Security question: possible malicious traffic?

Hello guys, I have this problem: I'm sharing internet with a neighbor. The problem is, out of curiosity I was watching the traffic on my router and found a big data flow. When I analyzed the traffic more deeply I saw there is a ton of ports open coming from the client PC of my friend, like 40 ports from his PC pointing to port 53 of various random IPs. What intrigued me is the fact that it is pointing even at the local IP 192.168.1.1 as :53, which is weird because it looks like he is trying to scan ports or do DNS poisoning / rebinding. Can someone more tech-savvy tell me what I'm seeing here? Could this be some kind of attack? Why so many ports pointing to DNS? Even nonexistent DNS ports? The weirdest thing is, when I see that router's activity lights blinking, my other router connected to the same LAN starts to blink like crazy (the TX transmit data light, as if it were pulling data from my phone or PC, and both lights blink in sync; yes, I set custom blinking lights to blink only when upload/TX on WAN or LAN is happening).



The install is the latest release and a fresh install. I had to redact the IPs for security purposes.

Thanks.

If 192.168.1.1 is your router, then he's talking to the DNS server on the router; that's pretty normal.

Every query is a new connection.

If you own the connection, put your neighbor on a separate subnet and disallow all access to your own LAN subnet; he doesn't need it.

But why 41 connections pointing to DNS? Isn't that DNS poisoning, DNS rebinding, or something like that?

Is there a tutorial somewhere you could recommend to me?

All my routers are on 23.05.5.

Why not?
You masked the interesting part: were they all coming from the same IP/MAC?

Do you have data pointing towards it?

Run a tcpdump on one of your own devices and see how many queries they produce...

Basically you want a guest or IoT LAN/WLAN.

Yes, from his PC.

Interesting, I will try it, thanks.

Is there any way you can share a tcpdump file with the traffic capture?

How do I run a tcpdump on one of my routers?

tcpdump -nn -i br-lan src host 192.168.x.x and port 53 and udp


So I telnet to the router and in SSH inside do tcpdump -nn -i br-lan src host 192.168.x.x and port 53 and udp?

SSH, then use the correct IP, yes.

Thank you, will try.

There are two sides of this.

You, as the owner of the internet connection, will be responsible for the data usage to your address; this includes the neighbor's data flow.

Running 40 or more, normally a couple of hundred, DNS lookups isn't really the problem (especially if the neighbor has one or more Windows computers). The problem, or the most interesting part, is the DNS answer the lookup returns.
And then the question arises whether you really want to know what your neighbor actually looks at and does on the internet.

And if your neighbor has his own router on your shared line with masq, you will only see one MAC and IP address.


It's not uncommon nowadays for a single webpage to download resources (stylesheets, scripts, images, ...) from a dozen different domains. And each request to a different domain requires a DNS request. A couple of those webpages, two devices browsing the internet, and 50 DNS requests are "normal".

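The tcpdump command given earlier in the thread prints one line per query, and the replies above explain what a normal pattern looks like (a fresh source port per lookup, dozens of lookups per page load). As an added example, not posted in the thread and not an OpenWrt tool, the following Python script parses a constructed sample of such tcpdump -nn output and reports, per source host, how many queries were sent, how many distinct source ports were used, and which :53 destinations were contacted. The sample lines, addresses, domain names and the thresholds in assess() are assumptions made for the example; the `router_ip` argument stands for whatever 192.168.1.1 is on your network.

```python
import re
from collections import defaultdict

# Constructed sample of what `tcpdump -nn -i br-lan src host 192.168.1.50 and port 53 and udp`
# prints for one device loading a page that fans out to several domains. Addresses, ports and
# names are invented for this example, not taken from the thread.
SAMPLE = """\
12:00:01.000100 IP 192.168.1.50.51234 > 192.168.1.1.53: 1001+ A? example.com. (29)
12:00:01.000300 IP 192.168.1.50.51235 > 192.168.1.1.53: 1002+ AAAA? example.com. (29)
12:00:01.020000 IP 192.168.1.50.51236 > 192.168.1.1.53: 1003+ A? cdn.example.net. (33)
12:00:01.021000 IP 192.168.1.50.51237 > 192.168.1.1.53: 1004+ A? static.example.org. (36)
12:00:01.022000 IP 192.168.1.50.51238 > 192.168.1.1.53: 1005+ A? fonts.example.org. (35)
12:00:01.500000 IP 192.168.1.50.51239 > 8.8.8.8.53: 1006+ A? telemetry.example.com. (39)
12:00:02.000000 IP 192.168.1.50.51240 > 192.168.1.1.53: 1007+ A? ads.example.net. (33)
12:00:02.100000 IP 192.168.1.50.51241 > 192.168.1.1.53: 1008+ A? api.example.com. (33)
"""

# Matches the common "src.port > dst.port: id+ TYPE? name. (len)" shape of a UDP query line.
# Lines with other flag layouts (e.g. EDNS markers) are simply skipped by parse_queries().
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): \d+\+? (?P<qtype>\w+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse_queries(text):
    """Return one dict per recognised DNS query line; unrecognised lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def summarize(records):
    """Per source host: query count, distinct source ports, :53 targets and names looked up."""
    per_src = defaultdict(lambda: {"queries": 0, "sports": set(), "resolvers": set(), "qnames": set()})
    for r in records:
        if r["dport"] != 53:
            continue
        s = per_src[r["src"]]
        s["queries"] += 1
        s["sports"].add(r["sport"])
        s["resolvers"].add(r["dst"])
        s["qnames"].add(r["qname"])
    return dict(per_src)


def assess(summary, router_ip, max_resolvers=3):
    """Turn the counts into plain-language findings. The 0.9 ratio and max_resolvers are
    assumed thresholds for this example, not values from the thread or from any tool."""
    findings = {}
    for src, s in summary.items():
        notes = []
        # Each lookup is sent from a fresh ephemeral port, so "ports ~= queries" is the
        # expected picture for ordinary browsing, not a port scan.
        if len(s["sports"]) >= 0.9 * s["queries"]:
            notes.append(f"{len(s['sports'])} source ports for {s['queries']} queries: "
                         "one socket per lookup, expected")
        others = sorted(s["resolvers"] - {router_ip})
        if not others:
            notes.append(f"all queries go to the router resolver {router_ip}: normal")
        else:
            notes.append("also queries resolvers outside the router: " + ", ".join(others)
                         + " (bypasses your DNS, not an attack by itself)")
        # Many different :53 destinations would be the thing worth a closer look.
        if len(s["resolvers"]) > max_resolvers:
            notes.append(f"{len(s['resolvers'])} distinct :53 targets; "
                         "check whether each one is a real resolver")
        findings[src] = notes
    return findings


if __name__ == "__main__":
    for src, notes in assess(summarize(parse_queries(SAMPLE)), "192.168.1.1").items():
        print(src)
        for n in notes:
            print("  -", n)
```

To use it on real data, save the tcpdump output to a file (tcpdump -nn ... > dns.txt on the router, then copy it off) and feed the file's contents to parse_queries() instead of SAMPLE.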

Please post the output of

ubus call system board

from your system. We need some space to get tools for processing text outputs.

Set up a DNS query log. UDP states linger for a long time after the connection's work is over, because there is no strict "disconnect now" semantic in the protocol.


But my question is: why so many ports pointing to 53 for just 1 computer? Is that not a symptom of a DNS attack?

He is using a repeater connected to my router, and my worry is he is possibly trying to DNS-attack me or steal my passwords.

Grow up. Your ISP survived decades answering 1 DNS query per second, or more accurately, magnitudes more.


Impressive. I'm a cybersecurity enthusiast and I just want to understand everything better, while phasing out thieves.

What worries you, the ports, or the amount of queries?

If he's using a repeater, are you seeing more IPs than the repeater's ?

You can always tell them to use some public DNS, if it worries you.

That will not reduce conntrack entries with 2 packets stealing OP's wifi passwords.

No need to steal it, they've already got it in the repeater...