JacksonTech
join:2013-06-01
United State

JacksonTech

Member

Phantom Traffic - it's BitTorrent (also 2% pktloss and RSTs)

Whew, boy, I don't even know how to start on this one.

So after the outage, I had 2% packet loss and random "Connection Resets" in Firefox. I had a lot of errands to run so I didn't get to explore it until last night.

First thing I noticed: a constant 60KBit/s download on my WAN interface. See graph:




I fired up a network monitor and saw that there were several THOUSAND connections to my WAN IP address. They were all bouncing off my firewall, but they were still using my bandwidth. (Hint: a month's worth of constant 60KBit/s is about 17GB!) Some work with a packet analyzer revealed it to be BitTorrent traffic.

But I don't use BitTorrent, and neither does anyone in the family. (I can guarantee these both for several long-winded reasons I won't explain here.) I can also guarantee that no one is using my wireless network without permission. After examining the LAN-side interfaces, I could tell this traffic was entirely unsolicited.

Here's my notion: the outage changed my IP address. When the modem rebooted, it associated with a different IP Gateway and got a different IP address...and whoever had been using this IP address before me (they *are* dynamic, you know) was heavily into BitTorrent. I've been told by people who actually know how BitTorrent works (I don't; I have moral objections to using it for illegal purposes and I just avoid it) that it can take a very long time for other peers to forget your IP address. In essence, a few thousand BitTorrent users out there think I have copies of Pearl Jam and The Eagles and are trying to connect to me...using quite a bit of bandwidth in the process.

I'm glad I caught it within a few days, otherwise I would be out a few GB or more.

Now, here's the gem: I rebooted the modem, got a different IP address, and giggled with glee when I noticed that my baseline traffic was back to 0KBit/s, where it should be.

And the 2% packet loss went down to 0%.

And I haven't seen a Connection Reset since.

Since I'm big on theories, here's another one to try on: whatever IP Gateway I had been using (so sorry--I should've written it down!) is saturated by BitTorrent traffic and/or just extremely loaded. It should be obvious that my satellite equipment and network can communicate just fine with the NOC; this rules out everything but the infrastructure between the NOC and the Internet. There *is* a bottleneck somewhere, much as HughesNet refuses to acknowledge it.

I don't consider rebooting the modem repeatedly to be a solution to the problem. Unfortunately, I don't have many suggestions either (whining without at least one suggestion for improvement is not proper). Well, I have one that may prove unpopular: pull a Comcast and start traffic-shaping BitTorrent traffic. While I'm usually quite against any form of Internet censorship, in this case, people really shouldn't be using BitTorrent on a satellite connection anyway. It hurts everyone else, if only in the sheer number of TCP connections it opens. Maybe that's why the CGN boxes are swamped. (Fun fact: default timeout for an open TCP connection is 5 days on a Linux box...)

I posted this on my blog with a complete explanation: »jacksontech.net/index.ph ··· officer/
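Added example, not part of JacksonTech's post or tooling: one way to confirm that unsolicited inbound packets are BitTorrent is to match their payloads against the protocol's published signatures (BEP 3 handshake, BEP 5 DHT messages, BEP 29 uTP SYN). The function names, sample packets, addresses and node IDs are constructed for illustration.

```python
from collections import Counter

BT_HANDSHAKE = b"\x13BitTorrent protocol"  # BEP 3: length byte 19 + protocol string
BT_LABELS = {"bt-handshake", "dht", "utp-syn"}

def classify(proto, payload):
    """Label one inbound packet payload; heuristics only, not a full parser."""
    if proto == "tcp":
        if not payload:
            return "tcp-no-payload"  # a dropped SYN carries no data to inspect
        return "bt-handshake" if payload.startswith(BT_HANDSHAKE) else "other"
    # BEP 5: DHT messages are bencoded dicts that carry a "y" message-type key.
    if payload[:1] == b"d" and payload[-1:] == b"e" and b"1:y1:" in payload:
        return "dht"
    # BEP 29: uTP header is 20 bytes; first byte 0x41 = type ST_SYN (4), version 1.
    if len(payload) >= 20 and payload[0] == 0x41:
        return "utp-syn"
    return "other"

def summarize(records):
    """records: (src_ip, proto, payload) tuples for packets the firewall dropped."""
    labels, sources = Counter(), set()
    for src, proto, payload in records:
        label = classify(proto, payload)
        labels[label] += 1
        if label in BT_LABELS:
            sources.add(src)
    total = sum(labels.values())
    bt = sum(n for lab, n in labels.items() if lab in BT_LABELS)
    return {"labels": dict(labels), "bt_sources": len(sources),
            "bt_share": bt / total if total else 0.0}

# Constructed sample capture (documentation-range addresses, made-up node IDs).
DHT_PING = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
DHT_GET_PEERS = (b"d1:ad2:id20:abcdefghij01234567899:info_hash20:"
                 b"mnopqrstuvwxyz123456e1:q9:get_peers1:t2:aa1:y1:qe")
UTP_SYN = bytes([0x41, 0x00]) + bytes(18)
DNS_LIKE = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
            b"\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE = [
    ("198.51.100.7", "udp", DHT_PING),
    ("198.51.100.8", "udp", DHT_GET_PEERS),
    ("203.0.113.20", "udp", UTP_SYN),
    ("203.0.113.20", "udp", UTP_SYN),
    ("203.0.113.99", "tcp", b""),
    ("192.0.2.5", "udp", DNS_LIKE),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because a firewall that drops TCP SYNs never sees a handshake, the UDP signatures (DHT and uTP) are usually what identifies this kind of leftover peer traffic.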

gwalk
Premium Member
join:2005-07-27
West Mich.

gwalk

Premium Member

Wow,
Even rebooting the modem you have no control over which IP you will be dynamically assigned. You could very easily end up with another "afflicted" IP.
A hardware firewall being "after" the modem isn't going to help.
This is truly a job for Hughes Engineering. I can't imagine the time it will take to solve this one.
silbaco
Premium Member
join:2009-08-03
USA

silbaco to JacksonTech

Premium Member

to JacksonTech
Strange. I would have assumed BitTorrent would see the dropped packets and assume the host is unreachable instead of continuing to flood the IP address.

I have seen Spotify do strange things like this.

james1979
Premium Member
join:2012-10-09
Quinault, WA

james1979 to JacksonTech

Premium Member

to JacksonTech
said by JacksonTech:

There *is* a bottleneck somewhere, much as HughesNet refuses to acknowledge it.

There sure is. Whenever I get stuck with sub 1Mbps speeds, I reboot the modem and try to get on a different gateway. Your discovery helps explain why this sometimes works.
james1979

james1979

Premium Member

Sorry for following up on myself, but what JacksonTech described seems more like an unintended denial of service attack rather than a "bottleneck", right? That's very consistent with what I am experiencing. Sometimes Gen4 works as advertised, and sometimes it doesn't. Sometimes rebooting the modem switches me to another gateway (with speeds restored), and sometimes it doesn't.

gwalk
Premium Member
join:2005-07-27
West Mich.

gwalk

Premium Member

What he is describing is "hits" on his modem & resulting bandwidth losses after being assigned a dynamic IP by Hughes that a previous Hughes user used for BitTorrent.
gwalk

gwalk to JacksonTech

Premium Member

to JacksonTech
The original thread, more details and any official Hughes response can be found here:

»community.myhughesnet.co ··· ned_dish

EDIT:
official reply:

(OFFICIAL REP) 14 minutes ago

Hi JacksonTech and thanks for the post. Let us look into the Phantom Traffic and your connection reset concerns. I will touch base as soon as I have some news. Suz

james1979
Premium Member
join:2012-10-09
Quinault, WA

1 edit

james1979 to gwalk

Premium Member

to gwalk
Even though I know little about BitTorrent, I understood JT's post. It seems like thousands of "hits" on the modem would be similar to a DOS attack, and that would explain the erratic performance of GEN4. I had already figured out that I could "restore" my speeds temporarily by rebooting the modem, but that's not really a solution.

Apparently, it's difficult to block BitTorrent: »security.stackexchange.c ··· ications

Thanks for the link to HughesNet community.

EDIT: As a side note, Opera is warning me about a certificate on the HughesNet Community: