Ask HN: Was I pwned? [resolved]
- My desktop has a private IP address, let's say 10.0.0.2.
- Running `iftop`, I saw all the traffic coming from a different source IP address, 10.0.0.3. It was transferring ~300Mbps.
- Running `tcpdump`, I saw that all of this traffic was going to a public IP address (AT&T). All of the source port/dest were ipsec-nat-t.
- I saw that `10.0.0.3` showed up as a client on my switch with a randomized MAC address (presumably, since I couldn't find the MAC prefix in a vendor list).
- I could not find any references to `10.0.0.3` or the random MAC address on my desktop (looking at kernel logs, system logs, ip a, ifconfig).
- During this period, my network was degraded (high packet loss across my switches).
It was at this point that I decided to try blocking the MAC address from my switch, and performance immediately returned to normal. I tried unblocking the MAC a few minutes later, but it has yet to return. That plus the fact that the issue happens at seemingly random times (especially the middle of the night) makes me think that it's not automatically connecting and instead being triggered remotely.
I've since disconnected my desktop from the network and am in the process of rotating keys. I'm especially perplexed at the traffic showing up from a different source IP on my desktop, but I did not see any interface that matched. I tried to look and see if it was potentially a VM running, but I didn't see anything in virsh. I did have Docker containers running, but I assume I would have seen the IP address show up on one of my interfaces.
I'm at a bit of a loss and was wondering if anyone has ever seen anything like this before, and if there is any suggestions for things I should check.
93 comments
[ 3.2 ms ] story [ 167 ms ] threadOr it could be torrent running in background or some sync services for any storage app.
What's the IP address it was talking to? Maybe we can help find out what it was?
The IP address was 107.122.31.71.
Kill it. Kill it with fire.
There's no obvious connections to any orgs or sites, and no entries in virustotal or abuseipdb, however there is an open port 179 (looks like BGP??).
Drop it in a 35-foot hole in the ground,
Cover it completely, rocks and boulders should be fine...
Or perhaps a sync client like syncthing, onedrive, nextcloud, etc. could be to blame.
One option would be to log all traffic on that machine to a .pcap and feed it through some IDS analyzers.
I do use Dropbox, but the odd part was it seemingly IPsec traffic.
I really should have grabbed a pcap when it was occurring. I only have a screenshot of tcpdump which is not very useful.
Kill your Dropbox process(es) -- there will probably be several, again for no clear reason -- and I'll bet this behavior stops. Whenever my system behaves in an unexpected way, I've learned to start the troubleshooting process by temporarily killing Dropbox.
I'm currently ruling out that it is any other device given I'm seeing the traffic from my desktop, and it shouldn't be acting as a router for another physical device. But I'd like to know if I could be wrong about htat.
If companies can say "our network, our rules", I'll also do the same with mine.
See https://news.ycombinator.com/item?id=33821387
It sounds like it might be part of a DDoS campaign, as well. Hard to diagnose here.
sudo lsof -n -i :4500
Wi-Fi can work the same way, though it sometimes requires an extra step to place your machine's network card into "promiscuous mode" in order to see traffic neither to or from your machine.
There's examples of WiFi calling causing this type of issue, described as a packet storm. For example, here's a reddit post with similar symptoms you're describing. https://www.reddit.com/r/networking/comments/3g31mc/iphone_w...
https://ipinfo.io/107.122.31.71
You need to find out because that is what is happening. Both UniFi and MikroTik switches support BGP.
https://help.mikrotik.com/docs/display/ROS/BGP
This is the issue. The patch either turned on BGP or has a BGP bug.
This is speculation, I don't know whether you were owned.
ip ne # show the IP/MAC table
ip rule # show the source routing state
ip netns list # show network namespaces
You could also transfer a trusted "ip" binary from another system in case yours is compromised (kernel could be compromised too)
MAC address randomization is enabled by default on iOS: https://www.linksys.com/support-article?articleNum=317709
Do you mind sharing what gets you that kind of data usage? Just hours of FaceTime calling or something else?
I am also probably wrong about it being 300Mbps to AT&T. It was probably 300Mbps of multicast traffic internally.
This is why so many people footgun themselves disabling spanning tree, is it seems to work without it... until it doesn't.
Took a loong time and Wireshark for me to find that one.
Wireshark is awesome, but the problem is, I only need to use it about once every five years, which means I have to start the learning curve from scratch every single time. I end up following the same basic troubleshooting steps each time, but the process never gets any easier because I never remember what I did the last time.
If you have icloud backups enabled, check the size of the backup.
This seems to be an issue that comes up from time to time on iOS and the only way to clear it is to temporarily disable backups, remove all backups, then re-enable the backup. If that doesn't clear out the oversized backup, you may need to factory reset. I ended up factory resetting my iPad to resolve my issue.
They also keep changing stuff on each update to make it harder to force the things to disconnect in sleep mode without a lot of fiddling.. so I've resorted to just adding them to a MAC based access control on the router which we toggle on when we want to use the internet for anything that needs more reliability or bandwidth. I also first tried an aluminium foil based Faraday cage/box to chuck them in with some degree of success but the foil can get breaky.
Some devices can respond with errors to the traffic received, but not destined to them.
This is easy to do with a raw socket, you just ARP for the IP. See fantaip in Unicornscan for example an example of software that can do that for you. So, all you need is root.
Essentially one of the computers (running ubuntu) on my network started sending a VERY high volume (it measured 20gb for the day, and I think it was all over a 10 minute period) of DNS traffic to my router, which runs an unbound instance for my network. That traffic (or at least I think it was that traffic) brought down my network to the point where I could even ping an external or internal ip address.
Does tcpdump show the destination ip address the traffic was sent to on AT&T's network? Curious if that could be a dns server..
Also, what version of ubuntu is your desktop running, and what software does it have on it? Are you using canonical's livepatch service?
[0] https://forum.opnsense.org/index.php?topic=31284.0
I'm running Ubuntu 20.04. I don't use livepatch, but I do update/reboot frequently. I'm mostly running Chrome, Firefox, and Docker. Occasionally GIMP and LibreOffice.
I had a pretty bizarre experience where it would work just fine during the day while the computer was on, but when I'd shut the lid of my work MacBook, the network port on that little USB-C hub would just start sending off ACK signals like crazy, killing my network for anything else trying to use it (effectively denial of service myself). It was really hard to track down also because it wasn't "traffic" really, and it didn't happen on the devices that were impacted (i.e. I'd be using my Windows PC in the evening and that was attached to my work computer). Even more perplexing because it was semi-random - turned out it wasn't "random", it was when I shut the lid of my work laptop vs. just leaving it up and walking away. I finally saw the flood of traffic by dumping network traffic and was able to trace it back to that hub (first I thought my laptop was pwned and was doing something like exfiltrating data or mining when I wasn't logged in, but it was very definitely the hub after a bit more digging).
Since discovering that, I have come across others that have written up the same or similar issues. With the power passthrough, the hub still has power, and if the network interface is flaky as many are, it can cause issues, particularly when the machine it's plugged into stops using it.
This post has links to a few various write-ups: https://mjtsai.com/blog/2022/05/11/usb-c-hubs-breaking-ether...