Possible network intrusion

asked 2021-09-05 16:56:22 +0000

aks gravatar image

I was looking for any intrusion through wireshark data. I followed instructions given on this post:

My laptop is connected to internet through wired LAN. Many POE LAN devices are connected in upstream cable as many other connections distributed by service provider.(giving detail here If it is important) It is a 15mbps connection.

The post says: (1) ARP Scanning: arp.dst.hw_mac==00:00:00:00:00:00 If we see many of these ARP requests in a short period of time asking for many different IP addresses, someone is probably trying to discover alive IPs on our network by ARP scanning (e.g. by running arp-scan -l).

In my wireshark data a single IP address showing up 5-10 times in a minute sometimes every 203 seconds in this filter including other IP addresses.

(2) ICMP ping sweeps: icmp.type==8 or icmp.type==0 If we see too many of these packets in a short period of time targeting many different IP addresses, then we are probably witnessing ICMP ping sweeps. Someone is trying to identify all alive IP addresses on our network (e.g. by running nmap -sn -PE <subnet> ).

In my wireshark data a the same single IP address showing up every 0.5 seconds Echo (ping) in this filter for 2 minutes.

(3) TCP Connect() scan: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024 Post says : If we see too many packets of this kind in a short period of time, someone is most likely doing:

SYN scans in our network (e.g. by running nmap -sS <target> )
SYN port sweeps across the network (e.g. by running nmap -sS -pXX <subnet> )
SYN floods (denial of service technique)

In my wireshark data intermittently 0.1% packets are seen with this filter.

(4) UDP port scan: icmp.type==3 and icmp.code==3 The post says: If we see a high number of these packets in our network in a short period of time, it most likely means someone is doing UDP port scans (e.g. by running nmap -sU <target> ).

In my wireshark data 31 packets seen in 2 minutes.

(5) Unexplained packet loss: tcp.analysis.lost_segment or tcp.analysis.retransmission The post says If we see many packet re-transmissions and gaps in the network communication (missing packets), it may indicate that there is a severe problem in the network, possibly caused by a denial of service attack.

Seeing such a situation in Wireshark certainly merits further investigation..

In my wireshark data for 30 minute 1055 packets seen. This problem of retransmission I was also facing in last wifi conection that is why I changed internet service provider. Now problem is less than that. At that Time I know someone hacked my laptop. Hence I wants to leave no doubt. Please suggest me if it is normal or I need to investigate further and how. Thanks

edit retag flag offensive close merge delete

Comments

I am trying to understand your statement: "My laptop is connected to internet through wired LAN." Do you mean your laptop is connected directly to the Internet with a public IP or behind a firewall with a private IP?

BigFatCat gravatar imageBigFatCat ( 2021-09-06 03:38:23 +0000 )edit

It is my private Connection. As I only need this connection for my laptop so I directly used LAN. I am using UFW. I mentioned it because 1 POE+LAN box is installed by service prorivider at my end and there is another box at roof from where one another connection is provided along with me. I mentioned this because 2-3 MAC addresses continuously show up in the Wireshark Data show doubted that that MAC addresses may be of those distribution devices.

aks gravatar imageaks ( 2021-09-06 04:34:14 +0000 )edit

Is the laptop using a public or private IP address? If it is a public IP address, then what you are describing is a port scan. It is searching for open ports (ping to find an open IP address, then port scan). Scanning is 7/24. It may help to firewall ping requests because then won't make sense to do a port scan

You can try to report the source MAC address and IP address to your service provider. I have found service providers won't do anything. I resolved the issue with a router and required IoT to tunnel.

BigFatCat gravatar imageBigFatCat ( 2021-09-06 07:42:51 +0000 )edit