Slice existing bandwidth data in new ways to create new reports

Ransomware started as simple encryption but it now involves stealing data too (exfiltration being the buzzword). I am suggesting that Peplink use data already collected by their routers to create new reports on high bandwidth usage. Unusually high outbound bandwidth may indicate a ransomware problem.

There are already 24 hourly bandwidth reports with details on each router client for the hour. Knowing which hour had the most bandwidth is of limited value. But, if the router could scan through the hourly reports and make a new report of the top ten clients using bandwidth in any recent hour, that, to me, would be more useful.

I could live with just outbound bandwidth (looking for ransomware) but others may disagree.

And, if the report could include the user-friendly name for a router client it would be much more user-friendly :) Relating MAC addresses to user-friendly names is a pain point with the existing bandwidth usage reports.

A review of the Daily data should (I assume) also be easy to do. I am not sure how far back to go, but a new report showing the router clients with the most uploaded and downloaded data per day can be helpful. In both cases, there is very little data that needs to be sifted through.

Eventually, I would like to see alarms of some type for excessive bandwidth usage, but these would be first steps.

1 Like

Do you think the reports below from InControl2 meet your requirements?

Device Reports

Bandwidth and Usage Reports

1 Like

Not really. I would expect a ransomware attack that is stealing data to show up as excessive outbound bandwidth by one device over a period of hours. So, the report needs to key off each device on an hourly basis and see those devices/hours with the highest outbound data usage.

Inbound data usage is irrelevant in this case.

2 Likes

Yes. Not to mention that it relies on IC2.

1 Like

A pipeline company in the US was hacked and has been shut down for a couple of days. This article says the attackers uploaded close to 100GB of data in two hours.
https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown

The new report I am suggesting, focused on hourly outbound bandwidth usage by a single router client would have detected this. How to handle alerting is another issue, but first things first.

Along the same lines, we can already limit bandwidth usage by three groups of router clients. If this could be expanded then it too can be a warning about massive data uploads that are stealing data. No doubt this pipeline company would have benefited from an alert that a router client was using its maximum allowable bandwidth.

2 Likes

@Michael234, just to ensure we are on the same page. Please refer to Bandwidth and Usage Reports here. It does show the data usage for each LAN client at a specific hour. This report is also available from the device at Status > Hourly.

The report at Status → Hourly has all the data, yes. But it does not filter it for me. It does not pick out the most extreme cases of hourly outbound data across all clients. For detecting a massive data leak, neither inbound nor total bandwidth is relevant. That is also what makes the IC2 reports unsuited for detecting a massive data leak: they include inbound bandwidth.

1 Like
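The filtering the thread asks for (rank client-hours by outbound bytes only, sum per client per day, map MACs to friendly names, and flag hours over a threshold), written as an added example that is not Peplink's or InControl2's code. It assumes a hypothetical row layout for the hourly report and a made-up MAC-to-name table; the byte counts are constructed to resemble a two-hour, ~100GB upload by one client.

```python
from collections import defaultdict

# Constructed sample rows, laid out as a Status > Hourly report might list
# them: (hour, client MAC, bytes downloaded, bytes uploaded). Values are made up.
HOURLY_REPORT = [
    ("2021-05-06 01:00", "aa:bb:cc:00:00:01", 120_000_000, 2_000_000),
    ("2021-05-06 01:00", "aa:bb:cc:00:00:02", 50_000_000, 48_000_000_000),
    ("2021-05-06 02:00", "aa:bb:cc:00:00:02", 30_000_000, 51_000_000_000),
    ("2021-05-06 02:00", "aa:bb:cc:00:00:03", 900_000_000, 15_000_000),
    ("2021-05-06 03:00", "aa:bb:cc:00:00:01", 80_000_000, 1_500_000),
]

# Hypothetical MAC -> friendly-name table; unknown MACs fall back to the raw address.
FRIENDLY_NAMES = {
    "aa:bb:cc:00:00:01": "reception-pc",
    "aa:bb:cc:00:00:02": "file-server",
}


def top_outbound_client_hours(rows, n=10, names=None):
    """Rank individual (client, hour) pairs by uploaded bytes only; inbound is ignored."""
    names = names or {}
    ranked = sorted(rows, key=lambda r: r[3], reverse=True)[:n]
    return [(names.get(mac, mac), hour, up) for hour, mac, _down, up in ranked]


def daily_outbound_by_client(rows, names=None):
    """Sum uploaded bytes per client per calendar day (the Daily-data variant)."""
    names = names or {}
    totals = defaultdict(int)
    for hour, mac, _down, up in rows:
        totals[(names.get(mac, mac), hour[:10])] += up
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def outbound_alerts(rows, threshold_bytes, names=None):
    """Client-hours whose upload volume reaches a threshold (the alarm asked for as a later step)."""
    names = names or {}
    return [(names.get(mac, mac), hour, up)
            for hour, mac, _down, up in rows if up >= threshold_bytes]


if __name__ == "__main__":
    for name, hour, up in top_outbound_client_hours(HOURLY_REPORT, 3, FRIENDLY_NAMES):
        print(f"{hour}  {name:<20} {up / 1e9:8.2f} GB uploaded")
    for (name, day), up in daily_outbound_by_client(HOURLY_REPORT, FRIENDLY_NAMES):
        print(f"{day}  {name:<20} {up / 1e9:8.2f} GB uploaded")
    for name, hour, up in outbound_alerts(HOURLY_REPORT, 10_000_000_000, FRIENDLY_NAMES):
        print(f"ALERT {hour} {name} uploaded {up / 1e9:.1f} GB in one hour")
```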