Security issue in my network somewhere...?

[hat]

I've been having some strange things going on lately. Long story short - someone just earlier tonight made an account here at TPU and tried to stir up some trouble... but their account appears to be logged in with my own IP address! My fiancee also says she's had issues in the past on Facebook with other people getting strange messages coming from her with our IP address, but it wasn't her sending them. Apparently, she took it up with Facebook and they dug deeper on that issue and they found out it was actually coming from Wisconsin. If there's a security issue somewhere, I'm not sure where it could be. Whatever it is, it's not something as glaringly obvious as an unsecured Wi-Fi network. What should I do to look for security issues?

 

[W1zzard]

What's your network and computer setup like?

Try changing Wifi passwords

 

[sam_86314]

Could probably use a packet sniffer like Wireshark to see where on your network the traffic is coming from.

 

[hat]

What's your network and computer setup like?

Try changing Wifi passwords

I'm thinking my wifi password would be pretty hard to crack, and damn near impossible to just guess, but I suppose it's something worth doing.

I've got a modem (modem only, not a modem/router combo) connected to my own wifi router (RT-N66R, flashed with Tomato). As I've mentioned before, the wifi has a strong password that would be pretty hard to crack... other than that, I've got ethernet running to a few PCs and game consoles and such.

Could probably use a packet sniffer like Wireshark to see where on your network the traffic is coming from.

I can try to take a look at that, but I've never used a tool like that before.

Still, none of this explains to me how someone could appear to be sending messages on Facebook from our IP, but actually being in Wisconson. Obviously, there's no way our wifi reaches all the way over there...

 

[sam_86314]

I can try to take a look at that, but I've never used a tool like that before.

It's been a while since I've used it. I'd say look for traffic from a device with a MAC address that none of your devices have.

Your router probably has a feature to log things that happen on your network too.

 

[W1zzard]

from our IP, but actually being in Wisconson

IP to location mappings are hand-crafted databases that can be out of date or inaccurate. What makes you think "Wisconsin"?

 

[hat]

IP to location mappings are hand-crafted databases that can be out of date or inaccurate. What makes you think "Wisconsin"?

No idea. She said she contacted Facebook about the issue (that is, people getting messages from her that she didn't send) and they initially said it came from our IP, but then they dug deeper and they said it came from Wisconsin. That's all I know about it. This happened quite a while ago, and I'm always hearing things about people having trouble with Facebook, so I just chalked it up to Facebook weirdness. Strange accounts connecting to TPU with our IP address has me more concerned.

 

[Athlonite]

could be a case of IP address spoofing where they haven't actually penetrated your network but are using your IP address in the form of spoofed packet headers

 

[hat]

It's been a while since I've used it. I'd say look for traffic from a device with a MAC address that none of your devices have.

Your router probably has a feature to log things that happen on your network too.

You mean in the "Source" tab, right? This should expose a device on my network that shouldn't be there. However, I should be able to see this information in my router, anyway.

could be a case of IP address spoofing where they haven't actually penetrated your network but are using your IP address in the form of spoofed packet headers

I'm not sure how one would do this, but if this were the case (and probably likely if I am indeed being attacked) that probably means there isn't anything I can do about it, and my own network itself remains intact, correct?

 

[Athlonite]

Try asking your ISP to give you a new IP address that should stop spoofing in its tracks if that's what is happening but I'd also change the Pword for your network wifi and modem login

 

[hat]

Try asking your ISP to give you a new IP address that should stop spoofing in its tracks if that's what is happening but I'd also change the Pword for your network wifi and modem login

I can change my own IP all day my changing my router's MAC address... but then that wouldn't explain where it came from in the first place. If they got me the first time, "they" can just as easily do it again, no?

 

[ne6togadno]

in the wifi router under status you have logs tab. check there for info about events for the router (connected devices, logins to router etc.)
also add mac filtering and ip reservation for lan/wifi and then limit available ips for dhcp only to the range needed for your devices.

 

[Jetster]

Could someone have your IP and be out to cause you problems using a proxy ?

 

[Athlonite]

I can change my own IP all day my changing my router's MAC address... but then that wouldn't explain where it came from in the first place. If they got me the first time, "they" can just as easily do it again, no?

wouldn't that only change the IP your modem gives your router and not the actual IP address the internet see's

 

[DeathtoGnomes]

in the wifi router under status you have logs tab. check there for info about events for the router (connected devices, logins to router etc.)
also add mac filtering and ip reservation for lan/wifi and then limit available ips for dhcp only to the range needed for your devices.

to add to this, current routers can send the log to you via email, but they dont make it easy to do. I still havent got mine to work (netgear).

 

[hat]

wouldn't that only change the IP your modem gives your router and not the actual IP address the internet see's

Nah, it gives me a whole new IP address. I've done it long ago and verified success with whatismyip.

Could someone have your IP and be out to cause you problems using a proxy ?

Seems the most likely scenario (or just some random troll)... seems nearly impossible to prevent, from what I can tell. I can change my IP, but that only works until it happens again. They had to have some way to get it in the first place.

