mysterious internet use

monoufo
Posts: 18
Joined: Mon Sep 28, 2009 12:48 pm

mysterious internet use

Post by monoufo »

I can't say for sure this is a bug, but it is certainly mysterious.

Sometimes, a user will see their internet usage rise rapidly. Sometimes a user will use up several days' worth of quota in a few hours. Sometimes this might just be them using a lot of internet, but other times it happens when the user isn't even home, and their computer isn't even on!

I have seen a person connect to Netflix servers, yet they don't have a Netflix account. A different person has a Netflix account, but their computer isn't usually connected to our network. The MAC address was from the off computer, not the person who has Netflix.

I have also seen weird activity, where a person would visit a ton of porn sites really fast for like 20 minutes. It has happened on a few occasions, to different users.

Is there a virus or something that can use up internet like crazy and spoof the MAC address of someone else on the network? One of the times in question, I am pretty sure the computer was a Mac! If I knew what exactly I was looking for maybe I could figure out whose computer is causing trouble.

monoufo
Posts: 18
Joined: Mon Sep 28, 2009 12:48 pm

Re: mysterious internet use

Post by monoufo »

It happened again sometime today. 192.168.1.112 used up 7GB of internet in just one day. That IP address used to belong to someone who no longer lives here. It used to belong to her WIRED NIC. No one in this network should have been able to get the address 192.168.1.112. I don't think anyone is doing it on purpose. What could cause this?

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: mysterious internet use

Post by Eric »

That is rather worrying. If you check the bandwidth logs do they show any increased usage by those users when the quotas increased? That would be a good check to see whether this is a bug or some virus/intruder causing problems.

Also, what version are you running? 1.1.3-1.1.5 have a few known issues with quotas. If you aren't running the latest 1.1.6, I suggest you upgrade.

monoufo
Posts: 18
Joined: Mon Sep 28, 2009 12:48 pm

Re: mysterious internet use

Post by monoufo »

That IP definitely was using bandwidth. It shows up in the bandwidth usage section. Like I said, sometimes I catch this thing in action and can enable web monitoring to see where it is going. I didn't catch it in action this month.

I always use the latest version. I upgrade about once a month, if there is a new version and I want a new feature. I was using 1.1.6 when this happened. This started all the way back when I first got Gargoyle several months ago. Maybe it was happening before Gargoyle, but DD-WRT doesn't have quotas or anything so there was no way to tell.

This typically only happens at the beginning of the month. It happens to a different IP every time. I have no idea what kind of malicious activity that could be.

Nicholy
Posts: 1
Joined: Wed Feb 24, 2010 8:35 am

Re: mysterious internet use

Post by Nicholy »

Hi, you can try ProteMac Meter. It keeps a firewall record of your network and controls incoming and outgoing internet traffic. It should be helpful to you. It's a really good tool.

monoufo
Posts: 18
Joined: Mon Sep 28, 2009 12:48 pm

Re: mysterious internet use

Post by monoufo »

It is still happening. It just happened tonight to my friend upstairs, and to me a few days ago. It is really messing up our quotas. It happens every month, to a different person, at a different time, and across different versions of the software.

I might check out that program recommended above, but I don't really want to invade anyone's privacy.

monoufo
Posts: 18
Joined: Mon Sep 28, 2009 12:48 pm

Re: mysterious internet use

Post by monoufo »

Can anyone help me? It happens more often now.

DoesItMatter
Moderator
Posts: 1373
Joined: Thu May 21, 2009 3:56 pm

Re: mysterious internet use

Post by DoesItMatter »

Your situation is fairly hard to troubleshoot.

Your only way to really troubleshoot this would be to limit usage
to 2 different people/IP and track it like that.

That way, if it's someone hacking, it will be pretty obvious because
you should be able to tell who/when is using the internet at
any given time as well as making it simpler to track usage.

The other option is to manually assign static IPs per MAC address.
:twisted: Soylent Green Is People! :twisted:
2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400
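
The static IP-per-MAC assignment suggested above gives something concrete to check the router's ARP table against. The script below is an added example, not part of the original thread or of Gargoyle's code; the MAC addresses and the "MAC IP" assignment file are constructed for illustration, and only 192.168.1.112 is taken from the thread.

```shell
#!/bin/sh
# Added example: flag LAN IPs whose live MAC is not the one they were assigned.
#   $1  ARP table in /proc/net/arp format
#   $2  static assignments as "MAC IP" lines (/etc/ethers layout; the file your
#       firmware actually uses for static leases is an assumption here)
check_arp() {
    awk '
        FILENAME == ARGV[1] {               # first file: load assignments
            if ($1 !~ /^#/ && NF >= 2) want[$2] = tolower($1)
            next
        }
        FNR == 1    { next }                # ARP table header row
        $3 == "0x0" { next }                # incomplete entry, no MAC learned
        {
            ip = $1; mac = tolower($4)
            if (!(ip in want))        print "UNASSIGNED " ip " " mac
            else if (want[ip] != mac) print "MISMATCH " ip " " mac " expected " want[ip]
        }
    ' "$2" "$1"
}

# Constructed sample data: .112 answers from a MAC other than the assigned one,
# .150 has no assignment at all, .120 is an incomplete ARP entry.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/ethers" <<'EOF'
02:00:00:00:00:0a 192.168.1.110
02:00:00:00:00:0c 192.168.1.112
EOF
    cat > "$dir/arp" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.110    0x1         0x2         02:00:00:00:00:0a     *        br-lan
192.168.1.112    0x1         0x2         02:00:00:00:00:ff     *        br-lan
192.168.1.150    0x1         0x2         02:00:00:00:00:99     *        br-lan
192.168.1.120    0x1         0x0         00:00:00:00:00:00     *        br-lan
EOF
    check_arp "$dir/arp" "$dir/ethers"
    rm -rf "$dir"
}

demo
```

On the router, `check_arp /proc/net/arp /etc/ethers` run from cron and logged with the date shows which MAC held an address at the time its usage jumped. A match only shows that the address is held by the assigned MAC, not which machine is behind it.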

monoufo
Posts: 18
Joined: Mon Sep 28, 2009 12:48 pm

Re: mysterious internet use

Post by monoufo »

I can't limit the network to two people. There are about 16 people sharing the connection.

I already do manually assign static IPs. I've been doing that for months.

I can show you a graph of where my laptop's wired IP address has used up a ton of internet, even when that computer hasn't been connected to the wire in days, and even when that laptop isn't even in the house, or turned on.

Last night, somehow, the amount of internet used WENT DOWN. We were at 100% and without changing anything, it went down to 96% after an hour or so.

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: mysterious internet use

Post by Eric »

The fact your usage decreased is a potentially more serious issue than what you initially described.

If there is actually someone there using bandwidth, there's no way for me to know what's really going on or replicate the situation so that I can debug it. When someone is using bandwidth the software is working correctly -- you just have a malicious person (or more likely malicious software) on your network. If you think it's an error with Gargoyle, feel free to use a different monitoring program to confirm (and if there is a discrepancy, let me know).

However, the counters are set up so that usage should never decrease. The only times bandwidth use should go down are:

1) when quota resets
2) if there's a power outage, up to 4 hours of history may be lost, and counters may go down (manual reset from web interface shouldn't have this problem though)
3) You reset the quotas on the web interface
4) You restore from a backup

And, I have to admit the possibility....
5) if there's an ugly bug somewhere I haven't caught yet

I'm most curious if it might be (2). Was there a power outage of any sort?

Otherwise, I'll need as many details as possible about the sort of quotas you have set up. In particular are there time-dependent quotas and/or all-others individual or all-others-combined? No guarantees (if I can't replicate it, I can't fix it), but I am rather concerned about random decreases in bandwidth usage -- that's definitely a problem.
