Possible Botnet/MITM/Spam attacks: pcapng analysis

asked 2020-06-01 20:20:45 +0000

Hello there!

I hope someone can help me here with a possible issue on my private networks (work and home):

So, I ran Wireshark again today (v3.2.3) during part of my work schedule (about 5h) and noticed there's a repetition of behaviour (packets transmitted/types) from certain devices on my local network(s) (router, laptop, other devices) that I had already seen in previous scans I did, which seems to indicate that something is off... Maybe a botnet/spam/DDoS attack, I don't know. Notice that only my boss and I are working together at the office (max 4 devices connected at a time: 2 laptops + 2 smartphones). The office is on the 2nd floor of a building where many other small companies like ours are located.

I uploaded the capture and a few more files, please feel free to check:

https://we.tl/t-sqWLanP8kz

From the capture we can see there's a big number of TCP out-of-order segments coming and going mainly from/to ports 443/3220 and, likewise, there's a huge number of Duplicate ACK(#1) and errors:

https://imgur.com/a/oHNkhUV

These transmissions seem to be mainly between the router and my laptop (HuaweiTe_0d:48:12 - router, HonHaiPr_31:87:75 - laptop) and many public IPs, some unknown.

Then there is an unknown device that appears to be ARP storming the private network:

https://imgur.com/a/AnIgDgy

When I try to ping this it says it's "unreachable":

https://imgur.com/a/TkrvV7Y

There seems to be another device doing the same, which is "unreachable":

https://imgur.com/a/LuvcIzQ https://imgur.com/a/XEzPOg1

Then, my own laptop is constantly sending ARP packets like this:

https://imgur.com/a/vMesAut

I opened XARP some time later to check for ARP poisoning attacks. Somehow there's a host on IP 172.31.32.33 with the same MAC address as my work router (e8:bd:d1:0d:48:12):

https://imgur.com/a/B0zwo64

Putting that IP in the browser is the same as accessing the Gateway settings (Huawei HG8247H login page). I researched that IP and found this:

https://cleantalk.org/blacklists/172.... - Reported as spam (checking with IANA on this)

These are just some samples of the alerts given by XARP:

https://imgur.com/a/VWbbv5A https://imgur.com/a/mcTZ4VZ https://imgur.com/a/5mvkyKi

I checked my laptop's ARP table, and the router entry has type dynamic:

https://imgur.com/a/F2X3azi

What might be the issue? How can I solve it and track who's doing it?

Best regards!
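Added example, not part of the original post or written by its author: a small Python script that reads the ARP frames out of a classic .pcap and separates the three things the screenshots above mix together, namely one IP claimed by several MACs (the actual poisoning signal), one MAC answering for several IPs (what a router alias such as the 172.31.32.33 entry looks like) and per-MAC request volume (the storm indicator). It assumes a classic little-endian pcap with Ethernet framing and no VLAN tags (pcapng is not handled); the router MAC is the one quoted in the post, while the laptop MAC, the "rogue" MAC and every frame are constructed sample input.

```python
import struct
from collections import defaultdict

def arp_records(pcap: bytes):
    """Yield (sender_mac, sender_ip, target_ip, opcode) for each Ethernet ARP frame in a
    classic little-endian .pcap byte string (assumption: no VLAN tags; pcapng not handled)."""
    assert struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4, "classic LE pcap only"
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        f, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(f) >= 42 and f[12:14] == b"\x08\x06":          # EtherType 0x0806 = ARP
            yield (f[22:28].hex(":"), ".".join(map(str, f[28:32])),
                   ".".join(map(str, f[38:42])), int.from_bytes(f[20:22], "big"))

def analyze_arp(pcap: bytes):
    """Report IPs claimed by more than one MAC (poisoning signal), MACs that answer for
    several IPs (often just a router alias) and ARP request counts per MAC (storm indicator)."""
    ip_macs, mac_ips, req = defaultdict(set), defaultdict(set), defaultdict(int)
    for smac, sip, tip, op in arp_records(pcap):
        if sip != "0.0.0.0":                    # ARP probes carry no sender IP
            ip_macs[sip].add(smac)
            mac_ips[smac].add(sip)
        if op == 1:                             # opcode 1 = request, 2 = reply
            req[smac] += 1
    return {"ip_conflicts": {ip: sorted(m) for ip, m in ip_macs.items() if len(m) > 1},
            "mac_aliases": {m: sorted(i) for m, i in mac_ips.items() if len(i) > 1},
            "requests": dict(req)}

def arp_frame(op, smac, sip, tmac, tip):
    """Build one Ethernet/ARP frame (constructed test input, not captured data)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(smac) + ip4(sip) + mac(tmac) + ip4(tip)
    return mac(tmac) + mac(smac) + b"\x08\x06" + arp + b"\x00" * 18   # pad to 60 bytes

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

ROUTER = "e8:bd:d1:0d:48:12"                   # router MAC as quoted in the post
LAPTOP, ROGUE = "02:00:00:31:87:75", "02:00:00:00:00:aa"   # constructed, locally administered
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_PCAP = build_pcap(                      # constructed capture reproducing the symptoms
    [arp_frame(2, ROUTER, "192.168.1.1", LAPTOP, "192.168.1.10"),   # gateway reply
     arp_frame(2, ROUTER, "172.31.32.33", LAPTOP, "192.168.1.10"),  # same MAC, second IP: alias
     arp_frame(2, ROGUE, "192.168.1.1", LAPTOP, "192.168.1.10")]    # second MAC for gateway IP
    + [arp_frame(1, ROGUE, "192.168.1.1", BCAST, f"192.168.1.{i}") for i in range(1, 51)])
```

Run `analyze_arp(open("capture.pcap", "rb").read())` on a real file exported from Wireshark as classic pcap; an entry in `ip_conflicts` is the one worth chasing, while `mac_aliases` alone is usually the router's own management address.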
