Technical Discussion
  >> Technical Issues


Register (or login) on our website and you will not see this ad.


Pages in this thread: 1 | 2 | (show all)   Print Thread
Standard User meditator
(fountain of knowledge) Sat 04-Mar-17 21:22:44
Print Post

What's the significance of the 'Internet' indicator?


[link to this post]
 
Irrespective of whether we Internet subscribers are on ADSL, VDSL or some other variant service, all of us have a router-modem equipped with at least a basic set of monitoring lights to indicate: power present; the active Ethernet port(s) (if wired), DSL status, and the rather nebulous 'Internet' indicator.

Clearly, when accessing the Web in any reasonable bursts one expects to see quite a bit of activity (sympathetic blinking) of the Internet indicator and of the Ethernet port indicator(s). But when not accessing the Web and the computer(s) is turned off or is in sleep mode, what sort of activity - if any - should one expect to see of the Internet indicator? I've recently changed from ADSL to VDSL, and whereas with ADSL the Internet indicator on my router-modem in the 'Web-not-accessed' state (ie. computer turned off) used to blink lazily about once every 4 or 5 seconds, it now blinks quite furiously, at about twice every second - constantly. It's really noticeable.

What is this showing? Is this my ISP or some other faction pinging my WAN address constantly? Or are there perhaps some other continuous, legitimate test packets zinging back and forth, down the line, to/from the Internet, in all our cases? Why is the Internet indicator running so much more more rapidly now, with a VDSL connection, compared to the previous situation with ADSL? In the general case, is the Internet indicator merely saying to the user's router-modem "Hey, I'm your higher-order connection with your ISP's network, and I'm alive and present!"?
Administrator MrSaffron
(staff) Sun 05-Mar-17 16:01:57
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: meditator] [link to this post]
 
With out access to logs showing the traffic over your WAN port one can only speculate as to what the traffic might be

The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User Michael_Chare
(fountain of knowledge) Sun 05-Mar-17 17:20:57
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: meditator] [link to this post]
 
If there is a failure in the ISP's backhaul network, then very likely there will be a DSL connection from your router to the DSLAM in the exchange (or cabinet equipment) but no connection to the Internet, so the corresponding indicator on the router would likely be off.

Some ISPs require a userid and password to be entered to establish the internet connection. If these are incorrect, the indicator would again likely be off.

Depending on the router hardware, flashing may indicate activity.

The Technicolor routers have quite a nice diagnostic page which clearly shows the status.

Michael Chare

Edited by Michael_Chare (Sun 05-Mar-17 17:30:11)


Register (or login) on our website and you will not see this ad.

Standard User XRaySpeX
(eat-sleep-adslguide) Mon 06-Mar-17 02:39:37
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: meditator] [link to this post]
 
Even with all your devices off the router is live & connected to Net all the time, having been authenticated some time ago.

Even if it is not transmitting any data, empty packets are being transmitted all the time at the sync rate. The VDSL sync rate is usually considerably faster than the ADSL sync rate.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User caffn8me
(knowledge is power) Mon 06-Mar-17 11:09:10
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: meditator] [link to this post]
 
Have you set up a TBB Broadband ping minotaur? That will result in your web activity light flashing as described.

You may also find that your 'internet' indicator flashes as a result of external malicious activity scanning your connection for vulnerabilities.

At the moment, telnet port probes are at a very high level indeed as hackers try to exploit published vulnerabilities in numerous internet connected devices, particularly routers and CCTV systems

My firewall at home is currently showing 475 different IP addresses which have tried to connect to blocked ports in the last half hour or so. Many of those IP addresses will have made numerous connection attempts looking for different vulnerabilities. Each will generate traffic which is shown on the 'internet' indicator.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User meditator
(fountain of knowledge) Mon 06-Mar-17 11:57:53
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: XRaySpeX] [link to this post]
 
To caffn8me and XRaySpex in particular,

Yes, I'm knowledgeable of quite a lot of aspects of Web connectivity and operation and so appreciate that, although my devices may be off, the DSL connection and the WAN side of the router itself are still active, and that there's still a connection to the Internet and its higher orders. But when I changed from ADSL to VDSL I didn't expect 'null traffic' (for want of a better description) coming through from the Internet to be quite as intense as I now observe.

