Device with fake MAC address

I have unknown devices with fake MAC addresses in my Majordomo statistics.

My wifi is secured with WPA2 and MAC filter. But still, since December 2016 I have unknown MAC addresses in my Majordomo statistics. Each of them has very low traffic. Just one connection per MAC address, one packet upload, each of them either 102.00 B or 1.41 KB size. There are 1 to 6 of these fake devices per month. MAC address seems to be random. Also, the port of the target seems to be random.

I do not want to be excessively paranoid, but these are the target IP adresses, ports and owners (according to

4073:29f9:d19c:59b:f257:4ea0:7789:ac17 16747/TCP (Internet Assigned Numbers Authority)
573:9bbf:724e:2fb:b132:ed47:7042:f276 63180/UDP (Internet Assigned Numbers Authority)
f17c:b22e:e259:8a86:62fb:8a86:e9a6:bdc9 51133/UDP (Internet Assigned Numbers Authority)
c6ac:bea7:b512:883:1a82:8046:6ca:4100 61514/TCP (Internet Assigned Numbers Authority) 64165/UDP (SoftLayer Dutch Holdings B.V.) 42/UDP (Tim Celular S.A.)
699:3ee7:73a7:c80c:93d:180:bfb9:200b 64768/TCP (Internet Assigned Numbers Authority)
1bb9:4f0a:66b9:cff3:e945:9d2c:11fa:e3a 7720/UDP (Internet Assigned Numbers Authority) 62583/TCP (Navy Network Information Center (NNIC))
a0cb:9fd4:a841:6d91:cf96:aa9f:5299:ec96 35162/UDP (Internet Assigned Numbers Authority) 38546/UDP (Rowan University) 19964/TCP (US Department of Defense Network (USAISC))
926c:ab0f:7142:e531:7890:9788:a40f:b94c 44506/TCP (Internet Assigned Numbers Authority)

I assume that “Internet Assigned Numbers Authority” simply means “unknown”. However, the US Navy and the US DoD look suspicious… You know, I do not want Donald Trump browsing through my “golden shower” videos…

My hypothesis is that one of the devices in my LAN is compromised. Either Turris himself (I have the first generation of Turris) or one of my clients (Windows 10, Android, Blackberry).

Did anyone of you have similar problems? What do you think is the source of these fake devices with fake MAC addresses? Any comment and suggestion is appreciated!

This is fox and she wants small green peas. :upside_down: Fox is goes from Fort Huachuca. :eye:

What is new in your home? December=Christmas gift(smart gadgets) ?

But where are the golden horns? :tired_face:

In fact, the problem started even earlier than December… Smart gadgets? One from China and one from Canada…

Do you have any suggestions how to track the problem?

does fox come with smart gadgets?

What does say about MAC addresses?

the MAC addresses are completely random. So does not say anything. Today MAC address no longer serves as hardware signature. It is a software issue. You can spoof MAC address on any device. On Android phone, on Windows. You can even spoof MAC address of your Turris router very easily through Luci interface…

The problem persists even if I have MAC address filtering on my wifi. So we can rule out all my “smart gadgets” (Android, Windows, Blackberry…), because they all connect through wifi. If any of these devices tries to connect with fake MAC address, it would be rejected by the router.

This leaves us with only two possible suspects:

  1. NAS (running with custom “Alt-F” firmware)
  2. Turris.

I have three questions, if anyone can help:

  1. Majordomo is fine, but I need more data. Is it possible for majordomo to log through which network interface the connection was made? At the moment, majordomo does not distinguish between devices connected through wireless interface or ethernet port or other interfaces (such as vpn).
  2. Is it possible to set MAC filter on other interfaces then just wireless?
  3. Is it possible to write some script which would alert me whenever there is new (unknown) device (= new fake MAC) establishing connection? I am just a user and my linux skills are limited.

Thank you very much for your help!

OK, I am pretty sure I have found the source of the suspected traffic. No, it is not a Chinese smart phone with Android. The compromised device is D-Link DNS-320 NAS running alternative firmware called “Alt-F” (

How I found out? I have turned on MAC filtering on my wifi interface. The suspicious traffic originating from fake MAC addresses in my network continued. Then I simply powered down and disconnected my D-Link NAS (which is the only wired network device connected to router). Suddenly all suspicious traffic stopped. I kept my NAS powered-off for two months… No suspicious traffic. The I turned my NAS and the suspicious traffic resumed within two days.

So if you have D-Link NAS, do not install Alt-F firmware. It is probably compromised.

It think that it might be caused by faulty hardware, e.g. ethernet port in the NAS or the cable between the NAS and your Omnia.

No, it is not faulty hardware. Faulty hardware does not lead to MAC spoofing. Each packet of data is sent from new MAC address. Almost all packets of data have the same size. This is not some “hardware fault”.

That would be probably better discussed on their forum. It could be just that the firmware had a hole that got exploited or something…

Yes, I am trying to reach the Alt-F developer through private message first. It could be that the firmware or one of the packages within the firmware (SAMBA?) has a hole that got exploited.

Well, the MAC addresses and IPv6 addresses are very random and most IPv6 addresses are invalid (not assigned for general use). It really does smell like corrupted packets. Yes, they could be corrupted by software, but more likely by broken hardware.