I finally convinced myself of building an opnsense wifi router after years of procrastination. I want to take back control of my network, or at least monitor it properly.
What are the most interesting network analysis tools I should look into? I'm talking more about high-level visualisations. For example, I'd be interested in keeping a list of every device that's ever connected to my network, and maybe get alerts upon detecting it. Or map requests/connections in real-time/historically on a globe in HTML5. Just some fun stuff to actually get a sense of what's going on in my network.
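One way to get the "every device that has ever connected" list the question asks for is to read the router's DHCP lease file on a schedule and diff it against a persistent inventory. The script below is an added example written for this thread, not code from any of the commenters or from OPNsense/OpenWRT; it assumes the dnsmasq lease format used by OpenWRT (`/tmp/dhcp.leases`, one lease per line as `<expiry> <mac> <ip> <hostname> <client-id>`), and the lease text, inventory path and MAC addresses are constructed for illustration. It also flags locally administered (randomised) MACs, because modern phones rotate those per network and would otherwise keep showing up as "new" devices.

```python
"""Maintain an inventory of every MAC seen in a dnsmasq DHCP lease file and
report leases not seen before (added example; assumes dnsmasq/OpenWRT format)."""
import json
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path


@dataclass(frozen=True)
class Lease:
    mac: str        # normalised to lower-case so "AA:BB" and "aa:bb" match
    ip: str
    hostname: str   # dnsmasq writes "*" when the client sent no hostname


# Constructed sample in dnsmasq lease format (not real devices).
SAMPLE_LEASES = """\
1720000000 3c:22:fb:aa:bb:01 192.168.1.10 laptop 01:3c:22:fb:aa:bb:01
1720000100 3C:22:FB:AA:BB:02 192.168.1.11 printer *
1720000200 da:a1:19:00:00:03 192.168.1.12 iPhone *
this line is malformed
"""


def parse_leases(text: str) -> list[Lease]:
    """Parse '<expiry> <mac> <ip> <hostname> <client-id>' lines, skipping junk."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        # A malformed or blank line should be ignored, not crash the monitor.
        if len(parts) < 4 or parts[1].count(":") != 5:
            continue
        _expiry, mac, ip, hostname = parts[:4]
        leases.append(Lease(mac.lower(), ip, hostname))
    return leases


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02) of the first octet is set, i.e. the MAC is
    locally administered; phones use such randomised 'private' addresses."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def reconcile(leases: list[Lease], inventory: dict, now: str) -> list[Lease]:
    """Update inventory (mac -> record) in place; return leases never seen before."""
    new = []
    for lease in leases:
        rec = inventory.get(lease.mac)
        if rec is None:
            inventory[lease.mac] = {
                "first_seen": now, "last_seen": now, "ip": lease.ip,
                "hostname": lease.hostname,
                "randomised": is_locally_administered(lease.mac),
            }
            new.append(lease)
        else:
            rec["last_seen"] = now
            rec["ip"] = lease.ip
            if lease.hostname != "*":   # keep a real name over a missing one
                rec["hostname"] = lease.hostname
    return new


def alert_lines(new_leases: list[Lease]) -> list[str]:
    """Human-readable alert text; the caller can mail, log or push it."""
    lines = []
    for lease in new_leases:
        tag = " (randomised MAC, may be a known phone)" if is_locally_administered(lease.mac) else ""
        lines.append(f"NEW DEVICE {lease.mac} {lease.ip} {lease.hostname}{tag}")
    return lines


def load_inventory(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_inventory(path: Path, inventory: dict) -> None:
    path.write_text(json.dumps(inventory, indent=2, sort_keys=True))


if __name__ == "__main__":
    # Usage: python3 leasewatch.py [/tmp/dhcp.leases]; run it from cron on the router.
    lease_file = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/tmp/dhcp.leases")
    inventory_path = Path("known_devices.json")   # assumed location, adjust as needed
    inventory = load_inventory(inventory_path)
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    for line in alert_lines(reconcile(parse_leases(lease_file.read_text()), inventory, now)):
        print(line)
    save_inventory(inventory_path, inventory)
```

The inventory keeps first- and last-seen timestamps, so the same file doubles as a history of which addresses were active when. Static leases and devices with randomised MACs still need a human to label them once; the `randomised` flag just tells you which alerts are likely noise rather than a stranger on the Wi-Fi.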
I have used ntopng w/nprobe as a collector of netflow data in both work environments and at home. If you have any educational affiliation there's a good chance you can get a pro and Enterprise license for free for both products that renews annually. The community edition is somewhat limited in what it can do but is worth taking a look at.
mitmproxy is what you need. I've installed it on a Raspberry Pi that then acts as a hotspot. mitmproxy allows me to see every bit of data that is being put on the wire. All telemetry, pings, contacts, and more being transmitted home (respective of encryption). A transparent proxy is essential if you want to deep dive into what the apps on your network are actually doing.
Do you happen to know what added latency one can expect from using one of those? (Apologies if my brief googling was off-point and this is a well answered question)
carpie.net has a great set of videos on using a Raspberry Pi as your own home network DHCP/DNS. I set it up relatively quickly and I definitely have a greater sense of control over my home network.
So for people like myself who don't know much about this stuff, I was wondering what we can learn to figure out if the routers we are using are compromised in any way. On a similar tangent, is there any way we can detect any editing being done by an ISP? Like how and where they might be inserting headers into our traffic for example.
I guess the preferred way to discover if your router is compromised would be by network analysis... And you would need to plug it into some other computer for that, which just shifts the problem to the other computer.
I guess you can gain some confidence that it isn't compromised, but can never be sure.
About edits being done by the ISP, once you fix on a not all-powerful adversary (not the NSA), it's easy to get some machine it couldn't have tainted.
For non-technical people, or people who just don't know much about this kind of thing, I would suggest just reviewing what the latest firmware version is, and updating if there are new versions. Also, review release history, if available. If your router is getting less than 2 or 3 updates a year, assume there are unfixed bugs or security issues.
For this specific issue? It only affects Mikrotik routers, and the vulnerability has been patched. So if you aren't using Mikrotik, or if you are and have the latest firmware, you're good.
>For non-technical people, or people who just don't know much about this kind of thing, I would suggest just reviewing what the latest firmware version is, and updating if there are new versions.
I think you vastly overestimate how much technical knowledge non-technical people have. A huge swath of non-technical people that use computers won't even know which component the router is, let alone know how to log into the UI and check the firmware.
I'm surprised that neither here, nor in the article 2 days ago, I can find a list of affected routers. Or even a tip on how should I check if my Mikrotik is affected / has been pwnd by either of those attacks.
In a hopefully unrelated story, my Mikrotik and/or my ISP has been acting up in the past hour; I've lost the ability to resolve many .com domains for ~30 minutes, even though I have Google's NS set up as the first two on the router. Manual queries (Mikrotik: resolve somedomain.com server 8.8.8.8 / Local: nslookup - 8.8.8.8) resolved correctly; it's just the defaults that couldn't. Sad to admit this, but I have no clue what's going on -.-
Past edit window, but update on the DNS issue: it seems to have been a coincidence after all.
Apparently, the ISP's NS stopped resolving a lot of .com domains, and it must have poisoned my router's cache. After disabling DNS peering (to avoid the ISP's NS injecting itself) and flushing the cache, the problem seems to be resolved.
After the last one of these articles, I finally flashed my router with OpenWRT, and it's been pretty nice so far. Best feature: Installed `adblock` package, and now I get DNS-level ad blocking, which is simply fantastic. Works on all clients (including mobile) and significantly faster than blocking in browser.
A nice alternative which allows you to keep using your router's own software or routers not compatible with open source software is PI-HOLE (https://pi-hole.net). Provides the same DNS level blocking with a lot more information and features.
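DNS-level blocking of the kind the `adblock` package and Pi-hole provide comes down to turning a hosts-format blocklist into resolver configuration, so the resolver answers for those names itself instead of forwarding them. The script below is an added example for this thread, not code from either project; it emits the classic dnsmasq `address=/domain/0.0.0.0` form, and the blocklist text, allowlist and domain names are constructed for illustration. Two details matter for a list you download from the internet: every entry is validated as a hostname before it is written into a directive (a line containing `/` or other stray characters would otherwise corrupt the config), and entries already covered by a parent domain are pruned, since `address=/example.com/...` in dnsmasq matches subdomains as well.

```python
"""Convert a hosts-format blocklist into dnsmasq address= lines, validating each
name and dropping subdomains a parent entry already covers (added example)."""
import re

# Addresses that hosts-format blocklists use as a sink; anything else is not a block entry.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names that appear in hosts files but must never be blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample blocklist (domains are illustrative, not real trackers).
SAMPLE_HOSTS = """\
# constructed sample in /etc/hosts format
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 x.ads.example.com   # covered by the parent entry above
0.0.0.0 TRACKER.example.net
0.0.0.0 evil/injected.example  # invalid: would break the address= directive
0.0.0.0 metrics.example.org
"""


def parse_hosts(text: str):
    """Yield lower-cased hostnames from lines whose address is a block sink."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] not in SINK_ADDRESSES:
            continue
        for host in parts[1:]:               # a hosts line may list several names
            yield host.lower()


def valid_hostname(host: str) -> bool:
    """Strict check so only syntactically valid DNS names reach the config file."""
    if len(host) > 253:
        return False
    labels = host.split(".")
    if len(labels) < 2 or labels[-1].isdigit():   # no bare labels, no dotted IPs
        return False
    return all(LABEL.match(label) for label in labels)


def prune_covered(domains: set[str]) -> set[str]:
    """Drop names whose parent domain is already in the set (dnsmasq address=
    matches subdomains), keeping the output small and free of redundancy."""
    kept: set[str] = set()
    for domain in sorted(domains, key=lambda d: d.count(".")):   # parents first
        labels = domain.split(".")
        if any(".".join(labels[i:]) in kept for i in range(1, len(labels))):
            continue
        kept.add(domain)
    return kept


def build_dnsmasq_config(hosts_text: str, allowlist=frozenset()):
    """Return (config lines, rejected entries) for the given blocklist text."""
    domains: set[str] = set()
    rejected: list[str] = []
    for host in parse_hosts(hosts_text):
        if host in LOCAL_NAMES or host in allowlist:
            continue
        if not valid_hostname(host):
            rejected.append(host)   # surface bad entries instead of silently writing them
            continue
        domains.add(host)
    lines = [f"address=/{d}/0.0.0.0" for d in sorted(prune_covered(domains))]
    return lines, rejected


if __name__ == "__main__":
    # Writes a fragment for /etc/dnsmasq.d/ (assumed path; adjust for your router).
    config, bad = build_dnsmasq_config(SAMPLE_HOSTS, allowlist={"metrics.example.org"})
    print("\n".join(config))
    for entry in bad:
        print(f"# rejected invalid entry: {entry!r}")
```

Returning the rejected entries rather than discarding them lets a cron job log when an upstream list changes shape. The allowlist is the same escape hatch Pi-hole exposes in its UI: a domain you rely on that a list author happened to include.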
I've been thinking of getting a Pi-Hole for a while, but also have a router running OpenWRT. Are there any advantages/disadvantages to using a Pi-Hole vs. using an AdBlock package on the router?
Anyone here used Plume[0]? A friend of mine recently suggested it, and it sounds interesting but also... a bit scary. I suspect it has a centralized attack point (get into the Plume infrastructure, and you can probably automatically roll a virus out to all Plume routers in the world).
If you really need a mesh (you probably don't), there are other solutions. If you know at least a little about home networking and WiFi, just set up a Unifi system and be done with it.
Part of the improvement is the hardware. The latency improvement is awesome, for example. But part of it seems to legitimately be the optimization that their software is doing re: signal strength, which backhaul to use, auto updates, the level of customer support, and other stuff.
I don't know how it compares, but it seems it may be better than people were initially thinking.
I read their entire website and still have no idea what precisely Plume is or what they're selling.
"What makes Plume different from my traditional Wi-Fi router or extender?
Single router Wi-Fi systems can give you the speed you need as long as you’re close enough to the router. Wi-Fi extenders or repeaters can improve coverage, but are often complicated, unreliable, and degrade performance. Plume is a cloud coordinated Wi-Fi system that replaces your current router and gives you stable and consistent Wi-Fi coverage and speed in every room within your home using blazing fast tri-band SuperPods coupled with auto-channel hop technology."
If I understand this word salad correctly, it's a router which uses a cloud service to auto-configure itself.
Any recommendations?
https://www.ntop.org/products/traffic-analysis/ntop/
Basically you want a fast machine with a good switch, running something like OpenWRT. You may also want to play around with OPNsense [2] in a VM.
1: https://omnia.turris.cz/en/
2: https://opnsense.org/
Just curious where to start in this exercise.
Also significantly less effective.
It’s nice for devices/cases where you cannot have an adblocker in your browser. It is unnecessary otherwise.
- Nice for TVs and other devices where you can't control the apps
- Or even in phones or tablets, if you don't have root access, you can block lots of ads in browser or even in apps
- Also, you can reduce the quantity of CPU used by ad blockers on your devices (again, essentially, phones and tablets).
- Also nice for visitors in your network ;)
[0] https://www.plume.com/
The newer story @ Ars has some updated stats and thoughts: https://arstechnica.com/features/2018/06/exclusive-plumes-ne...
Mmm. Love some word salad with mesh dressing.
In the end, it's just hardware with some online configurator which will most likely render the whole system unusable if the online service shuts down.
Great for anyone that doesn't stop to think for a minute how dumb this idea is.