
bburley

join:2010-04-30
Cold Lake, AB

International Telecoms - Port 32662

It started with me noticing that the traffic graphs for an office building were showing excessive upload traffic for the last couple of days. When I checked further, abnormal upload traffic is coming from almost every switch port in the building. I didn't get very far as the traffic dies off when the office workers go home. Another glitch is the graphing software (cacti) showed the highest upload traffic on an inactive switch port. I rebooted the switch and will wait until morning to see if these problems are still there.

Then I had a look at the syslogs for this building's router and noticed something unusual (per the thread title). The firewall is dropping a very large number of inbound packets with a destination port of 32662. I did some lookups on some of the many different source IPs and they are all registered to Telecom companies in various overseas countries.

I am really puzzled as to what this is about. I don't know if this has anything to do with the abnormal upload traffic but maybe tomorrow will shed more light.

Has anyone heard of Telecom company traffic all directed at the same port (32662) before?
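
The syslog review described in the post above, as an added example that is not part of the original thread: it groups firewall drop lines by destination port and counts distinct sources per port. The netfilter-style `SRC=`/`DPT=` fields, the `DROP-IN` prefix and the sample lines are assumptions, since the post does not show the router's log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG style (assumed format; the thread
# does not show the router's real syslog output). Addresses come from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 10 09:00:01 gw kernel: DROP-IN IN=wan OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=32662
Jan 10 09:00:01 gw kernel: DROP-IN IN=wan OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=UDP SPT=40002 DPT=32662
Jan 10 09:00:02 gw kernel: DROP-IN IN=wan OUT= SRC=198.51.100.91 DST=192.0.2.10 PROTO=UDP SPT=40003 DPT=32662
Jan 10 09:00:02 gw kernel: DROP-IN IN=wan OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=32662
Jan 10 09:00:03 gw kernel: DROP-IN IN=wan OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=23
Jan 10 09:00:04 gw kernel: DROP-IN IN=wan OUT= SRC=203.0.113.200 DST=192.0.2.10 PROTO=UDP SPT=40004 DPT=32662
Jan 10 09:00:05 gw kernel: ACCEPT IN=lan OUT=wan SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=50000 DPT=443
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def summarize_drops(log_text, prefix="DROP-IN"):
    """Return {(proto, dport): {"packets": n, "sources": set, "targets": set}}."""
    stats = defaultdict(lambda: {"packets": 0, "sources": set(), "targets": set()})
    for line in log_text.splitlines():
        if prefix not in line:
            continue  # only lines written by the drop rule
        f = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
            continue  # ICMP or truncated line: no port to group on
        entry = stats[(f["PROTO"], int(f["DPT"]))]
        entry["packets"] += 1
        entry["sources"].add(f["SRC"])
        entry["targets"].add(f["DST"])
    return stats


def many_to_one(stats, min_sources=3):
    """Ports hit by at least min_sources distinct sources, widest spread first."""
    hits = [(k, v) for k, v in stats.items() if len(v["sources"]) >= min_sources]
    return sorted(hits, key=lambda kv: len(kv[1]["sources"]), reverse=True)


if __name__ == "__main__":
    for (proto, port), v in many_to_one(summarize_drops(SAMPLE_LOG)):
        print(f"{proto}/{port}: {v['packets']} drops from "
              f"{len(v['sources'])} sources to {sorted(v['targets'])}")
```

The `DST` in an inbound drop is normally the router's public address, so the summary shows which port is being targeted but not which internal host, if any, once used it; that has to come from the NAT or port-mapping table.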

raytaylor

join:2009-07-28
kudos:1
Sounds like a botnet to me.


Inssomniak
The Glitch
Premium
join:2005-04-06
Cayuga, ON
kudos:2
reply to bburley
I had a similar story just the other day. We hooked up a company with about 25 computers. They were switching from the big WISP to us because of slow speeds (which is rare for them to be slow). Said it was slow for months. They called up every day saying it was slow with us too; they were continually maxing their upload bandwidth all day (but at 5pm it stopped). Their IT company couldn't find the source. All we could tell is that most of the traffic was going to an Amazon AWS service. So they finally said, come in and find it, we will pay you, we don't care.

Showed up with an RB 951 router and swapped it in for theirs. A quick torch, an ARP table check and a MAC manufacturer lookup, and we had the source computer as a MacBook Pro laptop; then a few quick commands on the Mac, and the source was photostream. The employee had 15,000 pictures on the computer and it spent all its time uploading them. And he didn't even use photostream.
--
OptionsDSL Wireless Internet
»www.optionsdsl.ca

voxframe

join:2010-08-02
reply to bburley
I love it when "companies" have "IT departments" who are too stupid to diagnose basic problems like this and point the finger at the ISP instead of checking their own shit first.

Hope you charged them handsomely.

jcremin

join:2009-12-22
Siren, WI
kudos:3
reply to Inssomniak
said by Inssomniak:

we had the source computer as a MacBook Pro laptop, then a few quick commands on the Mac, the source was photostream. The employee had 15,000 pictures on the computer and it spent all its time uploading them. And he didn't even use photostream.

I've had a similar issue with a customer who has an iPhone. Sometimes they will call about slow internet and can see their upload maxed out to Amazon AWS. We have them shut off devices one by one, and when they shut off the phone, the traffic stopped.

Does the iPhone have photostream too? They had no idea what could be uploading, and since I don't have any Apple devices, I wasn't able to help troubleshoot much further. Any other programs that would be common on the iPhone to be uploading to Amazon?

On a similar type of issue, I've had about 4 or 5 customers call about slow internet (a couple had MacBooks and said the internet was completely offline) and we look at their connection and find their download is maxed out. Each time, shutting off a new Amazon Kindle that they got for Christmas seemed to fix the problem. They all claimed there was nothing that they had chosen to download, but their connection would be maxed out for hours, or all day. Any ideas what might be syncing or downloading on a Kindle that would need to download that much data?

petecarlson

join:2004-11-06
Baltimore, MD
I have my iPhone set to automatically sync photos and video to Google. Photos go over LTE and Wi-Fi while video only goes over Wi-Fi. It can use a boatload of bandwidth and I wish there was a setting to say which networks to upload over.

raytaylor

join:2009-07-28
kudos:1
reply to bburley
I have a dentist client who uses a crappy DSL plan with a major telco that gives him 10 GB of data per month.

Anyhow, it turned out to be an Apple TV unit they use to play generic videos above their dentist chairs from a PC running iTunes. You get to stare at fish or cartoons while you get your filling.

The Apple TV device was downloading the same 570 MB firmware file twice a day.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to voxframe
said by voxframe:

I love it when "companies" have "IT departments" who are too stupid to diagnose basic problems like this and point the finger at the ISP instead of checking their own shit first.

But don't you know, it's never the customer's fault.

It's always outside the corporate network...


John Galt
Forward, March
Premium
join:2004-09-30
Happy Camp
kudos:8
reply to bburley
Have you run Wireshark to see what is happening on the port?

bburley

join:2010-04-30
Cold Lake, AB
Most of the problem was not present today. The funny telecom company traffic was gone and the upload traffic was significantly reduced.

The upload traffic that was still there (still above normal) turned out to be a sudden increase in the use of a server-side database from a satellite office through a VPN connection.

We did notice one person that wasn't in today (a Mac user, no less), but that can only be speculation at this point. We didn't do a roll call to check everyone.

I didn't Wireshark it yet; first I just want to know where the extra traffic is coming from. The only thing to do now is watch again on Monday.

robbin
Premium,MVM
join:2000-09-21
Leander, TX
kudos:1
reply to jcremin
said by jcremin:

Does the iPhone have photostream too? They had no idea what could be uploading, and since I don't have any Apple devices

Yes, both iPhone and iPad have photostream.

TBBroadband

join:2012-10-26
Fremont, OH
reply to bburley
I had the same problem when using Megapath for a T1. Once in a while I'd get the same issue with some US-based small mom/pop cable companies. Reported them but nothing. Ended up bringing the T1 down to a crawl at times and I later dropped them.

bburley

join:2010-04-30
Cold Lake, AB
I should have known it wouldn't be just one problem. Today it was found that a misconfigured WDS system was generating excessive broadcast traffic (but only when triggered by some usage) which explained the similar traffic on all switch ports.

Another strange item was that it appeared that an internal security DVR was being accessed by a Korean IP address belonging to DVRStation.com.

I don't know if a staff member signed up for this (unlikely as few know enough detail to login independent of a pre-configured app), or if the website is a front for hacking activity.

Looking at the website, it doesn't strike me as all that professional. In any case something like that would never be authorized, and I would hope that common sense would prevent other people from signing up and allowing their security video to flow to Korea.

That website is now blocked.

Still no sign of the telecom company traffic from Friday.

I wonder what tomorrow will bring.

bburley

join:2010-04-30
Cold Lake, AB
I finally stopped and did a search on the DVR issue and I am not any happier after finding this:

»forums.securityinfowatch.com/arc···480.html