Is it MITM/DDoS attack?

asked 2022-03-16 06:24:08 +0000

wolvo

updated 2022-03-18 11:31:24 +0000

I am on Linux Mint. I was also using a squid proxy. I am referring to this book. So I had been using a wired connection through the LAN port to connect to the internet. Several times I had noted two MAC addresses showing up on the same IP address using:

arp -a

So no doubt I was under attack, at least ARP spoofing. My question is regarding an incident where I was on a very important Webex meeting through my Android mobile. The connection sequence was the following: LAN (30 Mbps) > Laptop > Hotspot > Mobile. During the Webex meeting, as soon as I turned my video on, it was immediately turning off. I tried several times. The other person in the meeting also complained that my sound was not clear. Otherwise, when I attended the same Webex meeting another time through the same connection, there was no such problem. Even on a slower 4G network things worked well. So just after the meeting I kept the mobile connected and started Wireshark to capture traffic.

I found several DUP ACKs, TCP ACKed unseen segments, malformed packets, suspected retransmissions, RSTs in TCP, malformed packets in IPX and "illegal character found in header name" (HTTP). A few are below:

tcp.seq eq 2422

11337   2022-02-04 12:06:10.684662778   Gateway.local   www3.l.google.com           TCP 68  42106 → https(443) [ACK] Seq=2422 Ack=39032 Win=119296 Len=0 TSval=2910797158 TSecr=1576833926

11340   2022-02-04 12:06:10.899973194   Gateway.local   www3.l.google.com           TCP 80  [TCP Dup ACK 11337#1] 42106 → https(443) [ACK] Seq=2422 Ack=39032 Win=119296 Len=0 TSval=2910797374 TSecr=1576834186 SLE=38993 SRE=39032

11680   2022-02-04 12:07:09.592393168   Gateway.local   www3.l.google.com           TLSv1.3 107 Application Data

Also

tcp.seq eq 1

172 2022-02-04 12:02:27.716646107   Gateway.local   Gateway.local           TCP 68  49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0 TSval=2006993776 TSecr=2006948421

173 2022-02-04 12:02:27.716675844   Gateway.local   Gateway.local           TCP 68  [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=2 Win=3637 Len=0 TSval=2006993776 TSecr=2006948380

1535    2022-02-04 12:03:12.772644810   Gateway.local   Gateway.local           TCP 68  [TCP Dup ACK 172#1] 49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0 TSval=2007038831 TSecr=2006993776

1536    2022-02-04 12:03:12.772678417   Gateway.local   Gateway.local           TCP 68  [TCP Dup ACK 173#1] [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=2 Win=3637 Len=0 TSval=2007038831 TSecr=2006948380

1697    2022-02-04 12:03:57.828673653   Gateway.local   Gateway.local           TCP 68  [TCP Dup ACK 172#2] 49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0 TSval=2007083886 TSecr=2007038831

1698    2022-02-04 12:03:57.828714854   Gateway.local   Gateway.local           TCP 68  [TCP Dup ACK 173#2] [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=2 Win=3637 Len=0 TSval=2007083886 TSecr=2006948380

2606    2022-02-04 12:04 ...
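The "two MAC addresses on the same IP" check the question performs by eye with `arp -a` can be scripted so it is repeatable across snapshots. This is an added example, not code from the question or from Wireshark; the ARP table text, the interface name and the addresses are constructed, and the entries are assumed to come from several `arp -a` runs concatenated over time (a single Linux neighbour table holds one MAC per IP per interface).

```python
import re
from collections import defaultdict

# Constructed sample: two `arp -a` snapshots (Linux format) pasted together.
# The gateway 192.168.1.1 answers first from one MAC, later from another,
# and that second MAC also owns 192.168.1.40 (the assumed spoofing host).
SAMPLE_ARP = """\
? (192.168.1.1) at aa:bb:cc:11:22:33 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:44:55:66 [ether] on eth0
? (192.168.1.40) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.1) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.30) at <incomplete> on eth0
"""

# "hostname-or-? (IP) at MAC [ether] on IFACE"; <incomplete> entries have no MAC
ARP_LINE = re.compile(r"^\S+\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-fA-F:]{17})\b")


def parse_arp(text):
    """Return (ip, mac) pairs found in `arp -a` output; incomplete rows are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def find_conflicts(pairs):
    """IPs seen with more than one MAC -> set of MACs.

    One IP resolving to two MACs over time is the classic symptom of ARP
    cache poisoning, but a router failover (VRRP/HSRP) or a replaced NIC
    produces the same picture, so treat a hit as a lead to verify in a capture.
    """
    by_ip = defaultdict(set)
    for ip, mac in pairs:
        by_ip[ip].add(mac)
    return {ip: macs for ip, macs in by_ip.items() if len(macs) > 1}


def find_mac_reuse(pairs):
    """MACs claiming more than one IP -> set of IPs (a poisoner answers for the gateway with its own NIC)."""
    by_mac = defaultdict(set)
    for ip, mac in pairs:
        by_mac[mac].add(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    pairs = parse_arp(SAMPLE_ARP)
    for ip, macs in find_conflicts(pairs).items():
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(sorted(macs))}")
    for mac, ips in find_mac_reuse(pairs).items():
        print(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
```

The same condition shows up in Wireshark as the ARP expert-info warning "Duplicate IP address detected", which is the place to confirm which MAC is the real gateway.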