Possible Botnet/MITM/Spam attacks. pcapng analysis
Hello there!
I hope someone can help me here with a possible issue on my private networks (work and home):
So, I ran Wireshark again today (v3.2.3) during part of my work schedule (about 5h) and noticed a repetition of behaviour (packets transmitted/types) from certain devices on my local network(s) (router, laptop, other devices) compared with previous scans I did, which seems to indicate that something is off... Maybe a botnet/spam/DDoS attack, I don't know. Notice that only my boss and I are working together at the office (max 4 devices connected at a time: 2 laptops + 2 smartphones). The office is on the 2nd floor of a building where there are many other small companies located, like ours.
I uploaded the capture and a few more files, please feel free to check:
From the capture we can see there's a big number of TCP out-of-order segments coming and going mainly from/to ports 443/3220 and, likewise, there's a huge number of Duplicate ACK(#1) and errors:
These transmissions seem to be mainly between the router and my laptop (HuaweiTe_0d:48:12 - router, HonHaiPr_31:87:75 - laptop) and many public IPs, some unknown.
Then there is an unknown device that appears to be ARP storming the private network:
When I try to ping this it says it's "unreachable":
There seems to be another device doing the same, which is "unreachable":
https://imgur.com/a/LuvcIzQ https://imgur.com/a/XEzPOg1
Then, my own laptop is constantly sending ARP packets like this:
I opened XARP some time later to check for ARP poisoning attacks. Somehow there's a host on IP 172.31.32.33 with the same MAC address as my work router (e8:bd:d1:0d:48:12):
Putting that IP in the browser is the same as accessing the gateway settings (HG8247H Huawei login page). I researched that IP and found this:
https://cleantalk.org/blacklists/172.... - Reported as spam (checking with IANA on this)
These are just some samples of the alerts given by XARP:
https://imgur.com/a/VWbbv5A https://imgur.com/a/mcTZ4VZ https://imgur.com/a/5mvkyKi
I checked my laptop's ARP table and the router's MAC entry is of dynamic type:
What might be the issue? How do I solve it and track who's doing it?
Best regards!
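Two of the checks the post walks through (one MAC answering for more than one IP, and a host flooding the segment with ARP requests) as a script over a tshark field export. This is an added example, not code from the original post or from Wireshark; the tab-separated column layout and all IPs other than 172.31.32.33 are assumptions, and the sample data is constructed.

```python
"""ARP checks over a tshark '-T fields' export (added example, not from the post).
Assumed tab-separated columns: frame.time_relative, arp.opcode,
arp.src.hw_mac, arp.src.proto_ipv4, arp.dst.proto_ipv4."""
from collections import defaultdict

# Constructed sample: the router MAC from the post answering for two IPs, one
# quiet host, and one host sending a burst of requests (invented addresses).
SAMPLE = "\n".join(
    ["0.001\t2\te8:bd:d1:0d:48:12\t192.168.1.1\t192.168.1.10",
     "0.002\t2\te8:bd:d1:0d:48:12\t172.31.32.33\t192.168.1.10",
     "0.500\t1\tab:cd:ef:00:00:01\t192.168.1.50\t192.168.1.1"]
    + [f"{1.0 + i * 0.01:.3f}\t1\t00:11:22:33:44:55\t192.168.1.77\t192.168.1.{i + 1}"
       for i in range(30)]
)

def parse_arp_lines(text):
    """Parse tab-separated field lines into dicts; opcode 1 = request, 2 = reply."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, op, mac, sip, dip = line.split("\t")
        records.append({"t": float(t), "op": int(op), "mac": mac.lower(), "sip": sip, "dip": dip})
    return records

def find_mac_reuse(records):
    """Sender MACs seen with more than one sender IP (may be a legitimate alias)."""
    claims = defaultdict(set)
    for r in records:
        claims[r["mac"]].add(r["sip"])
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}

def find_request_bursts(records, window=1.0, threshold=20):
    """Sender MACs emitting more than `threshold` ARP requests within any `window` seconds."""
    times = defaultdict(list)
    for r in records:
        if r["op"] == 1:
            times[r["mac"]].append(r["t"])
    bursts = {}
    for mac, ts in times.items():
        ts.sort()
        start = 0
        for end, t_end in enumerate(ts):
            while t_end - ts[start] > window:   # slide the window start forward
                start += 1
            count = end - start + 1
            if count > threshold:
                bursts[mac] = max(bursts.get(mac, 0), count)
    return bursts
```

A MAC that legitimately owns an alias IP shows up in `find_mac_reuse` too, so compare the result against the devices you know before treating it as spoofing.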