When I go to iknowwhatyoudownload.com, a bunch of stuff shows up for my IP that’s definitely not being downloaded by anyone in my house (foreign language torrents). Aside from that my router (AT&T Arris BGW210) needs to be restarted about once a week, due to some kind of dhcp issue. The most recent event seemed bad - none of my devices had internet, they could all talk to each other, and my ONT activity light was flickering steadily. During this time I had no access to the router, even plugged in directly to LAN. Fixed by a restart but no idea what was going on.

The DHT torrent thing has been happening for months and the router thing could just be that AT&T sucks. I have no other evidence that something is wrong.

I could buy a firewall and put it downstream of the AT&T equipment.

I could switch internet providers, get a new IP address and router, and see if that fixes it.

Should I try to figure out what’s going on or just keep restarting the router once a week and ignore the DHT hits from my static IP?

  • Cheradenine@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    20
    ·
    edit-2
    8 months ago

    I didn’t know that site. It shows my IP being in a different country from either where I actually am, and where I say I am. It’s laden with trackers from Google, Twitter, and Bootstrap. UblockOrigin blocked that garbage.

    Trying it two times it changed continents (I have not). Seems like bs to me.

    Try deviceinfo.me , it’s much more accurate.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      7
      ·
      8 months ago

      Mine was accurate in terms of IP, network, etc (I checked on my phone’s data plan), but the torrents made no sense. I clicked on one and it had a list of IPs, and none were associated with mine.

      I’m guessing it’s all made up nonsense, outside the IP address itself. Granted, it’s possible people are torrenting large files on my carrier’s data plan, I just don’t think it’s likely so much has been downloaded in the last day or so with this IP.

      Your site looks more reasonable, OP’s looks kinda sketchy.

    • antlion@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      3
      ·
      8 months ago

      I know what my public IP is, and it’s static, and listed correctly on IKWYD. The premise of the site is that torrent magnet links use distributed hash tables (DHT), which gives a public list of IP addresses who have participated in a particular torrent. Given that I have a static IP address, I’m not sure how it would be possible for my IP to show up, unless somebody is using my router as a proxy.

      • peto (he/him)@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        ·
        8 months ago

        I don’t know how the tech works, but could the DHTs be deliberately polluted with false data to make this kind of snooping useless?

        • antlion@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          8 months ago

          The DHT is what the torrent client uses to connect to peers. Any invalid IP entry should make that peer unreachable. But maybe some clients have a way to start a download connection, while providing a false IP for the upload connection. I’m not sure how it works exactly.

    • antlion@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      8 months ago

      Looks like a bit of a learning curve. Depending on where it sits in the network topology I may or may not be able to see the traffic? For instance if the router is compromised, running arbitrary code like a proxy server, it may be completely isolated from my LAN, right?

      • Almrond@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        8 months ago

        Yeah, there are a few ways to check for sure. The most effective is to take a device with 2 Ethernet NICs, plug it in between your modem and router, bridge the interfaces, and sniff the bridge. You can also look into ARP poisoning yourself to check whether the modem is compromised, but the likelihood of that would be slim to none (your modem doesn’t have storage or enough compute to handle that kind of traffic redirection.) In all likelihood you are on an ISP that uses CGNAT that assigns a few peoples traffic to the same public facing IP address, in that case the traffic could easily be going to a neighbor that uses the same ISP.

        • antlion@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          I do have a dual Ethernet computer running ProxMox. But if I’m setting it up between the ONT and router, I may as well go all in setting it up as a soft router. Then it would be my firewall, DNS, and DHCP server, and I don’t need to worry about the router.

          • Almrond@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            8 months ago

            There isn’t really a good reason to not be doing that already just because of the intrusion detection systems Proxmox has to offer. Most of them would alert you immediately if you were compromised told it to look for DHT broadcasts going out of the network.

