False alarm. Really appreciate everyone helping me sanity check this. The randomized MAC is part of iOS' Wi-Fi privacy, and my phone is using Wi-Fi calling for AT&T. The randomized MAC and the fact that I thought I saw the traffic originating from my desktop (it wasn't, it was just multicast traffic) really threw me off.
Sounds like you found the issue, but for future reference or for anyone stumbling across this later on, another thing to check is the network port in "cheap" (i.e. generally < $100) USB/USB-C hubs/port expanders with a power passthrough and a network port.

I had a pretty bizarre experience where it would work just fine during the day while the computer was on, but when I'd shut the lid of my work MacBook, the network port on that little USB-C hub would just start sending off ACK signals like crazy, killing my network for anything else trying to use it (effectively a denial of service against myself). It was really hard to track down, also because it wasn't really "traffic", and it didn't happen on the devices that were impacted (i.e. I'd be using my Windows PC in the evening, and that was attached to my work computer). Even more perplexing because it was semi-random - it turned out it wasn't "random", it was when I shut the lid of my work laptop vs. just leaving it up and walking away. I finally saw the flood of traffic by dumping network traffic and was able to trace it back to that hub (at first I thought my laptop was pwned and was doing something like exfiltrating data or mining when I wasn't logged in, but it was very definitely the hub after a bit more digging).

Since discovering that, I have come across others that have written up the same or similar issues. With the power passthrough, the hub still has power, and if the network interface is flaky as many are, it can cause issues, particularly when the machine it's plugged into stops using it.

This post has links to a few various write-ups: https://mjtsai.com/blog/2022/05/11/usb-c-hubs-breaking-ether...

Do you happen to have a mobile phone with AT&T and are near Fremont, CA?
Even though this was a false alarm in the end, the processes taken to investigate this merit an upvote and a save for future reference.
I experienced a somewhat similar issue yesterday on my network that I described in detail here [0].

Essentially one of the computers (running Ubuntu) on my network started sending a VERY high volume (it measured 20 GB for the day, and I think it was all over a 10 minute period) of DNS traffic to my router, which runs an Unbound instance for my network. That traffic (or at least I think it was that traffic) brought down my network to the point where I couldn't even ping an external or internal IP address.

Does tcpdump show the destination IP address the traffic was sent to on AT&T's network? Curious if that could be a DNS server.

Also, what version of Ubuntu is your desktop running, and what software does it have on it? Are you using Canonical's Livepatch service?

[0] https://forum.opnsense.org/index.php?topic=31284.0
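The question above is the right first step: before deciding whether a host is compromised, aggregate who is talking to whom and how much, and separate multicast/broadcast chatter (which is what misled the original poster) from real unicast flows to external addresses. The script below is an added example, not code from anyone in this thread. It parses lines in the shape of `tcpdump -nn -q` summary output; the sample capture, the hosts and the local subnet (192.168.1.0/24) are constructed and assumed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -nn -q -i eth0` output.
# Assumed hosts: 192.168.1.20 is the desktop, 192.168.1.77 an unknown LAN
# client, 203.0.113.10 and 198.51.100.5 are external endpoints.
SAMPLE_TCPDUMP = """\
12:00:01.000100 IP 192.168.1.77.4500 > 203.0.113.10.4500: UDP, length 1200
12:00:01.000200 IP 192.168.1.77.4500 > 203.0.113.10.4500: UDP, length 1200
12:00:01.000300 IP 203.0.113.10.4500 > 192.168.1.77.4500: UDP, length 160
12:00:01.000400 IP 192.168.1.20.5353 > 224.0.0.251.5353: UDP, length 80
12:00:01.000500 IP 192.168.1.20.5353 > 224.0.0.251.5353: UDP, length 80
12:00:01.000600 IP 192.168.1.20.51234 > 198.51.100.5.443: tcp 0
12:00:01.000700 IP 198.51.100.5.443 > 192.168.1.20.51234: tcp 1448
12:00:01.000800 IP 192.168.1.77.4500 > 203.0.113.10.4500: UDP, length 1200
"""

# Assumed local subnet; adjust to the network being investigated.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Matches the `-q` one-line summaries: "IP src.port > dst.port: UDP, length N"
# or "IP src.port > dst.port: tcp N".
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>[0-9a-fA-F.:]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[0-9a-fA-F.:]+)\.(?P<dport>\d+): "
    r"(?:UDP, length|tcp) (?P<length>\d+)"
)


def parse_tcpdump(text):
    """Yield (src, dst, payload_length) for every line in the summary format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["length"])


def classify_dst(dst):
    """Label a destination so link-local chatter is not mistaken for exfiltration."""
    addr = ipaddress.ip_address(dst)
    if addr.is_multicast:
        return "multicast"
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if addr in LOCAL_NET:
        return "local"
    return "external"


def summarize(text):
    """Return (bytes per (src, dst) pair, bytes per source host)."""
    flows = defaultdict(int)
    per_src = defaultdict(int)
    for src, dst, length in parse_tcpdump(text):
        flows[(src, dst)] += length
        per_src[src] += length
    return dict(flows), dict(per_src)


def top_flows(text, n=5):
    """Largest flows first, each tagged with the destination's class."""
    flows, _ = summarize(text)
    ranked = sorted(flows.items(), key=lambda kv: kv[1], reverse=True)
    return [(src, dst, nbytes, classify_dst(dst)) for (src, dst), nbytes in ranked[:n]]


if __name__ == "__main__":
    for src, dst, nbytes, kind in top_flows(SAMPLE_TCPDUMP):
        print(f"{src:>16} -> {dst:<16} {nbytes:>8} bytes  [{kind}]")
```

On a real capture, pipe `tcpdump -nn -q -r capture.pcap` into the parser instead of the embedded sample. The point of the `classify_dst` column is the one the original poster learned the hard way: mDNS to 224.0.0.251 from the desktop is noise, while the largest flow here is a separate LAN client sending to an external host.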

I think we need more information. Do you run any services on that machine that would be exposed? Do you port-forward to that box? Use a VPN or something like Tailscale?

Or perhaps a sync client like syncthing, onedrive, nextcloud, etc. could be to blame.

One option would be to log all traffic on that machine to a .pcap and feed it through some IDS analyzers.

Do you have a corporate laptop or computer? Things like CrowdStrike love to scan your network and phone home.
Older versions of Unifi controller were subject to mining hacks because of the Log4J compromise. I would check to make sure you are running a recent version of the Unifi Controller.
Some cell phones will generate a random MAC address. Is given out from your DHCP server? Maybe a phone syncing video to a cloud service.
Are you running any virtual machines on your desktop? Because "My machine is but there's something on the same physical host communicating as" is what it'd look like if a virtual machine with a "bridged" ethernet interface got its own IP address via DHCP and talked to the Internet.

This is speculation, I don't know whether you were owned.

At least block the external IP and ports where the transfers are happening. Change the router password, some neighbor might be in the network.

It sounds like it might be part of a DDoS campaign, as well. Hard to diagnose here.

How is your desktop connected to the switch (ethernet or wifi)? If the computer is wired, maybe you have a virus on it and that is somehow using the wifi to get another IP? I would suggest you backup your user data and wipe/restore the desktop. If it comes back after that, I'd bet someone has cracked your wifi password and is getting in that way, or some other device on the network is the culprit and reinfecting your desktop.
> - I saw that `` showed up as a client on my switch with a randomized MAC address (presumably, since I couldn't find the MAC prefix in a vendor list).

MAC address randomization is enabled by default on iOS: https://www.linksys.com/support-article?articleNum=317709

Are any of your switches running a BGP service you do not know about? Could it be trying to send or receive a huge routing table?
> I'm especially perplexed at the traffic showing up from a different source IP on my desktop, but I did not see any interface that matched

This is easy to do with a raw socket, you just ARP for the IP. See fantaip in Unicornscan for an example of software that can do that for you. So, all you need is root.

Is your router patched? Maybe they hacked your router. Not sure why it would need to assign itself a new IP. Maybe there is a docker container running on the router?
Keep it as a honeypot and run the replacement in a VLANed subnet off the currently owned router.
Looks like a RAT.

Or it could be a torrent client running in the background, or some sync service for a storage app.

iproute2 things you could look at:

ip ne # show the IP/MAC table

ip rule # show the source routing state

ip netns list # show network namespaces

You could also transfer a trusted "ip" binary from another system in case yours is compromised (the kernel could be compromised too).
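The `ip neigh` table suggested above is also where the thread's two puzzles leave a trace: a randomized MAC (iOS and Android set the locally administered bit, 0x02 in the first octet, which is why no vendor prefix matches), and a second IP answering ARP with a MAC that already belongs to another host. The script below is an added example, not code from this thread; it parses lines in the shape of `ip neigh show` output. The sample entries, addresses and MACs are constructed and assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of `ip neigh show` output (assumed hosts).
# 6a:... has the locally administered bit set, as randomized MACs do;
# 3c:52:82:... answers for two IPv4 addresses.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.77 dev eth0 lladdr 6a:3b:2c:1d:0e:ff STALE
192.168.1.20 dev eth0 lladdr 3c:52:82:aa:bb:cc REACHABLE
192.168.1.88 dev eth0 lladdr 3c:52:82:aa:bb:cc REACHABLE
192.168.1.99 dev eth0 FAILED
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
"""


def parse_ip_neigh(text):
    """Token-based parse of `ip neigh` lines; entries without lladdr keep mac=None."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        mac = None
        if "lladdr" in tokens:
            mac = tokens[tokens.index("lladdr") + 1].lower()
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
        # The NUD state (REACHABLE, STALE, FAILED, ...) is always the last token.
        entries.append({"ip": tokens[0], "dev": dev, "mac": mac, "state": tokens[-1]})
    return entries


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (no registered OUI applies)."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def find_randomized_macs(text):
    """Neighbour entries whose MAC is locally administered, e.g. phone privacy MACs."""
    return [e for e in parse_ip_neigh(text) if e["mac"] and is_locally_administered(e["mac"])]


def shared_macs(text):
    """MACs that answer for more than one address of the same IP family.

    A dual-stack host legitimately shows the same MAC for an IPv4 and an IPv6
    address, so only same-family duplicates are reported.
    """
    by_key = defaultdict(list)
    for e in parse_ip_neigh(text):
        if not e["mac"]:
            continue
        try:
            family = ipaddress.ip_address(e["ip"]).version
        except ValueError:
            continue
        by_key[(e["mac"], family)].append(e["ip"])
    return {mac: sorted(ips) for (mac, _fam), ips in by_key.items() if len(ips) > 1}


if __name__ == "__main__":
    for e in find_randomized_macs(SAMPLE_IP_NEIGH):
        print(f"randomized MAC: {e['ip']} {e['mac']} ({e['state']})")
    for mac, ips in shared_macs(SAMPLE_IP_NEIGH).items():
        print(f"one MAC, several IPs: {mac} -> {', '.join(ips)}")
```

Run it against the real table with `ip neigh show` piped in (ideally on the router or another trusted host, since the suspect machine's own tools may be untrustworthy, as the comment above notes). A locally administered MAC on a phone is expected; the same MAC answering for two IPv4 addresses is worth explaining, whether it is a bridged VM or something else.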


I agree there are problems.
I mean. Yes, you're pwned. You need to reflash all possible firmware, dd your disks to zeros and start again.. I wouldn't even trust it then, personally.

What's the IP address it was talking to? Maybe we can help find out what it was?