
Security issue in my network somewhere...?

Always the possibility of ip spoofing but not likely considering the impersonation aspect.

Other than full network scans, I would revoke everyone's license and setup Mac filtering. Mac is an annoyance but this would be temporary while you see if there effects.

And, to be honest, WiFi passwords are relatively moot. The protocols themselves are the problem followed by the router firmware. Provided you aren't backdoored, which is somewhat a lot of work for a friend to be pranking you, the Mac filter should let you know what is going on.
 
TW, RR, and Cox.

I'm pretty sure 2 outta 3 of those are now owned by comcast.

Comcast's dhcp doesn't care so much about account, it threw that stuff away with the IPv6 push. It's now mac based, or based on some entropy bits if the mac is already found in the db.

Anyhow, way OT sidenote... I'll see myself out.

The protocols themselves are the problem followed by the router firmware.

This is true. If you are using a bad protocol, password length ceases to matter.

I'd go mac filtering as well.
 
I'm pretty sure 2 outta 3 of those are now owned by comcast.

RR is owned/partnered with TW who was bought by Comcast Charter. I would be curious to know how dissimilar their networks are and if they chose to keep them dissimilar or adopted the 'better' one. By 'better', I mean the one that is cheapest.

Edit: Changed Comcast to Charter. Also, I am unsure what level of co-op TW and RR were but I do know they are connected. I suppose I also don't know the exact purchase agreement anymore because I was a TW/RR customer and am now a Charter/RR customer. No idea what happened to TW.

I'd go mac filtering as well.

As Bill pointed out, mac filtering isn't necessarily going to stop his problem. But it will definitely tell him if someone is in his network remotely or locally. I also know you know this.

But RR, TW and Cox typically assign the same IP to it.

I can assure you that RR/TW/Charter don't do that. At minimum, I have a subnet of ips that are possible assignments. At best, it is random.
 
ISPs don't have an infinite number of IP addresses to give out. In fact, the ranges of IP addresses are limited.

Wait, do you think when an ISP assigns someone an IP address, that address can never be used again even if the IP isn't assigned to the person anymore?

Seriously, look how IP pools work, it's like networking 101.

I've not worked with Comcast but have with TW, RR, and Cox. And while they use the modem's MAC address to configure and authorize the connection, it is still tied to the owner's account #. If you get a new modem, yes you get a new MAC. But RR, TW and Cox typically assign the same IP to it.

The only time the IP is tied to the account is when the customer has a static IP address, which is extra and usually only available to business accounts not residential. Otherwise, the ISP uses DHCP to assign an available IP from the "non-static" pool. The IP address is assigned randomly from the pool when the modem connects to the ISP's network. The modem's MAC is used to establish the initial connection, but the router's MAC is used to assign the IP and the router's MAC is bound to the assigned IP. Changing the router's MAC changes the person's public IP. It is like this on AT&T, Frontier, Comcast and TW (and maybe the others, but I don't have experience with them). Each ISP has different DHCP lease times that determine how long before an IP is returned to the available pool.
 
I've been having some strange things going on lately. Long story short - someone just earlier tonight made an account here at TPU and tried to stir up some trouble... but their account appears to be logged in with my own IP address! My fiancee also says she's had issues in the past on Facebook with other people getting strange messages coming from her with our IP address, but it wasn't her sending them. Apparently, she took it up with Facebook and they dug deeper on that issue and they found out it was actually coming from Wisconsin. If there's a security issue somewhere, I'm not sure where it could be. Whatever it is, it's not something as glaringly obvious as an unsecured Wi-Fi network. What should I do to look for security issues?

You're not using TOR or anything like that on any of your devices? Past IP spoofing, to do anything as complex as you describe would require a VPN or a huge amount of effort. Even if you had a smart device that was compromised, you wouldn't see that happening.
Do you have your router (and modem) with non-default admin passwords? Is your router admin page closed to the internet?
How do you know that the TPU IP address was your own IP?
 
I've been having some strange things going on lately. Long story short - someone just earlier tonight made an account here at TPU and tried to stir up some trouble... but their account appears to be logged in with my own IP address! My fiancee also says she's had issues in the past on Facebook with other people getting strange messages coming from her with our IP address, but it wasn't her sending them. Apparently, she took it up with Facebook and they dug deeper on that issue and they found out it was actually coming from Wisconsin. If there's a security issue somewhere, I'm not sure where it could be. Whatever it is, it's not something as glaringly obvious as an unsecured Wi-Fi network. What should I do to look for security issues?

Maybe I am just too old and grizzled, but this is not a "tech" issue and I am fairly certain your fiancee is not telling you the entire truth. I do wish you the best of luck.
 
You're not using TOR or anything like that on any of your devices? Past IP spoofing, to do anything as complex as you describe would require a VPN or a huge amount of effort. Even if you had a smart device that was compromised, you wouldn't see that happening.
Do you have your router (and modem) with non-default admin passwords? Is your router admin page closed to the internet?
How do you know that the TPU IP address was your own IP?

Nothing of the sort, that I know of. You can't access my router admin page from the Internet, or even wifi, and the password is not the default password.

W1zzard showed me the troll account was logged in with my IP.

Maybe I am just too old and grizzled, but this is not a "tech" issue and I am fairly certain your fiancee is not telling you the entire truth. I do wish you the best of luck.

It is a tech issue if someone somewhere is up to something fishy... unless, of course, it was her, then it wouldn't be a tech issue. I didn't mention it before because I felt it was irrelevant to tell the whole story, but what happened was someone came here, registered an account, sent me a PM saying "can you send me a private message" and sent her a PM saying something like "is your boyfriend hat cause he's cheating on you and sending me dirty pictures". Now, I'm not sure why she would do something like that, if that's what you're suggesting, but given how ridiculous that sounds considering the situation, I'd prefer to give her a little more credit than that and chalk it up to some random troll trying to cause issues for me.

I don't know how difficult it would be to find my IP and then spoof it, but so far it looks more likely than some glaring security hole in my network. I've got all the basics covered, so it shouldn't be that easy to compromise one of the machines on my network, unless somebody did something that made it easy to be compromised... but everybody's got Windows 10 (with Defender running, of course) and we're behind a not ancient router, so it shouldn't be that easy.
 
Nothing of the sort, that I know of. You can't access my router admin page from the Internet, or even wifi, and the password is not the default password.

W1zzard showed me the troll account was logged in with my IP.



It is a tech issue if someone somewhere is up to something fishy... unless, of course, it was her, then it wouldn't be a tech issue. I didn't mention it before because I felt it was irrelevant to tell the whole story, but what happened was someone came here, registered an account, sent me a PM saying "can you send me a private message" and sent her a PM saying something like "is your boyfriend hat cause he's cheating on you and sending me dirty pictures". Now, I'm not sure why she would do something like that, if that's what you're suggesting, but given how ridiculous that sounds considering the situation, I'd prefer to give her a little more credit than that and chalk it up to some random troll trying to cause issues for me.

I don't know how difficult it would be to find my IP and then spoof it, but so far it looks more likely than some glaring security hole in my network. I've got all the basics covered, so it shouldn't be that easy to compromise one of the machines on my network, unless somebody did something that made it easy to be compromised... but everybody's got Windows 10 (with Defender running, of course) and we're behind a not ancient router, so it shouldn't be that easy.

Seems odd to do something like that on TPU and not regular social media, if true, it would appear targeted. But why bother spoofing your IP or using your network? Change the wifi passwords anyway, it could be a malicious neighbour maybe? I myself am a fan of Occam's Razor, not that it's always correct.
 
I don't know how difficult it would be to find my IP and then spoof it, but so far it looks more likely than some glaring security hole in my network. I've got all the basics covered, so it shouldn't be that easy to compromise one of the machines on my network, unless somebody did something that made it easy to be compromised... but everybody's got Windows 10 (with Defender running, of course) and we're behind a not ancient router, so it shouldn't be that easy.

Setup MAC filtering. It will take an hour and you will know with almost 100% certainty what is happening.
 
Seems odd to do something like that on TPU and not regular social media, if true, it would appear targeted. But why bother spoofing your IP or using your network?

Yeah, that seems odd to me too. Why so specific as to create an account here at TPU and cause trouble? And how did the person get hat's IP to spoof it? It's not like IPs that people post from are public here at TPU. And if it is just someone that broke into hat's network, why create an account here and start trouble? That seems so specific, and not what I'd do if I got into someone's network. The whole thing seems odd. It just seems like a lot of work just to get someone banned from TPU...
 
Wait, do you think when an ISP assigns someone an IP address, that address can never be used again even if the IP isn't assigned to the person anymore?
Of course it can. I am saying that is part of the problem. Because there are a limited number of IP addresses, it definitely will be assigned again. But that, in itself creates problems. How do sites like TPU permanently ban JoeBadGuy if he keeps coming back, but with a new username? They ban the IP address, right? So then what happens if you get JoeBadGuy's old IP? You are banned before you can even start here. So ISPs avoid IP addresses getting assigned and re-assigned willy-nilly.

It is just like phone numbers in the US. There is a limited number per area code. There's even a limited number of area codes. I got a new cell phone last year and decided to get a new phone number with it. Big mistake. On the way home from the phone store, I got a spam text from bill collectors for "Meghan" - the previous holder of that phone number! To this day, I get a dozen or so text messages and robo-calls a week for her.
Seriously, look how IP pools work, it's like networking 101.
I know how the pools work. I used to manage one. But pools are not bottomless oceans.
Each ISP has a different DHCP lease times that determine how long before an IP is
This is true. And 25+ years ago when I first got broadband (Cox cable Internet) in my home, all I had to do to get a new IP address was unplug my modem for 24 hours plus 1 or 2 minutes, plug in the modem again and I got a new IP. Today, I can leave my modem disconnected while away from home for 3 weeks (as I was earlier this year), come back and still have the same IP.

FTR, I am NOT saying my account # with my ISP and my IP address are tied together as part of any network/DHCP "protocol" connecting my network to theirs. My apologies if I was unclear there.

I am saying it is typical SOP (standard operating procedure) or ISP "policy". That is, I am saying in the ISP's "billing" data base, my assigned IP is linked to my account number, which of course is tied to my physical address, my modem and my modem's MAC address. And unless I call up and give them a convincing story as to why I need a different IP address, that IP is mine - permanently until I terminate my service with them.

I buy my own modems (I don't rent from my ISP). And as I noted above, I have upgraded my modem 3 or 4 times over the years. New modems of course have new MAC addresses. Yet after getting my new modems, I still have the same IP address I've had for years - and that was by my ISP's "policy" they use to manage their pool. I don't believe Cox is unique in how they manage their pool.

But I could be wrong. So I would ask those of you who are saying your ISP doesn't assign your IP to your account to give them a call and ask for a new IP address assignment. If they don't have a policy tying them together, it should take all of 60 seconds to get a new one. Let us know how cooperative they are and how easy it is to get a new one. I know for a fact, as someone who was a network manager for a big network, that technically, for someone with the proper admin credentials, it is a simple task that can be done in a few seconds.

But will the ISP's policy allow it? I hope it is as simple as some here are suggesting. But I will not be surprised if not.
Setup MAC filtering.
Getting around that is almost as easy for a fairly talented badguy as getting around disabled SSID broadcasting. MAC filtering certainly can help with limiting the number of connections to your own network. But it is not really a security precaution because it is not an effective barrier at blocking unauthorized access by a knowledgeable badguy determined to get in.
But why bother spoofing your IP or using your network?
Badguys (or mischievous neighborhood whizkids) might do this to hide their own dubious or illegal activities. Or a disgruntled or rejected X might do this to bring unwanted attention on you. As far as using your network - that is a common practice on metered networks. They use your bandwidth instead of theirs. Or perhaps they don't even have Internet.
 
Getting around that is almost as easy for a fairly talented badguy as getting around disabled SSID broadcasting. MAC filtering certainly can help with limiting the number of connections to your own network. But it is not really a security precaution because it is not an effective barrier at blocking unauthorized access by a knowledgeable badguy determined to get in.

If you read my posts fully, you would see that I said it wouldn't fix his problem. Only let him know with near certainty what it is. Here, let me requote that for you.

As Bill pointed out, mac filtering isn't necessarily going to stop his problem. But it will definitely tell him if someone is in his network remotely or locally. I also know you know this.
Setup MAC filtering. It will take an hour and you will know with almost 100% certainty what is happening.

Notice I said "it won't fix your problem".

But I could be wrong. So I would ask those of you who are saying your ISP doesn't assign your IP to your account to give them a call and ask for a new IP address assignment. If they don't have a policy tying them together, it should take all of 60 seconds to get a new one.

I get a new IP nearly anytime I instruct my router to renew its lease. It's not every time but I can usually do it once a month. I presume it happens when leases are available. No leases available, I get the same IP with a new lease.
 
No we do not.
Thanks, I stand corrected. But then it seems a spammer or troll, as examples, could not be permanently banned. All he or she needs to do is register again with a different user name. Right?

I realize even blacklisting an IP address is somewhat futile with a determined troll. But eventually [hopefully] they will get tired of changing their IPs and move on to another site.
 
Thanks, I stand corrected. But then it seems a spammer or troll, as examples, could not be permanently banned. All he or she needs to do is register again with a different user name. Right?

I realize even blacklisting an IP address is somewhat futile with a determined troll. But eventually [hopefully] they will get tired of changing their IPs and move on to another site.

We have tricks, w1zzard makes it easy to find them.
 
We have tricks, w1zzard makes it easy to find them.
:) I understand. I'm on the staff at a couple sites too. So I understand your vagueness. ;)
 
As Bill pointed out, mac filtering isn't necessarily going to stop his problem. But it will definitely tell him if someone is in his network remotely or locally. I also know you know this.

That's kind of the reason I'd do it.

Sorry for not clarifying. To really solve a problem like this, you need to identify the entry point. Mac filtering helps you know if it's "inside" or "outside."
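
An added illustration of the "inside or outside" check discussed in this thread (not code from any poster): it compares the router's DHCP leases against an inventory of devices you own and sorts out anything you cannot account for. The dnsmasq-style lease layout, the inventory and every sample value are constructed assumptions. Because a MAC can be cloned, as noted earlier in the thread, a known MAC showing an unexpected hostname is reported separately as a weak hint rather than treated as trusted.

```python
from dataclasses import dataclass

# Constructed sample in dnsmasq lease-file layout (an assumption about the router):
# <expiry-epoch> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1700003600 3c:52:82:11:22:33 192.168.1.10 desktop-pc 01:3c:52:82:11:22:33
1700003600 a4:5e:60:44:55:66 192.168.1.11 laptop *
1700003600 da:a1:19:77:88:99 192.168.1.37 * *
1700003600 00:1a:2b:aa:bb:cc 192.168.1.42 android-7f3e *
"""

# Hypothetical inventory: MAC -> hostname you expect that device to announce.
KNOWN_DEVICES = {
    "3c:52:82:11:22:33": "desktop-pc",
    "a4:5e:60:44:55:66": "family-laptop",
}

@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str

def parse_leases(text):
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        _expiry, mac, ip, hostname = fields[:4]
        leases.append(Lease(mac.lower(), ip, hostname))
    return leases

def is_locally_administered(mac):
    # Bit 0x02 of the first octet marks a software-chosen (often randomized) MAC.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(leases, known):
    report = {"known": [], "unknown": [], "randomized": [], "name_mismatch": []}
    for lease in leases:
        if lease.mac not in known:
            bucket = "randomized" if is_locally_administered(lease.mac) else "unknown"
            report[bucket].append(lease)
        elif lease.hostname not in ("*", known[lease.mac]):
            # Known MAC, unexpected hostname: renamed device or a cloned MAC.
            report["name_mismatch"].append(lease)
        else:
            report["known"].append(lease)
    return report

if __name__ == "__main__":
    for bucket, items in audit(parse_leases(SAMPLE_LEASES), KNOWN_DEVICES).items():
        for lease in items:
            print(f"{bucket:13} {lease.mac} {lease.ip} {lease.hostname}")
```

An empty `unknown` and `randomized` list while the unwanted activity continues points away from a device on the local network; any entry there is a device to identify before looking further.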
 
Any update on this issue @hat ?

I'm hoping that you resolved this problem my friend.
 