Many years ago, shortly after I bought my present house, I had the very unpleasant experience of a break-in while I was out one evening. Ever since then I have never been quite comfortable about leaving the house.
So when I planned a trip abroad a couple of years ago I decided to install a couple of IP cameras, one indoors and one outside, so I could keep an eye on things while I was away. I have some very nice neighbours who are kind enough to take a look once in a while, but still being able to see it for myself is quite reassuring.
Then, after my family and I returned, I began to wonder if anybody else was able to see what the cameras were looking at, so I started looking for a way to monitor the traffic on my network 24/7. My desktop computer is only on while I use it, so I searched for some kind of small, silent network logger, which could also be used as a firewall if I found some traffic I did not like.
Such boxes exist but are very expensive, far beyond any normal home IT budget, but I found a DIY solution that fit the bill. I ordered a small, fanless PC from AliExpress. It has two LAN ports, 2GB RAM, a 16GB SSD, HDMI and a 4-core Pentium processor. It came with Windows 7 pre-installed, but I deleted that and installed IPFire instead. IPFire is a Linux system with all unnecessary things removed - but you can add a lot of features. It is very easy to install and I had it running and connected to my network quickly.
IPFire did not have a connection history function, but I managed to write a couple of Perl scripts to do it and added them to my IPFire installation. After a couple of days I began to see how much traffic there really is on my network, and that is quite a lot!!!
I even saw some traffic coming in through my first firewall, i.e. my ADSL modem and router, which I did not expect at all. They were connections apparently coming from home IP addresses all over the world, in Greece, Brazil, Ukraine etc. How did those connections manage to get through my outer firewall???
After becoming very paranoid and thinking that my ADSL modem had been severely compromised, I began to look more closely at what was going on. It turned out that all the connections were UDP connections trying to reach one specific port. It was a high port number they all tried to reach, so it was not a server service. After some searching on the internet for clues about this I finally pinpointed the culprit: Skype!
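The pattern described above (many unrelated source addresses all hitting one high UDP port on the WAN side) is easy to surface automatically from firewall log lines. This is an added example, not the author's Perl scripts: it parses lines in the netfilter LOG target's KEY=VALUE format that a Linux firewall such as IPFire writes to its kernel log, groups inbound packets by protocol and destination port, and flags high ports contacted by several distinct sources. The `red0` interface name, the `FWLOG` prefix and the log lines themselves are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG format (documentation-range addresses,
# not real hosts). "red0" is assumed to be the WAN interface, as on IPFire.
SAMPLE_LOG = """\
kernel: FWLOG IN=red0 OUT= SRC=203.0.113.10 DST=192.0.2.1 PROTO=UDP SPT=40123 DPT=52819 LEN=48
kernel: FWLOG IN=red0 OUT= SRC=198.51.100.22 DST=192.0.2.1 PROTO=UDP SPT=3478 DPT=52819 LEN=60
kernel: FWLOG IN=red0 OUT= SRC=203.0.113.77 DST=192.0.2.1 PROTO=UDP SPT=61000 DPT=52819 LEN=48
kernel: FWLOG IN=red0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=UDP SPT=1024 DPT=52819 LEN=48
kernel: FWLOG IN=red0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=443 LEN=60
kernel: FWLOG IN=red0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=51001 DPT=80 LEN=60
kernel: FWLOG IN=green0 OUT=red0 SRC=10.0.0.5 DST=203.0.113.99 PROTO=UDP SPT=55555 DPT=52819 LEN=48
kernel: FWLOG IN=red0 OUT= SRC=203.0.113.44 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0 LEN=84
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def summarize_inbound(lines, wan_if="red0"):
    """Map (protocol, destination port) -> set of distinct source IPs seen arriving on the WAN."""
    ports = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f is None or f.get("IN") != wan_if:
            continue  # not a firewall line, or traffic leaving rather than arriving
        dport = f.get("DPT")
        if dport is None:
            continue  # ICMP and friends carry no port
        ports[(f["PROTO"], int(dport))].add(f["SRC"])
    return ports


def flag_suspect_ports(ports, min_sources=3, ephemeral_start=1024):
    """High (non-service) ports contacted by at least min_sources distinct hosts:
    the signature of a P2P-style rendezvous rather than a deliberate server."""
    return sorted(((proto, port), len(srcs)) for (proto, port), srcs in ports.items()
                  if port >= ephemeral_start and len(srcs) >= min_sources)


if __name__ == "__main__":
    summary = summarize_inbound(SAMPLE_LOG.splitlines())
    for (proto, port), count in flag_suspect_ports(summary):
        print(f"{proto}/{port}: {count} distinct sources")
```

On a real box you would feed it the kernel log (for example `/var/log/messages`) instead of the constructed sample; the flagged port can then be looked up in the local application's settings, as the author did for Skype.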
In the Skype settings I found this port that they all tried to connect to, and some articles on the net suggested that it is part of Skype's P2P protocol, where some Skype clients can act as relays for other P2P connections. So without knowing about it your computer can be involved in Skype conversations that have nothing to do with you!
I then decided to make sure that Skype is never running unless I need it, which is rarely.
So how about all the other traffic on my network? Well, much of it has an innocent explanation. I found many connections going to addresses on a network called 1e100.net. That turns out to belong to Google. Fine, I use that a lot. Another place I apparently receive a lot of data from is akamaitechnologies.com. It turns out they run a lot of servers for online content like YouTube, so that makes sense too.
There are still a lot of much less obvious connections, many of which turn out to be related to all sorts of advertising and tracking sites. These I have now blocked in my firewall.
So, are you paranoid? If not, now is a good time to start! There are a lot of places on the internet listening to what you do on your computer, and also on other devices on your network - but more on that in a future blog.