I think my home network may be compromised, please advise
When I go to iknowwhatyoudownload.com, a bunch of stuff shows up for my IP that’s definitely not being downloaded by anyone in my house (foreign language torrents). Aside from that my router (AT&T Arris BGW210) needs to be restarted about once a week, due to some kind of dhcp issue. The most recent event seemed bad - none of my devices had internet, they could all talk to each other, and my ONT activity light was flickering steadily. During this time I had no access to the router, even plugged in directly to LAN. Fixed by a restart but no idea what was going on.
The DHT torrent thing has been happening for months and the router thing could just be that AT&T sucks. I have no other evidence that something is wrong.
I could buy a firewall and put it downstream of the AT&T equipment.
I could switch internet providers, get a new IP address and router, and see if that fixes it.
Should I try to figure out what’s going on or just keep restarting the router once a week and ignore the DHT hits from my static IP?
Are you sure your IP is only used by you?
AFAIK ISPs usually bundle the traffic of users to a few public IP addresses, so maybe the things you see are just someone else in your area going out from the same IP your ISP provides.
But I'm not actually sure if this is how it works, I might be wrong.
That makes it incredibly likely you are behind a NAT that runs multiple people's traffic through the same public IP. If your ISP supports IPv6 you can always check that address, that shouldn't be shared.
Do CGNATs nowadays support port forwarding? Because my understanding was that most CGNAT setups make incoming connections nearly impossible and the few exceptions work by reserving a few port numbers for each customer. But OP doesn't seem to have any trouble with port forwarding.
CGNAT uses RFC 6598 and a particular type of NAT, not all are created equal. Port forwarded public address space doesn't mean you aren't sharing the address, just that you can bind one of the ports in the space and expect that traffic to reach you. Thats what most ISPs do, if your server is being a router at home you are going through a minimum of a single NAT layer, usually 2. That's literally what port forwarding is, forwarding traffic from one address and port to another on a different subnet (or a different machine on the same subnet. You see this often with separate DNS and DHCP servers in enterprise networks.) CGNAT specifically messes with port forwarding because it assigns traffic somewhat arbitrarily and the user has no control of the routing. That's why you have to use reverse connections to get around them: you can establish an outgoing connection then use it to serve data, you just don't have a public address that can be guaranteed to point to your machine.
Not all NAT is CGNAT, and not all NAT disallows incoming connections. I don't understand how everyone thinks it's reasonable to assume that A. your whole network has been compromised or B. that it would benefit the attacker in any way to use your connection to download movies. They use a crap modem, that's why it crashes often, and using IKWYD without knowing how DHT and IPv4 addressing works is just causing paranoia through ignorance.
Alright, I didn't know ISPs use other types of NAT for the "few to many" mapping of public IPs to customers - all I've seen in my limited experience were plain old static public IPs, dynamic public IPs assigned on each connection, and what I assume to be a CGNAT (the router was assigned an IP in the 100.64.0.0/10 range from the ISP). So that's good to know, thanks.
I don't understand how everyone thinks it's reasonable to assume that A. your whole network has been compromised or B. that it would benefit the attacker in any way to use your connection to download movies. They use a crap modem, that's why it crashes often, and using IKWYD without knowing how DHT and IPv4 addressing works is just causing paranoia through ignorance.