  • stom@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    11
    ·
    8 months ago

    I don’t trust the results shown on that site. I have a seedbox with static IP and it shows some torrents that I have downloaded, but also a tonne of porn and games that I haven’t.

    Ip hasn’t changed in years, the box isn’t shared, I don’t allow anyone else access, and yes I have a working carbon monoxide detector.

    There’s nothing on my box to indicate that someone else is using it: no weird access history, no extra entries in transmission, nothing to suggests someone is downloading things through it except for the erroneous entries on IKWYD. Pretty sure half of it is bullshit.

  • pe1uca@lemmy.pe1uca.dev
    link
    fedilink
    English
    arrow-up
    10
    ·
    8 months ago

    Are you sure your IP is only used by you?
    AFAIK ISPs usually bundle the traffic of users to a few public IP addresses, so maybe the things you see are just someone else in your area going out from the same IP your ISP provides.

    But I’m not actually sure if this is how it works, I might be wrong.

    • antlion@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      8 months ago

      I don’t pay for a static IP, but it never changes. I have some dns entries pointing home and I never need to update them in the past 4 years at least.

      • Almrond@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        8 months ago

        That makes it incredibly likely you are behind a NAT that runs multiple people’s traffic through the same public IP. If your ISP supports IPv6 you can always check that address, that shouldn’t be shared.

        • Markaos@lemmy.one
          link
          fedilink
          English
          arrow-up
          2
          ·
          8 months ago

          Do CGNATs nowadays support port forwarding? Because my understanding was that most CGNAT setups make incoming connections nearly impossible and the few exceptions work by reserving a few port numbers for each customer. But OP doesn’t seem to have any trouble with port forwarding.

          • Almrond@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            8 months ago

            CGNAT uses RFC 6598 and a particular type of NAT, not all are created equal. Port forwarded public address space doesn’t mean you aren’t sharing the address, just that you can bind one of the ports in the space and expect that traffic to reach you. Thats what most ISPs do, if your server is being a router at home you are going through a minimum of a single NAT layer, usually 2. That’s literally what port forwarding is, forwarding traffic from one address and port to another on a different subnet (or a different machine on the same subnet. You see this often with separate DNS and DHCP servers in enterprise networks.) CGNAT specifically messes with port forwarding because it assigns traffic somewhat arbitrarily and the user has no control of the routing. That’s why you have to use reverse connections to get around them: you can establish an outgoing connection then use it to serve data, you just don’t have a public address that can be guaranteed to point to your machine.

            Not all NAT is CGNAT, and not all NAT disallows incoming connections. I don’t understand how everyone thinks it’s reasonable to assume that A. your whole network has been compromised or B. that it would benefit the attacker in any way to use your connection to download movies. They use a crap modem, that’s why it crashes often, and using IKWYD without knowing how DHT and IPv4 addressing works is just causing paranoia through ignorance.

            • Markaos@lemmy.one
              link
              fedilink
              English
              arrow-up
              1
              ·
              8 months ago

              Alright, I didn’t know ISPs use other types of NAT for the “few to many” mapping of public IPs to customers - all I’ve seen in my limited experience were plain old static public IPs, dynamic public IPs assigned on each connection, and what I assume to be a CGNAT (the router was assigned an IP in the 100.64.0.0/10 range from the ISP). So that’s good to know, thanks.

              I don’t understand how everyone thinks it’s reasonable to assume that A. your whole network has been compromised or B. that it would benefit the attacker in any way to use your connection to download movies. They use a crap modem, that’s why it crashes often, and using IKWYD without knowing how DHT and IPv4 addressing works is just causing paranoia through ignorance.

              This has literally nothing to do with my comment.

      • HReflex@yiffit.net
        link
        fedilink
        English
        arrow-up
        2
        ·
        8 months ago

        AT&T Fiber gives out static IPs from what I’ve seen. Mine has never changed either.

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    5
    ·
    8 months ago

    IP address change periodically. It probably was just someone else with your IP previously.

