I think my home network may be compromised, please advise
When I go to iknowwhatyoudownload.com, a bunch of stuff shows up for my IP that’s definitely not being downloaded by anyone in my house (foreign language torrents). Aside from that, my router (AT&T Arris BGW210) needs to be restarted about once a week, due to some kind of DHCP issue. The most recent event seemed bad: none of my devices had internet, they could all talk to each other, and my ONT activity light was flickering steadily. During this time I had no access to the router, even plugged in directly to LAN. Fixed by a restart, but no idea what was going on.
The DHT torrent thing has been happening for months and the router thing could just be that AT&T sucks. I have no other evidence that something is wrong.
I could buy a firewall and put it downstream of the AT&T equipment.
I could switch internet providers, get a new IP address and router, and see if that fixes it.
Should I try to figure out what’s going on or just keep restarting the router once a week and ignore the DHT hits from my static IP?
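One way to settle the DHT question locally, as an added example that is not part of this thread: the script below is a minimal classifier for BitTorrent DHT (KRPC, BEP 5) traffic. DHT messages are bencoded dictionaries carrying a transaction id "t" and a message type "y" of q (query), r (response) or e (error), so UDP payloads captured on the LAN side of the router can be sorted into DHT queries, responses and everything else, per source address. If no internal host ever emits DHT queries, the hits on that site are being attributed to the public address rather than to a machine behind the router. The flows, addresses, node ids and the SAMPLE_FLOWS name are constructed assumptions for the example; in real use you would feed it payloads exported from a packet capture.

```python
"""Classify UDP payloads as BitTorrent DHT (KRPC, BEP 5) messages.

Added example, not code from the thread. All sample flows below are constructed.
"""
from collections import Counter


def bencode(obj):
    """Encode ints, bytes, lists and dicts in bencode (used here to build samples)."""
    if isinstance(obj, bool):
        raise TypeError("bool is not bencodable")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        # bencode requires dictionary keys in sorted order
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def _bdecode(data, i):
    """Decode one bencoded value starting at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        i += 1
        items = []
        while data[i:i + 1] != b"e":  # an empty slice at end of data raises below
            v, i = _bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":
        i += 1
        d = {}
        while data[i:i + 1] != b"e":
            k, i = _bdecode(data, i)
            v, i = _bdecode(data, i)
            d[k] = v
        return d, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        n = int(data[i:colon])
        start = colon + 1
        if start + n > len(data):
            raise ValueError("truncated string")
        return data[start:start + n], start + n
    raise ValueError("not bencode")


def classify_dht(payload):
    """Return 'query:<name>', 'response' or 'error' for a KRPC message, else None."""
    try:
        msg, end = _bdecode(payload, 0)
    except (ValueError, RecursionError):
        return None
    # The whole datagram must be exactly one dictionary with "t" and a valid "y".
    if end != len(payload) or not isinstance(msg, dict):
        return None
    kind = msg.get(b"y")
    if b"t" not in msg or kind not in (b"q", b"r", b"e"):
        return None
    if kind == b"q":
        name = msg.get(b"q", b"")
        if not isinstance(name, bytes):
            return None
        return "query:" + name.decode("ascii", "replace")
    return "response" if kind == b"r" else "error"


def summarize(flows):
    """Count DHT message kinds per source IP. flows: (src_ip, dst_ip, dst_port, payload)."""
    report = {}
    for src_ip, _dst_ip, _dst_port, payload in flows:
        kind = classify_dht(payload)
        if kind is not None:
            report.setdefault(src_ip, Counter())[kind] += 1
    return report


# Constructed sample data: one LAN host talking to the DHT, one host that is not.
LAN_HOST = "192.168.1.23"  # assumed internal address
NODE_ID = b"\x11" * 20     # constructed 20-byte node id
SAMPLE_FLOWS = [
    (LAN_HOST, "203.0.113.5", 6881, bencode({b"t": b"aa", b"y": b"q", b"q": b"get_peers",
                                             b"a": {b"id": NODE_ID, b"info_hash": b"\x22" * 20}})),
    (LAN_HOST, "198.51.100.9", 51413, bencode({b"t": b"bb", b"y": b"q", b"q": b"ping",
                                               b"a": {b"id": NODE_ID}})),
    ("203.0.113.5", LAN_HOST, 40000, bencode({b"t": b"aa", b"y": b"r",
                                              b"r": {b"id": b"\x33" * 20, b"nodes": b""}})),
    ("192.168.1.40", "192.168.1.1", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),  # DNS-like
    ("192.168.1.40", "203.0.113.77", 443, b"\xc3\x00\x00\x00\x01\x08"),  # not bencode at all
]

if __name__ == "__main__":
    for src, counts in sorted(summarize(SAMPLE_FLOWS).items()):
        print(src, dict(counts))
```

Only outbound queries from a LAN address identify a local DHT client; inbound responses or unsolicited queries arriving at a port-forwarded host show that outside nodes already know the public address, which is worth noting separately when reading the per-source report.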
Can you get into your router's admin interface? At the very least, assuming you don't have much networking experience, I'd do these things in this order:
1 - Check for firmware updates and apply them
2 - Factory reset
3 - Change password
4 - Recheck for updates in case the reset wiped them out
There are a million other things you can do to get more info on what's going on and put in security layers to do this and that. But if you just want the maximum results for the minimum effort, this is the best place to start.
Yes I can. AT&T has remote access to their routers, and they apply firmware updates automatically. That by itself is a security risk. I do have the default password which is printed on the side, so I will change it to see if that fixes anything. I’m hesitant to do a factory reset because of some static IP and port forwarding I use. Of course the port forwarding could be a vulnerability passed on to one of my network machines, so I will try that if the password change doesn’t work.
There are some workarounds, but they aren't trivial. Basically I have to find a way to extract the certificate from the router, or set up a certificate pass-through with another router. If I switch ISPs, I could bring my own device.
The factory reset idea is mostly to clear out any unauthorized customization that may have been made. If you can confirm that hasn't happened, then it wouldn't be necessary. I have a router that's not supported by my ISP, so I feel your pain. Fortunately I only had to figure out how to tag a particular VLAN on the WAN to get it working, and someone else had posted a guide that got me most of the way there.
It’s a good idea, and easy enough to do. I can’t confirm anything going on in the router without hacking it myself. But even if that fixes the problem temporarily, it wouldn’t patch any vulnerabilities in the router, so it could be a short-term fix.