Posting here in the hope that someone can explain some router messages to me, which I've searched for already on the forum but not found a suitable answer for. I work in IT, so I don't particularly enjoy time spent on 'technical' helplines - hopefully someone who knows what they're talking about will read this!
Our line has 10.5 Mbit downstream and has been performing pretty much within a few percent of that for a year (since we took on the connection). Over the last 4 or 5 days we've been absolute loss of bandwidth without loss of connection, which has been occuring at any time but particularly between 4pm and 11pm. The times I've been able to test the bandwidth, the speed starts out at 1Mbit at most and quickly falls away to nothing (I've not been able to complete any test I manage to get started during one of these periods). I've done some web dev in the past, so the best I can explain it is like a DDOS attack or someone leeching our bandwidth for some nefarious purpose.
Poking around in the HH3 router's logs, there are a lot of instances of the following firewall messages:
OUT: BLOCK  First packet is Invalid (Invalid tcp flags for current tcp state: TCP [192.168.1.xx]:xxxx->[xx.xx.xxx.xxx]:xxx on ppp0)
IN: BLOCK  Remote administration (TCP [22.214.171.124]:58566->[xx.xxx.xx.xxx]:xxxx on ppp0)
When bandwidth disappears, these remote admistration attempts become very frequent (every five to ten mins during loss of bandwidth). I've changed my public IP many times during an 'attack', but nothing changes. Networking is not my forte, so I'm not even sure if that would help, although my intuition says they need that to consistently 'attack'. My questions are thus:
For my curiosity, am I being overly cyncial in believing these remote administration attempts are coming from one centralised location?
For my paranoia, are these attempts related to the loss of our bandwidth?
If they are related, how on earth do you explain that to a tier 1 BT tech support operative so they actually pass it up the chain?
If they're not related, any advice on getting past a tier 1 BT tech support operative would be handy anyway 😄
Do you have any incoming ports open (port forwarding), as these are often the target for SYN floods, quite often from the country mentioned.
These attacks send lots of SYN packets, but ignore any ACK responses. This can cause your connection to "hang", until the incomplete handshakes time out.
Normally, changing your public IP will stop them for a while. You can do this by using the disconnect tab on you home hubs Internet settings, then reconnecting again.
I see this on my web server sometimes, and have set up IP filtering rules to block incoming connections from quite a number of offending subnets.
It may have nothing to do with that.
It could simply be a high error rate (CRC) events, causing the slowdown.
Have you checked your ADSL stats during the slowdown?
Thanks for the reply.
Just come out of one of these periods, which lasted from 4pm to 6pm and has been consistent with the past few days. The most I managed in that time was to get my forum post off. Going by recent outages, it'll happen briefly between now and 9pm before it goes almost completely down again for a couple of hours.
You're right about the CRC events:
The down noise margin has crept up the last few days, but it was balanced perfectly at the beginning of the problems (I'm assuming the power cycles I've put the hub through and contributed to a temporary rise).
The other values, I have no idea what they mean for my connection. Do they look ok or are they the cause of these CRC events? I can pretty much set my watch on when bandwidth completely disappears for a long stretch - does that give any indication of where the fault lies? Saying that, we've had blackouts of a few mins sprinkled throughout the day.
Your errors appear very high but you have not shown connection time which is important. If short time then the very high number of errors will be restricting your download speed
can you run btspeedtester and when first test completes then run diagnostic test and post results
Probably some form of electrical interference, plasma TVs are a common source, but there are plenty of others.
If you have a medium wave portable radio, tuned to a quiet part of the dial, you may hear what is causing it.
Also, if you are not plugged directly into the master socket, then any extension wiring would also pickup any interference.