# Is it possible to hijack my DSL service...



## eric halfabee (Apr 20, 2004)

At work we have 9 Macs connected to the web via a Nokia DSL router and use a service called Jetstream (just their fancy name for DSL) from our ISP Xtra. We have a monthly limit of 3 GB now 5 Gb as we keep going over and that's why this thread.

Our usage always goes over the said amount and apart from the standard email and web browsing not to mention Mac updates (which I try and keep to a minimum by downloading the package and distributing over the LAN), I'm the only one really doing software downloads and uploads as I take care of the Macs and our web page. To me it seems that the usage is way too high and we cannot seem to keep under the 3 GB limit.

I was wondering if it's possible for someone outside our LAN to sort of hijack our bandwidth, i.e. have access to our settings and passwords or whatever and help themselves to our MB's etc?

If so does anyone know of a way I can monitor if this is happening?

Cheers

eric


----------



## Lycander (Apr 20, 2004)

Get one of those simple Linksys routers, make sure it supports DSL because there's extra authentication (and not just plug and play) for DSL connection to work.

The router has a web based control panel where you can block WAN access, basically anything outside your network. It almost guarantees that only people on your LAN have access to the DSL connection.

Generally speaking though, it's not likely for someone to hijack your connection, they'd need a connection to begin with. What is possible though, is for a malicious program to get installed and execute itself. It may not be harmful and actually very quiet and subtle, but it may use that infected computer as a "slave" for purposes such as DoS attacking other systems, or sending spam.

Then again, it's Macs you're dealing with right? No worries about viri or worms?


----------



## eric halfabee (Apr 21, 2004)

Cheers Lycander

Unfortunately we have to have the Nokia one as it's part of our deal with the ISP. I think I can get access to the Nokia control panel so I'll see what I can find.

Anyone know of software for measuring bandwidth usage?

eric


----------



## eric halfabee (Apr 21, 2004)

Here's a screenshot of the Nokia main page.

eric


----------



## rbuenger (Apr 22, 2004)

Ok, I suggest you download darkstat 2.6 for OS X. This app is a statistics sniffer that analyses your network traffic and can do some useful things, like showing you total bandwidth in and out or, what is often very interesting, it can show you where your bandwidth has gone. So you can see how many MB's you used for Mail or for this board.

What darkstat can't do is show you if someone has hijacked your line. But you can compare the bandwidth you used with the one you have to pay for.

And I would suggest another very good app: HenWen is a nice GUI for the included snort NIDS package that analyses your network traffic, searching for intrusions and things that shouldn't be there. With some Unix knowledge you can even blow this up to a realtime alerting and monitoring system with database storage...


----------



## brianleahy (Apr 22, 2004)

Are you by any chance using wireless networking?   That would provide an avenue of hijacking.


----------



## macmasta (Apr 22, 2004)

How would darkstat display all the traffic on the network? You'd have to have it installed on the router to get this function. Don't think you can install it on a Nokia router.


----------



## rbuenger (Apr 22, 2004)

No, you just install darkstat on your Mac under OS X. Darkstat then sniffs all packets this Mac transfers. So if you use multiple computers you have to install it on each of these computers.


----------



## macmasta (Apr 22, 2004)

Ahh, that's what you meant.


----------



## eric halfabee (Apr 22, 2004)

Thanks, I'll give those things a try and get back to you.

Cheers

eric


----------



## Captain Code (Apr 22, 2004)

The RADIUS authentication servers that are commonly used with ADSL usually allow you to log in under one account over PPPoE from more than one place at the same time.  If someone had your account info to log into your DSL account it could be possible for them to use your account for free.  

It's similar to how people used to use one dialup account for multiple people.

3GB is hardly anything though, I wouldn't be surprised if you're using that yourself.


----------



## eric halfabee (Apr 22, 2004)

Hey Captain, that's interesting news. My boss also has Jetstream at his home and connects via Airport, and it's just got me wondering if he is using the same account info as here. He also reports that he can pick up his neighbor's wireless connection and possibly vice versa.

It's very probable that it is us chewing through the bandwidth, but with most of our eight employees using only email and the web for browsing (it's only me that downloads software and updates) it seems quite a lot. For instance I have started downloading software and stuff to a specific folder over the past two weeks and that is only about 50 MB in size, obviously that doesn't take into account my email & attachments (few and far between), the web pages that I visit and Apple updates.

Stay tuned.

BTW cannot get HenWen's LetterStick to work.

Cheers

eric


----------



## profx (Apr 22, 2004)

It is not possible for more than one router to log into Jetstream, as you have a static IP address assigned to you by Xtra. Two routers cannot have the same IP address so the second login will fail. However, Jetstart is different: it uses dynamic IP addresses so it is possible to have the same account being used at the same time from different locations. In this case it depends on how your ISP deals with multiple logins.

If you go to the Jetstream website - I think it's www.jetstream.co.nz - you can check your account MB usage. You might want to check this daily, to see if there is a sudden spike in your MB usage. At least then you will have some idea of when you go over your limit anyway!

I think the router you have (M1122) is quite a powerful router, even though it's quite old. Have a look through the manual. Check if there are pinholes set up, make sure you are blocking all incoming traffic and only allow ports you want to get out. This will stop people on your LAN using things like peer-2-peer, although that doesn't sound like much of a problem with 9 employees.

You could also check that they are not using internet radio streaming, this could chew some bandwidth as well.

If I were you I would block all outgoing traffic except for:

- port 80 web-browsing
- port 110 pop email access
- port 25 smtp email access

You may have some other services you want to allow access to as well.


----------
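Added example, not part of any post in this thread: one way to carry out the comparison suggested above, reconciling the daily usage shown on the ISP account page against the totals measured on each Mac. All figures, host names and function names are constructed for illustration; the input would be typed in from the ISP usage page and from each machine's monitor.

```python
from collections import defaultdict

# Constructed sample data (not from the thread). ISP_DAILY_MB stands in for the
# daily figures on the ISP usage page; HOST_DAILY_MB for per-Mac monitor totals.
ISP_DAILY_MB = {"2004-04-19": 140, "2004-04-20": 155,
                "2004-04-21": 610, "2004-04-22": 150}
HOST_DAILY_MB = [
    ("2004-04-19", "mac-01", 60), ("2004-04-19", "mac-02", 70),
    ("2004-04-20", "mac-01", 65), ("2004-04-20", "mac-02", 80),
    ("2004-04-21", "mac-01", 70), ("2004-04-21", "mac-02", 75),
    ("2004-04-22", "mac-01", 70), ("2004-04-22", "mac-02", 72),
]

def reconcile(isp_daily, host_daily, tolerance=0.15):
    """Compare billed MB with the sum of locally measured MB for each day.

    A day is flagged when the share of billed traffic that no monitored
    machine saw exceeds `tolerance`. Local monitors also count LAN-only
    traffic, so measured can exceed billed; only a positive gap matters.
    """
    measured = defaultdict(float)
    for day, _host, mb in host_daily:
        measured[day] += mb
    rows = []
    for day in sorted(isp_daily):
        billed = isp_daily[day]
        gap = billed - measured[day]
        rows.append({
            "day": day, "billed": billed, "measured": measured[day],
            "unaccounted": gap,
            "flagged": billed > 0 and gap / billed > tolerance,
        })
    return rows

def projected_month_mb(isp_daily, days_in_month=30):
    """Extrapolate the month's total from the average of the days seen so far."""
    return sum(isp_daily.values()) / len(isp_daily) * days_in_month

if __name__ == "__main__":
    for row in reconcile(ISP_DAILY_MB, HOST_DAILY_MB):
        mark = "  <-- not seen by any monitored Mac" if row["flagged"] else ""
        print(f'{row["day"]}  billed={row["billed"]:>4} MB  '
              f'measured={row["measured"]:>5.0f} MB  '
              f'unaccounted={row["unaccounted"]:>5.0f} MB{mark}')
    print(f"projected month: {projected_month_mb(ISP_DAILY_MB):.0f} MB")
```

A flagged day means traffic was billed that none of the monitored machines generated, which points at an unmonitored device on the LAN or at the account being used from somewhere else.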



## eric halfabee (Apr 22, 2004)

Hi profx

I'm not certain that we have a static IP, I'm sure it's dynamic too, check out this screenshot:


eric


----------



## rbuenger (Apr 23, 2004)

The problem with Letterstick is that HenWen (or better the included snort) saves all the alerts under /var/log/snort. Letterstick tries to open the alert file there to watch for changes.

Sometimes it's possible that this directory/file is protected, so Letterstick (you) doesn't have the right to open it. You just have to make your user able to access these files.


----------



## scruffy (Apr 23, 2004)

Check also the logs on the router - I don't know what it logs, but that might tell you something. You might also be able to turn on more logging...


----------



## profx (Apr 23, 2004)

Your static IP can still be assigned automatically. Do you know if you have Jetstart or Jetstream? You could try checking the IP address of the router, turn it off, then check if it is still the same once it reconnects.


----------



## Natobasso (Apr 24, 2004)

eric halfabee

(that's a great Monty Python song.)

Are you in Auckland? Is your company a design agency?

I might suggest that you try surfing the web with more cached images stored in your browser so the web pages you regularly visit can load without extra downloading; or surf the web without images turned on. Boring, I know, but less bandwidth. 

Do your employees email each other using this DSL connection? You might try setting them all up with AOL IM or iChat (in OS X) so that they don't use up the bandwidth sending emails and/or files to each other.

Kia Ora
Kia Kaha


----------



## EvenStranger (May 6, 2004)

Bandwidth usage can rack up so quickly these days, especially when there are so many applications that offer online streaming services. We have found that the streaming audio from iTunes spiked our bandwidth tremendously. Also, more and more websites are abandoning the old idea of dial-up accessibility and redesigning more complex, graphically intensive sites for broadband, which pushes the bandwidth usage even higher. Many of the new games on the market have an online option, where you can play against other users. Anyone staying after hours to play? Applications that "phone home" searching for updates don't send much data at a time, but over the course of a month can really rack up as well.

In addition to what's been listed in previous posts, I would consider installing a proxy server between the workstations and the router. The proxy server would cache frequently viewed websites, and if those pages haven't changed since the last request, would serve the page locally rather than downloading the entire page again. I like the idea mentioned previously of blocking all ports except for 110, 25 and 80. That's one of the ways network administrators manage their firewalls - block everything, then punch holes as needed. Your proxy box would be a good place to install your snort/henwen software as well.

If you have a laptop with an original Airport card (not Airport Extreme), you can download and install the latest version of KisMac. This will allow you to sniff out rogue wireless access points that might be hijacking some of your bandwidth. I recommend the original Airport card because it can be set for passive, or monitoring, mode. The AE card can't yet.

Good hunting!


----------

