Log in

View Full Version : How do I tell if someone is leaching off my Wireless Router?


67stang
02-03-2003, 09:42 AM
Well tonight i noticed i had someones elses "shared docs" come up on my Network Places (on my desktop pc). I first thought.... hmm maybe my router sniffed out someones wifi.

I proceeded to download a bunch of mp3's from this person... but thats besides the point :D

Then I got to thinking... why would my desktop, which is hard wired to the Linksys router, sniff out a wifi... it wouldn't, it doesnt have a wireless card in it.

Ok, light bulb is starting to come on...

I turn on the Toshiba e740, go into Settings, to see if it lists two wifi connections... nope, just One...mine.

Okay, now it's coming together. I'm the dumb one! Someone has sniffed ME and is using my connection and has decided to network with my computer!!!

I have an idea who, as this is a small neighboorhood, and he gives a hint in how he names the shared directory.

But my question in all this is... one) I "think" i am safe because my shared drives require a password. I dont know for sure.

but more importantly... how do I prevent such leaches?

thanks in advance
(powering down the wireless router for the night!)

FredMurphy
02-03-2003, 11:20 AM
The way to protect your WiFi setup is:

1. Turn on WEP - not uncrackable if you're really determined but good enough for most cases.
2. Turn on MAC filtering. This only allows certain network cards to connect to your AP.

If it's a neighbour that you know this may be overkill. Why not mail him (or leave a note in his Shared Docs folder)? You could agree to share the cost of your broadband connection with him, etc.

Andy Whiteford
02-03-2003, 01:25 PM
Just turn on MAC filtering and you should be good, just remember to give yout PDA access.
You should be able to see how many connected clients you have to your router so you can tell when he is connected and your router may also list the MAC address, I'm not sure if they normally do this or not.
It's possible your neighbour doesn't even realise he is connected to you but then again, he may know full well!

DrtyBlvd
02-03-2003, 01:31 PM
...(or leave a note in his Shared Docs folder)? You could agree to share the cost of your broadband connection with him, etc.

What a lovely suggestion!

Two people can share a 1M line for the same price as having an individual 512k connection! Brilliant! Why didn't I think of that?

Oh Yes. Now I remember. My neighbour is 92. :cry: :lol: :wink:

Sooner Al
02-03-2003, 02:01 PM
...that detail guidelines for securing wired/wireless SOHO networks.

http://www.cert.org/tech_tips/home_networks.html
http://www.extremetech.com/article2/0,3973,34635,00.asp
http://www.microsoft.com/windowsxp/expertzone/columns/bowman/december03.asp

Personally, I use...

* WEP (the key is changed weekly)
* Changed the default SSID (the SSID is changed weekly)

Note for the first two I use this generator to generate random keys and SSID values...

http://www.warewolf.net/portfolio/programming/wepskg/wepskg.html

* Changed the default access point administrator password and now use a strong password
* Turn OFF the SSID broadcast
* Use MAC Address Authentication

Near future plans are to isolate my wireless network from my wired network using a LINUX firewall.

http://www.zelow.no/floppyfw/

Nothing is fail-safe, but it all helps to keep the barbarians outside the gates...

Saaby
02-03-2003, 02:39 PM
Possible that the neighbor thinks they're on their own wireless network?? :wink:

GoldKey
02-03-2003, 03:02 PM
Another suggestion, make your SSID something like Do Not Enter or Authorized Use Only or No Tresspassing. That should make it clear to anyone browsing that it is not a public access point and should not be used. Question, why change the SSID on a periodic basis? I understand changing the WEP key, but since on most home equipment you are broadcasting the SSID and can't shut that off, why bother changing it?

Steven Cedrone
02-03-2003, 03:14 PM
Question, why change the SSID on a periodic basis? I understand changing the WEP key, but since on most home equipment you are broadcasting the SSID and can't shut that off, why bother changing it?

Most equipment does come with the ability to turn off SSID broadcast. If your WAP doesn't, check your manufacturers website for updated versions of your firmware...

Steve

GoldKey
02-03-2003, 03:53 PM
Question, why change the SSID on a periodic basis? I understand changing the WEP key, but since on most home equipment you are broadcasting the SSID and can't shut that off, why bother changing it?

