this post was submitted on 24 Apr 2024
27 points (96.6% liked)

networking

2811 readers
1 users here now

Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 1 year ago
MODERATORS
 

When I go to iknowwhatyoudownload.com, a bunch of stuff shows up for my IP that’s definitely not being downloaded by anyone in my house (foreign language torrents). Aside from that my router (AT&T Arris BGW210) needs to be restarted about once a week, due to some kind of dhcp issue. The most recent event seemed bad - none of my devices had internet, they could all talk to each other, and my ONT activity light was flickering steadily. During this time I had no access to the router, even plugged in directly to LAN. Fixed by a restart but no idea what was going on.

The DHT torrent thing has been happening for months and the router thing could just be that AT&T sucks. I have no other evidence that something is wrong.

I could buy a firewall and put it downstream of the AT&T equipment.

I could switch internet providers, get a new IP address and router, and see if that fixes it.

Should I try to figure out what’s going on or just keep restarting the router once a week and ignore the DHT hits from my static IP?

[–] [email protected] 16 points 6 months ago* (last edited 6 months ago) (2 children)

Time to crack out Wireshark and see what is chatting on your network.

[–] [email protected] 7 points 6 months ago

OMG thank you. I had used that a long time ago, lost it and forgot what it was called.

[–] [email protected] 4 points 6 months ago (2 children)

Looks like a bit of a learning curve. Depending on where it sits in the network topology I may or may not be able to see the traffic? For instance if the router is compromised, running arbitrary code like a proxy server, it may be completely isolated from my LAN, right?

[–] [email protected] 5 points 6 months ago (1 children)

Yeah, there are a few ways to check for sure. The most effective is to take a device with 2 Ethernet NICs, plug it in between your modem and router, bridge the interfaces, and sniff the bridge. You can also look into ARP poisoning yourself to check whether the modem is compromised, but the likelihood of that would be slim to none (your modem doesn't have storage or enough compute to handle that kind of traffic redirection.) In all likelihood you are on an ISP that uses CGNAT that assigns a few people's traffic to the same public-facing IP address; in that case the traffic could easily be going to a neighbor that uses the same ISP.

[–] [email protected] 1 points 6 months ago (1 children)

I do have a dual Ethernet computer running ProxMox. But if I’m setting it up between the ONT and router, I may as well go all in setting it up as a soft router. Then it would be my firewall, DNS, and DHCP server, and I don’t need to worry about the router.

[–] [email protected] 3 points 6 months ago

There isn't really a good reason to not be doing that already just because of the intrusion detection systems Proxmox has to offer. Most of them would alert you immediately if you were compromised and told it to look for DHT broadcasts going out of the network.
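
As an added illustration of what "sniff the bridge" and "look for DHT broadcasts going out of the network" amount to in practice (this is example code, not something posted in the thread or shipped with Proxmox or any IDS): BitTorrent DHT messages are bencoded dictionaries carried over UDP with a `t` (transaction) key, a `y` key of `q`, `r` or `e`, and for queries a `q` key naming the method (`ping`, `find_node`, `get_peers`, `announce_peer`). The decoder, the classifier and the sample packets below are all constructed for this example; the IP addresses are documentation ranges, not real hosts.

```python
# Added example, not from the thread: classify BitTorrent DHT (KRPC) messages in
# UDP payloads taken off a bridge or SPAN port, and list which internal hosts sent them.
# All sample payloads below are hand-constructed, not captured from any real network.

def bdecode(data, i=0):
    """Minimal bencode decoder; returns (value, index_after_value)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dict, terminated by 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[::2], items[1::2])), i + 1
    colon = data.index(b":", i)                    # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def classify_dht(payload):
    """Return ('query', name), ('response', ''), ('error', '') or None if not KRPC."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, IndexError):               # garbage length, missing ':' or 'e'
        return None
    if not isinstance(msg, dict) or b"t" not in msg or b"y" not in msg:
        return None
    y = msg[b"y"]
    if y == b"q":
        return ("query", msg.get(b"q", b"").decode(errors="replace"))
    if y == b"r":
        return ("response", "")
    return ("error", "") if y == b"e" else None

# Constructed sample packets: (src, dst, udp_payload)
SAMPLE = [
    ("192.168.1.20", "203.0.113.9", b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    ("192.168.1.20", "203.0.113.9", b"d1:ad2:id20:" + b"B" * 20 + b"9:info_hash20:" + b"C" * 20
                                    + b"e1:q9:get_peers1:t2:ab1:y1:qe"),
    ("192.168.1.31", "198.51.100.7", b"\x12\x34\x01\x00\x00\x01"),   # DNS-shaped, not DHT
]

def dht_talkers(packets):
    """Map each internal source address to the set of DHT query names it sent."""
    out = {}
    for src, _dst, payload in packets:
        hit = classify_dht(payload)
        if hit and hit[0] == "query":
            out.setdefault(src, set()).add(hit[1])
    return out
```

Feeding this the UDP payloads from a capture on the bridge (or on the Proxmox host's WAN-side interface) separates a LAN host that is genuinely speaking DHT from the CGNAT case, where the hits on the public IP come from traffic that never crosses your bridge at all.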

[–] [email protected] 1 points 6 months ago

Yes that is correct.