Is it a MITM attack?

I am on Linux Mint. I was also using a Squid proxy. So I had been using a wired connection through the LAN port to connect to the internet. Several times I had noted two MAC addresses showing up on the same IP address using:

arp -a

So no doubt I was under attack, at least ARP spoofing. My question is regarding an incident where I was on a very important Webex meeting through my Android mobile. The connection sequence was the following: LAN (30 Mbps) > Laptop > Hotspot > Mobile. So during the Webex meeting, as soon as I was turning my video on, it was immediately turning off. I tried several times. The other person in the meeting also complained that my sound was not clear. Otherwise, when I attended the same Webex meeting another time through the same connection, there was no such problem. Even on a slower 4G network things worked well. So just after the meeting I kept the mobile connected and started Wireshark to capture traffic.

I found several TCP Dup ACKs, TCP ACKed unseen segments, malformed packets, suspected retransmissions, TCP RSTs, malformed IPX packets and "illegal character found in header name" (HTTP). A few are below:

tcp.seq eq 2422

11337   2022-02-04 12:06:10.684662778   Gateway.local   www3.l.google.com           TCP 68  42106 → https(443) [ACK] Seq=2422 Ack=39032 Win=119296 Len=0 TSval=2910797158 TSecr=1576833926

11340   2022-02-04 12:06:10.899973194   Gateway.local   www3.l.google.com           TCP 80  [TCP Dup ACK 11337#1] 42106 → https(443) [ACK] Seq=2422 Ack=39032 Win=119296 Len=0 TSval=2910797374 TSecr=1576834186 SLE=38993 SRE=39032

11680   2022-02-04 12:07:09.592393168   Gateway.local   www3.l.google.com           TLSv1.3 107 Application Data

Also

tcp.seq eq 1

172 2022-02-04 12:02:27.716646107   Gateway.local   Gateway.local           TCP 68  49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0 TSval=2006993776 TSecr=2006948421

173 2022-02-04 12:02:27.716675844   Gateway.local   Gateway.local           TCP 68  [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=2 Win=3637 Len=0 TSval=2006993776 TSecr=2006948380

1535    2022-02-04 12:03:12.772644810   Gateway.local   Gateway.local           TCP 68  [TCP Dup ACK 172#1] 49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0 TSval=2007038831 TSecr=2006993776

1536    2022-02-04 12:03:12.772678417   Gateway.local   Gateway.local           TCP 68  [TCP Dup ACK 173#1] [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=2 Win=3637 Len=0 TSval=2007038831 TSecr=2006948380

1697    2022-02-04 12:03:57.828673653   Gateway.local   Gateway.local           TCP 68  [TCP Dup ACK 172#2] 49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0 TSval=2007083886 TSecr=2007038831

1698    2022-02-04 12:03:57.828714854   Gateway.local   Gateway.local           TCP 68  [TCP Dup ACK 173#2] [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=2 Win=3637 Len=0 TSval=2007083886 TSecr=2006948380

2606    2022-02-04 12:04:33.875741906   Gateway.local   Gateway.local           TCP 4401    [TCP Previous segment not captured] 49028 → ndl-aas(3128) [PSH, ACK] Seq=2 Ack=1 Win=2769 Len=4333 TSval=2007119932 TSecr=2007083886

2607    2022-02-04 12:04:33.875775071   Gateway.local   Gateway.local           TCP 68  [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=4335 Win=3637 Len=0 TSval=2007119932 TSecr=2007119932

Illegal Character found in header name

2693    2022-02-04 12:04:34.507851731   Gateway.local   Gateway.local           TCP 1486    ndl-aas(3128) → 49028 [PSH, ACK] Seq=19495 Ack=9906 Win=3637 Len=1418 TSval=2007120564 TSecr=2007120556
Hypertext Transfer Protocol
 [truncated]h��2�G$$\023\177}BK�j\036U��b�jeg�3?�F��\032��\b��<9_�\006��n3�ɟ#�\005�p�+�/���\031�/�wFv3\000�xH���ۣ�8m��h\\016I�q_�8\f~�\027}T��-�4�\U000E
[Expert Info (Warning/Protocol): Illegal characters found in header name]
[Illegal characters found in header name]
[Severity level: Warning]
[Group: Protocol]
Data (518 bytes)
Data: 1593557f7f2b153d74788d9babc36b71d22bc5dff873058009c9afed58a279eab34f72fb…
Text [truncated]: \025�U\177\177+\025=tx����kq�+���s\005�\t���X�y��Or�[�\002��^L\025�jPu�}.9\037��W�?��P\toM���J�\001��=O\f,-��Ld������ML�(v��nI$�\0
[Length: 518]

[1 bytes missing in capture file].............?.WVf}.!...}q.d<...:..y.=N...b37..%t8.....p$r!...L].[........~.......j..v;

Here is another. Note this one is when no application was running and the laptop was connected to the Wi-Fi router. I am referring to this book. Indication: repeated TCP Dup ACK packets being sent for Seq=89 from my system side, and the port number is changing.

285 2022-03-17 15:02:34.464478  192.168.XXX.XXX 35.224.XXX.XXX          TCP 68  [TCP Dup ACK 283#1] 63626 → http(80) [ACK] Seq=89 Ack=150 Win=30720 Len=0 TSval=1775378270 TSecr=106614914

761 2022-03-17 15:13:00.356730  192.168.XXX.XXX 35.224.XXX.XXX          TCP 68  [TCP Dup ACK 759#1] 63640 → http(80) [ACK] Seq=89 Ack=150 Win=30720 Len=0 TSval=1776004215 TSecr=3296747656

900 2022-03-17 15:18:00.753715  192.168.XXX.XXX 35.224.XXX.XXX          TCP 68  [TCP Dup ACK 898#1] 34126 → http(80) [ACK] Seq=89 Ack=150 Win=30720 Len=0 TSval=2736262130 TSecr=2438097451

1036    2022-03-17 15:23:00.625265  192.168.XXX.XXX 35.224.XXX.XXX          TCP 68  [TCP Dup ACK 1034#1] 62890 → http(80) [ACK] Seq=89 Ack=150 Win=30720 Len=0 TSval=2283015114 TSecr=1951087961

1189    2022-03-17 15:28:00.450750  192.168.XXX.XXX 35.224.XXX.XXX          TCP 68  [TCP Dup ACK 1187#1] 63646 → http(80) [ACK] Seq=89 Ack=150 Win=30720 Len=0 TSval=1776904313 TSecr=963384513

1339    2022-03-17 15:33:00.407191  192.168.XXX.XXX 35.224.XXX.XXX          TCP 68  [TCP Dup ACK 1337#1] 62894 → http(80) [ACK] Seq=89 Ack=150 Win=30720 Len=0 TSval=2283614889 TSecr=2623081054

I want to know if it is a signature of a man-in-the-middle attack, and what I should check further. Please also suggest a source that can help me dig deeper.
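As an added example (not part of the question, and not Wireshark's or Squid's code), this Python script runs the two checks a defender would apply to the evidence above: it flags any IP that `arp -a` maps to more than one MAC address, and it tallies the Wireshark TCP expert-info tags per flow so the warnings can be compared across connections. The `arp -a` lines are constructed with made-up addresses; the capture lines are copied from the question with the trailing TSval/TSecr fields dropped.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output (Linux net-tools format). The gateway IP shows
# two different MACs, the observation reported above; all addresses are made up.
ARP_SAMPLE = """\
_gateway (192.168.0.1) at aa:bb:cc:00:00:01 [ether] on eth0
_gateway (192.168.0.1) at de:ad:be:ef:00:99 [ether] on eth0
? (192.168.0.20) at aa:bb:cc:00:00:20 [ether] on eth0
"""

# Summary lines copied from the captures quoted in the question (trailing
# timestamp-option fields dropped to keep the lines short).
CAPTURE_SAMPLE = """\
172 2022-02-04 12:02:27.716646107   Gateway.local   Gateway.local           TCP 68  49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0
173 2022-02-04 12:02:27.716675844   Gateway.local   Gateway.local           TCP 68  [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=2 Win=3637 Len=0
1535    2022-02-04 12:03:12.772644810   Gateway.local   Gateway.local           TCP 68  [TCP Dup ACK 172#1] 49028 → ndl-aas(3128) [ACK] Seq=1 Ack=1 Win=2769 Len=0
1536    2022-02-04 12:03:12.772678417   Gateway.local   Gateway.local           TCP 68  [TCP Dup ACK 173#1] [TCP ACKed unseen segment] ndl-aas(3128) → 49028 [ACK] Seq=1 Ack=2 Win=3637 Len=0
285 2022-03-17 15:02:34.464478  192.168.XXX.XXX 35.224.XXX.XXX          TCP 68  [TCP Dup ACK 283#1] 63626 → http(80) [ACK] Seq=89 Ack=150 Win=30720 Len=0
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Frame number, timestamp, src host, dst host, "TCP <len>", optional expert
# tags, then "sport → dport [flags]" exactly as Wireshark's packet list prints it.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<ts>\S+ \S+)\s+(?P<sip>\S+)\s+(?P<dip>\S+)\s+TCP\s+\d+\s+"
    r"(?P<expert>(?:\[TCP [^\]]*\]\s*)*)(?P<sport>\S+) → (?P<dport>\S+) \[(?P<flags>[^\]]*)\]"
)

def find_duplicate_ips(arp_text):
    """Return {ip: [mac, ...]} for every IP that the ARP cache maps to
    more than one MAC, the classic ARP-spoofing indicator."""
    seen = defaultdict(set)
    for line in arp_text.splitlines():
        m = ARP_RE.search(line)
        if m:
            seen[m["ip"]].add(m["mac"].lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

def summarize_expert_info(capture_text):
    """Tally Wireshark TCP expert warnings per flow (src, sport, dst, dport).
    'Dup ACK 172#1' is normalised to 'Dup ACK' so repeats aggregate."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flow = (m["sip"], m["sport"], m["dip"], m["dport"])
        for tag in re.findall(r"\[TCP ([^\]]*)\]", m["expert"]):
            counts[flow][re.sub(r" \d+#\d+$", "", tag)] += 1
    return {flow: dict(tags) for flow, tags in counts.items()}

if __name__ == "__main__":
    for ip, macs in find_duplicate_ips(ARP_SAMPLE).items():
        print(f"WARNING: {ip} answered by {len(macs)} MACs: {', '.join(macs)}")
    for flow, tags in summarize_expert_info(CAPTURE_SAMPLE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {tags}")
```

Dup ACK and "ACKed unseen segment" warnings are ordinary packet-loss or capture artifacts and are not by themselves a MITM signature; the one IP answered by two MACs is the finding worth verifying against the router's real MAC address.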