Most equipment does come with the ability to turn off SSID broadcast. If your WAP doesn't, check your manufacturers website for updated versions of your firmware...

Steve

I am using a SMC2404WBR - Barricade Turbo 11/22 Mbps Wireless Cable/DSL Broadband Router and it does not have this ability. If someone can correct me on this, I would be happy to hear it! It was my understanding that this setup was a little more high-end than the typical linksys or d-link consumer setups and that those did not have the ability to shut off the SSID broadcast either.

Steven Cedrone
02-03-2003, 04:05 PM
I am using a SMC2404WBR - Barricade Turbo 11/22 Mbps Wireless Cable/DSL Broadband Router and it does not have this ability. If someone can correct me on this, I would be happy to hear it! It was my understanding that this setup was a little more high-end than the typical linksys or d-link consumer setups and that those did not have the ability to shut off the SSID broadcast either.

I have a D-Link WAP and it does have the ability to turn off SSID broadcast...

I would email SMC support and see if they plan on adding this in a future firmware update...

Steve

GoldKey
02-03-2003, 04:14 PM
I have a D-Link WAP and it does have the ability to turn off SSID broadcast...

I sit corrected. :oops: Thanks for the info!



I would email SMC support and see if they plan on adding this in a future firmware update...


Already done, will post here when I get a reply.

Sooner Al
02-03-2003, 05:10 PM
...can have the SSID turned off if I use the ORiNOCO Access Point Manager versus the generic RG-1000 Administrative program. Plus I can do MAC Address Authentication which the generic program does not allow.

http://www.proxim.com/support/all/orinoco/software/dl2002_orinoco_ap_75.html

As I noted earlier, not one thing on my list of security practices is completly fail safe, but it all helps...

67stang
02-03-2003, 06:15 PM
The way to protect your WiFi setup is:

1. Turn on WEP - not uncrackable if you're really determined but good enough for most cases.
2. Turn on MAC filtering. This only allows certain network cards to connect to your AP.

If it's a neighbour that you know this may be overkill. Why not mail him (or leave a note in his Shared Docs folder)? You could agree to share the cost of your broadband connection with him, etc.


Thanks guys. Shortly after posting last night (er...early this am) I dug through the Linksys config utility and found the mac addy of the leech. I figured out how to filter his address, and also set the limit to IP addressses issued to three (my desktop, laptop, and PDA).

Actually the bastard even had his printers running of my network, so I sent a document to this printer saying "GOTCHA BIATCH!" (well, ok... i wished I would have, but I didn't think to do this until AFTER i set up the mac filter.) Perhaps all the better, since I like the suggestion about sharing the cost ($42/month)...


Anyway... I guess I'll find out tonight if my measures worked.

Pony99CA
02-03-2003, 06:38 PM
Thanks guys. Shortly after posting last night (er...early this am) I dug through the Linksys config utility and found the mac addy of the leech. I figured out how to filter his address, and also set the limit to IP addressses issued to three (my desktop, laptop, and PDA).

Are you sure he was connected via WiFi? If you have a cable modem attached to your router, my understanding is that you are basically part of a LAN, and any other cable modem user (maybe in a local area) can see your computer if you have sharing on.

Steve

67stang
02-03-2003, 06:48 PM
Thanks guys. Shortly after posting last night (er...early this am) I dug through the Linksys config utility and found the mac addy of the leech. I figured out how to filter his address, and also set the limit to IP addressses issued to three (my desktop, laptop, and PDA).

Are you sure he was connected via WiFi? If you have a cable modem attached to your router, my understanding is that you are basically part of a LAN, and any other cable modem user (maybe in a local area) can see your computer if you have sharing on.

Steve

well, i think the fact that the Linksys config utility was showing his mac addy and showing as assigned IP addy to it, that it confirms he was pulling from my wifi signal.

I'm not up on the lingo of how cable internet signal is split, but i know that about 50 people or so share a line, but it's all setup via mac addresses... i dont think there is a way to share amongst that down stream connection. That would be a huge security risk/liability for the ISP.

Pony99CA
02-03-2003, 09:28 PM
Thanks guys. Shortly after posting last night (er...early this am) I dug through the Linksys config utility and found the mac addy of the leech. I figured out how to filter his address, and also set the limit to IP addressses issued to three (my desktop, laptop, and PDA).

