When I go to iknowwhatyoudownload.com, a bunch of stuff shows up for my IP that’s definitely not being downloaded by anyone in my house (foreign language torrents). Aside from that my router (AT&T Arris BGW210) needs to be restarted about once a week, due to some kind of dhcp issue. The most recent event seemed bad - none of my devices had internet, they could all talk to each other, and my ONT activity light was flickering steadily. During this time I had no access to the router, even plugged in directly to LAN. Fixed by a restart but no idea what was going on.
The DHT torrent thing has been happening for months and the router thing could just be that AT&T sucks. I have no other evidence that something is wrong.
I could buy a firewall and put it downstream of the AT&T equipment.
I could switch internet providers, get a new IP address and router, and see if that fixes it.
Should I try to figure out what’s going on or just keep restarting the router once a week and ignore the DHT hits from my static IP?
I didn’t know that site. It shows my IP being in a different country from either where I actually am, and where I say I am. It’s laden with trackers from Google, Twitter, and Bootstrap. UblockOrigin blocked that garbage.
Trying it two times it changed continents (I have not). Seems like bs to me.
Try deviceinfo.me , it’s much more accurate.
Mine was accurate in terms of IP, network, etc (I checked on my phone’s data plan), but the torrents made no sense. I clicked on one and it had a list of IPs, and none were associated with mine.
I’m guessing it’s all made up nonsense, outside the IP address itself. Granted, it’s possible people are torrenting large files on my carrier’s data plan, I just don’t think it’s likely so much has been downloaded in the last day or so with this IP.
Your site looks more reasonable, OP’s looks kinda sketchy.
Well, you don’t know how many people share that same IP.
Also, I know that in past when I checked it, it did actually show what torrents I participated in.
Does that mean it’s accurate, or that you’re participating in popular torrents?
I know what my public IP is, and it’s static, and listed correctly on IKWYD. The premise of the site is that torrent magnet links use distributed hash tables (DHT), which gives a public list of IP addresses who have participated in a particular torrent. Given that I have a static IP address, I’m not sure how it would be possible for my IP to show up, unless somebody is using my router as a proxy.
I don’t know how the tech works, but could the DHTs be deliberately polluted with false data to make this kind of snooping useless?
The DHT is what the torrent client uses to connect to peers. Any invalid IP entry should make that peer unreachable. But maybe some clients have a way to start a download connection, while providing a false IP for the upload connection. I’m not sure how it works exactly.
Time to crack out Wireshark and see what is chatting on your network.
OMG thank you. I had used that a long time ago, lost it and forgot what it was called.
Looks like a bit of a learning curve. Depending on where it sits in the network topology I may or may not be able to see the traffic? For instance if the router is compromised, running arbitrary code like a proxy server, it may be completely isolated from my LAN, right?
Yeah, there are a few ways to check for sure. The most effective is to take a device with 2 Ethernet NICs, plug it in between your modem and router, bridge the interfaces, and sniff the bridge. You can also look into ARP poisoning yourself to check whether the modem is compromised, but the likelihood of that would be slim to none (your modem doesn’t have storage or enough compute to handle that kind of traffic redirection.) In all likelihood you are on an ISP that uses CGNAT that assigns a few peoples traffic to the same public facing IP address, in that case the traffic could easily be going to a neighbor that uses the same ISP.
I do have a dual Ethernet computer running ProxMox. But if I’m setting it up between the ONT and router, I may as well go all in setting it up as a soft router. Then it would be my firewall, DNS, and DHCP server, and I don’t need to worry about the router.
There isn’t really a good reason to not be doing that already just because of the intrusion detection systems Proxmox has to offer. Most of them would alert you immediately if you were compromised told it to look for DHT broadcasts going out of the network.
Yes that is correct.
I don’t trust the results shown on that site. I have a seedbox with static IP and it shows some torrents that I have downloaded, but also a tonne of porn and games that I haven’t.
Ip hasn’t changed in years, the box isn’t shared, I don’t allow anyone else access, and yes I have a working carbon monoxide detector.
There’s nothing on my box to indicate that someone else is using it: no weird access history, no extra entries in transmission, nothing to suggests someone is downloading things through it except for the erroneous entries on IKWYD. Pretty sure half of it is bullshit.
Good to know. Your seed box isn’t shared with others at the same IP? I wonder if newer “anonymous” BitTorrent protocols allow bouncing IPs or something.
the box isn’t shared
Are you sure your IP is only used by you?
AFAIK ISPs usually bundle the traffic of users to a few public IP addresses, so maybe the things you see are just someone else in your area going out from the same IP your ISP provides.But I’m not actually sure if this is how it works, I might be wrong.
I don’t pay for a static IP, but it never changes. I have some dns entries pointing home and I never need to update them in the past 4 years at least.
AT&T Fiber gives out static IPs from what I’ve seen. Mine has never changed either.
That makes it incredibly likely you are behind a NAT that runs multiple people’s traffic through the same public IP. If your ISP supports IPv6 you can always check that address, that shouldn’t be shared.
Do CGNATs nowadays support port forwarding? Because my understanding was that most CGNAT setups make incoming connections nearly impossible and the few exceptions work by reserving a few port numbers for each customer. But OP doesn’t seem to have any trouble with port forwarding.
