High data usage - how to check the network for unauthorised devices?

Hi,

I have a couple of Balena devices running on the other side of the country that are connected to the internet via a 3G dongle that creates a wifi hotspot.

Over the last couple of months, this dongle has been using around 5x the expected amount of data. My initial feeling is that someone has gained access to the network. So far the dongle has used a total of 3GB this month - normal usage is around 600MB per month.

We have no access to the dongle itself to make any changes, so we are trying to use the balena device to scan the network for unauthorised devices.

I read online about using nmap to check connected devices, but as these are remote, and I am not the most confident with command line operations, I thought it would be best to post here for some guidance.

What are the recommended steps for debugging high network usage?

Thanks,
Gregor

Hello.

What do you mean that you have no access to the dongle?
Your device definitely has access to this router, am I right?

You can forward a connection between your device and the router, via SSH remote port forwarding for example.
Command FROM ssh on your device:

ssh -R 33333:192.168.43.1:80 root@YOUROTHERPUBLICACCESSABLESERVER

Then you can access your router over http://YOUROTHERPUBLICACCESSABLESERVER

So you can expose port 80 of the router to the other server via ssh connection to your device

If you really don't have access to the router, you have to build a container with nmap and check services, for example with the command

nmap -sP 192.168.43.0/24

Hi @Razikus,

We have no direct access to the dongle(router), but the device does have access to it. The port forwarding method you suggested sounds like it could be a viable solution.

Can I ask what the “33333:” is for?

Thanks,
Gregor

Hi

This will expose 192.168.43.1:80 on YOUROTHERPUBLICACCESSABLESERVER:33333
Sorry, I missed the port path

The command will forward port 80 of 192.168.43.1 to YOUROTHERPUBLICACCESSABLESERVER:33333, so you can then access YOUROTHERPUBLICACCESSABLESERVER:33333

You can still have problems with redirects (you can be redirected to 192.168.43.1 in the browser, but if so, I can help also)

Hi

I personally use nmap when I am working with non-balena devices. You could push a container that has the right network access (perhaps network_mode: host will be required. Read more about it here) that runs something like nmap -sP 192.168.2.1/24 assuming that’s the subnet for your access point. This command will scan for all the available devices connected to your AP and give you an idea about what devices are connected to it.

I’d recommend that you try this locally on a development device, before pushing it over 3G to your devices in the field. That way you’d be able to test it without using additional data.
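
An added example, not posted by anyone in this thread: one way to turn the ping-scan output discussed above into a list of unexpected devices by comparing each reported MAC address against an allowlist. It assumes nmap runs as root on the hotspot subnet, so that its normal output includes "MAC Address:" lines; the function names, allowlist format and sample scan output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag hosts from an nmap ping scan whose MAC address is
# not on an allowlist. Names and sample data are assumptions.

# unknown_devices ALLOWLIST_FILE
# Reads nmap normal output on stdin and prints "IP MAC" for every host
# whose MAC is not in ALLOWLIST_FILE (one MAC per line, '#' = comment).
# The scanning device itself has no "MAC Address:" line and is skipped.
unknown_devices() {
    awk -v allow="$1" '
        BEGIN {
            while ((getline line < allow) > 0) {
                sub(/[#].*/, "", line)        # strip trailing comment
                gsub(/[ \t\r]/, "", line)     # strip whitespace
                if (line != "") known[tolower(line)] = 1
            }
            close(allow)
        }
        # Header is "for IP" or "for name (IP)"; keep the bare IP.
        /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip); next }
        /^MAC Address:/ {
            mac = tolower($3)
            if (!(mac in known)) print ip, mac
        }
    '
}

# Constructed sample of scan output (not captured from a real network).
sample_scan() {
    cat <<'EOF'
Nmap scan report for 192.168.43.1
Host is up (0.0020s latency).
MAC Address: 02:00:00:AA:00:01 (Unknown)
Nmap scan report for 192.168.43.57
Host is up (0.045s latency).
MAC Address: 02:00:00:BB:00:99 (Unknown)
Nmap scan report for 192.168.43.20
Host is up.
EOF
}

# Demo: the allowlist holds only the dongle; .20 is the scanning device.
demo() {
    list=$(mktemp)
    printf '%s\n' '02:00:00:aa:00:01  # 3G dongle' > "$list"
    sample_scan | unknown_devices "$list"
    rm -f "$list"
}

# Real use: nmap -sP 192.168.43.0/24 | unknown_devices /path/to/allowlist
demo
```

A MAC address missing from the allowlist is a lead to investigate rather than proof of an intruder, since MAC addresses can be changed and some devices randomise them.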