I think my home network may be compromised, please advise
When I go to iknowwhatyoudownload.com, a bunch of stuff shows up for my IP that’s definitely not being downloaded by anyone in my house (foreign language torrents). Aside from that my router (AT&T Arris BGW210) needs to be restarted about once a week, due to some kind of dhcp issue. The most recent event seemed bad - none of my devices had internet, they could all talk to each other, and my ONT activity light was flickering steadily. During this time I had no access to the router, even plugged in directly to LAN. Fixed by a restart but no idea what was going on.
The DHT torrent thing has been happening for months and the router thing could just be that AT&T sucks. I have no other evidence that something is wrong.
I could buy a firewall and put it downstream of the AT&T equipment.
I could switch internet providers, get a new IP address and router, and see if that fixes it.
Should I try to figure out what’s going on or just keep restarting the router once a week and ignore the DHT hits from my static IP?
I didn't know that site. It shows my IP being in a different country from either where I actually am, and where I say I am. It's laden with trackers from Google, Twitter, and Bootstrap. uBlock Origin blocked that garbage.
Trying it two times it changed continents (I have not). Seems like bs to me.
Mine was accurate in terms of IP, network, etc (I checked on my phone's data plan), but the torrents made no sense. I clicked on one and it had a list of IPs, and none were associated with mine.
I'm guessing it's all made up nonsense, outside the IP address itself. Granted, it's possible people are torrenting large files on my carrier's data plan, I just don't think it's likely so much has been downloaded in the last day or so with this IP.
Your site looks more reasonable, OP's looks kinda sketchy.
I know what my public IP is, and it's static, and listed correctly on IKWYD. The premise of the site is that torrent magnet links use distributed hash tables (DHT), which gives a public list of IP addresses who have participated in a particular torrent. Given that I have a static IP address, I'm not sure how it would be possible for my IP to show up, unless somebody is using my router as a proxy.
Looks like a bit of a learning curve. Depending on where it sits in the network topology I may or may not be able to see the traffic? For instance if the router is compromised, running arbitrary code like a proxy server, it may be completely isolated from my LAN, right?
Yeah, there are a few ways to check for sure. The most effective is to take a device with 2 Ethernet NICs, plug it in between your modem and router, bridge the interfaces, and sniff the bridge. You can also look into ARP poisoning yourself to check whether the modem is compromised, but the likelihood of that would be slim to none (your modem doesn't have storage or enough compute to handle that kind of traffic redirection.) In all likelihood you are on an ISP that uses CGNAT that assigns a few people's traffic to the same public facing IP address, in that case the traffic could easily be going to a neighbor that uses the same ISP.
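Once you are sniffing the bridge, the question is what DHT participation actually looks like on the wire. DHT messages (KRPC, BEP 5) are bencoded dicts carried over UDP, and `get_peers`/`announce_peer` queries carry the 20-byte `info_hash` of the torrent, which is exactly what a DHT crawler records against your public IP. The following is an added example written for this thread, not code from any poster; it assumes you have already captured datagrams (for instance `tcpdump -i br0 -w dht.pcap udp` on the bridge box) and hand it the UDP payloads. The node ids, info_hash, addresses and payloads below are constructed for illustration.

```python
"""Parse captured UDP payloads for BitTorrent DHT (KRPC, BEP 5) traffic.

Added example for this thread, not code from the original posts. Sample
payloads and LAN/peer addresses are constructed, not real captures.
"""


def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value at data[pos]; return (value, next_pos).

    Raises ValueError on malformed input instead of looping or crashing, so a
    hostile or truncated datagram cannot take the capture-processing script down.
    """
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        pos += 1
        items = []
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                   # dict: d<key><value>...e
        pos += 1
        table = {}
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            value, pos = bdecode(data, pos)
            table[key] = value
        return table, pos + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("string length runs past end of payload")
        return data[start:start + length], start + length
    raise ValueError(f"not bencode at offset {pos}")


def _hex(value) -> str:
    """Hex-encode a bytes field, or return '' if the field has the wrong type."""
    return value.hex() if isinstance(value, bytes) else ""


def classify_krpc(payload: bytes):
    """Return a summary dict if payload is a KRPC message, else None.

    Port numbers are not a reliable DHT indicator (clients randomise them), so
    this keys on message content: a top-level dict with a 'y' type field that
    consumes the whole datagram.
    """
    try:
        msg, end = bdecode(payload)
    except (ValueError, RecursionError):
        return None
    if end != len(payload) or not isinstance(msg, dict) or b"y" not in msg:
        return None
    kind = msg[b"y"]
    summary = {"type": {b"q": "query", b"r": "response", b"e": "error"}.get(kind, "unknown")}
    if kind == b"q":
        args = msg.get(b"a")
        args = args if isinstance(args, dict) else {}
        query = msg.get(b"q", b"")
        summary["query"] = query.decode("ascii", "replace") if isinstance(query, bytes) else ""
        summary["node_id"] = _hex(args.get(b"id"))
        if b"info_hash" in args:          # get_peers / announce_peer name the torrent
            summary["info_hash"] = _hex(args[b"info_hash"])
        if b"port" in args:               # announce_peer: port this host will serve the torrent on
            summary["port"] = args[b"port"]
    elif kind == b"r":
        body = msg.get(b"r")
        if isinstance(body, dict):
            summary["node_id"] = _hex(body.get(b"id"))
    return summary


# Constructed sample datagrams (src LAN host, dst peer, UDP payload); not real captures.
NODE_ID = b"abcdefghij0123456789"          # 20-byte DHT node id
INFO_HASH = b"mnopqrstuvwxyz123456"        # 20-byte torrent info_hash
PEER_ID = b"zyxwvutsrqponmlkjihg"          # 20-byte id of the remote node
GET_PEERS = (b"d1:ad2:id20:" + NODE_ID + b"9:info_hash20:" + INFO_HASH
             + b"e1:q9:get_peers1:t2:aa1:y1:qe")
ANNOUNCE = (b"d1:ad2:id20:" + NODE_ID + b"9:info_hash20:" + INFO_HASH
            + b"4:porti6881e5:token8:aoeusnthe1:q13:announce_peer1:t2:aa1:y1:qe")
PING_RESPONSE = b"d1:rd2:id20:" + PEER_ID + b"e1:t2:aa1:y1:re"
SAMPLE_DATAGRAMS = [
    ("192.168.1.23", "203.0.113.10:6881", GET_PEERS),
    ("192.168.1.23", "198.51.100.7:51413", ANNOUNCE),
    ("192.168.1.40", "192.168.1.1:53", b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),  # DNS, not DHT
    ("192.168.1.23", "203.0.113.10:6881", PING_RESPONSE),
]


def dht_talkers(datagrams):
    """Map each source address to the set of info_hashes it looked up or announced.

    A LAN host that shows up here is the one generating the DHT participation
    that a crawler-based site attributes to the public IP in front of it.
    """
    seen = {}
    for src, _dst, payload in datagrams:
        summary = classify_krpc(payload)
        if summary is None:
            continue
        hashes = seen.setdefault(src, set())
        if "info_hash" in summary:
            hashes.add(summary["info_hash"])
    return seen


if __name__ == "__main__":
    for host, hashes in dht_talkers(SAMPLE_DATAGRAMS).items():
        print(host, "spoke DHT; info_hashes:", sorted(hashes) or "(none)")
```

If no LAN host ever shows up in `dht_talkers` while the site keeps listing new hits against your IP, the traffic is not crossing your bridge, which points at the address being shared (CGNAT) or at the site's data rather than at your network.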
I don't trust the results shown on that site. I have a seedbox with static IP and it shows some torrents that I have downloaded, but also a tonne of porn and games that I haven't.
IP hasn't changed in years, the box isn't shared, I don't allow anyone else access, and yes I have a working carbon monoxide detector.
There's nothing on my box to indicate that someone else is using it: no weird access history, no extra entries in transmission, nothing to suggest someone is downloading things through it except for the erroneous entries on IKWYD. Pretty sure half of it is bullshit.
Good to know. Your seed box isn’t shared with others at the same IP? I wonder if newer “anonymous” BitTorrent protocols allow bouncing IPs or something.
Are you sure your IP is only used by you?
AFAIK ISPs usually bundle the traffic of users to a few public IP addresses, so maybe the things you see are just someone else in your area going out from the same IP your ISP provides.
But I'm not actually sure if this is how it works, I might be wrong.
That makes it incredibly likely you are behind a NAT that runs multiple people's traffic through the same public IP. If your ISP supports IPv6 you can always check that address, that shouldn't be shared.
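A quick way to settle the shared-address question without an IPv6 check is to compare the WAN address shown on the router's own status page with the address an outside service reports for you. Carrier-grade NAT hands the subscriber side an address from the RFC 6598 shared range 100.64.0.0/10, and a second NAT upstream shows up as an RFC 1918 address on the WAN port. The following is an added example written for this thread, not code from any poster; it assumes you read both addresses off by hand and pass them in, and the addresses used in it are constructed from documentation and test ranges.

```python
"""Tell whether a home router's WAN address is really the public address peers see.

Added example for this thread, not code from the original posts. Inputs are
the WAN address from the router's admin page and the address an outside
service reports; the addresses used here are constructed test values.
"""
import ipaddress

# RFC 6598 shared address space, what ISPs hand out on the subscriber side of CGNAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: on a WAN port these mean another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr: str) -> str:
    """Classify an address: cgnat, rfc1918, special, public, ipv6-global or ipv6-other."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6-global" if ip.is_global else "ipv6-other"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return "special"
    return "public"


def nat_layers(router_wan: str, observed_public: str) -> str:
    """Explain what sits between the router and the Internet from the two addresses.

    router_wan      : address the router itself shows on its WAN/Internet interface
    observed_public : address an outside service (or a DHT crawler) attributes to you
    """
    wan_kind = classify(router_wan)
    if wan_kind == "cgnat":
        return ("behind-cgnat: the router's WAN address is RFC 6598 shared space, so "
                f"{observed_public} is shared with other subscribers and hits on it need not be yours")
    if wan_kind == "rfc1918":
        return "double-nat: another NAT device (e.g. an ISP gateway in router mode) sits upstream"
    if wan_kind == "public":
        if ipaddress.ip_address(router_wan) == ipaddress.ip_address(observed_public):
            return "direct: the router holds the public address itself; traffic seen from it left via this router"
        return ("mismatch: WAN address is public but differs from what the outside sees "
                "(VPN, proxy or ISP NAT in the path)")
    return f"unexpected WAN address class: {wan_kind}"


if __name__ == "__main__":
    # Constructed pairs; 75.1.2.3 stands in for a real ISP-assigned address.
    for wan, seen in [("100.64.5.5", "75.1.2.3"), ("192.168.0.2", "75.1.2.3"),
                      ("75.1.2.3", "75.1.2.3"), ("198.51.100.9", "75.1.2.3")]:
        print(f"{wan:>14} vs {seen:<10} -> {nat_layers(wan, seen)}")
```

On a static-IP plan the expected answer is `direct`; a `behind-cgnat` or `mismatch` result means the address the site is reporting on is not yours alone, and the IPv6 check suggested above is the next thing to look at.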
Can you get into your router's admin interface? At the very least assuming you don't have much networking experience I'd do these things in this order:
1 - Check for firmware updates and apply them
2 - Factory reset
3 - Change password
4 - Recheck for updates in case the reset wiped them out
There's a million other things you can do to get more info on what's going on and put in security layers to do this and that. But if you just want the maximum results for the minimum effort this is the best place to start.
Yes I can. AT&T has remote access to their routers, and they apply firmware updates automatically. That by itself is a security risk. I do have the default password which is printed on the side, so I will change it to see if that fixes anything. I’m hesitant to do a factory reset because of some static IP and port forwarding I use. Of course the port forwarding could be a vulnerability passed on to one of my network machines, so I will try that if the password change doesn’t work.
Just off the top, the Arris router is probably trash. Even if you’re stuck with their modem, be sure that they’re separate (no modem/router combo box mess but if so, bridge mode) and you’re using your own (preferably high-end) router.
Bonus points if you ditch what we colloquially call a “router” and get a network switch, a real router, and WiFi handled by a separate access point (AP).
I’d really like if there was a high end router and switch without WiFi. I already have all my wireless handled by 3 access points. Is there a high end router/switch with 4 ports?
Probably not, the closest I’ve come is ASUS gear but I moved to Ubiquiti a few years ago. The router is just an EdgeRouter X and the switch is Gigabit with 24 ports that I landed absurdly cheap. The nice thing about it though is that to upgrade WiFi standards I’ve only got to replace the access point. I’m in an apartment so just one is more than enough.
Edit: I misread, you said without WiFi. I don’t think it’s common to have a router/switch combo in one box (without WiFi).
75.0.0.0/8 is the ARIN range for commercial businesses. Just because it's outside of the 100.0.0.0/8 range doesn't mean it isn't an address held by a NAT. If I remember correctly it's used by either Comcast or Charter, both of which will put you behind a NAT unless you are paying for a static IP on a business account (and you mentioned you aren't)