 

[Bill_Bright]

Try asking your ISP to give you a new IP address that should stop spoofing in its tracks if that's what is happening

I can change my own IP all day my changing my router's MAC address...

Ummm, that's not how it normally works.

Nah, it gives me a whole new IP address. I've done it long ago and verified success with whatismyip.

"Long ago", you could just unplug the modem from the Internet for 24 hours, connect it again and get a new IP assignment. But times have changed. If you have not verified this recently (like this morning) I would do it again.

Typically, the IP address the world (and the bad guy) sees is assigned by your ISP to your modem, not your router. If not, you could not troubleshoot your local network by isolating your Internet connection by by-passing your router and connecting a PC directly to the modem.

So I agree with Athlonite and give your ISP a call and explain the situation and ask for a different IP assignment. They will likely give you a hard time because available IPv4 addresses for the ISP are limited. so stand your ground. Be nice and polite, but firm.

Also, while the IP address is assigned to the MAC address of your modem, with many ISPs (like mine) they assign that IP to the account which is tied to the billing or street address. I discovered this when I bought a new DOCSIS 3.1 modem to replace my old 2.0 modem. The new modem got authorized and assigned my old IP address.

And I agree to change your wifi passphrase. You (or your fiancée) might have given it to some visitor at some time in the past. HOWEVER, for them to cause problems today, they would have to be physically located close to your network in order to connect - like next door.

And while unlikely, make sure nobody physically connected an unauthorized device on your Ethernet network. This, of course, would require someone had access to your home - a "trusted" house guest. So you would need to inspect all your Ethernet cables and look for an unauthorized device - perhaps hiding in the attic, basement, or closet. And if you find an unauthorized device, it might be time to change your door locks, search for hidden cameras, and call the police too.

What should I do to look for security issues?

Check your router's admin menu. Most (if not all) router's. let you see the connected devices. Verify each one. Sadly, this may not be easy because not all devices nicely and uniquely identify themselves. For example, I have 2 devices connected to my wifi network, both labeled as "network device". I have to click on each one individually to see one is my Sony Android Phone and the other is my Samsung Blu-ray player.

You might also change you local network settings to limit the maximum number of connected devices that can connect to your network at one time. You can set a range of DHCP IP assignments your router can issue to your devices. So, if between you and your fiancée, you have 4 computers, plus a smart TV, smart phones, and smart door bell, you could limit the connections to 8 devices only. You can also enable MAC Filtering to only allow access to the devices with specific MAC addresses.

If you don't need Guest Network, disable it.

 

[W1zzard]

to limit the maximum number of connected devices that can connect to your network at one time

Interesting alternative to MAC address filtering, for which I'm always too lazy

 

[Bill_Bright]

LOL

Well, it really is simple - and a one-time task. In both this Linksys router I'm using now, and in my old Netgear, it is just 1 setting in the admin menu that needs setting. I set mine to 15. I also told my printer to always ask for and use ("reserve") the same IP address, that is above those possible 15 DHCP assigned IP addresses. This is similar to but easier than setting a static address. Doing this prevents the networked printer from grabbing an IP previously assigned to one of my computers when power is restored after an extended power outage. I did the same with my NAS. I used to have to reconfigure Windows on each machine to use the new IP address for the printer and NAS. A real PITA. Now, I never have to.

 

[Athlonite]

I do exactly the same thing Bill but I do it for the printer the TV and the two permanently connected PC's everything else gets a random IP out of what's left of the 15 IP's allowed

 

[remixedcat]

could be a case of IP address spoofing where they haven't actually penetrated your network but are using your IP address in the form of spoofed packet headers

This as well as the following:
People often get apps like Hola or any of those "anonymizer" apps that basically make your system an exit node for anyone to do nefarious actions. They can still do that even if your WAN IP changes

Please see if you got any of those and if you do promptly uninstall them or even better, reformat if you do in fact do.

 

[newtekie1]

Run a virus scan on all your computers to make sure you aren't infected with something.

 

[R-T-B]

Ummm, that's not how it normally works.

Define "normally."

It's indeed MAC based DHCP-IP issuance at the USA's biggest ISP, comcast.

 

[newtekie1]

Define "normally."

It's indeed MAC based DHCP-IP issuance at the USA's biggest ISP, comcast.

Yeah, I was just going to say that changing the MAC of the router's WAN port does change the public IP on Comcast.

 

[Bill_Bright]

But it is simple to spoof (clone) MAC addresses and in fact, it is commonly done for legitimate reasons too. Every router I have owned has had MAC cloning in the admin menu, I can tell the router to use my PC's MAC address. In this way, every device on my network is seen by the ISP as my PC.

I've not worked with Comcast but have with TW, RR, and Cox. And while they use the modem's MAC address to configure the authorize the connection, it is still tied the owner's account #. If you get a new modem, yes you get a new MAC. But RR, TW and Cox typically assign the same IP to it.

IPSs don't have an infinite number of IP addresses to give out. In fact, the ranges of IP addresses are limited.