Unknown hidden synchronization of data on Asus RT-AC68U router.

llarsx (Getting the hang of it, joined May 7, 2018)
It has happened a few times, most recently on Sept. 2. As this is on a wireless network, every GB costs. 12.4 GB, 6.2 down and 6.2 up respectively according to the ISP, but they cannot provide more information except that this happened at systematic times (14:33, 16:33, 18:33, 20:33 etc.). Less data at the same times on the following days. Neither the web log nor the system log shows anything unusual; the web log shows zero traffic. I have a web camera, but it only sent 17 mails, each 2 MB, that day. I also have a VPN, but it was not active that day as I was on a long-distance car journey.

The only thing that might have initiated something is that I upgraded the Asus router at 09:00 the same day (94 MB in 3 minutes). The ISP and I agree that this is strange, and similar data up and down indicates some synchronization.

Is this a known phenomenon, or has the router been hacked?

Mike A. (Known around here, joined May 6, 2017)
I never saw anything like that with my 68U, and I tend to watch such things fairly closely. Could have happened I suppose and I didn't notice, but I'm kind of doubtful of that. The system log wouldn't show much if there were just normal connections between two systems. It might tell you something if you saw some unusual system activity. If you're talking about the statistics and traffic analysis that it has, whatever that's called (been a while, I forget now), I didn't find that to be all that reliable; it could be flaky and confuse things at times. There's also the Trend Micro stuff on it, but that seems like a lot of data for that. With that much data I'd more tend to suspect some traffic through the router vs. to/from it specifically.

ISP should be able to tell you the endpoint(s) for the connections depending on how long they log and whether they want to bother with it.

What caused you to notice this? That might offer some clues.
 

llarsx (Getting the hang of it, joined May 7, 2018)
Hi Mike,
My wireless broadband is limited, and due to lower use in the autumn and winter at my summer cottage I had ordered only 15 GB/month. When 12.4 GB had been used in one day I of course reacted. During the summer months the use can be anything between 10 and 30 GB a day, and I might miss such abnormal use.

Somebody recommended Wireshark or similar to follow up, but as the problem is on my remote network, only reached now and then with VPN, such solutions, which must be installed on a computer in the remote local network, can't be installed.

I can remember something similar happening last April. The GB use was different, but high, and I found no explanation. But that time too I had upgraded the Asus router some hours before. I suspect some connection between upgrading and the data use. (Upgrading takes 3 min and uses 94 MB of data.)

And it must have been some synchronization, but what can it be, with 6.2 GB down and 6.2 GB up, not showing in any log, and when nobody uses the network? It must have been initiated from the router itself or from the only other thing with a connection: asuscomm.com (which "follows up" any change in ISP IP).

Is there any monitor program that can be installed on the Asuswrt router itself? If not, I should consider using a program like Wireshark on my computer on site the next time I upgrade the Asus router.

PS. I have of course asked asus.com.

Mike A. (Known around here, joined May 6, 2017)
Yeah, not sure what would use that much data at the router level. There's not really that much data on it to sync. That was why I said I'd tend to suspect something other than the router/OS itself.

Are you using the Asus Cloud to sync files on your network? As I said above, there's also the Trend Micro stuff that might be doing some analysis of local machines and sending data back and forth to their outside service. Maybe there's some initial survey or something like that happening after a firmware update. You could turn that off if it's on. That's about all that I can think of in the router that could be driving a lot more traffic. I suppose that there could be some repeated retrying at some level that could cause high data use but seems like too much over a short period of time for that.

The only monitors for the router itself are the same traffic monitors that I think you've seen which aren't all that great. You'd need to replace the firmware for anything beyond that. Merlin can be used on the Asus which extends a lot of functions.

Maybe ask here where there are guys who live for the Asus routers. Information about Merlin is there too:
 

llarsx (Getting the hang of it, joined May 7, 2018)
Thanks Mike.
> Are you using the Asus Cloud to sync files on your network? As I said above, there's also the Trend Micro stuff that might be doing some analysis of local machines and sending data back and forth to their outside service. Maybe there's some initial survey or something like that happening after a firmware update. You could turn that off if it's on. That's about all that I can think of in the router that could be driving a lot more traffic. I suppose that there could be some repeated retrying at some level that could cause high data use but seems like too much over a short period of time for that.
I am using Asuswrt-Merlin, latest update.
And I have the ASUS Router app on my Huawei mobile, but I haven't used it in the last weeks.
I am NOT using Asus Cloud at all, to my knowledge.
You: "You could turn that off if it's on." How?

Mike A. (Known around here, joined May 6, 2017)
> Thanks Mike.
>
> I am using Asuswrt-Merlin, latest update.
> And I have the ASUS Router app on my Huawei mobile, but I haven't used it in the last weeks.
> I am NOT using Asus Cloud at all, to my knowledge.
> You: "You could turn that off if it's on." How?
If you log into the router itself (not the app, though it may be there too), in the column to the left on the main screen under General you should see the selections for AI Protection (the Trend Micro stuff) and AI Cloud. Look within those. There may also be some things under Parental Controls. Can't recall now whether any of the Trend Micro is there too, but you might check.

llarsx (Getting the hang of it, joined May 7, 2018)
Hi Mike.
AI Cloud is off, and AI Protection Malicious Sites Blocking has stopped two attacks in June (puwpush.com and getvoltplug.com). Nothing else.
Never used Parental Controls. I have checked everything else on the Asus router.

The Automation Guy (Known around here, joined Feb 7, 2019, USA)
Time to change routers???

While there is no "perfect" solution out there, I'm a big fan of pfSense. You can buy hardware with it preinstalled, or you can install it yourself on real or virtual hardware (there is a free version available). There is a huge online community and tons of resources online to get you started and teach you about the system. As good as Merlin might be, it doesn't come close to touching the capabilities and feature set of pfSense. (The hardware tends to hold back the potential of Merlin devices).

I ran ASUS routers with Merlin for a long time, but made the switch to pfSense maybe 5 years ago. I wish I had made the transition sooner!
 

mikeynags (Known around here, joined Mar 14, 2017, CT)
How do you know the traffic is from the router itself? Could something else on your network be generating this traffic? Your ISP will only see the ASUS traffic and not anything else on your network that's generating the traffic.
 

llarsx (Getting the hang of it, joined May 7, 2018)
> How do you know the traffic is from the router itself? Could something else on your network be generating this traffic? Your ISP will only see the ASUS traffic and not anything else on your network that's generating the traffic.
1. It happened when the wifi use was zero.
2. I have 3 wired connections: a web camera (which sent 17 emails, each 2 MB), my security system (Verisure) and, last, a switch with two Shelly units which were suspended (not in use). The web camera has very strong passwords, and I am quite sure it's not hacked. If it were, it should have shown up in the traffic analyzer.
3. I use OpenVPN, but that day I was on a journey and the VPN was not in use. (The VPN server is on this actual Asus router.)
4. My mobile has an app, "ASUS Router", but it hasn't been used for weeks.
5. I don't use the AI Cloud.

Can asuscomm.com have done some synchronizing?
I have tried to check the max memory / storage on the Asus router, but can't find it. Enough for 6.2 GB?

wittaj (IPCT Contributor, joined Apr 28, 2019, USA)
Web cameras and very strong passwords don't mean squat, unfortunately, LOL. They all use self-signed certificates, and you can do a search here: EVERY camera manufacturer has had bypasses regardless of how strong someone's password is, including high-end Axis and big names Dahua and Hikvision, along with every no-name brand out there.

Mike A. (Known around here, joined May 6, 2017)
True. Like all good hacks, they don't go directly against the authorization/encryption, they go around it by exploiting some flaw in implementation.

Not saying that's what happened in this case. Not enough information to say what might be responsible. But if actively taken over, then you'd expect to see some other activity/unusual behavior.
 

Mike A. (Known around here, joined May 6, 2017)
> I have tried to check the max memory / storage on the Asus router, but can't find it. Enough for 6.2 GB?
Memory
128 MB Flash, 256 MB RAM

So, no. Not at least anything that would be stored on the router. Obviously there still could be more traffic back and forth that isn't necessarily stored.

mikeynags (Known around here, joined Mar 14, 2017, CT)
> 1. It happened when the wifi use was zero.
> 2. I have 3 wired connections: a web camera (which sent 17 emails, each 2 MB), my security system (Verisure) and, last, a switch with two Shelly units which were suspended (not in use). The web camera has very strong passwords, and I am quite sure it's not hacked. If it were, it should have shown up in the traffic analyzer.
> 3. I use OpenVPN, but that day I was on a journey and the VPN was not in use. (The VPN server is on this actual Asus router.)
> 4. My mobile has an app, "ASUS Router", but it hasn't been used for weeks.
> 5. I don't use the AI Cloud.
>
> Can asuscomm.com have done some synchronizing?
> I have tried to check the max memory / storage on the Asus router, but can't find it. Enough for 6.2 GB?
What would have been synchronizing? Not aware of Asus doing that, but someone else here may know more. 6.2 gigs sounds like a good chunk of data. There are no other computers on this network? No external storage usage like Google Drive? Those Shelly units talk to their "cloud"; when suspended, do you know if that continues?

wittaj (IPCT Contributor, joined Apr 28, 2019, USA)
Another way to test is to disconnect EVERYTHING from the router: all the wired connections and every IoT device in the house.

If absolutely nothing is showing up as connected to the router and you are still getting this, then you know it is in the router.

If not, connect things one by one until you see this happen again, and then you have narrowed down the device.

Maybe the web camera or another IoT device updated and is now phoning home or passing data through their servers?

And you are sure all the Trend Micro stuff is off?

llarsx (Getting the hang of it, joined May 7, 2018)
> What would have been synchronizing? Not aware of Asus doing that, but someone else here may know more. 6.2 gigs sounds like a good chunk of data. There are no other computers on this network? No external storage usage like Google Drive? Those Shelly units talk to their "cloud"; when suspended, do you know if that continues?
IF my computer had been on the net, I would expect cloud business, but that's not what happened here. The Shelly units may talk to the "Shelly cloud", and I'm not sure such data will be in the Traffic History. Anyway, it should be a very small data use. As mentioned, I had similar high hidden data use last spring, and then there were no Shellys.

I remember extreme data use some years ago. It was in a situation when I was a novice with VPN and had established a VPN server and VPN client on both the remote and the home Asus router. Then all use counted at least twice. But that is not the reason now.

llarsx (Getting the hang of it, joined May 7, 2018)
> Another way to test is to disconnect EVERYTHING from the router: all the wired connections and every IoT device in the house.
>
> If absolutely nothing is showing up as connected to the router and you are still getting this, then you know it is in the router.
>
> If not, connect things one by one until you see this happen again, and then you have narrowed down the device.
>
> Maybe the web camera or another IoT device updated and is now phoning home or passing data through their servers?
>
> And you are sure all the Trend Micro stuff is off?
I wonder about the web camera, which sometimes uses a port other than 80 for checking. Can traffic on a port like 37777 slip through the Asus without the data being recorded in Traffic History? There should only be 3-4 ordinary ports available, but maybe there are some hidden ones; who knows, except the Chinese.
? What is the Trend Micro stuff in the left column?
Testing now is hopeless, because such high data use only happens very seldom.

Mike A. (Known around here, joined May 6, 2017)
You're kind of chasing your tail at this point without some good information re the traffic and endpoints captured in some way at the time. Not much point in speculating.

If you wanted to test it, you could force another manual firmware update and do as was suggested above as far as isolating the rest of your network from the router. Prior to doing the update, you could point the logging to an external log server to better capture what's happening at that level. Assuming you don't want to run your own, PaperTrail has a free tier with a limited amount of data/month, but that would be plenty for this and it's not hard to set up. Pretty sure the external logging setup is preserved through a firmware update. That doesn't give you traffic measurement, but it should give you endpoints. Overall traffic you probably can get as you did above. More detail would require some other monitoring. Not sure what Merlin offers.

What did the guys there say? If running Merlin, then you need to be looking at what it does too more than just what may be happening in the Asus base.

ETA: I forgot earlier, but somewhere in the Asus there's a page that shows you all of the active connections for your network. If you look there as it's happening, then you should see whatever connections are happening.
 
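The pattern the thread is chasing (large, near-symmetric up/down bursts recurring on a fixed two-hour schedule to one remote endpoint, invisible in the router's own Traffic History but visible to the ISP) is exactly what per-flow byte counters from an external log server or flow exporter let you test for. The script below is an added example, not code from the thread or from Asus or Merlin. It assumes a constructed CSV of `timestamp,remote_endpoint,bytes_down,bytes_up` records (RFC 5737 documentation addresses, invented volumes modelled on the 6.2 GB / 6.2 GB figure and the 14:33, 16:33, 18:33, 20:33 timestamps) and flags endpoints whose large symmetric transfers recur at a regular interval, while ignoring one-way flows such as a firmware download or a camera's outbound mail.

```python
"""Spot periodic, near-symmetric transfer bursts in per-flow byte counters.

Added example (not from the thread). Input lines are a constructed CSV:
    timestamp,remote_endpoint,bytes_down,bytes_up
such as an external log server or flow exporter might hand back.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (RFC 5737 addresses, invented volumes): a 94 MB
# firmware download at 09:00, two small camera mail uploads, and four
# ~1.55 GB symmetric bursts two hours apart to one endpoint.
SAMPLE_LOG = """\
2023-09-02T09:00:12,203.0.113.50,94000000,120000
2023-09-02T11:10:03,198.51.100.25,5000,2000000
2023-09-02T14:33:07,203.0.113.10,1550000000,1549000000
2023-09-02T15:42:40,198.51.100.25,5100,2000000
2023-09-02T16:33:05,203.0.113.10,1550000000,1551000000
2023-09-02T18:33:09,203.0.113.10,1550000000,1548500000
2023-09-02T20:33:02,203.0.113.10,1550000000,1551500000
"""


def parse_flow_log(text):
    """Return a list of (datetime, endpoint, bytes_down, bytes_up).

    Blank or malformed lines are skipped rather than aborting the run.
    """
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, endpoint, down, up = parts
        try:
            flows.append((datetime.fromisoformat(ts), endpoint, int(down), int(up)))
        except ValueError:
            continue
    return flows


def symmetry(down, up):
    """1.0 means equal volume in both directions; 0.0 means one-way traffic."""
    hi = max(down, up)
    return min(down, up) / hi if hi else 0.0


def find_periodic_symmetric(flows, min_bytes=100_000_000, min_symmetry=0.95,
                            min_events=3, period_tolerance=0.1):
    """Group flows per remote endpoint and report endpoints that show at least
    `min_events` large, near-symmetric bursts spaced at a regular interval.

    The period is the median gap between consecutive bursts; every gap must
    lie within `period_tolerance` of it for the endpoint to be reported.
    """
    per_endpoint = defaultdict(list)
    for ts, endpoint, down, up in flows:
        if min(down, up) >= min_bytes and symmetry(down, up) >= min_symmetry:
            per_endpoint[endpoint].append((ts, down, up))

    findings = []
    for endpoint, events in per_endpoint.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        period = median(gaps)
        if period <= 0 or any(abs(g - period) > period_tolerance * period for g in gaps):
            continue
        findings.append({
            "endpoint": endpoint,
            "events": len(events),
            "period_seconds": period,
            "bytes_down": sum(e[1] for e in events),
            "bytes_up": sum(e[2] for e in events),
            "first": events[0][0].isoformat(),
        })
    return findings


if __name__ == "__main__":
    for finding in find_periodic_symmetric(parse_flow_log(SAMPLE_LOG)):
        print(finding)
```

Run on the sample, it reports only 203.0.113.10: four bursts roughly 7,200 s apart, 6.2 GB in each direction, which is the shape the ISP described. The firmware download and the camera's SMTP flows fall out on the symmetry and size thresholds. Feeding it real records still needs a source that counts bytes per remote endpoint (a flow exporter or a capture on the WAN side), since the thread's own finding is that the router's Traffic History did not record these transfers at all.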

llarsx (Getting the hang of it, joined May 7, 2018)
Hi Mike, thanks.
Merlin offers Skynet, which I am now trying to install on the router. But I might wait until the next time I am at the remote (actual) router to do a router update. I agree on preparing all I can before (and running it during) such an update.
I very often check active connections.
Back to basics: the traffic was not shown in Traffic History, only on the invoice from my ISP (ISP router in bridge mode).