Beginning to think that just the password change fixed the issue. Should have done that the first moment I saw unusual activity. Shame they don't have some kind of MFA method on this router also.
Also disturbing what kind of data has been leaked from our networks??
After reading this, I went and checked my Traffic Monitor, which I never look at because I look at the Statistic tab and also because I have vnStat installed. I too have three days of huge spikes each totaling 230-296GB on 10/1, 10/8 and 10/12 that I had never noticed before. I have had a couple of occasions lately when streaming things have frozen for up to 30 seconds or so and I believe it correlates with these spikes. My traffic stats and vnStat stats are normal and as expected. I'm going to have to pay close attention to see if this is related or if it's something odd in the traffic monitor, which I know has been unreliable in the past.
Those were the dates I had noticed also.
The traffic analyser was correct, as my ISP has an app and I could see the GB allowance being used up fast hourly on those days, corresponding with the spikes on the ASUS analyser.
hundreds of GB!!
Have you changed your ASUS login password?
I have my laptop on all day right now, even while watching TV at night, looking at the analyser for now.
Appears to be some kind of planned attack, I believe. No other explanation really, unless someone has another idea.
Lucky you have unlimited data plan.
But main concern is who/what did this and what data have they stolen?
@kknishev @firecracker Can you both disable AiCloud, AiProtection and SSH Port Forwarding (then reboot the router) to eliminate those as a possible cause?
Post the same info as before if the problem still occurs.
Stable here also for about 20 hours now. Only after changing my password!!! Still got AiProtection ON here though.
OpenVPN recreated with new password also.
My question might be stupid, but why do you guys who posted netstat -nlp all have lighttpd listening on 0.0.0.0? In particular on low-range ports like 443/444?
In fact, you guys have many more processes or threads listening on 0.0.0.0 than me, and I have absolutely no idea what they do...
Listening on 0.0.0.0 is dangerous since such a process/thread is exposed to the outside network. If they provide any proxy, or somehow can be penetrated, you are totally exposed. Don't underestimate the number of people constantly scanning all the available IPv4 addresses to check for exposed ports, especially for ones with a known vulnerability.
No they're not because the firewall blocks access to them. The use of 0.0.0.0 is common practice (and often a necessity) when dealing with dynamic network interfaces.
But that does raise an interesting point... @kknishev @firecracker If the problem reoccurs, can you post the same information as before together with the output of iptables-save? Thanks.
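An added example, not part of any poster's message: a small shell helper that lists the wildcard-bound sockets from `netstat -nlp` output and, for each one, shows any INPUT-chain ACCEPT rule in `iptables-save` output that names that port, which is the comparison the two posts above are discussing. The function names and all sample data are constructed for illustration and do not come from any router in this thread.

```shell
#!/bin/sh
# Added example. Sample data below is constructed, not from any poster's router.

# Read `netstat -nlp` output on stdin; print "proto port program" for each
# TCP/UDP socket bound to the wildcard address (0.0.0.0 or ::).
wildcard_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, p, ":"); port = p[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host != "0.0.0.0" && host != "::") next
        prog = $NF; sub(/^[0-9]+\//, "", prog)
        print $1, port, prog
    }'
}

# Read `iptables-save` output on stdin; print INPUT-chain ACCEPT rules that
# name the given protocol and exact --dport. Ranges and multiport lists are
# not expanded, so an empty result is not proof the port is closed.
input_accept_rules() {  # $1 = tcp|udp, $2 = port
    awk -v proto="$1" -v port="$2" '
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            hit_proto = 0; hit_port = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i+1) == proto) hit_proto = 1
                if ($i == "--dport" && $(i+1) == port) hit_port = 1
            }
            if (hit_proto && hit_port) print
        }'
}

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1412/lighttpd
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN      901/httpd
tcp        0      0 :::22                   :::*                    LISTEN      760/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*                           688/dnsmasq'

SAMPLE_IPTABLES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
COMMIT'

printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners | while read -r proto port prog; do
    rules=$(printf '%s\n' "$SAMPLE_IPTABLES" | input_accept_rules "${proto%6}" "$port")
    echo "$proto/$port ($prog): ${rules:-no explicit INPUT ACCEPT for this port}"
done
```

On a router, pipe the live `netstat -nlp` and `iptables-save` output into the two functions instead of the sample strings. Rules that accept by interface only (such as the constructed `-i br0` line) are not reported, so the full INPUT chain still needs reading in order.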
Very true, I'll be having my laptop open all day until I go to sleep to be alert to any changes in traffic.
Even been considering purchasing a TP-Link ER7206 Omada to handle the firewall/DHCP/VPN etc., and docker the controller on my Unraid.
Would the ER7206 provide any better security layers than the ASUS RT-AX86U?