About flatlander3

Another thing you can do with the little cheap $24 Roku is use a really short USB cord and plug it into the TV USB port.  (most TV's with HDMI will have a USB port).   The TV can usually only source about 500mA according to the specs on my TV's, but it seems to be enough.  The Roku will tell you if it isn't enough with a "Low Power" warning screen.  Try to use the shortest cable that will reach.   Then, TV Off will kill power to the Roku and you won't have to worry about it at idle at all, or if there's an app open.  Won't work for the larger Roku base station.  You're going to need to source an amp or more inrush current at startup for that. ... View more

@RobertWy    I've got a few little $24 Roku devices and an Amazon Fire Stick.    The Roku phones home on a powerup, but doesn't seem to talk any time else unless you're using it.  When it hits the default screen saver, unless you changed it to another screen saver like a live remote camera viewer, it seems to sleep and doesn't check for updates from what I've seen.  It will when you wake it up.   The Amazon Stick phones home pretty much every 20-30 minutes or so, but that data is in the kb range and short little burst traffic.  I'm not sure what it's doing.  Maybe refreshing the home page movies/tv show icons, or the ad banner.   A Mac will try to talk to a shadowy company called Akamai Technologies, Inc.  It's a cloud and big data provider.  It's also actually a curl information leak.  That's for face time, messages, iTunes store for updates....etc.   A Microsoft PC jabbers meta-data to the outside in the kb range too.  I find a lot of stuff like this that my Snort firewall blocks.  It's also phoning home to check for updates frequently: ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent ET INFO Windows OS Submitting USB Metadata to Microsoft   None of these will be data that burns big amounts except perhaps for automatic updates if you allowed that on Windows, or have a backup program running.     ... View more

When I switched from a DSL provider to Xfinity, two things that did catch my eye immediatly.   1. The ability to reboot your router from your account page. 2. And what is this, right under that option?  "We cannot display your network name and password because you are using an unsupported Xfinity or personal device."   Yes, it's a customer owned "Gateway"  and is one of the models the approved list, so neither option works.  Good.  I would be extremely concerned if either option actually worked.   No, I'm not concerned about Xfinity knowing a password. It would be better if you couldn't see it on a web accessible page though.  That implies an Internet facing web front end with direct database access to passwords.  What could possibly go wrong.......   That's not a traffic issue though.   What I am concerned with is that there is a backdoor people can't close.  That implies a port or service that can't be closed on devices they provide, or a port that may advertize itself as something other than "filtered" on a port scan.  There exists "some method" of communication for this to happen.    If you respond to a packet, you are a big ole ripe target for other intrusion attempts.  Might explain the overages.   Judging by the amount of stuff that hits my dedicated firewall, I'd say it's not a "feature", it's a bug, and possibly an exploit waiting to happen, plus a potential traffic generator.   If it's a UDP punch or some other such nonsense, I wouldn't be particulary happy about that either.  I have a couple of foscam cameras that try to do that 24/7 looking for myfoscam.com so you can configure or connect to them.  It's not a problem if you have a real firewall, I just block them from doing it with a lan rule.  That wouldn't be possible on the Gateway itself.   What method does Xfinity use for the reset feature? ... View more

@EG    True!  Plain Jane 'cable modems' do not have most of these features, although some will offer several features I listed above, including remote access, and a built in firewall.   Without a specific model, it's generic advice for $0.  Ignore at your own peril.   If we're being picky, they are all DOCSIS devices, with different features and hardware options, but if anyone is to blame, it's marketing for making generic use of the terms "cable modem" as well as "cable wifi router" in all of the descriptions on the packaging.   Xfinity likes to call it a "Gateway".  Nobody else does. ... View more

