Solved

Bandwidth gets used too quickly

Posted on 2014-01-15
Last Modified: 2014-01-20
Hi all

I got this mail from one of my clients. She is hoping that we can solve her problem...

---------------------
Hi Steven

I wanted to chat about moving onto your company's ADSL as soon as possible in the hopes that we will finally get to the bottom of the mystery of the disappearing bandwidth. Today is the 14th of the month and we have used 97% of our 100gigs. For example, on the 6th 21 gigs was used and we can't figure out who is using it.

---------------------

Now, we took over the contract of this client a little while ago from some random guy that used to stay in the backpackers that they own (this is the site where the problem is). He didn't do much for a living except abuse their internet and try to hack everything he can.
He still comes there now and again and I'm sure he is up to no good.
Is there some sort of software or something with which we can capture the computer MAC address and computer name or any details to see what's happening? Obviously the ISP can't help us as they only see what we use from the single dynamic IP. It might not even be him, it might be some staff member as well....point is, we need to figure it out.

Any help please...?

Thank you
0
Question by:stevenvanheerden
9 Comments
 
LVL 6

Expert Comment

by:Jon Snyderman
My first immediate thought is how this person is getting on the network. Is the wireless secured? Is there a firewall at the site? I think that we may need a few more details about the site configuration and security. There are many, many ways to restrict the access, but much depends on the technology available with the client.

~Jon
0
 

Author Comment

by:stevenvanheerden
Yep, one of those clients that doesn't want to spend "unnecessary" money if you know what I mean.
There isn't any firewall like pfSense or so, if that's what you mean.
We have changed all passwords (pretty complex) and Wi-Fi passwords as well.
The only firewall is the built-in one from the D-Link ADSL router...
Except for restricting it, I think we might need to first find out the cause if possible, as I think this will help us decide the course of action, as budget is always an issue...
Hope this makes sense...

thanks so far
0
 
LVL 6

Accepted Solution

by:
Jon Snyderman earned 167 total points
Unfortunately, without finding out how the user is breaching the system in the first place or without a higher end firewall, your hands are going to be pretty well tied. Sorry. If the passwords are good and have been changed, I would investigate each and every MAC address in the D-Link's DHCP range and determine what the IP is and who it belongs to. He can be cheap about hardware all he wants, but I guarantee that he will pay more for your time than he will on a decent firewall to protect his business.
0
 

Author Comment

by:stevenvanheerden
Yes, I totally agree with you on that...
But do you not know of any software in this case that can pick up what computer is using lots of bandwidth and the time it's used?
Something we can install on the server that handles the DHCP?
Like I say, it might not even be him....also, the account is being used at two other residential addresses as well...could be there.
I'm just trying to find a really inexpensive way to see where it's coming from.
I know if they move over to our company in terms of ISP, we can monitor to see what circuit number uses the most data...so that will cover that part....I just have a suspicion about the backpackers....
0
 
LVL 6

Expert Comment

by:Jon Snyderman
Once the DHCP is picked up from the server and the DNS for the site is resolved, the only devices that see the packets between the user and the internet are the switch and the firewall. Anything you do MUST somehow talk to one of those. Because the switch is most likely unmanaged and the firewall is a D-Link, you have absolutely no visibility into the traffic. If the switch was managed, you could sniff the line. If the firewall were better, its tools would likely help.

I have one crazy idea but I really don't know that it will work. You could put an old hub between the switch and the firewall and then put a sniffer on the hub. But then you will need to watch it happening. I don't know any tool specifically that will do this for you. You could check out Solarwinds, but that will also be expensive.
0
 
LVL 1

Assisted Solution

by:gbotts
gbotts earned 167 total points
I agree with Jon, but I would also do the following:

Since you say he has a "hacking" mentality, I would scan each and every system on the network. You say this guy comes back every now and again? That usually means the system he's using as a "back door" was either rebooted (which means he has to start the daemon again) or the log is full and he has to collect and purge. Track when systems go "offline" and when he stops by. That would narrow down your search possibly.
Look at it from the outside as well. You should be able to get the public IP used by the D-Link that allows internal users to surf the web. Once you find that, do a scan on that IP to see which ports are open, if any. If you find any open ports, go to the D-Link and see if there's a "port forwarding" to a PC.
If you have an internal web server, check the sites to ensure he isn't running a "streaming" site on that server.

There are many other things to check but this should start you off .  

Let me know if this helps...
0
 
LVL 61

Expert Comment

by:gheist
Make them run netalyzr.icsi.berkeley.edu
Run one for you and make suggestions how they can fix.
0
 
LVL 23

Assisted Solution

by:Mohammed Hamada
Mohammed Hamada earned 166 total points
I would suggest placing a hub in their network and using Ming to monitor the bandwidth on all of the PCs.

Here are 3 options for supported topologies; I would go with the first one.
http://bandwidth.mingsoft.com/topo.html

If you don't like the above suggestion, I would recommend setting up a firewall/router that has a bandwidth monitor capability, placing it after the current router and configuring it with NAT. In this way it would capture all the bandwidth and give you clear statistics on which PC is using how much bandwidth.

There are two options in this case which I'm aware of and have used before for such a purpose.
1- Untangle (pretty much easy to install and configure).
2- Using pfSense firewall (with the BandwidthD plugin)

I have tried BandwidthD and it's very effective and will give you what you're looking for.
0
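
Per-host accounting of the kind asked for in this thread (which computer, how much, at what time), as an added example that is not part of any poster's reply: it totals bytes per MAC and per hour from sniffer or monitor output and labels MACs missing from a device inventory, the check suggested in the accepted solution. The record format, sample lines and inventory are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real data): one record per line, as exported from a
# sniffer or bandwidth monitor: timestamp, LAN MAC, LAN IP, bytes transferred.
SAMPLE_RECORDS = """\
2014-01-06T09:12:00 00:11:22:33:44:01 192.168.1.10 52000000
2014-01-06T09:40:00 00:11:22:33:44:02 192.168.1.11 8000000
2014-01-06T23:05:00 00:11:22:33:44:99 192.168.1.57 9100000000
2014-01-06T23:50:00 00:11:22:33:44:99 192.168.1.57 7400000000
2014-01-07T02:15:00 00:11:22:33:44:99 192.168.1.57 4500000000
2014-01-07T10:00:00 00:11:22:33:44:01 192.168.1.10 61000000
"""

# Hypothetical inventory, built by labelling each device found on site.
KNOWN_DEVICES = {"00:11:22:33:44:01": "reception-pc", "00:11:22:33:44:02": "office-laptop"}

def parse_records(text):
    """Yield (datetime, mac, ip, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        try:
            ts, nbytes = datetime.fromisoformat(parts[0]), int(parts[3])
        except (IndexError, ValueError):
            continue
        yield ts, parts[1].lower(), parts[2], nbytes

def usage_by_host_and_hour(records):
    """Sum bytes per (mac, hour bucket) and per mac."""
    per_hour, per_mac = defaultdict(int), defaultdict(int)
    for ts, mac, _ip, nbytes in records:
        per_hour[(mac, ts.replace(minute=0, second=0))] += nbytes
        per_mac[mac] += nbytes
    return per_hour, per_mac

def report(text, known=KNOWN_DEVICES, top=3):
    """Return the heaviest hosts as (mac, label, total_bytes, busiest_hour)."""
    per_hour, per_mac = usage_by_host_and_hour(parse_records(text))
    rows = []
    for mac, total in sorted(per_mac.items(), key=lambda kv: -kv[1])[:top]:
        hours = {h: b for (m, h), b in per_hour.items() if m == mac}
        busiest = max(hours, key=hours.get)
        rows.append((mac, known.get(mac, "UNKNOWN DEVICE"), total, busiest))
    return rows

if __name__ == "__main__":
    for mac, label, total, busiest in report(SAMPLE_RECORDS):
        print(f"{mac}  {label:15} {total / 1e9:7.2f} GB  peak hour {busiest:%Y-%m-%d %H}:00")
```

The busiest hour per MAC can then be compared against when the suspect was on site or when staff machines were in use.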
 

Author Closing Comment

by:stevenvanheerden
Thanks guys. Appreciated.
0