Are you sure he was connected via WiFi? If you have a cable modem attached to your router, my understanding is that you are basically part of a LAN, and any other cable modem user (maybe in a local area) can see your computer if you have sharing on.

well, i think the fact that the Linksys config utility was showing his mac addy and showing as assigned IP addy to it, that it confirms he was pulling from my wifi signal.

I don't know about that. My SMC router shows the MAC and IP addresses of my computers connected via DHCP, regardless of whether they are wired or wireless connections.


I'm not up on the lingo of how cable internet signal is split, but i know that about 50 people or so share a line, but it's all setup via mac addresses... i dont think there is a way to share amongst that down stream connection. That would be a huge security risk/liability for the ISP.
Yes, it is a huge security issue. My understanding is that other cable modem users will show up in your Network Neighborhood, which is not the case for DSL and dial-up.

If you're not running your own LAN, you should turn off file sharing for any connection to the Internet -- DSL and even dial-up users can end up sharing, too. However, it takes a more knowledgable hacker to find your machine if it doesn't just show up on their machine. :-)

Steve

Zanne
02-03-2003, 09:43 PM
[quote=67stang]My understanding is that other cable modem users will show up in your Network Neighborhood, which is not the case for DSL and dial-up.

This was only an issue with the earliest of cable modem networks. I remember opening Network Neighborhood in 1998 and seeing 40 other computers near my cable modem. I was able to read stuff from people's CD drives, print on their printers, etc. By 1999 all of the cable modems had been (automatically) flashROM updated and no longer acknowledged each others' existences - and no longer allowed each other to hog large portions of the bandwidth. As far as I can tell cable and DSL are effectively equal in terms of security and performance today.

67stang
02-03-2003, 10:45 PM
I don't know about that. My SMC router shows the MAC and IP addresses of my computers connected via DHCP, regardless of whether they are wired or wireless connections.

right, but it's only showing computers connected through that SMC router.
My linksys is on my desk, and I am 100% certain the only hardwired device to it is MY desktop, not me neighbors :lol:

The linksys also shows how each computer it is assigning an IP address to is accessing the router. My desktop shows up as ethernet I belive, but my laptop, pda, and my neighbors computer were all showing up as wireless.

As the previous person stated, i think the security issues of shared cable connections was resolved a while ago. Unless someone has extensive knowlege of the cable ISP network and nodes, i doubt theyre going to stumble across everyones files and directories.

GoldKey
02-04-2003, 02:12 PM
Got my reply from SMC. Unfortunately, none of their products currently support turning off the SSID broadcast.

Pony99CA
02-04-2003, 02:21 PM
I don't know about that. My SMC router shows the MAC and IP addresses of my computers connected via DHCP, regardless of whether they are wired or wireless connections.

right, but it's only showing computers connected through that SMC router.
My linksys is on my desk, and I am 100% certain the only hardwired device to it is MY desktop, not me neighbors :lol:

No, my SMC is showing my two wireless connections. It shows any connection established with DHCP (and maybe without DHCP).


The linksys also shows how each computer it is assigning an IP address to is accessing the router. My desktop shows up as ethernet I belive, but my laptop, pda, and my neighbors computer were all showing up as wireless.

Well, if the Linksys actually says that the connection is wireless, that's what I was asking. :-) I wish my SMC would tell how devices were connected, but, as I have only one wired connection, I think I can pretty much figure it out anyway. :-D


As the previous person stated, i think the security issues of shared cable connections was resolved a while ago. Unless someone has extensive knowlege of the cable ISP network and nodes, i doubt theyre going to stumble across everyones files and directories.
I'm glad to hear this problem may have been worked out. I knew it was a problem at one time, but hadn't heard that it was fixed.

Steve

Pony99CA
02-04-2003, 02:24 PM
Got my reply from SMC. Unfortunately, none of their products currently support turning off the SSID broadcast.
But did SMC give any indication if they would release a firmware update to allow turning SSID broadcasting off?

Steve

GoldKey
02-04-2003, 03:18 PM
They just said keep an eye on the site for the release of products with that feature. Hopefully, they don't leave those of us who already have their products out in the cold.

