Network security and reliability

Volume 11, Issue 59; 27 Aug 2008; last modified 08 Oct 2010

Getting a reliable internet connection can lead to some odd discoveries.

For several days, our internet service in the house has been extremely unreliable. The net goes down and stays down for several hours. The primary symptom is that most (but not all) network traffic times out. Click on a web page, and it times out. Hit reload a whole bunch of times and eventually it succeeds. Oddly, if you manage to get to one of the speed test sites, it reports reasonable speeds (down at least, not up).

I've replaced the router and the cable modem, mostly out of desperation. It's been an intermittent problem so it's hard to debug and talking to residential customer service at the cable company basically dead-ends at “you're running a network, it must be your problem”. And despite the fact that it happens simultaneously on four machines: a Mac, a Linux box, a Windows XP box, and a Windows Vista box, tech support wants to look for a virus.

(Yes, switching to business service is in the works.)

Today, a significant pattern became apparent: the network runs fine until just about 12:15pm, then fails. Deb, over my protestations that it couldn't be, was convinced that it was one of our neighbors hacking into the wireless.

I was (foolish husband) reluctant to consider this a realistic possibility, but being in a seriously desperate frame of mind, I changed the SSID and the (128 bit) WEP key.

And the problem seemed to go away. Time will tell if this is coincidence or solution. (Ironically, if that was the problem, then the customer service droids at the cable company were right, it was a problem on my network.)

So now the wireless network has a new SSID which it does not advertise, a new key, and forbids all MAC addresses except the four wireless devices in the house.

Does this story sound familiar to anyone?

Comments

Any reason why you're still using WEP instead of WPA(2)?

It's busted, utterly and completely, time to move on.

—Posted by David Magda on 27 Aug 2008 @ 10:56 UTC #

Don't use WEP and MAC addresses. They are easily hackable. Use WPA.

I used to have a problem that seemed to be related to Ubuntu bringing down the network. It seemed to go away with Hardy Heron, though.

—Posted by Rob Koberg on 27 Aug 2008 @ 11:23 UTC #

Norm, I've been having this exact problem over the last few days with our home internet service (Comcast) in Seattle. Done quite a bit of troubleshooting but I haven't tried further locking down of the wireless network... my brief glimpses at it didn't show a lot of traffic other than my own.

—Posted by Shawn Medero on 27 Aug 2008 @ 11:35 UTC #

Yes. I eventually just went with an Open Source firmware for the wireless router and have limited connections to specific MAC addresses.

—Posted by Forest on 28 Aug 2008 @ 12:41 UTC #

If you were in an experimental mood you could have put back the old SSID and then run a packet sniffer to see who it is or what they're doing.

Then there's always all the fun and games with putting a transparent web proxy inline and flipping all their images upside down or other such.

—Posted by Adrian on 28 Aug 2008 @ 12:50 UTC #

Not a lot of security in WEP if you have a determined attacker (it keeps out the neighbors, of course).

I'd suggest putting some sort of bandwidth monitoring on if it starts happening again.

—Posted by dbt on 28 Aug 2008 @ 02:26 UTC #
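
The bandwidth monitoring suggested in the comments, sketched as an added example (not code from the post or from any commenter): it sums bytes per MAC address over five-minute windows and lists addresses outside the household allow-list. The log format, the MAC addresses, the threshold and the function names are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed allow-list standing in for the four wireless devices in the house.
KNOWN_MACS = {
    "02:00:00:00:00:01": "mac",
    "02:00:00:00:00:02": "linux",
    "02:00:00:00:00:03": "xp",
    "02:00:00:00:00:04": "vista",
}

# Constructed sample records in a hypothetical export format:
# "<ISO timestamp> <source MAC> <bytes>"
SAMPLE_LOG = """\
2008-08-27T12:05:10 02:00:00:00:00:01 48000
2008-08-27T12:07:42 02:00:00:00:00:02 120000
2008-08-27T12:14:03 02:00:00:00:00:01 52000
2008-08-27T12:15:20 02:00:00:00:00:63 9500000
2008-08-27T12:16:05 02:00:00:00:00:01 30000
2008-08-27T12:17:48 02:00:00:00:00:63 8700000
2008-08-27T12:21:15 02:00:00:00:00:63 9100000
2008-08-27T12:22:30 02:00:00:00:00:03 64000
"""

def parse(log):
    """Yield (timestamp, mac, byte_count) from each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, mac, nbytes = line.split()
            yield datetime.fromisoformat(ts), mac.lower(), int(nbytes)

def usage_by_window(records, minutes=5):
    """Sum bytes per (window start, MAC)."""
    totals = defaultdict(int)
    for ts, mac, nbytes in records:
        start = ts.replace(minute=ts.minute - ts.minute % minutes,
                           second=0, microsecond=0)
        totals[(start, mac)] += nbytes
    return totals

def report(log, known=KNOWN_MACS, heavy_bytes=5_000_000):
    """Return (MACs not on the allow-list, windows at or above heavy_bytes)."""
    totals = usage_by_window(parse(log))
    unknown = sorted({mac for _, mac in totals if mac not in known})
    # Heavy windows are listed for every MAC, known or not: an allow-listed
    # address can be spoofed, so a spike from a "known" device matters too.
    heavy = sorted((start.isoformat(), mac, n)
                   for (start, mac), n in totals.items() if n >= heavy_bytes)
    return unknown, heavy
```
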

My use of WEP goes back to the days when either my Linux box didn't support, or I didn't understand how to install, WPA. I suppose now that wouldn't be a problem.

I don't recall seeing any odd traffic or anything, but I didn't try very hard. The problem interferes with Deb's business so I really can't afford to let it keep happening.

—Posted by Norman Walsh on 28 Aug 2008 @ 02:39 UTC #

Norm -

I had a similar problem at my last home. The solution I used was to do the basic lock down of the router with WEP and MAC address filtering, but I also switched to an IPCop firewall between my network and the cable modem. I put the wireless stuff on its own zone. I then monitored that, determined that a couple of neighbors were ... borrowing ... bandwidth. I blocked their MAC addresses and the problem went away. I also configured it to reject traffic from all except the IP addresses that my wireless systems use.

A bit of work, but the nice part is that I keep the intrusion detection running, so I can watch stuff bouncing off the firewall. I also have the option of setting up QOS and/or OpenVPN, which I've been considering. I occasionally see attempted connections, but they don't stick around.

The other bonus is I have a lot of control over traffic on the network, much to my teenager's frustration some days. :)

As I said, a bit of work, but it's been well worth it.

—Posted by Derek Dees on 28 Aug 2008 @ 12:24 UTC #

Please use WPA on your wireless router. Hiding the SSID and MAC filtering are essentially placebos as both can be sniffed and MACs can be spoofed.

There are HowTo articles posted on SmallNetBuilder that show how easy it is to break WEP - supposedly it can be done in as little as 5 minutes.

That said, the pathology of your problem (if it is related to a neighbor vampiring your network connection) does not necessarily indicate a dedicated hacker. BUT, if someone is hacking into your network and you are using Windows computers without software firewalls, they might also gain access to your computers as well. Possibly Macs as well.

Just my 2 cents

—Posted by john on 13 Sep 2008 @ 03:28 UTC #

Hm... I have a similar problem with intermittent slow-downs, and similar experience with the ISP's customer support. I hadn't thought about wireless hacking, since I don't use the wireless much. Most of the time just to bridge my daughter's machine to the house LAN and out to the internet. And that machine is turned off most of the time.

What counts against this is that I use ntop on the machine I have bridging the home LAN and the internet, and I don't see any strange traffic there during slowdowns.

But I guess I'll try turning off the AP the next time this happens and see what happens.

(I'm using WEP as well, because the APs I'm using don't support doing bridging with WPA, but if switching off the AP during a slow-down works, I guess I have to consider throwing them away and use APs that can bridge with WPA encryption. I already lock the MAC addresses, but that's easy to fake.)

—Posted by Steinar Bang on 16 Sep 2008 @ 10:29 UTC #

The evidence for wifi hacking is entirely circumstantial, and I still think it's unlikely. There are only four possible neighbors within reach and I find it hard to imagine any of them as malicious. But the problem did stop when I turned off the wifi. It could be entirely coincidental, but that seems awfully unlikely as well.

If I had more networking experience and more time, I'd put back the old setup and look for the culprits. Unfortunately, interrupting Deb's internet traffic brings her business to a grinding halt, so that's not really an option.

In the meantime, I've switched to WPA2 encryption and Charter Business internet service. The same service for twice the price except: (1) the tech support is excellent: clueful technicians interested in the problem and equipped with the tools necessary to attack it and (2) Charter now manages the router, so the bits become their problem before they even leave the house.

(This has the added advantage that Charter can help Deb when I'm on the road.)

—Posted by Norman Walsh on 16 Sep 2008 @ 01:19 UTC #

We use a VPN server on Linux, and we don't have any worries till now. I recommend it, works great. It became useful first to distinguish among different kinds of IP VPN based on the administrative relationships, not the technology, interconnecting the nodes. Once the relationships were defined, different technologies could be used, depending on requirements such as security and quality of service.

—Posted by Hessus Hill on 04 Mar 2009 @ 02:41 UTC #