
When I go to iknowwhatyoudownload.com, a bunch of stuff shows up for my IP that’s definitely not being downloaded by anyone in my house (foreign language torrents). Aside from that my router (AT&T Arris BGW210) needs to be restarted about once a week, due to some kind of dhcp issue. The most recent event seemed bad - none of my devices had internet, they could all talk to each other, and my ONT activity light was flickering steadily. During this time I had no access to the router, even plugged in directly to LAN. Fixed by a restart but no idea what was going on.

The DHT torrent thing has been happening for months and the router thing could just be that AT&T sucks. I have no other evidence that something is wrong.

I could buy a firewall and put it downstream of the AT&T equipment.

I could switch internet providers, get a new IP address and router, and see if that fixes it.

Should I try to figure out what’s going on or just keep restarting the router once a week and ignore the DHT hits from my static IP?

all 46 comments
[-] Cheradenine@sh.itjust.works 20 points 6 months ago* (last edited 6 months ago)

I didn't know that site. It shows my IP being in a different country from either where I actually am, and where I say I am. It's laden with trackers from Google, Twitter, and Bootstrap. UblockOrigin blocked that garbage.

Trying it two times it changed continents (I have not). Seems like bs to me.

Try deviceinfo.me, it's much more accurate.

[-] sugar_in_your_tea@sh.itjust.works 7 points 6 months ago

Mine was accurate in terms of IP, network, etc (I checked on my phone's data plan), but the torrents made no sense. I clicked on one and it had a list of IPs, and none were associated with mine.

I'm guessing it's all made up nonsense, outside the IP address itself. Granted, it's possible people are torrenting large files on my carrier's data plan, I just don't think it's likely so much has been downloaded in the last day or so with this IP.

Your site looks more reasonable, OP's looks kinda sketchy.

[-] user224@lemmy.sdf.org 4 points 6 months ago

Well, you don't know how many people share that same IP.

Also, I know that in the past when I checked it, it did actually show what torrents I participated in.

[-] sugar_in_your_tea@sh.itjust.works 1 points 6 months ago

Does that mean it's accurate, or that you're participating in popular torrents?

[-] antlion@lemmy.dbzer0.com -1 points 6 months ago

I know what my public IP is, and it's static, and listed correctly on IKWYD. The premise of the site is that torrent magnet links use distributed hash tables (DHT), which gives a public list of IP addresses who have participated in a particular torrent. Given that I have a static IP address, I'm not sure how it would be possible for my IP to show up, unless somebody is using my router as a proxy.

[-] peto@lemm.ee 3 points 6 months ago

I don't know how the tech works, but could the DHTs be deliberately polluted with false data to make this kind of snooping useless?

[-] antlion@lemmy.dbzer0.com 2 points 6 months ago

The DHT is what the torrent client uses to connect to peers. Any invalid IP entry should make that peer unreachable. But maybe some clients have a way to start a download connection, while providing a false IP for the upload connection. I’m not sure how it works exactly.

[-] slazer2au@lemmy.world 16 points 6 months ago* (last edited 6 months ago)

Time to crack out Wireshark and see what is chatting on your network.

[-] Kolanaki@yiffit.net 7 points 6 months ago

OMG thank you. I had used that a long time ago, lost it and forgot what it was called.

[-] antlion@lemmy.dbzer0.com 4 points 6 months ago

Looks like a bit of a learning curve. Depending on where it sits in the network topology I may or may not be able to see the traffic? For instance if the router is compromised, running arbitrary code like a proxy server, it may be completely isolated from my LAN, right?

[-] Almrond@lemmy.world 5 points 6 months ago

Yeah, there are a few ways to check for sure. The most effective is to take a device with 2 Ethernet NICs, plug it in between your modem and router, bridge the interfaces, and sniff the bridge. You can also look into ARP poisoning yourself to check whether the modem is compromised, but the likelihood of that would be slim to none (your modem doesn't have storage or enough compute to handle that kind of traffic redirection.) In all likelihood you are on an ISP that uses CGNAT that assigns a few people's traffic to the same public facing IP address, in that case the traffic could easily be going to a neighbor that uses the same ISP.

[-] antlion@lemmy.dbzer0.com 1 points 6 months ago

I do have a dual Ethernet computer running ProxMox. But if I’m setting it up between the ONT and router, I may as well go all in setting it up as a soft router. Then it would be my firewall, DNS, and DHCP server, and I don’t need to worry about the router.

[-] Almrond@lemmy.world 3 points 6 months ago

There isn't really a good reason to not be doing that already just because of the intrusion detection systems Proxmox has to offer. Most of them would alert you immediately if you were compromised and told it to look for DHT broadcasts going out of the network.
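To make the "look for DHT traffic leaving the network" idea concrete, here is an added example (not code from this thread or from Proxmox): a minimal bencode decoder that recognises BitTorrent DHT (KRPC) messages in UDP payloads and flags the ones sent from the home LAN to outside hosts. The LAN subnet 192.168.1.0/24 and the sample payloads are constructed assumptions.

```python
"""Flag BitTorrent DHT (KRPC) messages in sample UDP payloads (added example)."""
import ipaddress

DHT_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dict: l...e / d...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[::2], items[1::2])), i + 1
    colon = data.index(b":", i)                    # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def classify_dht(payload):
    """Return the KRPC query name, 'response', or None if not a DHT message."""
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError, TypeError):
        return None
    if end != len(payload) or not isinstance(msg, dict) or b"t" not in msg:
        return None                                # every KRPC message carries a transaction id
    if msg.get(b"y") == b"q" and msg.get(b"q") in DHT_QUERIES:
        return msg[b"q"].decode()
    if msg.get(b"y") == b"r" and isinstance(msg.get(b"r"), dict):
        return "response"
    return None

def outbound_dht(flows):
    """Return (src, dst, kind) for DHT messages sent from LAN hosts to addresses outside the LAN."""
    hits = []
    for src, dst, payload in flows:
        kind = classify_dht(payload)
        if kind and ipaddress.ip_address(src) in LAN and ipaddress.ip_address(dst) not in LAN:
            hits.append((src, dst, kind))
    return hits

# Constructed sample flows (src, dst, UDP payload); 203.0.113.0/24 is documentation space.
SAMPLE_FLOWS = [
    ("192.168.1.20", "203.0.113.7", b"d1:ad2:id20:abcdefghij01234567899:info_hash20:mnopqrstuvwxyz123456e1:q9:get_peers1:t2:aa1:y1:qe"),
    ("192.168.1.20", "203.0.113.7", b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"),
    ("192.168.1.50", "192.168.1.1", b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"),  # stays inside the LAN
    ("192.168.1.20", "203.0.113.9", b"\x00\x01\x02 not bencode"),
]
```

Run over real traffic, the same classifier would be fed the UDP payloads captured on the bridge or soft router; a LAN host that keeps issuing get_peers or announce_peer queries is the one running a torrent client.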

[-] slazer2au@lemmy.world 1 points 6 months ago

Yes that is correct.

[-] stom@lemmy.dbzer0.com 11 points 6 months ago

I don't trust the results shown on that site. I have a seedbox with static IP and it shows some torrents that I have downloaded, but also a tonne of porn and games that I haven't.

IP hasn't changed in years, the box isn't shared, I don't allow anyone else access, and yes I have a working carbon monoxide detector.

There's nothing on my box to indicate that someone else is using it: no weird access history, no extra entries in transmission, nothing to suggest someone is downloading things through it except for the erroneous entries on IKWYD. Pretty sure half of it is bullshit.

[-] antlion@lemmy.dbzer0.com 2 points 6 months ago

Good to know. Your seed box isn’t shared with others at the same IP? I wonder if newer “anonymous” BitTorrent protocols allow bouncing IPs or something.

[-] stom@lemmy.dbzer0.com 1 points 6 months ago

the box isn't shared

[-] pe1uca@lemmy.pe1uca.dev 10 points 6 months ago

Are you sure your IP is only used by you?
AFAIK ISPs usually bundle the traffic of users to a few public IP addresses, so maybe the things you see are just someone else in your area going out from the same IP your ISP provides.

But I'm not actually sure if this is how it works, I might be wrong.

[-] antlion@lemmy.dbzer0.com 4 points 6 months ago

I don’t pay for a static IP, but it never changes. I have some DNS entries pointing home and I haven't needed to update them in the past 4 years at least.

[-] Almrond@lemmy.world 2 points 6 months ago

That makes it incredibly likely you are behind a NAT that runs multiple people's traffic through the same public IP. If your ISP supports IPv6 you can always check that address, that shouldn't be shared.

[-] Markaos@lemmy.one 2 points 6 months ago

Do CGNATs nowadays support port forwarding? Because my understanding was that most CGNAT setups make incoming connections nearly impossible and the few exceptions work by reserving a few port numbers for each customer. But OP doesn't seem to have any trouble with port forwarding.

[-] Almrond@lemmy.world 2 points 6 months ago

CGNAT uses RFC 6598 and a particular type of NAT, not all are created equal. Port forwarded public address space doesn't mean you aren't sharing the address, just that you can bind one of the ports in the space and expect that traffic to reach you. That's what most ISPs do, if your server is being a router at home you are going through a minimum of a single NAT layer, usually 2. That's literally what port forwarding is, forwarding traffic from one address and port to another on a different subnet (or a different machine on the same subnet. You see this often with separate DNS and DHCP servers in enterprise networks.) CGNAT specifically messes with port forwarding because it assigns traffic somewhat arbitrarily and the user has no control of the routing. That's why you have to use reverse connections to get around them: you can establish an outgoing connection then use it to serve data, you just don't have a public address that can be guaranteed to point to your machine.

Not all NAT is CGNAT, and not all NAT disallows incoming connections. I don't understand how everyone thinks it's reasonable to assume that A. your whole network has been compromised or B. that it would benefit the attacker in any way to use your connection to download movies. They use a crap modem, that's why it crashes often, and using IKWYD without knowing how DHT and IPv4 addressing works is just causing paranoia through ignorance.
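An added example (not from this thread) of the check the CGNAT discussion above implies: compare the WAN address the router reports with the address an outside service sees, and use the RFC 6598 shared range 100.64.0.0/10 plus the RFC 1918 private ranges to decide whether the public IP is shared. The sample addresses are constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation space standing in for real public addresses.

```python
"""Decide whether a home router sits behind CGNAT or another NAT layer (added example)."""
import ipaddress

SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space used by CGNAT
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def address_class(addr):
    """Classify an IPv4 address as 'cgnat', 'private' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in SHARED:
        return "cgnat"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"

def nat_verdict(wan_addr, external_addr):
    """Combine the router's WAN address with the address seen from the internet.

    wan_addr      - what the router's status page shows on its WAN interface
    external_addr - what an outside service reports as your source address
    """
    kind = address_class(wan_addr)
    if kind == "cgnat":
        return "cgnat"        # ISP hands out RFC 6598 space: the public address is shared
    if kind == "private":
        return "double-nat"   # another NAT (e.g. ISP combo box) sits in front of this router
    if ipaddress.ip_address(wan_addr) == ipaddress.ip_address(external_addr):
        return "direct"       # public address is on the router itself; a DHT hit against it is yours
    return "isp-nat"          # public WAN address but the internet sees a different one: translated upstream

if __name__ == "__main__":
    # Constructed pairs (router WAN address, externally observed address).
    for wan, seen in [("100.72.3.4", "198.51.100.1"), ("192.168.0.10", "198.51.100.1"),
                      ("203.0.113.25", "203.0.113.25"), ("203.0.113.25", "198.51.100.1")]:
        print(wan, seen, "->", nat_verdict(wan, seen))
```

If the verdict is "direct" the address is not shared by CGNAT, so traffic attributed to it by an external site came from behind this router (or from an earlier holder of the address); any other verdict means neighbours may share it.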

[-] Markaos@lemmy.one 1 points 6 months ago

Alright, I didn't know ISPs use other types of NAT for the "few to many" mapping of public IPs to customers - all I've seen in my limited experience were plain old static public IPs, dynamic public IPs assigned on each connection, and what I assume to be a CGNAT (the router was assigned an IP in the 100.64.0.0/10 range from the ISP). So that's good to know, thanks.

> I don't understand how everyone thinks it's reasonable to assume that A. your whole network has been compromised or B. that it would benefit the attacker in any way to use your connection to download movies. They use a crap modem, that's why it crashes often, and using IKWYD without knowing how DHT and IPv4 addressing works is just causing paranoia through ignorance.

This has literally nothing to do with my comment.

[-] HReflex@yiffit.net 2 points 6 months ago

AT&T Fiber gives out static IPs from what I've seen. Mine has never changed either.

[-] possiblylinux127@lemmy.zip 5 points 6 months ago

IP addresses change periodically. It probably was just someone else with your IP previously.

Also I would not trust that site in the least

[-] antlion@lemmy.dbzer0.com 4 points 6 months ago

But I have a static IP (unchanged for years) and the site shows torrents downloaded within the past 10 days.

[-] sandman2211@sh.itjust.works 3 points 6 months ago

Do you have any IoT devices chewing up a lot more bandwidth than they should be?

[-] antlion@lemmy.dbzer0.com 1 points 6 months ago

I have 4 IoT appliances, and 3 cameras. None of them have really high WiFi traffic. I’m looking into what kind of logging I can get from the router, as I’m primarily concerned with internet traffic rather than LAN traffic. I have two Linux servers that are always on, so it could be software running on one of those too. Also it seems the router itself isn’t the most secure device so I have to check that somehow too.

[-] sandman2211@sh.itjust.works 3 points 6 months ago

Can you get into your router's admin interface? At the very least assuming you don't have much networking experience I'd do these things in this order:

1 - Check for firmware updates and apply them

2 - Factory reset

3 - Change password

4 - Recheck for updates in case the reset wiped them out

There's a million other things you can do to get more info on what's going on and put in security layers to do this and that. But if you just want the maximum results for the minimum effort this is the best place to start.

[-] antlion@lemmy.dbzer0.com 1 points 6 months ago

Yes I can. AT&T has remote access to their routers, and they apply firmware updates automatically. That by itself is a security risk. I do have the default password which is printed on the side, so I will change it to see if that fixes anything. I’m hesitant to do a factory reset because of some static IP and port forwarding I use. Of course the port forwarding could be a vulnerability passed on to one of my network machines, so I will try that if the password change doesn’t work.

[-] sugar_in_your_tea@sh.itjust.works 3 points 6 months ago

Do you have to use their router? Can you buy and configure your own?

[-] antlion@lemmy.dbzer0.com 1 points 6 months ago

There are some workarounds but they aren't trivial. Basically I have to find a way to extract the certificate from the router, or set up a certificate pass-through with another router. If I switch ISPs, I could bring my own device.

[-] sandman2211@sh.itjust.works 1 points 6 months ago

The factory reset idea is mostly to clear out any unauthorized customization that may have been made. If you can confirm that hasn't happened then it wouldn't be necessary. I have a router that's not supported by my ISP so I feel your pain. Fortunately I only had to figure out how to tag a particular vlan on the WAN to get it working and someone else had posted a guide that got me most of the way there.

[-] antlion@lemmy.dbzer0.com 1 points 6 months ago

It’s a good idea, and easy enough to do. I can’t confirm anything going on in the router without hacking it myself. But even if that fixes the problem temporarily, it wouldn’t patch any vulnerabilities in the router so it could be a short term fix.

https://www.malwarebytes.com/blog/news/2022/08/millions-of-arris-routers-are-vulnerable-to-path-traversal-attacks

[-] undefined@links.hackliberty.org 2 points 4 months ago

Just off the top, the Arris router is probably trash. Even if you’re stuck with their modem, be sure that they’re separate (no modem/router combo box mess but if so, bridge mode) and you’re using your own (preferably high-end) router.

Bonus points if you ditch what we colloquially call a “router” and get a network switch, a real router, and WiFi handled by a separate access point (AP).

[-] antlion@lemmy.dbzer0.com 1 points 4 months ago

I’d really like if there was a high end router and switch without WiFi. I already have all my wireless handled by 3 access points. Is there a high end router/switch with 4 ports?

[-] undefined@links.hackliberty.org 1 points 4 months ago* (last edited 4 months ago)

Probably not, the closest I’ve come is ASUS gear but I moved to Ubiquiti a few years ago. The router is just an EdgeRouter X and the switch is Gigabit with 24 ports that I landed absurdly cheap. The nice thing about it though is that to upgrade WiFi standards I’ve only got to replace the access point. I’m in an apartment so just one is more than enough.

Edit: I misread, you said without WiFi. I don’t think it’s common to have a router/switch combo in one box (without WiFi).

[-] antlion@lemmy.dbzer0.com 2 points 4 months ago* (last edited 4 months ago)

Thanks, it looks like the Edgerouter X would meet my needs. I’m not sure I would need a switch though since it has 4 ports.

this post was submitted on 24 Apr 2024
26 points (93.3% liked)