@LoveZCatZ    I feel for ya on that $50 nonsense (up to hosing you $200), but there's a couple things you can check that will cost you $0 and may actually help.   1st thing everyone omits for these is the cable modem.  What model specifically and what firmware.  Exploits come out every week.  Its useful for anyone trying to debug the problem.  US-CERT (US government) actually is useful for looking for known exploits on hardware.   Now while your in there looking for the model number and firmware, check some stuff and we're going to disable some stuff commonly used to expolit cable modems (and everything else).   1. Any type of remote admin access.  Make SURE it's off. 2. ICMP.  Allowing external machines to "ping" your external address is horrid. 3. Change the modem's admin password (not just wifi) to something other than default 4. Disable any port forwarding or port triggering.  If you are running any kind of server, you need a seperate hardware firewall. 5.  If it's a Netgear, disable readyshare -- a modem isn't a file server and shouldn't try 6. Disable UPnP -- nothing should blow holes in your firewall on it's own and act like a server.  It was a bad idea when it came out, it's still a bad idea. 7. Make SURE your modem's firewall is enabled, and set to the highest setting if you only have limited low/med/high settings.  If there is a portscan block option, use it. 8. Dynamic DNS is a really bad idea unless you know what you're doing and have a firewall appliance. 9. DO NOT enable features like VPN or any kind of desktop sharing software on the cable modem if it's an option.  A cable modem IS NOT a VPN appliance, and is not fit to be any kind of server. 10. Disable any type of "USB attached to the modem" setting.  You don't want that stack running on top of your modem's OS. 11. Disable email notifications from the modem.  A cable modem shouldn't try, and is not an email client.  Logging is fine.  Look at it that way.    Wait a day, see if it helps. ... View more

I've been looking at this seriously since June last year when I had a problem with unexpected traffic bringing me to the brink of overage.   I gotta tell ya.  Never has there been a more wretched hive of swine and villainy as the comcast network. I have over six months of log files, packet traces, usual suspects, known exploit attempts, other really weird TCP/UDP/ICMP traffic with frags, runts, sync requests and packets with bogus flags right down there in the TCP/IP spec mud (invalid packets/crafted packets). Also hostile local subnet traffic from my neighbors virus encrusted machines. In other words, typical internet traffic.   I have extensively banged on my cable modem from remote servers with intrusion software. Flipped settings. Enabled for capture. Redirected for dynamic firewall rules to capture, then analyze. Features on the modem enabled/disabled. There’s only one conclusion.   The firewall on my modem will mask traffic from external sources, and not tell me anything if the remote source is half way clever about it. Its counter will also not report any traffic for intrusion attempts that are outside of what it can report in the log files (full and valid TCP/IP/ICMP packets). Frags/sync/modified runt for example aren’t reported as data. I’d consider the counter on my customer owned netgear router helpful, but not particularly useful.   Two ways to solve it. Pass all traffic from the internet to an internal actual firewall appliance (separate box/laptop/PC), then dynamically block it with adaptive rule sets, or plan B. Plan B is using the modem firewall and it’s “features” such as portscan blocking, but enable port forwarding to an internal firewall low numbered port on a firewall appliance (separate box/laptop/PC) that will dynamically blackhole the external request and hang the offending side script that is port scanning you or otherwise trying an intrusion. When you analyze the traffic, you’ll notice the remote side hangs, their script moves on, and doesn’t target you again for as many as 3 days typically, but they always pop up again.  Such is the weberverse.   With traffic shaping on my side internally, I can get down to under 250G typically with no changes in my usage and I stream stuff heavily. With Xfinity gear, running their firmware, I’m sorry. You’re on your own. I’m not looking at it. I’ve posed suggestions in the past about settings you can look at and how to achieve an internal firewall appliance.   Your problem or theirs? I conclude it’s yours since its your network you are stuck with the bills. Welcome to IT and network administration. ... View more

@Annapolismike wrote: The xfi app internet usage activity is live IMO. I see these usage spikes and reser the modem. The next hour the activity is back to low. Something is happening which is using data outside is my devices. So I ended up soving my issues first with a commercial firewall appliance, and then with an old laptop running a pfsense firewall (free) and a wifi router (cheap one).  All the cable modem does is the coax to ethernet.  Wifi is disabled on my cable modem (netgear), along with the usual ICMP/remote access/UPnP etc.....  Old PC works great too for a firewall.  Doesn't have to be anything special.  You just need two network ports, or a USB dongle and one port.   Goes like this:   Internet <--> cable modem <--> Laptop port 1 (firewall) <--> Laptop port 2 (Internal lan) <--> wifi router (internal lan) <--> Inside lan/wifi clients.   Wifi router (internal lan) is an access point only.  Network configuration is done with DHCP on the internal port of the firewall.   The default setup in pfsense will keep you out of trouble.  It's just a BSD based OS.  Web interface you can see from the inside.  Snort is an adaptive firewall (free) add on you can do later that creates dynamic rules you can switch on and off.  You'll find it helpful, but if you turn everything on, it's a bit draconian and you'll have to disable some of the rules.  You can also see graphically, and via command line what everything is doing on your network if you want to get into that, as well as capture traffic to analyze with wireshark (ntopng add on).   Still a problem after that?  Dump the Xfi gateway and get a cable modem.   I'll also say that pfsense doesn't have great support for USB dongles.  You'll probably have to disable TCPIP offload -- hardware/segmentation and large frame to get one to work, but some work out of the box.  USB is slower too, but you probably won't notice anything.  PC with two ports if you need the speed.  Tiny hard drive is fine.  I'm using a 40G ssd and barely use 5Gigs with logging everything.   No changes in my usage cut bandwidth from going over, to only using 350 Gb/month, and some throttling took me under 300Gb ... View more

