Device with fake MAC address

Hi,
I have unknown devices with fake MAC addresses in my Majordomo statistics.

My wifi is secured with WPA2 and a MAC filter. But still, since December 2016 I have unknown MAC addresses in my Majordomo statistics. Each of them has very low traffic. Just one connection per MAC address, one packet upload, each of them either 102.00 B or 1.41 KB in size. There are 1 to 6 of these fake devices per month. The MAC addresses seem to be random. Also, the port of the target seems to be random.

I do not want to be excessively paranoid, but these are the target IP addresses, ports and owners (according to www.iplocation.net):

4073:29f9:d19c:59b:f257:4ea0:7789:ac17 16747/TCP (Internet Assigned Numbers Authority)
573:9bbf:724e:2fb:b132:ed47:7042:f276 63180/UDP (Internet Assigned Numbers Authority)
f17c:b22e:e259:8a86:62fb:8a86:e9a6:bdc9 51133/UDP (Internet Assigned Numbers Authority)
c6ac:bea7:b512:883:1a82:8046:6ca:4100 61514/TCP (Internet Assigned Numbers Authority)
119.81.53.91 64165/UDP (SoftLayer Dutch Holdings B.V.)
177.219.150.180 42/UDP (Tim Celular S.A.)
699:3ee7:73a7:c80c:93d:180:bfb9:200b 64768/TCP (Internet Assigned Numbers Authority)
1bb9:4f0a:66b9:cff3:e945:9d2c:11fa:e3a 7720/UDP (Internet Assigned Numbers Authority)
140.6.229.69 62583/TCP (Navy Network Information Center (NNIC))
a0cb:9fd4:a841:6d91:cf96:aa9f:5299:ec96 35162/UDP (Internet Assigned Numbers Authority)
150.250.55.166 38546/UDP (Rowan University)
6.201.29.251 19964/TCP (US Department of Defense Network (USAISC))
926c:ab0f:7142:e531:7890:9788:a40f:b94c 44506/TCP (Internet Assigned Numbers Authority)

I assume that “Internet Assigned Numbers Authority” simply means “unknown”. However, the US Navy and the US DoD look suspicious… You know, I do not want Donald Trump browsing through my “golden shower” videos…

My hypothesis is that one of the devices in my LAN is compromised. Either Turris himself (I have the first generation of Turris) or one of my clients (Windows 10, Android, Blackberry).

Did anyone of you have similar problems? What do you think is the source of these fake devices with fake MAC addresses? Any comment and suggestion is appreciated!

This is fox and she wants small green peas. :upside_down: Fox goes from Fort Huachuca. :eye:

What is new in your home? December=Christmas gift(smart gadgets) ?

But where are the golden horns? :tired_face:

In fact, the problem started even earlier than December… Smart gadgets? One from China and one from Canada…

Do you have any suggestions how to track the problem?

Does fox come with smart gadgets?

What does https://macvendors.com/ say about MAC addresses?

Hi,
the MAC addresses are completely random. So macvendors.com does not say anything. Today the MAC address no longer serves as a hardware signature. It is a software issue. You can spoof the MAC address on any device: on an Android phone, on Windows. You can even spoof the MAC address of your Turris router very easily through the LuCI interface…

The problem persists even though I have MAC address filtering on my wifi. So we can rule out all my “smart gadgets” (Android, Windows, Blackberry…), because they all connect through wifi. If any of these devices tried to connect with a fake MAC address, it would be rejected by the router.

This leaves us with only two possible suspects:

  1. NAS (running with custom “Alt-F” firmware)
  2. Turris.

I have three questions, if anyone can help:

  1. Majordomo is fine, but I need more data. Is it possible for Majordomo to log through which network interface the connection was made? At the moment, Majordomo does not distinguish between devices connected through the wireless interface, an ethernet port or other interfaces (such as VPN).
  2. Is it possible to set a MAC filter on other interfaces than just wireless?
  3. Is it possible to write some script which would alert me whenever there is a new (unknown) device (= new fake MAC) establishing a connection? I am just a user and my Linux skills are limited.

Thank you very much for your help!

OK, I am pretty sure I have found the source of the suspected traffic. No, it is not a Chinese smart phone with Android. The compromised device is a D-Link DNS-320 NAS running an alternative firmware called “Alt-F” (https://sourceforge.net/projects/alt-f/).

How did I find out? I turned on MAC filtering on my wifi interface. The suspicious traffic originating from fake MAC addresses in my network continued. Then I simply powered down and disconnected my D-Link NAS (which is the only wired network device connected to the router). Suddenly all suspicious traffic stopped. I kept my NAS powered off for two months… No suspicious traffic. Then I turned my NAS back on and the suspicious traffic resumed within two days.

So if you have D-Link NAS, do not install Alt-F firmware. It is probably compromised.

I think that it might be caused by faulty hardware, e.g. the ethernet port in the NAS or the cable between the NAS and your Omnia.

:slight_smile:
No, it is not faulty hardware. Faulty hardware does not lead to MAC spoofing. Each packet of data is sent from a new MAC address. Almost all packets of data have the same size. This is not some “hardware fault”.

That would be probably better discussed on their forum. It could be just that the firmware had a hole that got exploited or something…

Yes, I am trying to reach the Alt-F developer through private message first. It could be that the firmware or one of the packages within the firmware (SAMBA?) has a hole that got exploited.

Well, the MAC addresses and IPv6 addresses are very random and most IPv6 addresses are invalid (not assigned for general use). It really does smell like corrupted packets. Yes, they could be corrupted by software, but more likely by broken hardware.
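Two points in the thread lend themselves to a small check: question 3 above (a script that alerts on a new, unknown MAC) and the last reply's observation that the IPv6 destinations are not valid. The script below is an added example, not part of the thread or of Majordomo; it assumes connection records in the shape the first post lists (source MAC, destination, port/protocol) and uses constructed MAC addresses. It flags records whose MAC is not on an allow-list or has the locally-administered bit set (typical of randomly generated MACs), and destinations outside the IPv6 space IANA has allocated for global unicast (2000::/3, per RFC 4291), which is where every IPv6 address in the original list falls.

```python
import ipaddress

# Allow-list of MACs you expect on the LAN; constructed placeholder values.
KNOWN_MACS = {"a8:11:22:33:44:55", "a8:11:22:33:44:66"}

# IANA has so far allocated global unicast IPv6 addresses only from 2000::/3 (RFC 4291).
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")

# Constructed sample records: source MAC, destination, port/protocol.
# Destinations are taken from the list in the first post; the MACs are made up.
SAMPLE_LOG = """\
a8:11:22:33:44:55 119.81.53.91 443/TCP
3e:91:0c:f4:2a:77 4073:29f9:d19c:59b:f257:4ea0:7789:ac17 16747/TCP
a8:11:22:33:44:66 140.6.229.69 62583/TCP
da:5f:11:90:ee:01 926c:ab0f:7142:e531:7890:9788:a40f:b94c 44506/TCP
"""

def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set, as most random MACs are."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def is_plausible_destination(addr):
    """False for destinations no real host can be reached at."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ip in GLOBAL_UNICAST_V6
    return ip.is_global

def parse_record(line):
    mac, dst, port_proto = line.split()
    port, proto = port_proto.split("/")
    return mac.lower(), dst, int(port), proto

def find_suspicious(log_text, known_macs=KNOWN_MACS):
    """Return (mac, dst, reasons) for every record worth an alert."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        mac, dst, port, proto = parse_record(line)
        reasons = []
        if mac not in known_macs:
            reasons.append("unknown MAC")
        if is_locally_administered(mac):
            reasons.append("locally administered (likely random) MAC")
        if not is_plausible_destination(dst):
            reasons.append("destination outside allocated unicast space")
        if reasons:
            findings.append((mac, dst, reasons))
    return findings

if __name__ == "__main__":
    for mac, dst, reasons in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {mac} -> {dst}: {', '.join(reasons)}")
```

On an OpenWrt-based router the same logic could be fed from the neighbour table (`ip neigh`) or conntrack output on a cron schedule; the input format would need adapting.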