Community Forum

Unusually high data usage megathread

Frequent Visitor

Re: Internet Data Use

Secondly I am curious as to why the caps were reinstated since we are still in the midst of COVID and many states still have stay at home orders and restrictions? Especially with more people resorting to work at home through zoom and the impending fact many kids are being given the choice to school during the upcoming school year period virtually coming up the data usage is going to continue to climb.  A child using zoom for 7 hours and a parent using 8-10 hours working will rack up a lot of data essentially pigeonholing them into these charges. I think you could safely reinstate your previous practices once we are free of the current worldwide situation. This looks like a means to take advantage of people being forced to use more data for work and school.

Regular Visitor

Increase of Data Usage

Can't understand How Only 2 Adults in a Household , Only Myself during the Day are Using all this Data , NO WAY POSSIBLE , I Never even came close to my limit when I had 8 people living here ?? And this Started Shortly after COVID-19 and as Soon as Comcast Started Giving Out Xfinity Wifi Essentials to People who had No Access to Internet , Which didn't apply to Existing Customers , Never Ever Have I Even Come Close To My Limit EVER !!
SO SOMETHING SHADY IS GOING ON

New Poster

Extremely high data usage

From 01/2020 to now, there has been an extremely large and random increase spike in household data usage for me (family of 4). It is up to the point now that since May, it shows that we have been hovering around 1.1 - 1.3 TB of data usage up from the lowest it was (250+ GB) in Feb. What is going on? Xfinity live chat agents refuse to cooperate and give me more details, they just tell me to continue to monitor data usage. There is no possible way 4 people can use this much data if they are not downloading / streaming extremely large files / 4k video 24/7.

Contributor

This thread speaks for itself

Dare you post any sort of personalized message about excessive usage reporting in the forums your post will be buried in here within minutes (but not addressed).

 

I was about to tear my hair out 8 months or so ago, edging up to the 1TiB cap.  Finally I bought an Asus router that will give me usage stats, per device.  Loved it, finally let me see exactly what was using all the data in my house.  On total usage it was always within +/- 5% or so of what the xfinity meter showed.  This was good enough for me.  When COVID hit they removed the cap (temporarily), now that it's back but higher xfinity now reports 30% more than my router shows me.  My router reports as of 7/31 @ 10pm I've used 770GB, xfinity reports I've used 998GB.  This is completely out of whack.

 

It's easy for Comcast to claim people just aren't realizing what they're using because they have no tools of their own to contest it but EVERYTHING in my house funnels through my router.  Every wired and wireless device is labeled on my network and I know exactly what's using data.  THERE IS A PROBLEM

 

Insult to injury, at 10pm CST 7/31 it appears my July meter is already closed out for the month and everything is already being added to August.  That isn't necessarily when it started but just when I happened to check.

 

This seems like a money grab to me.  Just saw an article today about the massive amount of cord cutters that Comcast has lost during COVID.  Seems to me they're trying to force people into "unlimited" internet to help make up for it.

Contributor

Re: This thread speaks for itself

Sure.  There are traffic spikes.  Check out one of my log tables below.

 

What are port 8080 and 81?  Tripwires.  Hit one of those ports, your traffic is ended with a dynamic firewall (snort.org and pfsense.org).  Pick a random high one, and a random low port number.  Redirect to a firewall.  Tends to stall the script kids and botnets and they move on to the next IP address, or their script just hangs costing them time. 

 

They're hit all the time with SYN/ACK attacks.  This is unsolicited traffic you will see too.  Mostly portscans, but there's a few others and some UDP DNS attacks.  Sometimes more clever ones too.  When does it happen?  It's random.  Who is it?  Compromised machines, jerks, governments.......the internet.......

 

Couple suggestions:

Check for a firmware update on your gateway.

Look for known exploits for your modem/firmware on us-cert.gov (like CVE-2018-8878).  It could be what they're fishing for.

Turn off ICMP.  Disable UPnP. 

Disable any kind of remote access.  There are other ways to do that if you want to remotely manage your gateway from somewhere else.

Forwarding ports?  Hope they're protected by other means.

If your gateway has a firewall, make sure it's at the highest setting.  Does it work or respond properly and record that traffic when it does?  That's entirely a different question.

 

Try some penetration attempts with nmap from a remote location.  Make sure you've got zero open ports, or any port that will disclose its state open or closed.

 

I solved it by throwing hardware at it.  Isolate your gateway:

Internet <-> Gateway <-> Firewall Ex interface <-> Firewall In interface <-> wifi (router) <-> Internal clients

 

Traffic was cut in half.  Yeah, I'm not using the gateway wifi, I have another wifi router for that and the internal LAN network.  As a bonus, you can throttle traffic per device if you want to.  Streaming can be as many as 12 streams up to 12-15Mbps.  You can fix them at a lower point, smooth out the stream, and still have decent quality.

 

Now below, if any of these actors hit an open port, they'd be hammering my gateway, and probably from multiple locations:

 

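The tripwire-port behaviour described in the post above, as an added example that is not part of the original post and is not Snort or pfSense code: it replays a constructed event log and drops everything from a source after its first hit on port 8080 or 81. The log format, the addresses (documentation ranges), the `NEVER_BLOCK` allowlist and all function names are assumptions made for illustration.

```python
import ipaddress

TRIPWIRE_PORTS = {8080, 81}      # decoy ports named in the post
NEVER_BLOCK = {"198.51.100.9"}   # assumed allowlist, e.g. your own remote address

# Constructed sample events, oldest first: "time src_ip dst_port bytes".
SAMPLE_LOG = """\
09:00:01 203.0.113.7 22 60
09:00:02 203.0.113.7 8080 60
09:00:03 203.0.113.7 443 1500
09:00:04 198.51.100.9 443 1500
09:00:05 192.0.2.44 81 60
09:00:06 192.0.2.44 443 900
09:00:07 203.0.113.7 80 700
09:00:08 198.51.100.9 8080 60
not a log line
"""

def parse(line):
    """Return (src, dport, nbytes), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        src = str(ipaddress.ip_address(parts[1]))
        dport, nbytes = int(parts[2]), int(parts[3])
    except ValueError:
        return None
    if not 0 < dport < 65536 or nbytes < 0:
        return None
    return src, dport, nbytes

def replay(log, tripwires=TRIPWIRE_PORTS, never_block=NEVER_BLOCK):
    """Replay events in order; a source is blocked from its first tripwire hit on."""
    blocked, dropped, passed = set(), 0, 0
    for line in log.splitlines():
        event = parse(line)
        if event is None:
            continue                      # skip lines that do not parse
        src, dport, nbytes = event
        if dport in tripwires and src not in never_block:
            blocked.add(src)              # one packet is enough to trigger the block
        if src in blocked:
            dropped += nbytes
        else:
            passed += nbytes
    return blocked, dropped, passed

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

Because a single packet triggers the block, the allowlist keeps an address you depend on from being locked out by one stray connection to a decoy port.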

 

Frequent Visitor

Re: Internet Data Use

@BobWang Thanks for your confirmation on the usage meter correction.  I refrained from comment to ensure that my numbers matched, but the meter DOES seem to be corrected, and my numbers now match what xfinity is reporting.  I don't think that was the case earlier in July, but at least for August, I'm seeing numbers that line up on the Data Meter and my own vnstat output on Cable Modem interface.

Frequent Visitor

Re: Internet Data Use

Joe:
Thanks for the heads up, 

now my Usage meter shows ZERO usage in August 😜

Bob

Frequent Visitor

Re: This thread speaks for itself

I too have recently noticed a huge increase in our "usage".  According to Xfinity's meter we have used 63GB in the first two DAYS of August.  What??  We almost hit the cap last month, and I fear we might hit it this month.  Something does not seem right with the metering and we aren't given many tools to determine if there is indeed a culprit.  Communication with Customer Service and Tech Support was unhelpful.  "Run an anti-virus scan" was about all they could suggest.  I am moving everyone off our ORBI router and onto the Gateway's Wifi with profiles to see if I can narrow it down, but it would be helpful if Xfinity would provide a more detailed breakdown.  Even my wireless carrier can tell me every single number I've called and a % data type used each month...

Frequent Visitor

Re: Internet Data Use

@ComcastTeds from the looks of this thread, you have a common, and very real problem.  Just look at the dates of the messages.....relatively active through April then quiet....suddenly in July the thread picked up in a big way, indicating that something has happened that is making your customers very, very unhappy.  Please elevate this issue and get to the bottom of why people's data usage meters are going off the charts....and give us better tools to monitor our traffic and troubleshoot data vampires. 

Regular Contributor

Re: Internet Data Use

@MattRose,

They turned off the meter and the overage charges from late March through June as part of their COVID response, so people didn't have much to talk about.

Frequent Visitor

Re: Internet Data Use

@joechang I'm assuming that @BobWang must have contacted you offthread, since I did not see any response here that indicated he was a change.

I myself have noticed that for August, my numbers are within 2GB between router and Comcast.

As expected, my router numbers are higher, since it collects data in real time.

 

I'll be continuing to monitor my usage, but currently, I'm looking at about 40GB as of now, which seems to indicate a 15GB per day usage (though it does include two weekend days, which is normally larger than my weekday).

Still, at 15GB per day, I shouldn't be hitting the 75% limit at all in any given month.

 

The change I made in the last week of July was to swap out the XFi gateway for my own SB8200 modem.

This was a planned change, since I wanted to save on the rental fee.  It was just accelerated with my frustration at the data count being off.

 

Frequent Visitor

Re: Internet Data Use

@bolohead No side conversation, just referring to a post @BobWang made a few pages back, around 7-19 where he said "Close Enough".  

 

I run specific tools on my linux-based router to monitor specific data coming in/out of my cable modem ethernet connection.  This is the single point where all internet comes in/out my network.

 

In the first few weeks of July, after reinstating bandwidth limits, I saw the Xfinity bandwidth meter be significantly off.  It varied greatly, but did not match my tool output.

 

Around late-July, it seemed to line up better.  For August, it has been spot-on with my personal data usage reporting.  Based on my usage pattern, I expect to be at MAX 80% of data limits.  I've also since adjusted Zoom/camera settings to be lower resolution for WFH, but I don't see significant savings there (most data is used downstream, at a ratio of approximately 6 to 1).

 

I'd suggest somehow getting your own reporting (I think BobWang uses Nest?, I've seen Asus mentioned as well) to ensure numbers are accurate, and then debug from there.  For August so far, I'm now OK with the Comcast/Xfinity meter, but will carefully monitor through the month.

Frequent Visitor

Re: Internet Data Use

@bolohead, I have not been in contact with anyone on this thread.

I did call Xfinity, got the "escalation" spiel, haven't heard back.

I also have an Arris SB8200,

I broke down, and rented an Xfinity XB7 (CGM4331COM) for Unlimited Data.

The first 2 days of August, Usage showed ZERO usage.

I had to call Xfinity to re-activate my SB8200 because the XB7 Upload was only 5 Mbps, instead of the 40 Mbps I was getting with SB8200.

Plan is to periodically re-connect the XB7 and see if that matches more with Xfinity's number.

Usage Meter did kick back in yesterday,

So far, Nest WiFi reports about 10 GB since meter started again.

Xfinity Usage Meter shows 35 GB used.