@Annapolismike   I think this forum is going about it the wrong way.  You said hard reset of modem.  That's cool, but what modem specifically?  Unplug won't do factory defaults and you might want to do that too if it's been jacked.  Also, factory defaults might not be what you're looking for here.  Sometimes, there are really insecure settings -- you know, to make it easy for people.  They're not good usually.   Wifi passwords.  Sure.  Thats if your neighbor is dogging you which is unlikely with wpa2 unless you're using the SSID for a password, what about the default admin password for the router itself?  Change that too.  Also, while you're in there:   Disable ICMP Disable UPnP Disable Remote Access  to the modem of any kind (ssh, web, hopefully it has no telnet option) Do Not port forward, unless you have that covered by "other means" with a real firewall. If you find port forwards or port trigging -- you've been pawnd already (world accessible).  Reset again.  Change the default modem password (not just the wifi).   Disable any kind of file sharing on the modem (Netgear ReadyShare specifically -- advanced -> setup).   Make sure the firewall is on.  If it's got a portscan block option, turn that on too. Some modems have remote exploits.  Model would help.  What is it?  What firmware does it say.  Maybe there's something else to look at.  Netgear has decided NOT to fix some of them.  Government CERT warnings say not to use them at all.   70G is nuts on wifi in 24 hours unless you're trying to do that.  If you change the settings above, see what it is in the next 24 hours.  Other devices on your network can be exploited too.  Try the above and see if it helps.  Go from there.   ... View more

@sal826   I ran into a similar problem myself.  Wireshark on your LAN is fine for outbound analysis, or inbound if you're intentionally running some kind of "service",  but what you can't see is what is hitting your WAN IP from the cable modem perspective.  Modem might have a firewall that could be partially blinding you.  First, is it enabled, and then, is it responding correctly?  It's a more complex question.  Assuming your cable modem doesn't have a known exploit:   Consider a SYN attack.  If you have ANY port that will respond on your cable modem, a "not very nice" external user can send you a synchronize packet, your open port will respond with SYN-ACK.  Depending on the attack method, that packet from your modem will either go to a bogus IP, or they can discard it quietly on their end with a firewall rule.   In any case, the 3rd part of the handshake, the client ACK your modem expects -- never happens and times out, so your port is left in a half open state.  The object is to either cause a DoS, or exhaust your resources and force a buffer overflow.  Optionally, use the half open port for some other kind of exploit attempt or more complex intrusion attempt.   You'll find this to be a fairly effective method to generate a huge amount of data with limited external resources, and this is only one example.   First thing I'd do us use a utility like nmap from an external location and see if there is ANY response from ANY port on your external cable modem IP address and go from there.  Nmap should tell you "filtered", and not open or closed.  Filtered means zero response.  If you are actually running a service of some kind on your LAN and port forwarding, or using/allowing UPnP from internal devices, I'd be looking at that pretty carefully.  Hide in plain sight too?  Yeah, well....disabling ICMP is always a good idea and that is always another traffic source.  Script kids usually don't use the -Pn option in nmap for portscans so no ping response generally means a pass over, but not all the time.   In my case, I was able to cut traffic by more than half with draconian adaptive firewall rules and routing through a seperate firewall box before the cable modem.  Cable modems are not reliable firewalls.  If you do find a port that doesn't behave or a service you can't disable, sometimes you can forward the port off into the bit bucket (bogus IP), or let it hit an internal firewall directly with a port forward to a firewalled port (preferred).   Now I have another situation where the usage Xfinity reports, is actually LESS than what I honestly know I'm using.  Now where that delta comes from is really unknown.  Averaging error on their end?  Timing thing? Retransmit banking off something.....but only sometimes?  Unknown.  I can see every packet that goes out, or comes into the WAN interface.  I'm still trying to figure that out.  Maybe it's just a firewall artifact on my side.......... ... View more