67stang
02-04-2003, 10:41 PM
I don't know about that. My SMC router shows the MAC and IP addresses of my computers connected via DHCP, regardless of whether they are wired or wireless connections.

right, but it's only showing computers connected through that SMC router.
My linksys is on my desk, and I am 100% certain the only hardwired device to it is MY desktop, not me neighbors :lol:

No, my SMC is showing my two wireless connections. It shows any connection established with DHCP (and maybe without DHCP).

Steve

Steve,
I am confused. How can your SMC possibly show connections that are not achieved via that specific router. i.e. if the router did not assign the IP, either ethernet or wireless, there is no way it can show any other connection!

My point was simply that IF, for example, my neighbor had spliced into the coaxial cable outside my house (i.e. before it reaches the modem and router) there is no way the router would show this.... just not logically possible.

Pony99CA
02-05-2003, 10:35 AM
I don't know about that. My SMC router shows the MAC and IP addresses of my computers connected via DHCP, regardless of whether they are wired or wireless connections.

right, but it's only showing computers connected through that SMC router.
My linksys is on my desk, and I am 100% certain the only hardwired device to it is MY desktop, not me neighbors :lol:

No, my SMC is showing my two wireless connections. It shows any connection established with DHCP (and maybe without DHCP).

I am confused. How can your SMC possibly show connections that are not achieved via that specific router. i.e. if the router did not assign the IP, either ethernet or wireless, there is no way it can show any other connection!

I'm no networking expert, but my understanding is that there are two ways to assign an IP address to a computer -- statically, configured in the computer itself; and dynamically (DHCP), assigned by the router when a device connects.

I don't know if static IP addresses need to be defined in the router, but, if they do, that is something the user (or IT staff) sets up; they are not assigned by the router.

As for how the router could tell what was happening, I think it could easily tell if the traffic was coming from the WiFi or ethernet ports (internal to your LAN) or the WLAN (external to the router) and display the internal ones in a connected device list.

Another way would be to examine the IP address of any traffic and determine if it is in the address space managed by the router.

As I said, I'm no networking expert, so the above are just guesses. Maybe somebody who knows what they're talking about can help. :-D


My point was simply that IF, for example, my neighbor had spliced into the coaxial cable outside my house (i.e. before it reaches the modem and router) there is no way the router would show this.... just not logically possible.

If someone spliced into your cable, they haven't connected with your router; they will appear as traffic on the WLAN, not the LAN.

I wonder if we're using "connected" in two different ways. I just went back and reread your initial post, and realize that's why I asked about the cable modem. If somebody had sniffed your WiFi and connected to your LAN, I'd think they would show up in your router administrator tool somewhere. I figured that if they aren't showing up there, either your Linksys router administrator doesn't work like the one in my SMC, or they're attaching to your LAN some other way (like that cable modem hole I mentioned).

Steve

Janak Parekh
02-05-2003, 07:09 PM
As I said, I'm no networking expert, so the above are just guesses. Maybe somebody who knows what they're talking about can help. :-D
So I'm supposed to be a networking expert, sort of. Let me see if this makes sense...

In a router box, DHCP (Dynamic Host Configuration Protocol) is just a convenience protocol for assigning IPs easily to "clients", and is completely separate from the NAT (Network Address Translation) functionality the box provides. In particular, most routers support dynamic NAT, which takes any incoming IP from a designated range (usually a private IP address range) and maps it to a outbound connection, through the DSL or cable modem connection, and tracks it so that return packets make it back through to the private host. If you have a computer that falls in that designated range (very often 192.168.0.x), irrespective of whether or not it was assigned an address via DHCP, the router box should act as a gateway. It's theoretically possible to build a box that sets up static NAT rules based on DHCP leases, but no SOHO box that I know of does this.

The administration interface of the router box should show two different things: DHCP leases and active NAT sessions. Unfortunately, some boxes are remiss in this regard and just list "clients", which might be one, the other, or a conglomeration of both.

By the way, some router boxes support predefined DHCP leases. This is a cross between statically-assigned addresses and dynamically-assigned addresses: it always gives the same IP to a client that matches the MAC address that is in its table.

