WAN MAC address using large amount of data

NetworkingNoob

Junior Member
Apr 10, 2017
4
0
1
Hello,

I'm pretty new to networking in general. My ISP recently imposed a data cap and I saw my usage double from one month to the next with no apparent reason.

I wanted to see what was causing all of the data usage so I flashed DD-WRT and installed the YAMon usage monitor. Overnight it looks like my WAN MAC is reported to have used over 500 MB of data. Is this normal? I'm not 100% clear on what the WAN MAC would need that much data for. I contacted my ISP and they said my modem was out of date so I purchased a new one. It still seems that my WAN MAC is using large amounts of data. None of the other devices on my network are using as much data as the WAN MAC. Any idea what could be causing this?

Any help would be greatly appreciated.

[screenshots of the YAMon usage report attached]
 

Rifter

Lifer
Oct 9, 1999
11,522
751
126
Your WAN port on your router should have the highest traffic, as in it should have ALL your traffic from your whole network flowing through it.
 

NetworkingNoob

Junior Member
Apr 10, 2017
4
0
1
That's what I was thinking but this data is only going to and from the WAN MAC address itself. It doesn't appear to match any usage by any of the devices on the network. It's not a sum of all the other usage. Here's what I'm seeing.
[screenshot attached]
 

Gryz

Golden Member
Aug 28, 2010
1,551
203
106
Learn the difference between a MAC-address (layer-2) and an IP address (layer-3). The source IP address indicates who was the originator of data. (Unless NAT is involved. But that's another question). If you look at a frame (a frame is a packet at layer-2), then the source MAC-address only indicates which device is *forwarding* a packet. It does not indicate who originated it. If you wanna know that, look at the source IP address.
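To make the layer-2 versus layer-3 distinction concrete, here is an added example (not code from the thread, and not YAMon's own logic). It builds a few constructed Ethernet/IPv4 frames as they would appear on the router's WAN link and totals the bytes two ways: by source MAC, which is what a per-MAC counter shows, and by source IP, which identifies who originated the data. Only 117.38.14.85 comes from the thread; every MAC and the other IP addresses are constructed sample values.

```python
"""Attribute WAN traffic by layer-3 source, not by layer-2 source.

Added example, not code from the thread or from YAMon. Only 117.38.14.85 is
taken from the thread; all MACs and the other IPs are constructed values.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800

# Constructed addresses (assumptions, not from the thread).
ISP_GATEWAY_MAC = "00:11:22:33:44:55"   # upstream hop's MAC on the WAN segment
ROUTER_WAN_MAC = "aa:bb:cc:dd:ee:ff"    # the router's own WAN MAC
ROUTER_PUBLIC_IP = "198.51.100.7"       # router's public (NAT) address, TEST-NET-2
REMOTE_SUSPECT_IP = "117.38.14.85"      # the address discussed in the thread
REMOTE_OTHER_IP = "203.0.113.9"         # some other remote host, TEST-NET-3


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload_len):
    """Minimal Ethernet + IPv4 frame (no IP options, checksum left zero)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len,  # version/IHL, DSCP, total length
                         0, 0x4000,                   # identification, DF flag
                         64, 6, 0,                    # TTL, protocol (TCP), checksum
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip_hdr + b"\x00" * payload_len


def parse_frame(frame):
    """Return the layer-2 and layer-3 source/destination of an IPv4 frame, or None."""
    if len(frame) < 14 + 20:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None          # ARP, IPv6, etc. are ignored here
    ip_hdr = frame[14:34]
    if ip_hdr[0] >> 4 != 4:
        return None
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_ip": ".".join(str(b) for b in ip_hdr[12:16]),
        "dst_ip": ".".join(str(b) for b in ip_hdr[16:20]),
        "bytes": total_len,
    }


def attribute(frames):
    """Total bytes by source MAC and by source IP over a list of raw frames."""
    by_mac, by_ip = defaultdict(int), defaultdict(int)
    for frame in frames:
        info = parse_frame(frame)
        if info is None:
            continue
        by_mac[info["src_mac"]] += info["bytes"]
        by_ip[info["src_ip"]] += info["bytes"]
    return {"by_src_mac": dict(by_mac), "by_src_ip": dict(by_ip)}


# Constructed WAN-side capture: every inbound frame carries the ISP gateway's MAC
# and every outbound frame carries the router's WAN MAC, whoever is really talking.
SAMPLE_FRAMES = [
    build_frame(ISP_GATEWAY_MAC, ROUTER_WAN_MAC, REMOTE_SUSPECT_IP, ROUTER_PUBLIC_IP, 1400),
    build_frame(ISP_GATEWAY_MAC, ROUTER_WAN_MAC, REMOTE_OTHER_IP, ROUTER_PUBLIC_IP, 500),
    build_frame(ROUTER_WAN_MAC, ISP_GATEWAY_MAC, ROUTER_PUBLIC_IP, REMOTE_SUSPECT_IP, 100),
    build_frame(ISP_GATEWAY_MAC, ROUTER_WAN_MAC, REMOTE_SUSPECT_IP, ROUTER_PUBLIC_IP, 1400),
]

if __name__ == "__main__":
    totals = attribute(SAMPLE_FRAMES)
    print("by source MAC:", totals["by_src_mac"])   # two buckets: gateway MAC, router WAN MAC
    print("by source IP: ", totals["by_src_ip"])    # the remote 117.38.14.85 stands out
```

Run as is, the per-MAC view lumps all inbound traffic under the gateway's MAC and all outbound traffic under the router's WAN MAC, which is exactly why a per-MAC counter makes the WAN MAC look like a heavy user. The per-IP view separates the remote hosts. The outbound frame also shows the NAT caveat from the post: after NAT its source IP is the router's public address, so to find the LAN device behind it you would have to look at the same flow on the LAN side, before translation.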
 

NetworkingNoob

Junior Member
Apr 10, 2017
4
0
1
I think I might be following you. So if I look at the source IP, such as the below screenshot, and see an unknown IP address, that is the originating user of the data. In this instance I have no idea what IP address this is since it's not any of my devices. What would this indicate?

[screenshot attached]
 

thecoolnessrune

Diamond Member
Jun 8, 2005
9,672
578
126
The WHOIS Record for that IP Address:

Source: whois.apnic.net
IP Address: 117.38.14.85
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '117.32.0.0 - 117.39.255.255'

inetnum: 117.32.0.0 - 117.39.255.255
netname: CHINANET-SN
descr: CHINANET Shanxi(SN) province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: XC9-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-CHINANET-SHAANXI
mnt-lower: MAINT-CHINANET-SHAANXI
status: ALLOCATED PORTABLE
remarks: --------------------------------------------------------
remarks: To report network abuse, please contact mnt-irt
remarks: For troubleshooting, please contact tech-c and admin-c
remarks: Report invalid contact via www.apnic.net/invalidcontact
remarks: --------------------------------------------------------
source: APNIC
mnt-irt: IRT-CHINANET-CN
changed: hm-changed@apnic.net 20070615

irt: IRT-CHINANET-CN
address: No.31 ,jingrong street,beijing
address: 100032
e-mail: anti-spam@ns.chinanet.cn.net
abuse-mailbox: anti-spam@ns.chinanet.cn.net
admin-c: CH93-AP
tech-c: CH93-AP
auth: # Filtered
mnt-by: MAINT-CHINANET
changed: anti-spam@ns.chinanet.cn.net 20101115
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
changed: zhengzm@gsta.com 20140227
mnt-by: MAINT-CHINANET
source: APNIC

person: Xianghong Cao
address: Shanxi provice data communication Bureau
address: 185# zhuque Road
address: Xi'an city, Shanxi provice 710061
country: CN
phone: +8629-523-3633
fax-no: +8629-522-8093
e-mail: sxic@public.xa.sn.cn
nic-hdl: XC9-AP
mnt-by: MAINT-CHINANET
changed: caoxianghong@263.net 19990409
changed: hm-changed@apnic.net 20170317
source: APNIC

% Information related to '117.38.0.0/18AS4809'

route: 117.38.0.0/18
descr: China Telecom Shaanxi Province
origin: AS4809
mnt-by: MAINT-CHINANET-SHAANXI
changed: dingsy@cndata.com 20070711
source: APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)



Note that that IP address has been reported multiple times for SSH and FTP brute-forcing attempts. This IP is included in Cisco's Cloud Security as a malicious IP address:

https://www.abuseipdb.com/check/117.38.14.85

If you've got that much data going to / from that IP address, you may be dealing with an intrusion. Do you have ports that are open? Have you left anything internet-facing with default credentials? Are you using TOR, BitTorrent, or other peer-to-peer systems? Are you using UPnP on systems that could be vulnerable?
 
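The whois lookup above is the first triage step for any unknown remote address. As an added example (not code from the thread), the block below parses RPSL-style whois output, the key: value objects that APNIC and the other RIRs return, and answers the questions a defender asks first: which allocation and announced route cover the address, which AS originates it, and where abuse is reported. The whois excerpt embedded in it is copied from the record quoted in the post; the other addresses passed in are constructed test values.

```python
"""Triage an unknown remote IP from whois output.

Added example, not code from the thread. The WHOIS_EXCERPT below is copied
from the APNIC record quoted in the post; other IPs used are constructed.
"""
import ipaddress

WHOIS_EXCERPT = """\
% [whois.apnic.net]
% Information related to '117.32.0.0 - 117.39.255.255'

inetnum: 117.32.0.0 - 117.39.255.255
netname: CHINANET-SN
descr: CHINANET Shanxi(SN) province network
country: CN
status: ALLOCATED PORTABLE
mnt-irt: IRT-CHINANET-CN
source: APNIC

irt: IRT-CHINANET-CN
e-mail: anti-spam@ns.chinanet.cn.net
abuse-mailbox: anti-spam@ns.chinanet.cn.net
mnt-by: MAINT-CHINANET
source: APNIC

route: 117.38.0.0/18
descr: China Telecom Shaanxi Province
origin: AS4809
source: APNIC
"""


def parse_rpsl(text):
    """Split whois output into objects: a list of dicts mapping key -> list of values."""
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith("%"):          # server comments / copyright notices
            continue
        if not line.strip():              # a blank line ends an object
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def in_inetnum(inetnum, ip):
    """True if ip lies inside a 'start - end' inetnum range."""
    start, _, end = inetnum.partition("-")
    return ipaddress.ip_address(start.strip()) <= ip <= ipaddress.ip_address(end.strip())


def triage(whois_text, ip_str):
    """Summarise what whois says about ip_str: allocation, route, origin AS, abuse contact."""
    ip = ipaddress.ip_address(ip_str)
    summary = {"ip": ip_str, "is_global": ip.is_global, "netname": None,
               "route": None, "origin_as": None, "abuse_mailbox": None}
    if not ip.is_global:
        return summary                    # private/reserved: one of your own hosts, not a remote one
    objects = parse_rpsl(whois_text)
    irt_ref = None
    for obj in objects:
        if "inetnum" in obj and in_inetnum(obj["inetnum"][0], ip):
            summary["netname"] = obj.get("netname", [None])[0]
            irt_ref = obj.get("mnt-irt", [None])[0]
        if "route" in obj and ip in ipaddress.ip_network(obj["route"][0], strict=False):
            summary["route"] = obj["route"][0]
            summary["origin_as"] = obj.get("origin", [None])[0]
    for obj in objects:                   # resolve the IRT object the inetnum points at
        if irt_ref and obj.get("irt", [None])[0] == irt_ref:
            summary["abuse_mailbox"] = obj.get("abuse-mailbox", [None])[0]
    return summary


if __name__ == "__main__":
    for field, value in triage(WHOIS_EXCERPT, "117.38.14.85").items():
        print(f"{field:>14}: {value}")
```

The `is_global` check comes first because the most common false alarm in a usage monitor is a private or reserved address that belongs to your own network. For a public address, the inetnum tells you the allocation and the route object tells you who actually announces it; the abuse mailbox is resolved through the `mnt-irt` reference rather than read from the first e-mail line, since the person objects in a record are not the abuse contact.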

NetworkingNoob

Junior Member
Apr 10, 2017
4
0
1

Thanks for the info, I just set up my OpenDNS the other day and traffic seems to have decreased quite a bit. I also updated the router password from the default. Nothing else is default as far as I can see. No TOR, torrent, P2P, or anything on my end. As far as I can tell no UPnP devices are currently open.


Thanks again for the input!