I had an interesting security incident on my home network today which will appeal to readers interested in security.
This morning I noticed that my DSL connection was running very slow. (It’s provided by Megapath and they’re normally very good.) A bit of sleuthing on my home server revealed that somebody was downloading all of the web pages. Some kind of robot called “Web Copy,” it seemed. This is the third time it’s happened this month, so I threw up a rule on the firewall to block their IP address, then I wrote a small program to prevent this from happening again. (Briefly, the program monitors a particular page on my web server — a page that nobody should ever access — and if the page is accessed, the web server automatically adds a rule to the firewall to block all access from that IP address. Simple and effective.)
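The trap-page idea described above is easy to reproduce from an ordinary access log. The following Python script is an added example, not the author's program: it assumes Apache/nginx "combined" log lines, a hypothetical trap path `/private/do-not-crawl.html` that is linked from nowhere on the site, and a Linux `iptables` firewall. Two details worth copying are the allowlist (so a hit from your own LAN can never lock you out) and the dry-run default (commands are returned, not executed, until you ask). The log lines at the bottom are constructed for the demonstration.

```python
"""Trap-page blocker: any client that fetches a page nobody should ever
request gets a firewall DROP rule.  Added example, not the page's own code."""
import ipaddress
import re
import subprocess
from typing import Iterable, List, Optional, Set

# Hypothetical trap URL: never linked, so only crawlers that mirror the
# whole tree (or people probing the site) ever ask for it.
TRAP_PATH = "/private/do-not-crawl.html"

# Never block the LAN or loopback, whatever shows up in the log.
ALLOWLIST = [ipaddress.ip_network("192.168.1.0/24"),
             ipaddress.ip_network("127.0.0.0/8")]

# Combined log format:
# client ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_log_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop any query string so "/trap.html?x=1" still counts as the trap page.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_allowlisted(ip_text: str) -> bool:
    """True for LAN/loopback clients and for anything that is not a valid address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # never feed an unparsable client field to the firewall
    return any(ip in net for net in ALLOWLIST)


def find_trap_hits(lines: Iterable[str], trap_path: str = TRAP_PATH) -> Set[str]:
    """Collect the external client addresses that requested the trap page."""
    hits: Set[str] = set()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["path"] != trap_path:
            continue
        if is_allowlisted(rec["ip"]):
            continue
        hits.add(rec["ip"])
    return hits


def block_command(ip: str) -> List[str]:
    """Firewall rule for one address (iptables is assumed; the post does not say)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def apply_blocks(ips: Iterable[str], already_blocked: Set[str],
                 execute: bool = False) -> List[List[str]]:
    """Build (and optionally run) one rule per new address; idempotent across calls."""
    cmds: List[List[str]] = []
    for ip in sorted(ips):
        if ip in already_blocked:
            continue
        cmd = block_command(ip)
        if execute:
            subprocess.run(cmd, check=True)
        already_blocked.add(ip)
        cmds.append(cmd)
    return cmds


# Constructed sample log: a site-mirroring robot, a LAN visitor, a probe with a
# query string, and a junk line that must be ignored.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2003:02:15:01 -0700] "GET /index.html HTTP/1.0" 200 5120 "-" "WebCopy/1.0"',
    '203.0.113.7 - - [10/Sep/2003:02:15:02 -0700] "GET /private/do-not-crawl.html HTTP/1.0" 200 312 "-" "WebCopy/1.0"',
    '192.168.1.5 - - [10/Sep/2003:08:00:00 -0700] "GET /private/do-not-crawl.html HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Sep/2003:09:30:44 -0700] "GET /private/do-not-crawl.html?x=1 HTTP/1.1" 200 312 "-" "curl/7.0"',
    'this is not a log line',
]

if __name__ == "__main__":
    blocked: Set[str] = set()
    for cmd in apply_blocks(find_trap_hits(SAMPLE_LOG), blocked):
        print(" ".join(cmd))  # dry run: prints the rules instead of running them
```

In production you would feed the script a live tail of the access log and call `apply_blocks(..., execute=True)` as root; keeping `already_blocked` persistent (or reading the existing rules back from the firewall) stops the same address being inserted on every pass.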
Strangely though, the network didn’t get any better. A bit more checking revealed that some computer on my internal network was scanning the Internet, looking for vulnerable computers, and then trying to break into them. Sounded like an unpatched Windows computer that was infected with one of those worms, but I don’t have any unpatched Windows machines. I scanned my internal network and discovered that a computer at the internal IP address of 192.168.1.220 was to blame. Now things were getting interesting.
Sitting down at my network patch panel, I started unplugging cables one by one, trying to figure out where 192.168.1.220 was coming from. Turns out it was coming from the Apple AirPort in my kitchen. One of my neighbors was using it!
(Normally this sort of thing would be hard to find out, because most people run their wireless access points as routers. This effectively hides all of the computers in the wireless cloud behind a single IP address that’s used by the wireless router itself. For just that reason, I run my wireless access points as bridges. This makes it easy for me to see all of the computers that are connected to them.)
Around this time I got an email from Megapath saying that a computer on my network was infected with the Nachi computer worm. I’m not quite sure how they found out — they claim that somebody complained about me. From the looks of my MRTG traffic tab (see below), it seemed that the computer must have been infected at around 2:15am. Anyway, Megapath told me that they would disconnect me unless I dealt with this immediately. Cost for reconnection: $100.
I did some port scans against the computer at 192.168.1.220 and discovered that it was running that Kazaa file trading program. Kazaa will helpfully give you the person’s registered Kazaa username, and the name looked suspicious — that is, it looked like the name of my neighbor’s grade school son.
Now everything was beginning to fall into place. I like to keep my wireless network open, so that people visiting me can use their handheld devices without having to ask me for the password. As it turns out, my generosity was turned against me: the neighbor’s son had been using my network connection for file trading (possibly because his father monitors their DSL connection?). In the process, he had gotten infected with a worm, eaten up my outbound bandwidth, and nearly cost me my DSL service!
I did what I had to do: I reconfigured my wireless access points to use encryption. It’s not the strongest encryption, but it should be good enough to keep the grade school kids at bay. Then I called up my neighbor and left a message on their answering machine.
All in all, an interesting story. But tracking down this guy was hard. Most people couldn’t do it. I’m increasingly concerned about the impact of open wireless connections in the hands of non-technical users.