I've just joined the Gargoyle community following a week of struggling to understand this problem.
We are a church, 800 or so members, in the UK. In our office and visitor centre we have a business broadband account, with a fixed IP, and a network with Microsoft Small Business Server 2011, 4 desktop PCs, 2 of which are powered up 24x7. We also have up to 8 WiFi users with laptops, tablets, phones etc. The connection is ADSL, and usually registers 4-5 Mbps for downloads. We have a Netgear ADSL modem, and a Netgear SRXN3205 router, both of which have been operating perfectly for 4 years or so. Also a Talkswitch phone system, managing 2 PSTN lines, with IP handsets, one of these remote, connecting over the internet.
I noticed at the beginning of the week that the ADSL 'activity' light on the modem was flashing rapidly, regardless of user activity. I've checked all our computers for malware, rootkits, etc, and they appear to be clean. Checking our usage with the ISP, we are 'downloading' up to 9Gb daily. This makes no sense at all.
I have used Wireshark to log network traffic, and can't see anything unusual. The packet capture rate in Wireshark is sometimes rapid, sometimes there are pauses in packets arriving. The rate of flashing on the modem activity light is rapid and constant.
The usage profile provided by our ISP includes approximately equal amounts of 'Download' and 'Broadband phonecall' traffic. And if I disconnect the router from the ADSL modem, the activity flashing continues.
Can anyone suggest any explanation of this problem? Is it some sort of DDoS attack, or some scanner that has latched on to our IP address and is bombarding us with traffic? And would trying a Gargoyle router help?
Sudden unexplained download traffic from our ISP is making i
Re: Sudden unexplained download traffic from our ISP is maki
You should share a drawing which details how you connected Wireshark to your system. It requires some thinking to actually see all the traffic that is going/coming from your network to your ISP.
Or you could use a Gargoyle router which can also show traffic by IP address helping you isolate who is using the traffic you are seeing.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM
Re: Sudden unexplained download traffic from our ISP is maki
The simplest arrangement: router configured with port forwarding to match our SBS 2011 and Talkswitch telephone switch, but connected ONLY to ADSL and my laptop cabled to the router, running Wireshark with all protocols turned on.
Interestingly, the traffic has been very quiet today (Sunday) - our 2 'always on' PCs are on, but the other 2 (office staff) are not. Some laptop/phone users. I'll see what tomorrow looks like - both office PCs (Windows 8.1) have been checked for malware and seem clean.
Re: Sudden unexplained download traffic from our ISP is maki
Your stated "simplest case" can only see traffic from the computer running Wireshark. Since the offender is likely another computer this will not do you any good.
You should read here http://wiki.wireshark.org/CaptureSetup/ ... d_Ethernet and then get the hardware you need to see what you are looking for.
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM
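Added example, not part of the thread or any poster's code: once a capture has been taken at a point that sees every host's traffic (the setup the linked Wireshark wiki page covers), a per-address byte tally like the one mentioned for Gargoyle can be computed from the saved file. It assumes a classic libpcap file with Ethernet framing and a LAN range of 192.168.1.0/24; the sample frames and all addresses are constructed.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed LAN range, adjust to the site

def bytes_per_lan_host(pcap: bytes, lan=LAN) -> Counter:
    """Sum IPv4 total-length bytes per LAN address, both directions."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not plain IPv4 (VLAN tags not handled)
        ip_len = struct.unpack("!H", frame[16:18])[0]
        for raw in (frame[26:30], frame[30:34]):  # source, destination
            addr = ip_address(raw)
            if addr in lan:
                totals[str(addr)] += ip_len
    return totals

def sample_pcap() -> bytes:
    """Constructed capture: three IPv4 frames (headers only) and one ARP."""
    def frame(src, dst, ip_len):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 17, 0,
                         ip_address(src).packed, ip_address(dst).packed)
        return b"\x00" * 12 + b"\x08\x00" + ip
    frames = [frame("203.0.113.9", "192.168.1.20", 1500),
              frame("203.0.113.9", "192.168.1.20", 1500),
              frame("192.168.1.31", "198.51.100.7", 200),
              b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for host, total in bytes_per_lan_host(sample_pcap()).most_common():
        print(f"{host:15} {total:>8} bytes")
```

A capture saved from Wireshark in pcapng format needs to be re-saved as classic pcap before this reads it.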