@JBJohnBender    Got a junk PC or an old laptop?  Run everything through a firewall like this one.  https://www.pfsense.org/  Then you can see your bandwidth and devices in real time.  You can also throttle use per device if you want to.   In the mean time, check your cable modem settings.  Change the default admin password, disable ICMP, disable remote access, make sure the firewall is on, disable insecure bonehead  features like Netgear's "readyshare", etc.  Check for firmware updates/exploits on your gear (several came out lately). ... View more

@dshank33418    Comcasteds is helping people with this and has some billing magic that appears to be a neat trick, but lets also help comcasteds, yourself and the rest of the network. There's not a lot the man can do to diagnose home network setups for folks.   I'm hitting attempted traffic from exploited boxes on the comcast customer network pool itself, as well as just about every commercial cloud hosting service, and deliberate hacking attempts from all over the world. Helping you, might help me too.  Working fine, then all of the sudden big data is an indicator of a problem.  So, from my notes and solution on this:   For a sanity check, take a peek at your cable modem settings. At the very least with little effort on your part, check these settings. Now after you change the default admin password like you were supposed to..... 😉   * Disable ICMP (no pings to your external IP address) * Disable UPnP (It was a bad idea when it came out.....it's still a bad idea) * Disable remote modem access, last thing you want is an external facing web server on a cable modem.  Don't try to run services like SSH or VPN with a modem.  That's insane and asking for it.   Should be a firewall on it. Although I trust the built in modem firewall about as far as I can throw my truck, make sure it's on. If you are "port forwarding" to any internal machines, disable that unless you have that protected by "other means".   On Usage: 2.5Mbps (Mega Bit Per Second) = 1.13GB/hour (Gigabytes per hour) 4Mbps = 1.8GB/hour – good for 720p, acceptable for 1080p 6Mbps = 2.7GB/hour – much better for 1080p 50-60 frames/sec. Your 4K TV stream will be here or higher 15Mbps = 6.75GB/hour – Phones can do this. Downloads can too if the server on the other side has a good pipe to Xfinity. It's all about what you're talking to, and the slowest “hop” between you and that.   I stream. A lot, perhaps an excessive amount with Roku boxes. I've also got a couple remote locations I'm talking to 24/7. I'm hard pressed to run over 300GB with my current setup with a decent firewall, throttling, with dynamic firewall rulesets. Still working on that firewall  formula, but bad does exist on the internet.  Shields up.  You need them.   Got a Netgear Router? R6250, R6400, R6700, R6900, R7000, R7100LG, R7300, R7900, R8000, D6220, and D6400 contain an unauthenticated command injection vulnerability that may be executed directly or via cross-domain requests. Your router could be pwned (and world accessible), and currently being used for a botnet. No, it doesn't require anything other than just being connected and people are looking for them. https://www.kb.cert.org/vuls/id/582384/   Plenty of other router exploits out there too. Lots of models. Lots of issues. I used the above for an illustration of why you want to check for firmware updates. Find all the exploits on https://www.us-cert.gov/ or search kb.cert.org. Feds also pump out a weekly exploit list, for everything. The gov site is weak for search capability, but useful anyway. Weekly alerts are something they do well. ... View more

@reddyvabad One of the many reasons why I like a firewall seperate from a cable modem.   As root: # /sbin/shutdown -p now   Cable modem?  If you can get to it remotely and check the settings on your modem, the game is over and would explain 30GB.  Can you? ... View more

@Phillipk86   For the modem, I really don't have much for recommendations. Pretty much, you want to pick one Xfinity says is an 'approved' modem, or they might not provision it for you.   Motorola. Netgear. Doesn't seem to matter much. 150 or 300Mbps? Meh. Best you're going to get for speed is the slowest hop between you and whatever server you are talking to. 30Mbps is probably about as good as you'll ever see on the 'weber-verse'.   For security, like I say. I don't trust any cable modem. All I want that to do is translate from coax, to ipv4/ipv6. I don't even want it to do wifi. Get a different wifi router or access point for that. A good setup includes a separate firewall on separate hardware. I use an old laptop running pfSense(free). 1 USB nic, and the built in ethernet port. Could be an old desktop with 2 ethernet ports. Goes like this:   internet → netgear cable router –> firewall –> Internal network wired |--> Wifi router on the inside   You can do Wifi in a DMZ (on the inside -- keep wifi devices in groups)  too to segregate steaming devices/smart TV's and anything else you may not trust very much, or things with firmware that you can't update that makes outside connections.   Nothing but the firewall touches the cable router, and it's a physical cable. The pfSense “out-of-the-box” setup will keep you out of trouble and it's a point and click interface with a web browser you can only get to on the internal network(configure it that way). You can go advanced and install “Snort”(free) for adaptive firewall rules, but you can always do that later on. Some other tricks too, but maybe another thread.   Anyway, that's how I'm doing it.  Seems effective.  Hope it helps.   ... View more

