When I go to iknowwhatyoudownload.com, a bunch of stuff shows up for my IP that’s definitely not being downloaded by anyone in my house (foreign language torrents). Aside from that my router (AT&T Arris BGW210) needs to be restarted about once a week, due to some kind of dhcp issue. The most recent event seemed bad - none of my devices had internet, they could all talk to each other, and my ONT activity light was flickering steadily. During this time I had no access to the router, even plugged in directly to LAN. Fixed by a restart but no idea what was going on.
The DHT torrent thing has been happening for months and the router thing could just be that AT&T sucks. I have no other evidence that something is wrong.
I could buy a firewall and put it downstream of the AT&T equipment.
I could switch internet providers, get a new IP address and router, and see if that fixes it.
Should I try to figure out what’s going on or just keep restarting the router once a week and ignore the DHT hits from my static IP?
Looks like a bit of a learning curve. Depending on where it sits in the network topology I may or may not be able to see the traffic? For instance if the router is compromised, running arbitrary code like a proxy server, it may be completely isolated from my LAN, right?
Yeah, there are a few ways to check for sure. The most effective is to take a device with 2 Ethernet NICs, plug it in between your modem and router, bridge the interfaces, and sniff the bridge. You can also look into ARP poisoning yourself to check whether the modem is compromised, but the likelihood of that would be slim to none (your modem doesn't have storage or enough compute to handle that kind of traffic redirection.) In all likelihood you are on an ISP that uses CGNAT that assigns a few peoples traffic to the same public facing IP address, in that case the traffic could easily be going to a neighbor that uses the same ISP.
I do have a dual Ethernet computer running ProxMox. But if I’m setting it up between the ONT and router, I may as well go all in setting it up as a soft router. Then it would be my firewall, DNS, and DHCP server, and I don’t need to worry about the router.
There isn't really a good reason to not be doing that already just because of the intrusion detection systems Proxmox has to offer. Most of them would alert you immediately if you were compromised told it to look for DHT broadcasts going out of the network.