2

Lately I've seen many strange events in the logs of my wifi router / cable modem. Many are linked to the IP address 83.0.68.240 from the ISP, Orange Polska. Events like "DoS attack: Ping Of Death", "DoS attack: Teardrop or derivative" etc.

However today the situation rose to a new level: The IP address was no longer limited to appearing in the logs of outside attackers. It now appeared to be one of the devices on the Wi-Fi network. See linked photo: http://imgur.com/YFgLBCJ

The MAC address of the device suggests it is an Apple device. At one point the name of the device was the same as the name of a roommate's iPhone. I asked the roommate if he was using a VPN on his phone, and he said no.

Is it possible that a person from Poland has in fact entered the network?

If the iPhone was hacked, why would it appear on the Wi-Fi network as a Polish IP address?

FYI, I asked Orange Polska twice to shut this attacker down and they have not done it.

Zane
  • 21
  • 3
  • Frankly, I'd be looking at the likely case that your roommate's device has been compromised. – schroeder May 06 '16 at 16:56
  • @schroeder could they spoof a MAC address to look like something natural on that network? – Dave May 06 '16 at 17:01
  • 1
    @Dave absolutely, but it is unlikely that an external party would get the MAC of an internal device. More likely that the external attackers were able to social engineer the roommate. – schroeder May 06 '16 at 17:07
  • @schroeder If they broke into the network and noticed that my roommate’s phone had a certain name like “Fred’s iPhone”, they could change the name of their device to that and a typical observer might ignore the device even though the IP address is not a 192.168.x.x. – Zane May 06 '16 at 20:46
  • @Dave it is quite easy to change one's MAC address. It is just: sudo ifconfig en0 ether MAC... – Zane May 06 '16 at 20:47

3 Answers

2

The reason a computer would be listed in that section with an external IP is that the malicious device wants its traffic to look like it came from that other address. This is commonly done as part of a DDoS of other places, because the false source IP causes all of the returned traffic to head to that other address (in cases like amplification attacks this can be very powerful). Are you noticing anything like poor performance of the network overall? Or a lot of registered traffic even though you are only browsing StackExchange?

There is possibly a compromised device on your network. It may also be that the constant stream of malicious packets finally caused the router to mix up traffic to the point where it looked like some packet outbound had that source IP (no telling how well written that Netgear code is). As a mitigation, (and if possible from that device) you could try blocking all traffic to/from that IP (if it's the only one that has been noted to have malicious activity) and see if the strange behavior stops.

Jeff Meden
  • 3,966
  • 13
  • 16
  • Yes, several times a day the network will slow to a crawl. What I typically do at that point is restart the router. Sometimes it is so bad that I cannot even log into the router and I have to cycle the power. Nevertheless when I run tcpdump, it doesn't seem to collect very much. Also a while back I looked into blocking addresses but I don't think this particular router supports that. – Zane May 06 '16 at 20:51
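The check this answer suggests, as an added example that is not part of the original post or answer: parse a Netgear-style DoS log and the router's attached-device list, and flag any address that shows up both as an external attack source and as a client inside the LAN. The log lines, device list, MAC addresses and the 192.168.1.0/24 prefix are constructed here; only 83.0.68.240 comes from the question.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample data (approximating Netgear's log format, not copied
# from the post). MACs are locally administered to avoid implying a vendor.
ROUTER_LOG = """\
[DoS attack: Ping Of Death] from source 83.0.68.240, Friday, May 06,2016 09:12:31
[DoS attack: Teardrop or derivative] from source 83.0.68.240, Friday, May 06,2016 09:13:02
[DoS attack: Ping Of Death] from source 203.0.113.7, Friday, May 06,2016 09:20:44
"""
ATTACHED_DEVICES = [  # (ip, mac, name) as the router's device list shows them
    ("192.168.1.2", "02:00:00:00:00:01", "Freds-iPhone"),
    ("192.168.1.5", "02:00:00:00:00:02", "media-box"),
    ("83.0.68.240", "02:00:00:00:00:03", "Freds-iPhone"),
]
LAN = ip_network("192.168.1.0/24")  # assumed home subnet

LOG_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source (?P<src>\d+\.\d+\.\d+\.\d+)")

def dos_sources(log):
    """Count DoS log entries per claimed source address."""
    return Counter(m.group("src") for m in LOG_RE.finditer(log))

def rogue_lan_clients(devices, lan=LAN):
    """Clients whose address lies outside the LAN subnet: a public address on
    the inside means a spoofed source or a confused router table."""
    return [d for d in devices if ip_address(d[0]) not in lan]

def duplicate_names(devices):
    """Device names shared by more than one MAC (blending in behind a known name)."""
    by_name = Counter(d[2] for d in devices)
    return sorted(n for n, c in by_name.items() if c > 1)

def correlate(log, devices):
    """Addresses seen both as a DoS source and as a LAN client."""
    attackers = dos_sources(log)
    return [d for d in rogue_lan_clients(devices) if d[0] in attackers]

if __name__ == "__main__":
    for src, n in dos_sources(ROUTER_LOG).items():
        print(f"{src}: {n} DoS events")
    for ip, mac, name in correlate(ROUTER_LOG, ATTACHED_DEVICES):
        print(f"ALERT: DoS source {ip} is also listed as LAN client {mac} ({name})")
    print("shared device names:", duplicate_names(ATTACHED_DEVICES))
```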
1

You might have at least a compromised device sending packets with spoofed IP addresses in your internal network.

Nowadays there is already malware that will make a device assume several IP addresses, or cycle through several IP addresses, to evade blacklisting/security measures activated from the victims.

I would not blacklist a particular IP address; I would whitelist my valid IP addresses and block everything else. This is in fact recommended by several vendors. Cisco refers to whitelisting your internal networks / public IP addresses for outgoing connections as egress rules, and to blacklisting your own public IP addresses and known bad networks as sources of traffic coming into your network as ingress rules.

Please note there is also a possibility you do not have a hacked device in your home. Most of the new operating systems, iPhones and Mac included, try to cycle through their previous IP addresses to reclaim a new DHCP IP address; your CPE firmware might be old and confused by this. In the event of this possibility, if you and your workmate are quite sure you have never been to Poland, I would change your wifi password.

The algorithms behind several default wifi passwords that come with ISP combo modems/APs have been cracked in the past, and often you can derive the default password from the SSID. This also opens up the possibility a neighbour might be abusing your wifi to conduct more nefarious activities.

Rui F Ribeiro
  • 1,736
  • 8
  • 15
-2

Your router is owned/pwned, I'm afraid. Do a strict MAC filter like "denied unless whitelisted", and arm some NMAPs to shut the SoB down. If the ISP is not doing anything, help yourself... You have notified them.

Alexey Vesnin
  • 1,565
  • 1
  • 8
  • 11