I've been wondering whether some of this null traffic or unknown Internet activity could be simply down to the dynamic line management in the DSLAM constantly assessing the operating performance of the copper loop, and passing the resulting stats across to my router. Certainly, one thing that's quite different, now that I'm running with VDSL, is that the xDSL stats page in my router's GUI blanks periodically for about a second, and I presume that's because it's sampling and updating the values of the various line parameters. That didn't used to happen with ADSL to anything like the same degree or in such a blatantly noticeable way. But then it might just be a characteristic of the particular router I'm using.

These aren't steady DSL sync rate pulses, though they could still be benign monitoring packets of some sort. I think they might very well be pings from scanners, but if so they're really 'hammering on the door furiously'. I might add that I've been extra cautious with potential vulnerabilities and have ping response turned off in my router, as well as remote control and one or two other minor features.
Standard User RobertoS
(elder) Mon 06-Mar-17 12:05:29
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: caffn8me] [link to this post]
 
Damn spell-wreckers! smile

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User caffn8me
(knowledge is power) Mon 06-Mar-17 12:31:04
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: RobertoS] [link to this post]
 
In reply to a post by RobertoS:
Damn spell-wreckers! smile
My pleasure laugh

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(knowledge is power) Mon 06-Mar-17 12:48:38
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: meditator] [link to this post]
 
DLM doesn't work at the TCP/IP level so copper line monitoring isn't going to be seen in the internet activity light.

If you have a newly allocated static IP address, it's possible that it was previously active with another user and had exploitable vulnerabilities, running incoming services or monitoring set up. It's possible to set up the TBB minotaur for a remote IP address and I do that to monitor quite a few sites.

Have a search for your IP address at shodan.io to see if it's listed and showing anything interesting. The address is;

https://www.shodan.io/host/x.x.x.x

where x.x.x.x is your IP address.

If your router is clever enough you may be able to look at logs to see all traffic activity, denied or allowed, to see what's going on.

Happy hunting! smile

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User ian72
(eat-sleep-adslguide) Mon 06-Mar-17 13:30:43
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: caffn8me] [link to this post]
 
It's possible to set up the TBB minotaur


And don't forget to take a ball of string into the maze or you risk getting lost and never getting back out again... wink
Standard User meditator
(fountain of knowledge) Tue 07-Mar-17 00:11:02
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: caffn8me] [link to this post]
 
caffn8me,

I've now asked my ISP if they can think of anything that might provide an explanation for what I'm observing but the only thing suggested was that some of the Internet indicator activity might be due to the router's 'keep alive' feature, which is where the router from time to time sends one or more packets in the direction of the Internet during idle periods which effectively say, "this is confirming that I'm still here and so please keep the connection going." But apparently these wouldn't be being sent all the time in the idle situations. Whether or not 'keep alive' signalling actually stretches beyond the exchange and right back to the ISP's network I'm not sure myself; my guess is that it wouldn't, and so wouldn't stimulate the Internet indicator.

My ISP has offered to give me an alternative IP if I wish, but if the problem in hand has arisen through being given an IP that'd previously been hammered and maybe exploited, then what's to say that any new IP might also have had a dubious history, perhaps worse than my present one?

I've had a look in my router's logs. In the system log I found the usual succession of somewhat cryptic messages, but nothing that looked suspicious to me. The security log was a different story - it had absolutely nothing in it - which I reckon is mighty odd. (I did clear both logs about 2 days ago, though).

As for shodan, I've had a brief look at the site. Can you vouch for the site's general integrity? I mean, have you used it yourself in the manner you suggested and, if so, how did you deal with the obvious issue that you'd be doing the one thing you'd never normally dream of ever doing - publishing, or at least leaving, your IP address on a website (regardless of whether it might be publicly viewable)? But there again, isn't someone's IP address quite easily determined from a Who Is- type lookup of their e-mail address?

Perhaps, in my old age, I'm just getting paranoid about Internet security?

