Having random devices show up on my network. Any ideas how to identify them?

Joedavis44
Joedavis44 Member Posts: 26
I run a FingBox on my home network, which uses a Fiber ISP into the house which has many devices hardwired to a switch, but also has 7 WAPs to give coverage throughout the house.  I installed the FingBox in October and started noticing about a month ago that once or twice a day I get a new device attaching to my network.  At first I thought someone had hacked my Wifi password, but when I looked at this carefully, I saw that the devices were able to get an IP address from my router without going through my WAPs.  So it would appear that these devices are hardwired in my house or coming in through my fiber to my ISP.  The MAC addresses are all pretty random and when I search on them they all say "Not found."  The only piece of data that Fing identifies on these devices is vendor as "udhcp1.22.1", which isn't that helpful other than saying this is likely an IoT device.  Sometimes the devices appear, connect and then disconnect a short time later.  Other times they stay connected for a few days.  My usual response when I spot them is to Block them using that functionality on my FingBox.  My initial bet was these are IoT devices that we installed and forgot were on the network, but I have spent a lot of time identifying every device on the network.  Plus if this was something in the house, I would expect it to keep showing up with the same MAC address.  These are all unique MAC addresses and in the last month 47 new devices have joined the network.  This is a puzzle I would love some help in solving.  Thanks,

Joe

Answers

  • kltaylor
    kltaylor Member, Beta Tester Posts: 1,231
    Hi @Joedavis44, welcome to our community.

    Something that you can do is obtain the MAC address and then issue a search for that information to determine who the manufacturer is.  Fing has such a tool that can accomplish that for you.

    Also, my preferred method would be to block the said device and then wait to see who 'yells'.  By yells I mean to see if someone asks why they can no longer access the internet, or even when you attempt the same.

    On my network, if I do not recognize the device, even after looking up the MAC address and doing some sleuthing, blocking it has the effect that I need.  Turn it off and when you encounter a device that cannot access the internet, you've likely found the culprit.
    "There's a fine line between audacity and idiocy."
    -Warden Anastasia Luccio, Captain
  • Joedavis44
    Joedavis44 Member Posts: 26
    Thanks.  That's what I have been doing.  But I would still like to understand how 40+ devices have gotten into my network
  • kltaylor
    kltaylor Member, Beta Tester Posts: 1,231
    That many?!  Let's see if we can identify some from their MAC addresses, something's amiss if it's that sizable of an amount.
  • Eman
    Eman Member Posts: 4

    I have some unknown MAC addresses on my network, and after checking open ports on them I'm getting "8888 sun answerbook" and "1080 socks". Does anyone know what that means?

  • Robin_Ex_Fing
    Robin_Ex_Fing Member Posts: 5,293
    Hi @Joedavis44 & @Eman
    Thanks for your post. Can you confirm if you have multiple access points in your network like multiple extenders/routers?

    Robin (Admin at Fing)
    Getting Started? Please refer to Community guidelines & Community User Guides. HAPPY POSTING!!!
  • kltaylor
    kltaylor Member, Beta Tester Posts: 1,231
    @Eman:
    Doing a Google search provided me with the following information:

    Port 8888 TCP

    Sun Answerbook - DWhttpd Server

    Sun Answerbook server, or more commonly an alternative HTTP port

    Sun Answerbook is a documentation system built by Sun Systems, allowing on-line retrieval of documentation such as Administration, Developer and User manuals for their software.

    However, the protocol is deprecated by Sun and no longer in use, more commonly TCP/8888 is actually used as an alternative port to HTTP which runs on port TCP/80. Usually this is done as either a very crude and basic form of security, or something like a web server is already running and bound to Port 80, and therefore an easier to remember alternative port must be used.


    Socks Proxy: https://www.socks-proxy.net/

    How do you change a system to get rid of open port 1080?
    What system are you talking about? A PC, a server, a firewall? This question is impossible to answer without more specific information.

    In general, there should be configuration parameters for all the TCP ports. You simply need to find the appropriate file or tool to turn the port off.

    For reference, port 1080 is typically used for SOCKS.

    According to the SOCKS FAQ, "SOCKS is a networking proxy protocol that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side of the SOCKS server without requiring direct IP reachability. SOCKS redirects connection requests from hosts on opposite sides of a SOCKS server. The SOCKS server authenticates and authorizes the requests, establishes a proxy connection and relays data. SOCKS is commonly used as a network firewall that enables hosts behind a SOCKS server to gain full access to the Internet while preventing unauthorized access from the Internet to the internal hosts."


    Do either of these sound familiar in any way?  As in, do you recall systems or protocols being configured for these services?
  • Joedavis44
    Joedavis44 Member Posts: 26
    Robin,
    My topology is this: Fiber into a Juniper box (not sure what to call that, a modem?), connected directly to a single Luxul router.  This router is the DHCP server for everything.  Only devices connected to the Router are a 24 port Luxul switch, and the FingBox.  Off the 24 port switch are most of the hardwire lines throughout the house, and an additional 10 port Luxul Managed switch and a Luxul WAP controller.  There are seven Luxul WAPs managed by the WAP controller, but all seven are plugged into the 24 port switch.  Is that what you are looking for?
    Joe
  • Joedavis44
    Joedavis44 Member Posts: 26
    Robin,
    Here is the first page of the MAC addresses of the random devices.  I have used online MAC lookup tools and gotten nothing on these.



  • Joedavis44
    Joedavis44 Member Posts: 26
    Robin,
    Here's another page.  I'll stop there.
    Blocked | Apple | 00:25:00:36:82:01
  • kltaylor
    kltaylor Member, Beta Tester Posts: 1,231
    edited January 30, 2020 #11
    Yes @Robin, he has multiple WAPs on the network.

    @Joedavis44 it's interesting that all of the MAC addresses that you posted are listed as 'null' with one exception. (NOTE: the MAC address for the Apple device does resolve when you research it on a MAC vendor site.)  

    What are the timelines on those notifications?  How often do they happen in sequence?  Are you receiving notifications every minute, hour, etc?
  • Joedavis44
    Joedavis44 Member Posts: 26
    I am usually getting one or two new devices a day joining the network.  Interestingly I was just looking at the history on these and almost all of them join the network for 15 minutes, then drop off, then never come back, even if I haven't blocked them.
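A vendor lookup only works on the first three octets (the OUI) of a vendor-assigned address; an address with the locally administered bit set in its first octet was generated by software and has no registry entry, so a lookup returns nothing. The following is an added example, not code from the thread or from Fing, that sorts an inventory by those two bits; the function names are hypothetical, the sample addresses are constructed, and only the `00:25:00` prefix is taken from the Apple entry posted above.

```python
import re
from collections import Counter


def classify_mac(mac):
    """Classify a MAC address by the two low bits of its first octet."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:   # I/G bit set: group (multicast/broadcast) address
        return "multicast"
    if first_octet & 0x02:   # U/L bit set: assigned by software, not a vendor
        return "local"
    return "universal"       # vendor-assigned; first three octets are the OUI


def triage(macs):
    """Return (count per class, list of OUIs that are worth a vendor lookup)."""
    counts = Counter()
    ouis = []
    for mac in macs:
        kind = classify_mac(mac)
        counts[kind] += 1
        if kind == "universal":
            digits = re.sub(r"[:.\-]", "", mac.strip()).upper()
            oui = ":".join(digits[i:i + 2] for i in (0, 2, 4))
            if oui not in ouis:
                ouis.append(oui)
    return dict(counts), ouis


# Constructed sample inventory in three common notations (assumed values).
SAMPLE = [
    "DA:00:00:00:00:01",
    "5a-00-00-00-00-02",
    "2A00.0000.0003",
    "00:25:00:AA:BB:CC",
    "86:00:00:00:00:04",
]

if __name__ == "__main__":
    counts, ouis = triage(SAMPLE)
    print("classes:", counts)
    print("OUIs to look up:", ouis)
```

For addresses classed as local, the router's DHCP lease table and the managed switch's MAC address table (which physical port learned the address) are the places to look, since no vendor registry will list them.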
  • Joedavis44
    Joedavis44 Member Posts: 26
    Here's a shot in the dark.  I have a QNAP NAS on my network.  As I looked at security issues with my network I noticed that my NAS had opened up a TCP port in my router.  Surprised me so looked a little more and it appears the NAS standard setup is to make the files on your NAS available to you remotely through their QNAP Cloud.  I am a little bit nerdy, but not network techy enough to understand the implications of this.  Was wondering if the device connections I am seeing are coming through this open port and could be either some QNAP diagnostic or someone trying to get into my network through the QNAP cloud.  If that was the case could that manifest as these random connections I am seeing?
  • Robin_Ex_Fing
    Robin_Ex_Fing Member Posts: 5,293
    Hi @Joedavis44
    Can you check the time at which the random device is detected and, at the same time, whether any of your devices or the NAS was turned on, was active, or came back from sleep mode? It will help to isolate if any of your devices are producing this.
    Robin (Admin at Fing)
  • Joedavis44
    Joedavis44 Member Posts: 26
    I’ll check the times.  I have completely turned off the NAS and while this closed the Open Port the NAS was using, the devices still keep appearing, so my hope of the NAS being the problem source has been proven wrong.  I believe all other devices in the house have been accounted for, so not sure what might be “waking up” to cause this.
  • Robin_Ex_Fing
    Robin_Ex_Fing Member Posts: 5,293
    Do you have any Windows Laptop connected to your network or any VPN connection running on your network?
    Robin (Admin at Fing)
  • Joedavis44
    Joedavis44 Member Posts: 26
    Times the devices are coming on are completely random as far as I can tell.  No pattern to them.
    No Windows devices in my house.
    My work laptop is a Mac and does have a VPN to our work network.  Could that be the cause?
  • Robin_Ex_Fing
    Robin_Ex_Fing Member Posts: 5,293
    Hi @Joedavis44
    I believe the VPN could be the reason for this issue. Can you try to assign a static MAC address to the VPN connection and then check if it helps? Thanks
    Robin (Admin at Fing)
  • kltaylor
    kltaylor Member, Beta Tester Posts: 1,231
    I concur with @Robin, the VPN could have a hand in what you're experiencing, especially if the server that it connects to is geolocated elsewhere.