Oh....one more thing.    If you do find any ports that are open/closed, not filtered on your modem when you portscan it externally, it's not the end of the world.  Some "features" of the modem, you might not be able to turn off, but that can be worked around.   There's other "evil" on modems.  Netgear like mine?  Totally awful feature called readyshare.  It's trying to run some kind of file server service.  A cable modem, is not a file server and shouldn't try to be one.  That's just asking for problems.   See if there's a firmware update for it too.  US-CERT warnings include compromised modems frequently.  Maybe there's an update for a known exploit.  Can't hurt to check, but usually production support is 5 years.  After that, none of these companies care about exploits on old hardware. ... View more

@Phillipk86   For kicks and a sanity check, take a peek at your cable modem settings.  * Disable ICMP (no pings to your external IP address) * Disable UPnP (It was a bad idea when it came out.....it's still a bad idea) * Disable remote modem access, last thing you want is an external facing web server on a cable modem   Should be a firewall on it.  Although I trust the built in modem firewall about as far as I can throw my truck, make sure it's on.   If you are "port forwarding" to any internal machines, disable that unless you have that protected by "other means".   In my case,  I thought "normal streaming" usage was around 600GB/month since that's what I ended up with when my service started.   Turns out with a decent firewall, and adaptive firewalling with a couple of traps set, my streaming usage is really only around 200GB/month.  I'm using my own gear, not Xfinity.   Track it for a couple days, see if your usage looks different if you had any of the above enabled.  It's also not a bad idea to portscan your external IP address with a utility like nmap.  See if there is any open port, or any port that responds at all.  The response should be "filtered" on all ports, not open or closed.  Filtered means no response at all -- which is what you want unless you are specifically running a service and know what you're doing. ... View more

@Marcusatx wrote: The most data I’ve ever used in a single month was close to 700 gigs and for some reason I’m over the terabyte by 40 gigs the first five days in December. It’s absolutely impossible. Nothing has changed at the house. Well, actually comcastTed has a point.  Plenty of stuff can go wrong on your network.  My use?  When service started, I was around 650-700 and assumed it was streaming as well.  Just the breaks for streaming right?  Perhaps not.   First high spot almost blew the limit.  Monthly xfinity useage goes like this: 998GB = no way man.....now I'm looking. 915GB = Whoa....time for hardware to analyze this 799GB = Sure, I was doing some remote cam work with a new zoneminder, but still.  My numbers don't match with a framerate/bandwidth calculation.   Also, I noticed a change in routing, and an increase in latency between me and 3 remote locations (yeah, I can graph that too -- call it packet football).  That was Xfinity -- I assume a net nanny of sorts as there is less bot traffic.  Routing change for sure. 448GB = New firewall ruleset.  Latency back to normal.  Remote device changes as well to conserve a bit more data.  I no longer trust my cable modem or it's firewall -- for anything.  Consumer cable modems are junk. 190GB = Adaptive firewall ruleset is in control, no change in my streaming habits or remote gear.  Just set some traps to make the firewall a bit more draconian. 234GB = Yep -- that was me messing with stuff doing backups, otherwise it would be around 200GB.   Do my numbers agree with Xfinity reported?  No.  We still don't agree.  I would expect my numbers and theirs to be within a gig or two...some rounding errors maybe.   Concerned?  Less now, but you should be if you can't see every device on your network, and unsolicited foreign IP contacts.  I pick up a minimum 20 port scans daily and there's other sketchy traffic.  Should any one of them pick up a service or port you are not on top of,  or something your cable modem responds to, you could be getting hammered from multiple locations in a few minutes botnet style.   Should you have to be an IT administrator?  Well.....yeah.  I guess that's a good idea from now on and probably always was in the first place.  ... View more