CGNAT uses RFC 6598 and a particular type of NAT, not all are created equal. Port forwarded public address space doesn’t mean you aren’t sharing the address, just that you can bind one of the ports in the space and expect that traffic to reach you. Thats what most ISPs do, if your server is being a router at home you are going through a minimum of a single NAT layer, usually 2. That’s literally what port forwarding is, forwarding traffic from one address and port to another on a different subnet (or a different machine on the same subnet. You see this often with separate DNS and DHCP servers in enterprise networks.) CGNAT specifically messes with port forwarding because it assigns traffic somewhat arbitrarily and the user has no control of the routing. That’s why you have to use reverse connections to get around them: you can establish an outgoing connection then use it to serve data, you just don’t have a public address that can be guaranteed to point to your machine.
Not all NAT is CGNAT, and not all NAT disallows incoming connections. I don’t understand how everyone thinks it’s reasonable to assume that A. your whole network has been compromised or B. that it would benefit the attacker in any way to use your connection to download movies. They use a crap modem, that’s why it crashes often, and using IKWYD without knowing how DHT and IPv4 addressing works is just causing paranoia through ignorance.
Alright, I didn’t know ISPs use other types of NAT for the “few to many” mapping of public IPs to customers - all I’ve seen in my limited experience were plain old static public IPs, dynamic public IPs assigned on each connection, and what I assume to be a CGNAT (the router was assigned an IP in the 100.64.0.0/10 range from the ISP). So that’s good to know, thanks.
I don’t understand how everyone thinks it’s reasonable to assume that A. your whole network has been compromised or B. that it would benefit the attacker in any way to use your connection to download movies. They use a crap modem, that’s why it crashes often, and using IKWYD without knowing how DHT and IPv4 addressing works is just causing paranoia through ignorance.
This has literally nothing to do with my comment.
IP address change periodically. It probably was just someone else with your IP previously.
Also I would not trust that site in the least
But I have a static IP (unchanged for years) and the site shows torrents downloaded within the past 10 days.
Do you have any IoT devices chewing up a lot more bandwidth than they should be?
I have 4 IoT appliances, and 3 cameras. None of them have really high WiFi traffic. I’m looking into what kind of logging I can get from the router, as I’m primarily concerned with internet traffic rather than LAN traffic. I have two Linux servers that are always on, so it could be software running on one of those too. Also it seems the router itself isn’t the most secure device so I have to check that somehow too.
Can you get into your router’s admin interface? At the very least assuming you don’t have much networking experience I’d do these things in this order:
1 - Check for firmware updates and apply them
2 - Factory reset
3 - Change password
4 - Recheck for updates in case the reset wiped them out
There’s a million other things you can do to get more info on what’s going on and put in security layers to do this and that. But if you just want the maximum results for the minimum effort this is the best place to start.
Yes I can. AT&T has remote access to their routers, and they apply firmware updates automatically. That by itself is a security risk. I do have the default password which is printed on the side, so I will change it to see if that fixes anything. I’m hesitant to do a factory reset because of some static IP and port forwarding I use. Of course the port forwarding could be a vulnerability passed on to one of my network machines, so I will try that if the password change doesn’t work.
Do you have to use their router? Can you buy and configure your own?
There’s some workarounds but they aren’t trivial. Basically I have to find a way to extract the certificate from the router, or set up a certificate pass-through with another router. If I switch ISPs, I could bring my own device.
The factory reset idea is mostly to clear out any unauthorized customization that may have been made. If you can confirm that hasn’t happened then it wouldn’t be necessary. I have a router that’s not supported by my ISP so I feel your pain. Fortunately I only had to figure out how to tag a particular vlan on the WAN to get it working and someone else had posted a guide that got me most of the way there.
It’s a good idea, and easy enough to do. I can’t confirm anything going on in the router without hacking it myself. But even if that fixes the problem temporarily, it wouldn’t patch any vulnerabilities in the router so it could be a short term fix.
Just off the top, the Arris router is probably trash. Even if you’re stuck with their modem, be sure that they’re separate (no modem/router combo box mess but if so, bridge mode) and you’re using your own (preferably high-end) router.
Bonus points if you ditch what we colloquially call a “router” and get a network switch, a real router, and WiFi handled by a separate access point (AP).
I’d really like if there was a high end router and switch without WiFi. I already have all my wireless handled by 3 access points. Is there a high end router/switch with 4 ports?
Probably not, the closest I’ve come is ASUS gear but I moved to Ubiquiti a few years ago. The router is just an EdgeRouter X and the switch is Gigabit with 24 ports that I landed absurdly cheap. The nice thing about it though is that to upgrade WiFi standards I’ve only got to replace the access point. I’m in an apartment so just one is more than enough.
Edit: I misread, you said without WiFi. I don’t think it’s common to have a router/switch combo in one box (without WiFi).
Thanks it looks like the Edgerouter X would meet my needs. I’m not sure I would need a switch though since it has 4 ports.
deleted by creator
deleted by creator
deleted by creator
I don’t think they use CG-NAT my IP starts with 75, and it hasn’t changed in years.
Yeah, sorry, I just missed the last line.
75.0.0.0/8 is the ARIN range for commercial businesses. Just because it’s outside of the 100.0.0.0/8 range doesn’t mean it isn’t an address held by a NAT. If I remember correctly it’s used by either Comcast or Charter, both of which will put you behind a NAT unless you are paying for a static IP on a business account (and you mentioned you aren’t)
AT&T fiber, through a reseller so it is a commercial account.
Not necessarily the same thing, it could easily be a small leased block using NAT to offer service to more customers in that case. The reseller has a commercial account, yes, but that doesn’t mean you get exclusive access to an address in that block (very unlikely unless you are dropping big money.) Nothing you have said so far rules out being behind a NAT.