A few days ago, I noticed that my home network performance would degrade substantially to the point of being unusable. I would just power-cycle all my switches, and the issue would resolve for a while. It happened again this morning, so I decided to try to look closer at what could be causing the issue. That’s when I noticed that my Linux desktop was doing a lot of traffic, and here’s what I observed:

- My desktop has a private IP address, let’s say 10.0.0.2.
- Running `iftop`, I saw all the traffic coming from a different source IP address, 10.0.0.3. It was transferring ~300Mbps.
- Running `tcpdump`, I saw that all of this traffic was going to a public IP address (AT&T). All of the source port/dest were ipsec-nat-t.
- I saw that `10.0.0.3` showed up as a client on my switch with a randomized MAC address (presumably, since I couldn’t find the MAC prefix in a vendor list).
- I could not find any references to `10.0.0.3` or the random MAC address on my desktop (looking at kernel logs, system logs, `ip a`, `ifconfig`).
- During this period, my network was degraded (high packet loss across my switches).

It was at this point that I decided to try blocking the MAC address from my switch, and performance immediately returned to normal. I tried unblocking the MAC a few minutes later, but it has yet to return. That, plus the fact that the issue happens at seemingly random times (especially the middle of the night), makes me think that it’s not automatically connecting and instead being triggered remotely.

I’ve since disconnected my desktop from the network and am in the process of rotating keys.

I’m especially perplexed at the traffic showing up from a different source IP on my desktop, but I did not see any interface that matched. I tried to look and see if it was potentially a VM running, but I didn’t see anything in `virsh`. I did have Docker containers running, but I assume I would have seen the IP address show up on one of my interfaces.

I’m at a bit of a loss and was wondering if anyone has ever seen anything like this before, and if there are any suggestions for things I should check.
Story Published at: December 1, 2022 at 06:24PM