@gthassell wrote: well, I don't think it was Disney+ - Just streamed the latest episode of the Mandalorian (about 45 minutes) - and double checked to see that it was at 1080P (which that AppleTV has always been set at) and in the hour I was watching, the real time data usage for my entire network was 3GB for the inbound port from the Modem to my Security Gateway.   (10PM central time to 11PM Central time).   I'd be very interested to see if there was a higher usage reported by the metering system. I use pfsense for a firewall.  If you do, you can watch it in real time.  Wifi is disabled on the cable modem, put your wifi on the internal network.  Figure your cable modem and it's firewall are compromised -- they're all junk anyway.   What can you realistically pull from a streaming service?  Depends on the pipe you got, but the limitation isn't going to be your cable modem (150Mbps-300Mbps).  It's going to be the slowest "hop" between you and the streaming service.  Use traceroute to see how many machines it passes through.  For me:   SlingTV usually runs around 2.5-3Mbps with burst traffic up to 4Mbps (sometimes higher).  Netflix can run a bit higher with burst traffic up to 6Mbps Amazon Prime video isn't as "bursty" and usually hovers in the 3-4Mbps range, but there's spikes.   2.5Mbps (Mega Bit Per Second) = 1.13GB/hour (Gigabytes per hour) 4Mbps = 1.8GB/hour 6Mbps = 2.7GB/hour 15Mbps = 6.75GB/hour   Now on a mac laptop, I can get bursts up to 12Mbps, but the problem there is the bandwidth isn't sustainable.  I'll get a really good hi-def stream, but then it will downshift streams and the video will be choppy.  When you watch a stream from a service, it's not one stream.  It's broken up to as many as 12 potential streams with various bit rates.   That's where pfsense comes in.  I can throttle bandwidth per device, cut it to a reasonable 5Mbps and then videos will play nicely on my mac.  Streaming devices -- roku/firestick.  I just cut them off at 4Mbps and they'll play just fine at 1080p.  Takes care of the "burstyness" problem.   At the same time, I'm recording "per device" stats (bandwidthD works nicely) and can see what everything has been doing in almost real time, along with months of history -- also logs to a postgres sql server.  Vnstat for quick statistics.  Ntopng has some good capture and real time capabilities -- works welll with wireshark.  Watch what's going on.  Search inbound traffic by IP and capture packets to see what they're doing.  There are a few other programs you can use for monitoring/capturing too.   What should you do on your modem?  Turn of ICMP (no pings allowed to external IP).  Disable UPnP (no device should be able to blow a hole in your firewall).  Fer Ghads sake -- disable remote access!!   Advanced Class:  Install Snort (adaptive firewall).  Pick a low port like 81 and port forward that to your firewall interface.  Now when someone portscans you, the adaptive firewall blocks the machine that did it and messes up the script kid if they don't have timeouts coded -- if anything, you're doing the web a favor by slowing down their port scan.   Lots of "other tricks" too.  Maybe another time.   Now the question:  What does Xfinity count?  It's not traffic.  We do not agree on real traffic vs what they report.  I'd keep tabs on it yourself for any "disputes".   ... View more

@karineh426 wrote: We also are tracking at incredibly high data usage and have no idea why. If I call Comcast, are they actually able to help or would that just be a waste of my time? Can't hurt.  What would help more is installing a firewall that logs every packet, disabling wifi on your router, installing a different wifi router on the inside of your lan and dumping all xfinity equipment.  Use streaming devices instead.   Then you would know what you're actually using, and have a better case for disputes. ... View more

@RSucher wrote: Thank you! I'm glad we finally have an actual answer instead of the random nonsense that flatlander guy has been spewing about botnets causing this problem. Is your actual internet usage reported on Xfinity correct, or you just don't have any means of keeping track?    Seems they are quite happy billing you when it isn't, and they have zero track record for accuracy.  I'm glad they "fixed" their billing issue.  I'll continue to monitor that it is "fixed".     ... View more

Sounds like a good reason not to use X1 boxes and just stream everything.  Run everything through a separate firewall including wifi (don't use wifi on the cable router).   Then you'll know what every device uses, when it used it, and the aggregate.  You can also set bandwidth limits by device if you're worried about it.  Sling doesn't load so much (3-4Mbps) but other apps will pull what they can for streaming in the 6-8Mbps range..  Phones will too -- 25+Mbps if they can. ... View more

