I suspect that I am being targeted in a man-in-the-middle attack from the ISP or in-between of the fiber cable transit or the node by sniffer hardware that detects and injects the malicious packets.
I am using a VPN service and it's encrypted end-to-end but whenever I disconnect the VPN for a local streaming service, for example, those attackers are back at it again.
Are they using an ARP-spoofing mechanism for the mac address redirection or some other form of NTP attack? Asking for help in diagnosing the issue and what are the best practices to follow?