entertaining

Right !?

Actually a lot of "Bad traffic" that hits my FW, is actually (apparently? more likely spoofed) from AS7922. Not sure it amounts to 66GB over 4 hours however, I should check that. LOL ;-)

SamR 0

Alright, so apologies, for taking so long and not being more clear. Like I said I'm not exactly a network guy. Someone suggested I said OVPN was the issue, it wasn't. I knew it wasn't. I just got rid of it because it wasn't configured how I wanted. Red herring.
I came home from work today to a massive ongoing download -- about 55 GB by the time I got it stopped.
Checked the Perf monitor, it was svchost.exe (NetworkService -p) which tied to the service "Delivery Optimization" in the Task Manager. Stopped that service & the transfer petered out to nothing.
It's delivery optimization. It's apparently a Windows service for updating.... stuff. Thanks Windows.

Checked the activity monitor under Settings > Update & Security > Delivery Optimization > Activity Monitor.... 185.3 GB since 11/1/2023, 100% from MS Servers. There you go. That tracks pretty close with what Comcast says my usage is. Powershell, get-deliveryoptimizationstatus agrees with that, too. In fact it has more it wants to download. I don't get anything from the MS store besides what comes bloatware with Windows, so it merits some further investigation. I'll keep an eye on it.

I'm going to try and reinstall Windows to see if maybe that Service is just borked. There could still be some other Tomfoolery at work here, but I think I can pretty conclusively say what's consuming my data. I suppose I could just block that on PFSense, Microsoft might not like that though, and it may even be useful, sometimes. But 185 GB of usage for "Delivery Optimization" (how much did someone get paid to come up with that word?) is way too much.

Want to thank everyone for the input, I got some good ideas where to look in the future & tools I can use. I'll be in touch again soon I'm sure -- I still haven't figured out how to get VLANs working right ;)

bmeeks

@SamR-0 said in Data parasites:

Checked the Perf monitor, it was svchost.exe (NetworkService -p) which tied to the service "Delivery Optimization" in the Task Manager. Stopped that service & the transfer petered out to nothing.
It's delivery optimization. It's apparently a Windows service for updating.... stuff. Thanks Windows.

Delivery Optimization is a process that Microsoft introduced some time back to help spread update files to other discoverable PCs in your local network. That traffic probes your local network to find other receptive Windows machines and they share Windows Update files they have much like Bittorrent clients share pieces of a full download. Here is Microsoft's description: https://support.microsoft.com/en-us/windows/windows-update-delivery-optimization-and-privacy-bf86a244-8f26-a3c7-a137-a43bfbe688e8. Normally it stays local and does not search for PCs on the Internet, but that is a configurable option. Sounds like yours is configured to look on the Internet for partners to share Windows Update files with. Here is how that page should look on your Windows PC:

Restricting this to only PCs on the local subnet can be a good thing, but probably not so good if it also attempts to find other PCs to share with out on the Internet. Sounds like probably your configuration has that bottom radio button checked.