Basically, Pony99CA is correct in his assumptions. Unless we're playing with really funky boxes here. :)

Oh, and does any of the above make sense? ;)

And more importantly, belatedly I think I realize that you guys are not arguing this point, so my post was sort of useless. All of this must be behind the router, e.g., machines plugged into the private (LAN) side of the box or connected to the wireless network. Any external connections wouldn't show up (unless, of course, they somehow broke in, which is very difficult with most default configurations on SOHO boxes).

--janak

67stang
02-05-2003, 07:10 PM
Steve,
Ya I think we are saying the same thing... by connected I meant any routing DHCP activity performed by the router... be it hardwired or wifi.
So long as your router is assigning the IP, it will show which IP is assigned and to what device.

My point, in response to your initial comments about cable modems being shared amongst many users on a node, was that your router would have no way of telling you that because the signal is being split and shared much further down stream... i.e. the IP is assigned to those people by a different router (owned by the ISP)

in the same way, if someone tapped into the cable signal outside my garage, no router upstream would show that.

Pony99CA
02-06-2003, 05:56 PM
My point, in response to your initial comments about cable modems being shared amongst many users on a node, was that your router would have no way of telling you that because the signal is being split and shared much further down stream... i.e. the IP is assigned to those people by a different router (owned by the ISP)

I agree with you. That's why I asked if it could be a cable modem issue. Here's the relevant information from your first post:


Well tonight i noticed i had someones elses "shared docs" come up on my Network Places (on my desktop pc). I first thought.... hmm maybe my router sniffed out someones wifi.

Then I got to thinking... why would my desktop, which is hard wired to the Linksys router, sniff out a wifi... it wouldn't, it doesnt have a wireless card in it.

Ok, light bulb is starting to come on...

I turn on the Toshiba e740, go into Settings, to see if it lists two wifi connections... nope, just One...mine.

Now, you said that your Toshiba only showed a single WiFi connection. I assumed it showed that because you looked at your router's list of attached devices (how else could you check what connections are there?).

If the router didn't show another connection, either your router doesn't support displaying WiFi connections or the connection was made some other way -- like by the cable modem security hole.

I believe that, if the connection was made via WiFi, your router would have assigned them an IP address on your LAN and that should have shown up as a connection. Somebody correct me if I'm wrong, please. :-D

Steve

Janak Parekh
02-06-2003, 07:22 PM
I believe that, if the connection was made via WiFi, your router would have assigned them an IP address on your LAN and that should have shown up as a connection. Somebody correct me if I'm wrong, please. :-D
Hmm, what if they didn't use a DHCP address and only used the NAT/local network resources provided by the router? That's bizarre, but much less bizarre than the idea of someone connecting to the machine through the cable network (unless your router is misconfigured...)

--janak (2000th post! :crazyeyes:)

67stang
02-06-2003, 07:30 PM
I turn on the Toshiba e740, go into Settings, to see if it lists two wifi connections... nope, just One...mine.

Now, you said that your Toshiba only showed a single WiFi connection. I assumed it showed that because you looked at your router's list of attached devices (how else could you check what connections are there?).

If the router didn't show another connection, either your router doesn't support displaying WiFi connections or the connection was made some other way -- like by the cable modem security hole.

I believe that, if the connection was made via WiFi, your router would have assigned them an IP address on your LAN and that should have shown up as a connection. Somebody correct me if I'm wrong, please. :-D

Steve


Okay Steve, it's getting impossible to track all these quotes now :lol:

I think I did not describe in proper terms what I meant by "checking for wifi connections on the PPC." Perhaps the correct way to state that is "i checked for available wifi networks, listed by SSID, on my PPC."

My point was that when I first noticed this other persons shared drives on my desktop PC, my first reaction was "am I sniffing out another wifi network in my neighborhood." Of course that would not make any sense, since my desktop is ethernet, no wifi card.. and secondly I would have to join that persons workgroup to even see his shared files... but mind you this was around 2am and I wasn't thinking properly.

So following that train of illogic, i opened my PPC settings to see if it listed two SSID's... i.e. to confirm my initial reaction that there must be another wifi network nearby.

Of course minutes later a Homer Simpson like "DOHHH!" echoed in my head... there is only one wifi network, MINE, and someone else had leached on to it.


As an update.... i stopped broadcasting the SSID, and also changed it and the password to my Linksys router confiugration. So far I dont think he is able to access.