Edited by meditator (Tue 07-Mar-17 00:12:39)

Standard User RobertoS
(elder) Tue 07-Mar-17 00:52:25
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: meditator] [link to this post]
 
In reply to a post by meditator:
As for shodan, I've had a brief look at the site. Can you vouch for the site's general integrity? I mean, have you used it yourself in the manner you suggested and, if so, how did you deal with the obvious issue that you'd be doing the one thing you'd never normally dream of ever doing - publishing, or at least leaving, your IP address on a website (regardless of whether it might be publicly viewable)? But there again, isn't someone's IP address quite easily determined from a Who Is- type lookup of their e-mail address?

Perhaps, in my old age, I'm just getting paranoid about Internet security?
I know nothing about shodan, but every site you visit automatically sees your IP address. As for determining it from your email address, not in the way you put it. Much easier. It is included as part of the header information of every email you send. And the IP address of the sender of emails you receive is in those email headers. Though people can falsify them - that's called spoofing.

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User ian72
(eat-sleep-adslguide) Tue 07-Mar-17 08:30:53
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: RobertoS] [link to this post]
 
And the IP address of the sender of emails you receive is in those email headers


Just to add a little more detail. One of the benefits of using webmail in that scenario is that the source IP would be of the webmail server not of the home network - if using a client then you are absolutely correct but many people might use webmail in which case the other end would have no record of the home network IP.
Standard User RobertoS
(elder) Tue 07-Mar-17 08:47:16
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: ian72] [link to this post]
 
That had never occurred to me blush. Thanks.

It's not likely to stop me using a client, but is a thought. Like wanting a static IP address can be considered dangerous, in the same context.

Kindness isn't going to cure the world of all its awfulness but it's a good place to begin. Daisy Ridley.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. Sync 65258/14193Kbps @ 600m. BQMs - IPv4 & IPv6
Standard User caffn8me
(knowledge is power) Wed 08-Mar-17 22:30:32
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: meditator] [link to this post]
 
Good evening, apologies for the slow reply. I've been 'up in the air'.

Shodan is a long-standing and reputable website. It just catalogues 'devices' and services it finds on the internet.

Depending on how you set up your internet security it may or may not find all the services you run which are publicly available. I have used it on all the IP addresses I have control of and for me it is only partially successful. It correctly identifies some services I want to be externally visible but it's worth checking to see if your IP address is associated with any particular ports or services.

Occasionally I'll see something interesting in my own firewall logs and I'll check the source IP address against Shodan. That will often tell me why the activity is happening. It will reveal what services the source IP is running and that will let me see how that host has been compromised to be used as a launchpad for attacks.

As has already been said, unless you use an external proxy, every web site you visit will know your IP address. It doesn't mean your connection is more likely to be attacked.

Certain ISPs which provide particular customer hardware may well be targeted when vulnerabilities in that hardware are discovered. A recent example was the widespread successful hack against TalkTalk routers.

Webmail doesn't always hide your original IP as many webmail providers include an X-Originating-IP header in mail they process.

It's certainly worth using GRC's Shields Up! scan to see what face your router presents to the internet. It's an interactive scanner and as well as the UPnP test, which you really should do, also check the other scan buttons below such as "File Sharing" "Common Ports" "All Service Ports" etc.

If your router logs show nothing interesting, the GRC scans show nothing and you know there aren't any vulnerabilities exploitable on your router you're probably pretty safe. Any information relating to your IP address on Shodan would be related to past users.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User ian72
(eat-sleep-adslguide) Thu 09-Mar-17 08:36:18
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: caffn8me] [link to this post]
 
To be honest even if your IP wasn't seen the fact that all IP address ranges are published if there was a vulnerability on a particular ISP then all attackers would do is scan the whole IP subnet for any vulnerable devices - they don't need a list of active IPs as they don't need to target individual addresses in that way.
Standard User caffn8me
(knowledge is power) Thu 09-Mar-17 15:17:02
Print Post

Re: What's the significance of the 'Internet' indicator?


[re: ian72] [link to this post]
 
Hence my comment about particular ISPs being targeted if they have known vulnerable customer premises equipment.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Pages in this thread: 1 | 2 | (show all)   Print Thread

Jump to