@jth182 wrote: So not everybody got their data reset?  I'm at almost 200GB used for October already. To tell you the honest truth, a counter reset isn't what I was looking for.  I was looking for an accurate billing cycle.   Is it real data?  Is it not? (I know the answer)  If they "reset" a counter, why?  What's the point of that?  There's zero communication here.   I'm watching the usual weberverse traffic banking off my firewall.  I've got portscans, shell exploits flying by, dns cache poisoning attempts, the usual general virus propagation traffic.  It all counts on your data cap.  Usually, it's not a large amount of data.   What ticks me off is paying $10/50GB when a botnet attack happens on my subnet, and I don't control the upstream hardware to shut it off or mitigate the traffic -- yet they'll bill you for it. ... View more

Yep.  It's the little things.  Then there's a whole lot of little things and bandwidth is flooded with the max pipe of the little things.   That's how the script kids roll.  ... View more

@FlickNFreckles wrote: Same here.   What's confusing is that I did get my courtesy month back (for a day). Then they took it away again. Zero here too.  What Xfinity giveth, I suppose comcast taketh away from the other guy who lost a free month.  Thank you O donor of the free bytes 😛   There is some bot traffic picking up from what I see.  I got two nailing my firewall now.  103.31.12.91 is Japan utility -- some telco, and another one 13.124.235.225 is an Amazon cloud service, Korea based.  SYN Probes.  About 5 hits/sec each.  Probably hijacked virtual machines.    Does it count as data cap traffic?  Probably.  ... View more

@jorti299 wrote:  data spikes are affecting the entire city. Yeah.  That's why I'm wondering if it's bot traffic.  The guy a couple back says his neighbors too, kind of implies the same subnet.  Some kind of broadcast or amplification attack with malformed packets.   We need more people that will packet sniff when it happens, and are willing to install a firewall like pfSense on a separate box so the traffic will be apparent in real time.  Right now, I'm not seeing it.  I'm primed to capture though when/if it does again.    You could just call it a billing mistake, or a database bug, but I suspect it's a bit more complex than that.  ... View more

Just to be clear, the potential bad cable I'm talking about is the coax between your cable modem, and the little box they stuck on your house.  Loose ends.  Frayed ends.  Something along those lines.  Perhaps corrosion.  Splitter in there with water leaking on it......something like that.  You want a clean run to your house from the street, and a clean run right to your cable modem -- well OK, maybe a wall jack connector.  Otherwise, no splitters.     ... View more

They all said that they could see my modem had been restarting 20 times a day  Hay now.  This part is interesting!!   OK, so it's not an xFi or Xfinity cable modem/router.  Perhaps a Netgear of some kind -- Genie/Nighthawk something along those lines?  Got it where you can see it?  Is the Green LED with the Down Arrow blinking from time to time??  Keep an eye out.  That's the modem losing the signal lock timing.  Turn on all logging on the router.  Associated log message will be something like:   SYNC Timing Synchronization failures --->>  Loss of Sync;CM-MAC=YO:UR:xx:MA:C:xx;CMTS-MAC=00:00:00:00:00:00;CM-QOS=1.1;CM-VER=3.0;   Your MAC to a zero or unknown MAC address -- meaning, it couldn't find anything to talk to and sync the signal.   In the Basic --> Cable Connection tab, are there a bunch of correctable and perhaps thousands of uncorrectable packets on the Bonded Channels?  Should be 8 channels.   200+ uncorrectables isn't awful, but thousands and thousands are.    If that's the case, I'd be looking for a bad cable connection.  Not sure why it would flip out the data counter, but it's not right.   The other thing that will tip your modem over is overheating from massive inbound traffic.  Your modem will heat up, then watchdog and reboot/restart on its own.  Look at the logs and look for [Firewall Up].  That's your restarts.    It's why I'm looking at this in the first place.  Are the counters at Xfinity.....counting real data?  Maybe.  I don't have an answer yet.   ... View more

Interesting. I also recently used Readyshare to connect a 8tb drive to my router. I thought about this and uplugged it so no traffic is going to it but I am not sure if it is "disabled" because even after unplugging it last night, I still consumed nearly 49gb by morning.  While you're in there.  Make sure UPnP is disabled.  Devices shouldn't be allowed to create firewall rules/holes.   You want ICMP disabled too.  Make sure nobody can flood ping your IP from the outside. ... View more

