Strange packets captured

asked 2022-04-26 19:27:48 +0000

Hello, I think I'm victim of DoS. I'll explain you why I think that below.

First, you must know that the problem is on my personal device. I use it at home and at work and I have the problem in both places.

The problem is that I'm receiving a lot of packets, even though I'm doing absolutely nothing on my laptop.

You can find a capture I've done on my PC for 1 hour while I was doing nothing (the only application that was open on my laptop was Wireshark) there

So, on this capture, my private IP address is 192.168.1.24 and you can see that I'm continually receiving packets from various IP addresses. When you search on the Internet who owns these addresses, you discover that they come from various companies, mostly companies that provide cloud services, such as Akamai, Cloudflare, Fastly, etc.

Generally, between the reception of these packets, I also receive many packets using the SSDP protocol. I'm not sure if this is linked and I'm genuinely surprised there's no trace of it in this capture.

I want to insist on the fact that I've received all these packets while only Wireshark was running. Because of that, my laptop has received 15 Go of data in 2 days with wifi, although I've just sent 2 emails... It's clearly not normal.

Don't hesitate to let me know what you think and how you think I can stop being flooded. Thanks in advance!


1 Answer


answered 2022-04-27 06:03:20 +0000

Guy Harris

the only application that was open on my laptop was wireshark

No Web browsers? Note that "open" means "running", not "displaying its window in the front on the screen" - if a window is in the background behind the Wireshark window, or has been minimized (this being Ubuntu, I'm not sure what GUI you're using, but, with GNOME, you minimize by clicking the "-" button in the upper-right corner, and it goes to the sidebar, with the icon for the app showing an orange dot to its left, by default), it is open, in that it's running, and possibly doing stuff on the network.

Note also that not everything that interacts with sites on the Internet is an application that shows up on your screen; it could also be a background process. Not even everything that "uses http or https to interact with sites on the Internet" is an application that shows up on your screen.

Statistics > Protocol Hierarchy shows that the majority of the packets are TCP packets, and about 3/4 of them are not using TLS.

Statistics > Conversations shows most of the TCP packets being port-443 (https) packets between Adrien-Aspire-A515-51G.local and objects.githubusercontent.com, with most of the data being from GitHub to your machine. Is there any GitHub project from which you might, for example, be doing a git clone, or other data fetch?

There are also some Boring Old HTTP Without TLS sessions going to connectivity-check.ubuntu.com; that's something Ubuntu does by default. A Web search for "connectivity-check.ubuntu.com" found, for example, Ubuntu's documentation on the connectivity check and an article on how to disable connectivity checking.

The same is true for traffic between your machine and "pki-goog.l.google.com", using the Online Certificate Status Protocol. A search for "pki-goog.l.google.com" found this discussion of traffic between Windows and that site, but it probably applies to other OSes as well - "You have something installed that has Google as their intermediary cert or is using a Google domain for their hosting. LSASS is likely checking the revocation list from Google to make sure the cert is still valid."

I also receive many packets using the SSDP protocol. I'm not sure if this is linked and I'm genuinely surprised there's no trace of it in this capture.

I applied a display filter of "udp" and saw a lot of SSDP traffic. A display filter of "ssdp" shows IP multicast traffic from 192.168.1.* devices (although at least some of it appears to be directly sent, at the link layer, to your machine), and some devices with IPv6 addresses; those are probably devices on your network announcing their existence to everything else on your network (NOTIFY), or asking about devices on your network (M-SEARCH). There's also a bunch of other broadcast and multicast stuff, either at the IP or link layers (MDNS, IGMPv2, ARP, ICMPv6 Neighbor Discovery). All of this is network ... (more)

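The answer above works from Wireshark's Statistics > Conversations view to find which remote host delivered most of the bytes. As an added example (not code from the original thread), here is a minimal pure-Python libpcap reader that sums captured bytes per conversation and ranks remote (host, protocol, server port) tuples by data delivered to a local address; the sample capture it builds inline is constructed, with TEST-NET addresses standing in for the real GitHub and OCSP hosts.

```python
import struct
from collections import Counter

def build_pcap(pkts):
    """Wrap constructed frames in a libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", i, 0, len(p), len(p)) + p
    return out

def ipv4_frame(src, dst, proto, sport, dport, payload_len):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame; checksums left at zero."""
    if proto == 6:   # TCP: 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0, 0, 0)
    else:            # UDP: 8-byte header carrying its own length
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    l4 += b"\x00" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def conversations(pcap):
    """Bytes per (src, sport, dst, dport, proto), like Statistics > Conversations."""
    total = Counter()
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # ARP, IPv6, etc.: not counted here
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
            continue
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        total[(src, sport, dst, dport, {6: "tcp", 17: "udp"}[proto])] += caplen
    return total

def top_talkers(pcap, local_ip, n=3):
    """Rank remote (host, proto, server port) by bytes delivered to local_ip."""
    inbound = Counter()
    for (src, sport, dst, _, proto), nbytes in conversations(pcap).items():
        if dst == local_ip:
            inbound[(src, proto, sport)] += nbytes
    return inbound.most_common(n)

# Constructed sample: three big HTTPS segments, one small plain-HTTP reply, one SSDP notify
SAMPLE = build_pcap([ipv4_frame("203.0.113.10", "192.168.1.24", 6, 443, 51000, 1400)] * 3 +
                    [ipv4_frame("198.51.100.5", "192.168.1.24", 6, 80, 51001, 300),
                     ipv4_frame("192.168.1.24", "239.255.255.250", 17, 51002, 1900, 120)])
```

Run `top_talkers(open("capture.pcap", "rb").read(), "192.168.1.24")` on a real capture saved in pcap (not pcapng) format to get the same ranking; the inbound byte count is what separates a large download from the few tens of kilobytes an OCSP or connectivity check produces.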

Comments

Thank you for your answer.

The only application that was running was indeed Wireshark (and the terminal with which I've opened wireshark). There was no other application in the background or minimized.

I have some GitHub repositories on my computer but I wasn't doing anything (clone, fetch or whatever) when I was doing the capture so it doesn't seem normal to me.

I'll investigate on Ubuntu connectivity check and Google.

However, this doesn't explain why I receive some packets from companies that provide cloud services, such as Akamai, Cloudflare, Fastly, while I was doing nothing. I mean: I just launched the capture with only wireshark running. Then I had dinner and when I came back 1 hour later, my computer had received 5 Go of data. That's the amount of data my PS4 has received in 2 days when I'm watching Youtube all ...(more)

adri0907 (2022-04-27 06:34:21 +0000)

There was no other application in the background or minimized.

What about system daemons?

Guy Harris (2022-04-27 20:20:18 +0000)

This is what I get with ps -A while these applications are running: wireshark, a terminal, gnome monitor system, mozilla firefox and mozilla thunderbird

adri0907 (2022-04-28 20:51:05 +0000)

However, this doesn't explain why I receive some packets from companies that provide cloud services, such as Akamai, Cloudflare, Fastly, while I was doing nothing.

The Akamai traffic is Online Certificate Status Protocol (OCSP) traffic, so it's probably the same checking that was being done with Google.

Then I had dinner and when I came back 1 hour later, my computer had received 5 Go of data.

The majority of the TCP traffic in your capture is from objects.githubusercontent.com. The rest is just tens of Ko to and from various other services.

Guy Harris (2022-05-01 03:00:51 +0000)

What does

apt-cache policy | awk '/http.*amd64/{print$2}' | sort -u

print? Does it mention anything connected with GitHub as an APT repository?

Guy Harris (2022-05-01 04:10:02 +0000)


Stats

Asked: 2022-04-26 19:27:48 +0000

Seen: 849 times

Last updated: Apr 27 '22