    Also I would not trust that site in the least

    • antlion@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      8 months ago

      But I have a static IP (unchanged for years) and the site shows torrents downloaded within the past 10 days.

        • antlion@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          I have 4 IoT appliances, and 3 cameras. None of them have really high WiFi traffic. I’m looking into what kind of logging I can get from the router, as I’m primarily concerned with internet traffic rather than LAN traffic. I have two Linux servers that are always on, so it could be software running on one of those too. Also it seems the router itself isn’t the most secure device so I have to check that somehow too.

  • sandman2211@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    3
    ·
    8 months ago

    Can you get into your router’s admin interface? At the very least assuming you don’t have much networking experience I’d do these things in this order:

    1 - Check for firmware updates and apply them

    2 - Factory reset

    3 - Change password

    4 - Recheck for updates in case the reset wiped them out

    There’s a million other things you can do to get more info on what’s going on and put in security layers to do this and that. But if you just want the maximum results for the minimum effort this is the best place to start.

    • antlion@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      Yes I can. AT&T has remote access to their routers, and they apply firmware updates automatically. That by itself is a security risk. I do have the default password which is printed on the side, so I will change it to see if that fixes anything. I’m hesitant to do a factory reset because of some static IP and port forwarding I use. Of course the port forwarding could be a vulnerability passed on to one of my network machines, so I will try that if the password change doesn’t work.

        • antlion@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          There’s some workarounds but they aren’t trivial. Basically I have to find a way to extract the certificate from the router, or set up a certificate pass-through with another router. If I switch ISPs, I could bring my own device.

          • sandman2211@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            8 months ago

            The factory reset idea is mostly to clear out any unauthorized customization that may have been made. If you can confirm that hasn’t happened then it wouldn’t be necessary. I have a router that’s not supported by my ISP so I feel your pain. Fortunately I only had to figure out how to tag a particular vlan on the WAN to get it working and someone else had posted a guide that got me most of the way there.

  • Prison Mike@links.hackliberty.org
    link
    fedilink
    English
    arrow-up
    2
    ·
    6 months ago

    Just off the top, the Arris router is probably trash. Even if you’re stuck with their modem, be sure that they’re separate (no modem/router combo box mess but if so, bridge mode) and you’re using your own (preferably high-end) router.

    Bonus points if you ditch what we colloquially call a “router” and get a network switch, a real router, and WiFi handled by a separate access point (AP).

    • antlion@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      6 months ago

      I’d really like if there was a high end router and switch without WiFi. I already have all my wireless handled by 3 access points. Is there a high end router/switch with 4 ports?

      • Prison Mike@links.hackliberty.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        6 months ago

        Probably not, the closest I’ve come is ASUS gear but I moved to Ubiquiti a few years ago. The router is just an EdgeRouter X and the switch is Gigabit with 24 ports that I landed absurdly cheap. The nice thing about it though is that to upgrade WiFi standards I’ve only got to replace the access point. I’m in an apartment so just one is more than enough.

        Edit: I misread, you said without WiFi. I don’t think it’s common to have a router/switch combo in one box (without WiFi).

        • antlion@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          6 months ago

          Thanks it looks like the Edgerouter X would meet my needs. I’m not sure I would need a switch though since it has 4 ports.

      • Almrond@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        8 months ago

        75.0.0.0/8 is the ARIN range for commercial businesses. Just because it’s outside of the 100.0.0.0/8 range doesn’t mean it isn’t an address held by a NAT. If I remember correctly it’s used by either Comcast or Charter, both of which will put you behind a NAT unless you are paying for a static IP on a business account (and you mentioned you aren’t)

          • Almrond@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            8 months ago

            Not necessarily the same thing, it could easily be a small leased block using NAT to offer service to more customers in that case. The reseller has a commercial account, yes, but that doesn’t mean you get exclusive access to an address in that block (very unlikely unless you are dropping big money.) Nothing you have said so far rules out being behind a NAT.