@RSucher wrote: Glasswire 76GB. Still spiking. Great Data points.  That's a lot of data.  That would be like pulling 7Mbps constantly for a day.  I'm not saying it's NOT an Xfinity issue.  After watching this like a hawk with both Cisco gear, then a pfSense firewall and tracking every packet -- dropped ones too, I've had both Short and OverCounts compared to what Xfinity "thinks" I'm using.  Everything goes throught my firewall, including wifi.   Still, I haven't ruled out botnets on the network completely.  I'm just trying to catch one in the act.  Maybe you can help.  Something to watch for to get setup for debugging.    Check your gear, poke at your router settings, scan with nmap just to make sure -- newer routers can detect port scans, even with the -Pn option and give you false hope.  Scan ports individually from an external address -- ie #nmap -p 443 -Pn targetIP   Got a Netgear customer owned cable router?  So as it turns out, there's something called "ReadyShare" that's supposed to allow you to be able to stuff a USB stick in the router and share content -- Even over the internet.  It's on by default.  It's horrifying.  Yep, it's running ftp, 80-web internally, and 443 externally.  It will be intercepting traffic before you can even see it with Glasswire.  If anyone has it, turn off the built in media server, then go to advanced tab and "port forward" ports 80, 443, 21 to a bogus IP, or if you've got a decent firewall, direct them there to be blocked directly.  Redirect the "remote management" ports as long as you're in there, even if you have remote access disabled.  You don't want your router responding even if it's saying "closed".  All you should get is "filtered" with nmap.   Does an Xfinity Cable Modem have open internet ports or services?  Dunno.  You can reboot it from the web site, and I'm not sure what the mechanism is there.   SNMP?  IPMI?  Web?  Undocumented server??  An employee could help us out with that one.  Whatever it is, that is a backdoor service shouldn't exist.   ... View more

That one's perfect!    My concern is that perhaps there's traffic there and it's not just a metering problem.  Take a peek.   Every use Wireshark?  It's free.  Windows/Mac/Linux Captures packets.  Turn your wifi radio's off.  Connect to the Lan port on your router.  Disconnect anything else on the lan.  We want to cut down on the talking.   Look at your local IP address.  Get a "cmd" box in windows and type ipfconfig.  You want to look at the default gateway address, so if your default gateway is 192.168.0.1, start a packet capture with this filter in the top browser url looking line:   ip.addr == 192.168.0.1/32   Don't surf.  Don't do anything.  Just let the packet capture run.   Get a few thousand packets.  Save it.  Now turn the firewall off on your router temporarily and do it again.   Without knowing a whole lot about packet captures or TCP, you should be able to tell if your IP is getting bombed with a flood of inbound traffic. ... View more

Well OK.  Now that I'm logging every single packet, and every packet size and type dropped by the firewall, how did I end up for the month of Sept?   Now I'm XXG off what is claimed on the usage page.  I'll keep the actual number a mystery for now.  More than 10G and less than 99G.  I'm assuming the usage for Sept won't change now that it's logging Oct, but no matter.  I've got the logs and databases.   Up until Sept 6th, I was getting a mysterious data spike 30% over actual use and on the way to blow the 1TB limit.  Since then, the counter has been "corrected", but it appears they over achieved on the correction factor a bit.  It is actually SHORT of data I know I actually used.   So what's the reported usage?  Is this an "estimate"?  A dynamic rolling average based on......what  and when exactly?  It doesn't appear to be actual data. ... View more

Well, we're not getting very far on this topic other than we know people see random usage spikes.  For the "internet connection only" folks (no X1 or MoCA set top boxes) How about something more constructive?   Ever try any penetration testing on your external IP address?  Check to see if there are ANY open ports on your router.  Port scanning is legit if it's your stuff.  DO NOT portscan Xfinity equipment.  They get all angry about that.   Got a friend with a linux box?  Try nmap.  You can find some online nmap scanners too if you don't.  Try a few different kinds of scans.  Christmas tree and no TCP flag scans too.  See if there's anything open on your router.  Also on your router, disable ICMP (no pings to your external address, scan with the Pn flag in nmap then).  Make sure there's no remote access to your router.  If you are port forwarding, I hope you know what you're doing and throttling your forwarded port with a firewall, or using fail-to-ban or something like that to slow down attacks.  Turn off Upnp.  It's a bad idea to let devices connect to remote locations on their own and punch holes in your firewall.   One thing that looks a bit freaky to me?  The option to "reboot" your router if it's an Xfinity one on the account page.  Why?  That's an open port or SNMP or something.  That needs to be blocked.  It's a bad idea.   See what's there.  Maybe something, maybe nothing.  We'll go from there. ... View more