I had a pretty bizarre experience where it would work just fine during the day while the computer was on, but when I'd shut the lid of my work MacBook, the network port on that little USB-C hub would just start sending off ACK signals like crazy, killing my network for anything else trying to use it (effectively a denial of service against myself). It was really hard to track down also because it wasn't "traffic" really, and it didn't happen on the devices that were impacted (i.e. I'd be using my Windows PC in the evening and that was attached to my work computer). Even more perplexing because it was semi-random - turned out it wasn't "random", it was when I shut the lid of my work laptop vs. just leaving it up and walking away. I finally saw the flood of traffic by dumping network traffic and was able to trace it back to that hub (first I thought my laptop was pwned and was doing something like exfiltrating data or mining when I wasn't logged in, but it was very definitely the hub after a bit more digging).
Since discovering that, I have come across others that have written up the same or similar issues. With the power passthrough, the hub still has power, and if the network interface is flaky as many are, it can cause issues, particularly when the machine it's plugged into stops using it.
This post has links to a few various write-ups: https://mjtsai.com/blog/2022/05/11/usb-c-hubs-breaking-ether...
Essentially one of the computers (running Ubuntu) on my network started sending a VERY high volume (it measured 20gb for the day, and I think it was all over a 10 minute period) of DNS traffic to my router, which runs an unbound instance for my network. That traffic (or at least I think it was that traffic) brought down my network to the point where I could even ping an external or internal IP address.
Does tcpdump show the destination IP address the traffic was sent to on AT&T's network? Curious if that could be a DNS server.
Also, what version of Ubuntu is your desktop running, and what software does it have on it? Are you using Canonical's Livepatch service?
Or perhaps a sync client like syncthing, onedrive, nextcloud, etc. could be to blame.
One option would be to log all traffic on that machine to a .pcap and feed it through some IDS analyzers.
This is speculation, I don't know whether you were owned.
It sounds like it might be part of a DDoS campaign, as well. Hard to diagnose here.
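As an added illustration of the pcap-triage idea above (this is constructed example code, not anything a poster here wrote): it parses tcpdump-style DNS query lines, buckets the query bytes per source host into fixed time windows, and flags any host whose DNS volume toward the resolver blows past a baseline cap. The sample capture lines, the 192.168.1.x addresses and the 50,000-byte-per-minute threshold are all made up for the demo.

```python
import re
from collections import defaultdict

# Matches tcpdump's default text output for a UDP DNS query, e.g.
# "12:00:01.123456 IP 192.168.1.50.41234 > 192.168.1.1.53: 1+ A? example.com. (29)"
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r".*\((?P<length>\d+)\)$"
)

def parse_dns_lines(lines):
    """Yield (second_of_day, src_ip, dst_ip, payload_bytes) for each DNS query line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DNS query line (or malformed): skip it
        sec = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        yield sec, m["src"], m["dst"], int(m["length"])

def dns_flood_sources(lines, window_s=60, max_bytes_per_window=50_000):
    """Return {src_ip: peak_bytes_in_one_window} for hosts exceeding the cap.

    DNS payload bytes are summed per source into fixed windows of window_s
    seconds; a host is flagged if any single window carries more than the cap.
    The cap is a constructed demo value; tune it to your own network's baseline.
    """
    buckets = defaultdict(int)  # (src_ip, window_index) -> bytes
    for sec, src, _dst, length in parse_dns_lines(lines):
        buckets[(src, sec // window_s)] += length
    peaks = defaultdict(int)
    for (src, _w), total in buckets.items():
        peaks[src] = max(peaks[src], total)
    return {src: peak for src, peak in peaks.items() if peak > max_bytes_per_window}

# Constructed sample capture: one quiet host (.20) and one flooding host (.50),
# both querying the router's resolver at 192.168.1.1 (all addresses are made up).
SAMPLE = ["09:00:05.000001 IP 192.168.1.20.50000 > 192.168.1.1.53: 1+ A? example.com. (29)"]
SAMPLE += [
    f"09:00:{i % 60:02d}.{i:06d} IP 192.168.1.50.41234 > 192.168.1.1.53: {i}+ A? host{i}.example.net. (48)"
    for i in range(1500)
]

if __name__ == "__main__":
    for src, peak in dns_flood_sources(SAMPLE).items():
        print(f"{src}: {peak} bytes of DNS queries in a single 60s window")
```

On a real box you would feed it `tcpdump -n -tt -r capture.pcap udp port 53` output instead of SAMPLE; the flagged source is the host to go inspect for a runaway sync client, torrent, or compromise.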
MAC address randomization is enabled by default on iOS: https://www.linksys.com/support-article?articleNum=317709
This is easy to do with a raw socket, you just ARP for the IP. See fantaip in Unicornscan for an example of software that can do that for you. So, all you need is root.
Or it could be torrent running in background or some sync services for any storage app.
ip ne # show the IP/MAC table
ip rule # show the source routing state
ip netns list # show network namespaces
You could also transfer a trusted "ip" binary from another system in case yours is compromised (the kernel could be compromised too).
I agree there are problems.
What's the IP address it was talking to? Maybe we can help find out what it was?