19 votes

HELP: Suddenly seeing a huge influx of ethernet devices on my network

I noticed today that there are a large number of devices on my home network, all claiming to be ethernet connections. They kind of claimed all free IP addresses from x.x.x.63-253. They are not all on from what I have seen (and they are currently almost all off). Normally, my network should have only a handful of ethernet devices, which are my Fedora desktop, my Proxmox host, my OpenMediaVault VM on Proxmox machine running 24/7, and then the occasional VM I boot up as needed. I searched the occasional MAC address of one of these devices, and nothing came up. Does anyone know what the culprit of this would be or what I could use to diagnose it?

Screenshot of some of the weird devices listed (I blacked out my known devices)

10 comments

  1. [4]
    Liru

    It looks like the last blacked out machine has a similar MAC address as the new ones, from a quick check.

    12 votes
    1. [3]
      IsildursBane

      You are correct, that is my OpenMediaVault VM. I did not catch the similarity there. Looking into it further, I also have a Windows VM that has a different MAC address. I will look into my OMV VM to see if anything seems off with it. Thank you

      6 votes
      1. [2]
        xk3

        It's probably the Windows VM which is getting a new DHCP address each time you restart it?

        It looks like something is misconfigured rather than malicious

        6 votes
        1. IsildursBane

          It's probably the Windows VM which is getting a new DHCP address each time you restart it?

I doubt it since it is listing all these addresses as static, not DHCP

          It looks like something is misconfigured rather than malicious

          I am thinking that might be the case. It seemed to be causing issues last night where I could not reach some of the devices on my network properly, but once I restarted my Proxmox host, these addresses were no longer in use.

          2 votes
  2. [2]
    goose

    Assuming you're running docker containers, are they networked in macvlan mode?

    5 votes
    1. IsildursBane

      I am not running docker containers

  3. [2]
    PendingKetchup

    It looks like you have a lot of entries with the same MAC address and different IPs. And over on the right the allocation type is "static", which is weird if the theory is that something or a bunch of things are showing up and getting a bunch of IPs by DHCP, because that would be called "dynamic".

    Are you sure you didn't somehow configure the router to assign dozens of IPs to this MAC? Or is the "static" column lying to you for some reason?

    Do you maybe have a device or a VM that keeps releasing and renewing (or not releasing and then still trying to renew) its IP? If the MACs are all the same, and the "static" column isn't to be believed, this could be one device asking for IPs repeatedly, and getting a different one each time (either because the DHCP server is not very clever, or because the device is using the Client ID option to get a bunch of different leases on purpose).

    If you fire up Wireshark and tell it to filter for DHCP traffic, you might get some insight into what is being asked by the device. You could also see how frequently it is asking for new addresses and how practical it would be to wander around unplugging things until it stops.

    5 votes
    1. IsildursBane

      It looks like you have a lot of entries with the same MAC address and different IPs.

      I did not notice that at first, but Liru pointed that out, and they are the same MAC address as my OpenMediaVault VM.

      And over on the right the allocation type is "static", which is weird if the theory is that something or a bunch of things are showing up and getting a bunch of IPs by DHCP, because that would be called "dynamic".

      I did notice that they were all static, and that it was just sequential

      Are you sure you didn't somehow configure the router to assign dozens of IPs to this MAC? Or is the "static" column lying to you for some reason?

      I have done no configuration on my router

      Do you maybe have a device or a VM that keeps releasing and renewing (or not releasing and then still trying to renew) its IP? If the MACs are all the same, and the "static" column isn't to be believed, this could be one device asking for IPs repeatedly, and getting a different one each time (either because the DHCP server is not very clever, or because the device is using the Client ID option to get a bunch of different leases on purpose).

      I am starting to think that might be the culprit, once it was pointed out that the MAC was the same as my OMV. I am wondering if there was an issue with it for a bit, since I have not seen those addresses online after a restart of my Proxmox machine.

      If you fire up Wireshark and tell it to filter for DHCP traffic, you might get some insight into what is being asked by the device. You could also see how frequently it is asking for new addresses and how practical it would be to wander around unplugging things until it stops.

      I for some odd reason did not think of running Wireshark, that would be a useful tool to run so I will plan to do that today

      1 vote
  4. [2]
    preposterous

I can’t find this MAC OUI prefix in any database (02:B8:B6) so it means these MAC addresses are generated.

Could it be your Proxmox or docker? Check the MAC addresses of containers (ip l on the host) to see if there is any overlap. It could also be mobile phones, both Android and iOS have a privacy mode where they generate a random MAC address to evade tracking (although I think the default setting is to reuse the same fake MAC per AP to avoid having a million leases like you have now)

You could also listen to what traffic they’re sending with Wireshark (or at least what hosts they’re talking to if it’s encrypted)

    2 votes
    1. IsildursBane

I can’t find this MAC OUI prefix in any database (02:B8:B6) so it means these MAC addresses are generated.

      I did look into that before posting, and came to the same conclusion.

Could it be your Proxmox or docker? Check the MAC addresses of containers (ip l on the host) to see if there is any overlap.

      That is my suspicion

You could also listen to what traffic they’re sending with Wireshark (or at least what hosts they’re talking to if it’s encrypted)

      I plan on running Wireshark (it just didn't occur to me last night), but also these addresses have been offline after a restart of my Proxmox host
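Two of the checks suggested in this thread, PendingKetchup's "one MAC holding many IPs" theory and preposterous's observation that the 02:B8:B6 prefix is not in any OUI database, can be automated against a router's client table. The script below is an added example, not code from anyone in the thread; the client table it parses is a constructed sample in the shape the screenshot implies (IP, MAC, allocation type), and every value in it is made up except the 02:B8:B6 prefix quoted above. The locally-administered test is the standard one: bit 0x02 of the first octet set means the address was assigned locally rather than by a manufacturer.

```python
import re
from collections import defaultdict

# Constructed sample of a router client table (IP, MAC, allocation type).
# All values are made up except the 02:B8:B6 prefix quoted in the thread.
CLIENT_TABLE = """\
192.168.1.10   A4:5E:60:11:22:33  dynamic
192.168.1.20   02:B8:B6:0A:0B:0C  static
192.168.1.63   02:B8:B6:0A:0B:0C  static
192.168.1.64   02:B8:B6:0A:0B:0C  static
192.168.1.65   02:B8:B6:0A:0B:0C  static
192.168.1.66   02:B8:B6:0A:0B:0C  static
192.168.1.30   3C:22:FB:44:55:66  dynamic
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

def is_locally_administered(mac: str) -> bool:
    # Bit 0x02 of the first octet set means the address was assigned
    # locally (hypervisor-generated, phone MAC randomisation, ...), so its
    # prefix will never be found in the IEEE OUI registry.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_client_table(text: str) -> list[tuple[str, str, str]]:
    # Tolerates blank or malformed lines; normalises MAC case and type.
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and MAC_RE.match(parts[1]):
            ip, mac, alloc = parts
            rows.append((ip, mac.upper(), alloc.lower()))
    return rows

def suspicious_macs(rows, threshold: int = 3) -> dict[str, dict]:
    # Flag any MAC holding more than `threshold` IPs, the pattern the
    # thread attributes to one VM repeatedly obtaining new leases, and
    # record whether the router labels those entries static or dynamic.
    ips, allocs = defaultdict(list), defaultdict(set)
    for ip, mac, alloc in rows:
        ips[mac].append(ip)
        allocs[mac].add(alloc)
    return {
        mac: {"ip_count": len(v),
              "locally_administered": is_locally_administered(mac),
              "allocation_types": sorted(allocs[mac])}
        for mac, v in ips.items() if len(v) > threshold
    }
```

Run it against your own router's export (or an `arp -a` dump reshaped into the same three columns) and a single flagged MAC with "static" entries points at the same explanation the thread converged on: one host, not many.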