How can I stop an authorized user from consuming all the bandwidth on my home network?

My neighbours and I share a home network managed by me and paid for by the landlord.

This person overloads the bandwidth on the regular: jitter spikes up to the 300s, download speed fluctuates, overall a shit time.

Can’t get rid of them/block them from the network, in spite of having admin access.

Is it possible to restrict their access to bandwidth/stop them from screwing the internet up for the other users?

Note: I have a second router at my disposal. Accountant by trade, little network knowledge but highly motivated.

Is it a Bad Idea™ to open all IPv6 ports for devices in an isolated guest network?

At home I have a dual-stack IPv4/IPv6 broadband connection, and I also have a wireless access point. The access point currently bridges all traffic into my LAN, which is not segmented in any way, so all visitors that use my wireless network have the full run of my LAN.

While I certainly do not doubt my friends’ good intentions I do see the possibility of their smartphones being compromised, and I’d rather not have compromised devices in my private LAN if I can help it. This, and also the fact that being in my private LAN does not gain my friends any benefits, makes me want to set up a separate wireless guest network, which I would then also use with my own smartphone.

I am currently considering opening all ports for incoming IPv6 TCP and UDP traffic for the devices in this separate guest network.

My reason for doing so is vastly improved service reliability. As a practical example, I use the Conversations XMPP chat app that does support sharing e.g. pictures, but this doesn’t work very well while both me and the other person are in our respective home LANs, presumably because neither of us has any ports open (IPv6) or forwarded (IPv4) for our smartphones.

Just to verify this hypothesis I opened all IPv6 ports for my smartphone only. And voilà, sharing pictures has been working flawlessly ever since.

The general implications of opening a router’s IPv6 firewall have been extensively discussed here, however I think my situation with the guest network for smartphones and other mobile devices is not quite comparable, because

  • Smartphones are designed for being directly connected to the internet any odd way, and therefore should not have problems with open IPv6 ports
  • It would only pertain to the totally separated guest network, any device in which would, from the view of a device in my LAN, just be any other device out there in the public internet

Is this sound reasoning, or is there something important I am not seeing?

Is “Hidden Network” just Wizard in System Tray [closed]

I was wondering whether “Hidden Network”, located in available networks when you click on WiFi in the system tray, is just a setup wizard or an actual network not displaying its SSID?

For instance if there are multiple hidden networks in your area will there only be one hidden network listed under available networks or multiple under available networks?

Is there a security vulnerability when using the option Hidden Network to find your home network if it is hidden? There might be several hidden networks in your area, and the hidden network wizard under available networks could just put in the SSID and password until it finds the correct hidden network; is that how it works?

Would it be safer to just use the manual connection setup under the Network and Sharing Center in Windows 10?

This is the website I was looking at: https://www.google.com/amp/s/www.digitalcitizen.life/how-connect-hidden-wireless-networks-windows-10

Hijacking Samsung TV on same network

Yesterday I did an nmap scan on my network and found two open ports on my Samsung 32-inch LED TV, which uses a LAN cable to operate. I tried to find out ways I can exploit those ports, 7676 and 8080. So does anybody know how I can successfully exploit the TV and broadcast whatever I want to that TV without having physical access?

Preventing automated attacks on Tokens without relying on Firewall or Network Infrastructure

Our concern is more on application-side prevention of automated attacks. Although the firewall does its part to help prevent this, it has been mandated in our development team’s security practices that we need a 2nd level of protection. Solutions such as MFA and CAPTCHA are solutions to a different issue. They help reduce the chances an attacker has to possibly bypass authentication and guess the credentials. What we want here is just basically to detect an automated attack and stop it (or realistically, delay it).

The attack the penetration tester did was this:

http://ourapplication.com/passwordreset&token=AAAAAAbbbbCCCCDDDD####3333KkOoBvVNNJIKGDDVL

This is a link sent to email addresses for password reset. They tried automated enumeration of the token to be able to guess a correct one. Although they were not successful guessing a valid one, they still filed this as a vulnerability since our application failed to catch this automated attack and was not able to block the requests. So, we now have been in a dead end finding solutions for this.

Some solutions we have come up with:

  1. IP Address blocking – seems problematic since requests go through a number of servers and components (firewall –> web server –> app server etc.), it would be extremely difficult to get the source ip address of the requester. Sometimes attacks still could be behind proxies.

This would be doable if the enumeration was something like username and password. We can come up with logic that detects enumeration of usernames with the same password and starts blocking subsequent requests using the same password. In this case, there is only a token in the input.

Running out of reasons to solve this issue. Can anyone help us on this?
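One application-level approach to the enumeration described above, as an added example that is not part of the original post or the poster’s application: the reset endpoint has no usable source IP, but an enumeration attack still produces a signal the proxies cannot hide, namely a burst of lookups for tokens that do not exist. The guard below stores only hashes of issued tokens, compares in constant time, counts invalid lookups in a sliding window and switches the endpoint into a throttled mode once that count crosses a threshold. The window, threshold, TTL and token size are assumed values chosen for the example, and the attacker in `simulate_enumeration` is constructed.

```python
import hashlib
import hmac
import secrets
import time
from collections import deque

# Assumed tuning values for this example; adjust to the application's traffic.
WINDOW_SECONDS = 600       # sliding window over which invalid lookups are counted
FAIL_THRESHOLD = 20        # invalid lookups in the window that switch on throttling
TOKEN_TTL_SECONDS = 3600   # reset links are valid for one hour
TOKEN_BYTES = 32           # 256 bits of randomness, so guessing is hopeless anyway


class ResetTokenGuard:
    """Issues password-reset tokens and detects enumeration without IP data.

    Only the SHA-256 of each token is stored, so a leaked table does not yield
    usable reset links. Detection keys on the one signal an enumeration attack
    cannot hide behind proxies or load balancers: the rate of *invalid* token
    lookups hitting the reset endpoint.
    """

    def __init__(self, window=WINDOW_SECONDS, threshold=FAIL_THRESHOLD,
                 ttl=TOKEN_TTL_SECONDS):
        self.window = window
        self.threshold = threshold
        self.ttl = ttl
        self._tokens = {}          # sha256 hex of token -> (user_id, expires_at)
        self._failures = deque()   # timestamps of invalid lookups, oldest first

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """Create a single-use token to embed in the e-mailed reset link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._tokens[self._digest(token)] = (user_id, now + self.ttl)
        return token

    def failures_in_window(self, now=None):
        """Invalid lookups seen in the last `window` seconds."""
        now = time.time() if now is None else now
        while self._failures and self._failures[0] <= now - self.window:
            self._failures.popleft()
        return len(self._failures)

    def is_throttled(self, now=None):
        return self.failures_in_window(now) >= self.threshold

    def redeem(self, token, now=None):
        """Return ('ok', user_id), ('invalid', None) or ('throttled', None).

        The caller serves 'throttled' as a slow, generic error (HTTP 429 with a
        Retry-After, or a deliberate delay) and must not reveal whether the
        token would otherwise have been valid.
        """
        now = time.time() if now is None else now
        if self.is_throttled(now):
            return ("throttled", None)
        wanted = self._digest(token)
        # Compare against every stored digest in constant time so response
        # timing does not tell the attacker how close a guess was.
        match = None
        for stored in self._tokens:
            if hmac.compare_digest(stored, wanted):
                match = stored
        if match is None:
            self._failures.append(now)
            return ("invalid", None)
        user_id, expires_at = self._tokens.pop(match)   # single use
        if now > expires_at:
            return ("invalid", None)      # expired: not an attack signal
        return ("ok", user_id)


def simulate_enumeration(guard, attempts, now):
    """Constructed attacker: hammer the endpoint with random tokens."""
    counts = {"ok": 0, "invalid": 0, "throttled": 0}
    for i in range(attempts):
        status, _ = guard.redeem(secrets.token_urlsafe(TOKEN_BYTES), now=now + i * 0.01)
        counts[status] += 1
    return counts


if __name__ == "__main__":
    guard = ResetTokenGuard()
    link_token = guard.issue("alice")
    print("legitimate click:", guard.redeem(link_token))
    print("enumeration burst:", simulate_enumeration(guard, 100, time.time()))
```

During the throttled window every request, valid or not, gets the same slow error, so a legitimate user who lands in it simply requests a fresh link a few minutes later; an attacker who was already guessing against 256-bit tokens gains nothing from the pause except a slower rate. Counting only invalid lookups means normal traffic (one click per issued link) never trips the threshold.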

Can I intercept DNS-over-HTTPS (DoH) or -TLS (DoT) in my home network?

Right now I am redirecting all local network DNS traffic to my Pi-hole install, since some devices do or may in the future use hardcoded DNS servers to bypass filtering.

Since DNS-over-HTTPS and DNS-over-TLS are becoming more common, I would like to know if it is possible to intercept that kind of traffic to redirect it to my Pi-hole install for filtering purposes.

If that is not possible (as I would expect), I wonder whether it’s possible to at least drop said connections so that said devices will obtain errors and hopefully fall back to the DHCP-advertised (local) DNS server.
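As an added example, not part of the question and not Pi-hole’s own code, the decision logic a home router can apply to each new outbound flow from a LAN device: plain DNS is redirected to the Pi-hole, DoT (tcp/853) is dropped because it cannot be filtered, and HTTPS is dropped when its destination is a known public resolver or when the TLS ClientHello carries a server name from a known DoH list. The SNI parser works on the first TLS record only and needs no keys, since the hostname is sent in clear unless Encrypted Client Hello is in use. The Pi-hole address, the resolver lists and the sample flows are assumed or constructed for the example, and `build_client_hello` exists only to fabricate test input.

```python
import struct
from ipaddress import ip_address

# Assumed values for this example: the Pi-hole's address and a starter list of
# public resolvers that serve DoH/DoT. The list must be maintained by hand.
PIHOLE = ip_address("192.168.1.2")
DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com",
             "dns.google", "dns.quad9.net"}
DOH_RESOLVER_IPS = {ip_address(a) for a in
                    ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}


def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, else None.

    Nothing is decrypted: the SNI travels in clear in the first record of the
    handshake (unless Encrypted Client Hello is used, in which case this
    returns None and the hostname check fails open).
    """
    # TLS record: content_type(1) version(2) length(2); 0x16 = handshake.
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len, = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    # Handshake: msg_type(1) length(3); 0x01 = ClientHello.
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                    # client_version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                              # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                              # compression_methods
    if len(hs) < pos + 2:
        return None                                 # no extensions at all
    ext_total, = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    end = min(pos + ext_total, len(hs))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:                      # 0 = server_name
            continue
        p = 2                                       # skip ServerNameList length
        while p + 3 <= len(data):
            name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:                      # host_name
                return data[p:p + name_len].decode("ascii", "replace")
            p += name_len
    return None


def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI extension."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", 0x0000, len(entry) + 2)
               + struct.pack("!H", len(entry)) + entry)
    hello = (b"\x03\x03" + bytes(32)               # version + (zero) random
             + b"\x00"                             # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
             + b"\x01\x00"                         # null compression only
             + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_flow(dst, dport, first_payload=b""):
    """What the router should do with one new outbound flow from a LAN device.

    'redirect': plain DNS, DNAT it to the Pi-hole.
    'drop':     DoT (tcp/853), or HTTPS whose destination or SNI is a known
                DoH resolver; it cannot be filtered, only refused.
    'allow':    everything else.
    """
    dst = ip_address(dst)
    if dport == 53:
        return "allow" if dst == PIHOLE else "redirect"
    if dport == 853:
        return "drop"
    if dport == 443 and (dst in DOH_RESOLVER_IPS
                         or extract_sni(first_payload) in DOH_HOSTS):
        return "drop"
    return "allow"


if __name__ == "__main__":
    # Constructed flows: (destination, port, first client payload)
    for dst, port, payload in [("8.8.8.8", 53, b""), ("9.9.9.9", 853, b""),
                               ("203.0.113.10", 443, build_client_hello("dns.google")),
                               ("203.0.113.20", 443, build_client_hello("example.com"))]:
        print(dst, port, "->", classify_flow(dst, port, payload))
```

In the firewall this maps to a DNAT rule for port 53, a reject for tcp/853 and a reject for tcp/443 towards the listed resolver addresses; the SNI check needs a userspace hook that sees the first packet, which plain nftables rules cannot express. Refusing with a TCP reset rather than silently dropping makes clients fail faster, but whether a device then falls back to the DHCP-advertised server depends on the client: opportunistic DoT clients do, strict ones just fail. Firefox additionally disables its own DoH when the canary domain use-application-dns.net resolves to NXDOMAIN, which the Pi-hole can be configured to return.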

Network of 45 Real Estate, Car, and Finance Websites & Domains

For sale is a network of 45 websites each with high quality domain names in the real estate, car, and also finance industry.

I'm a 13-year member here on DigitalPoint.

We have already started a NO RESERVE auction which can be found here: Auction for Network Of 45 Websites For Sale

See the auction description for the full details of everything included. Most of the 45 websites have great .com domain names.

Some websites use…

Is HTTPS required for local network server to server communication

I am building web applications for my customer’s company. At the server side, there will be 2 kinds of server to server network communication.

  1. Separated REST API servers making requests among each other.
  2. Communication from application load balancers (AWS ALB specifically) to their auto-scaling EC2 instances.

Currently all of these communications use HTTP protocol. Only the customer-facing nodes (such as the load balancer or the web server reverse proxy) will serve HTTPS with valid certificates.

The customer’s security audit tried to force us to change them all to HTTPS.

The auditor cannot provide a practical reasoning behind this except that he believes it is the modern best practice to always use HTTPS instead of HTTP anywhere.

In my view, I think the purpose of the HTTPS protocol is to be a trusted channel in an untrusted environment (such as the Internet). So I cannot see any benefit of changing the already trusted channel to HTTPS. Furthermore, having to install certificates on all servers makes it difficult to maintain; chances are, the customer will find their application servers broken someday in the future because some server has an expired certificate and no one knows.

Another problem: if we have to configure all the application servers, Apache for example, behind the load balancer to serve HTTPS, then what is the ServerName to put inside the VirtualHost? Currently we have no problem using the domain name such as my-website.example.com for the HTTP VirtualHost. But if it were to be HTTPS, would we have to install the certificate of my-website.example.com on all instances behind the load balancer? I think this is weird because then we have many servers claiming to be my-website.example.com.

I would like advice from security community if my view above is correct and can be used as valid reasons to dispute the security audit’s enforcement.