Having random devices show up on my network. Any ideas how to identify them?

Joedavis44

I run a FingBox on my home network, which uses a Fiber ISP into the house which has many devices hardwired to a switch, but also has 7 WAPs to give coverage throughout the house.  I installed the FingBox in October and started noticing about a month ago that once or twice a day I get a new device attaching to my network.  At first I thought someone had hacked my Wifi password, but when I looked at this carefully, I saw that the devices were able to get a IP address from my router without going through my WAPs.  So it would appear that these devices are hardwired in my house or coming in through my fiber to my ISP.  The MAC addresses are all pretty random and when I search on them they all say "Not found."  The only piece of data that Fing identifies on these devices is vendor as "udhcp1.22.1" which isn't that helpful over than saying this is likely an IoT device.  Sometimes the devices appear, connect and then disconnect a short time later.  Other times they stay connected for a few days.  My usual response when I spot them is to Block them using that functionality on my FingBox.  My initial bet was these are IoT devices that we installed and forgot where on the network, but I have spent a lot of time identifying every device on the network.  Plus if this was something in the house, I would expect it to keep showing up with the same MAC address.  These are all unique MAC addresses and in the last month 47 new devices have joined the network.  This is a puzzle I would love some help in solving.  Thanks,

Joe

kltaylor

Hi @Joedavis44, welcome to our community.

Something that you can do is obtain the MAC address and then issue a search for that information to determine who the manufacturer is.  Fing has such a tool that can accomplish that for you.

Also, my preferred method would be to block the said device and then wait to see who 'yells'.  By yells I mean to see if someone asks why they can no longer access the internet, or even when you attempt the same.

On my network, if I do not recognize the device, even after looking up the MAC address and doing some sleuthing, blocking it has the effect that I need.  Turn it off and when you encounter a device that cannot access the internet, you've likely found the culprit.

Joedavis44

Thanks.  That's what I have been doing.  But I would still like to understand how 40+ devices have gotten into my network

kltaylor

That many?!  Let's see if we can identify some from their MAC addresses, something's amiss if it's that sizable of an amount.

Eman

I have some unknown mac addresses on my network and after checking open ports on them im getting "8888 sun answerbook" and "1080 socks"..Does anyone know what that means?

Robin_Ex_Fing

Hi @Joedavis44 & @Eman
Thanks for your post. Can you confirm if you have multiple access points in your network like multiple extenders/routers?

kltaylor

@Eman:
Doing a Google search provided me with the following information:

Port 8888 TCP

Sun Answerbook - DWhttpd Server

Sun Answerbook server, or more commonly an alternative HTTP port

Sun Answerbook is a documentation system built by Sun Systems, allowing on-line retrieval of documentation such as Administration, Developer and User manuals for their software.

However, the protocol is depreciated by Sun and no longer in use, more commonly TCP/8888 is actually used as an alternative port to HTTP which runs on port TCP/80. Usually this is done as either a very crude and basic form of security, or something like a web server is already running and bound to Port 80, and therefore an easier to remember alternative port must be used. 

Socks Proxy: https://www.socks-proxy.net/

How do you change a system to get rid of open port 1080?
What system are you talking about? A PC, a server, a firewall? This question is impossible to answer without more specific information.

In general, there should be configuration parameters for all the TCP ports. You simply need to find the appropriate file or tool to turn the port off.

For reference, port 1080 is typically used for SOCKS.

According to the SOCKS FAQ, "SOCKS is a networking proxy protocol that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side of the SOCKS server without requiring direct IP reachability. SOCKS redirects connection requests from hosts on opposite sides of a SOCKS server. The SOCKS server authenticates and authorizes the requests, establishes a proxy connection and relays data. SOCKS is commonly used as a network firewall that enables hosts behind a SOCKS server to gain full access to the Internet while preventing unauthorized access from the Internet to the internal hosts."

Do either of these sound familiar in any way?  As in, do you recall systems or protocols being configured for these services?

Joedavis44

Robin,
My topology is this: Fiber into a Juniper box (not sure what to call that, a modem?), connected directly to a single Luxul router.  This router is the DHCP server for everything.  Only devices connected to the Router are a 24 port Luxul switch, and the FingBox.  Off the 24 port switch are most of the hardwire lines throughout the house, and an additional 10 port Luxul Managed switch and a Luxul WAP controller.  There are seven Luxul WAPs managed by the WAP controller, but all seven are plugged into the 24 port switch.  Is that what you are looking for?
Joe

Joedavis44

Robin,
Here is the first page of the MAC addresses of the random devices.  I have used online MAC lookup tools and gotten nothing on these.

Blocked	Blocked	null	DA:B7:96:25:20:80
		Blocked	Blocked	null	5A:57:0C:5C:0E:D1
		Blocked	Blocked	null	2A:75:37:AD:03:87
		Blocked	Blocked	null	4A:E4:0F:93:32:2D
		Blocked	Blocked	null	FA:09:3E:D9:6F:41
		Blocked	Blocked	null	86:D4:70:86:D5:9C
		Blocked	Blocked	null	96:20:57:F9:C6:4F
		Blocked	BlockedAlerted	null	B2:EE:C0:19:EA:5E
		Blocked	Blocked	null	22:99:A9:48:14:41
		Blocked	Blocked	null	1E:7D:AA:8C:68:76
		Blocked	Blocked	null	FA:AD:60:2D:FF:F8
		Blocked	Blocked	null	DE:07:C0:EE:D6:04
		Blocked	Blocked	null	F6:44:02:DB:A4:F1
		Blocked	Blocked	null	26:11:F4:EC:09:D0
		Blocked	Blocked	null	02:32:22:A5:2B:8F

Joedavis44

Robin,
Here's another page.  I'll stop there.

	Blocked	Blocked	null	66:5E:03:D4:CC:AB
		Blocked	Blocked	null	BE:37:0C:2F:F5:B6
		Blocked	Blocked	null	7E:53:19:AC:3F:01
		Blocked	Blocked	null	3E:C4:36:6D:A3:8F
		Blocked	Blocked	null	96:7E:70:52:8A:5C
		Blocked	Blocked	null	4E:2E:A1:0D:44:7A
		Blocked	Blocked	null	FE:62:5C:E2:7D:7E
		Blocked	Blocked	null	C2:5C:74:46:72:30
		Blocked	Blocked	null	F2:18:BF:04:A3:71
		Blocked	Blocked	null	AE:E8:03:49:D2:57
		Blocked	Blocked	null	FA:F1:61:A9:21:30
		Blocked	Blocked	null	AE:F9:8C:51:8F:CF
		Blocked	Blocked	null	C2:C4:6E:9D:DE:CF
		Blocked	Blocked	null	EE:34:CF:49:A9:BE
		Blocked	Blocked	Apple	00:25:00:36:82:01

kltaylor

Yes @Robin, he has multiple WAP's on the network.

@Joedavis44 it's interesting that all of the MAC addresses that you posted are listed as 'null' with one exception. (NOTE: the MAC address for the Apple device does resolve when you research it on a MAC vendor site.)  

What are the timelines on those notifications?  How often do they happen in sequence?  Are you receiving notifications every minute, hour, etc?

Joedavis44

I am usually getting one or two new devices a day joining the network.  Interestingly I was just looking at the history on these and almost all of them join the network for 15 minutes, then drop off, then never come back, even if I haven't blocked them.

Joedavis44

Here's a shot in the dark.  I have a QNAP NAS on my network.  As i looked at security issues with my network I noticed that my NAS had opened up a TCP port in my router.  Surprised me so looked a little more and it appears the NAS standard setup is to make the files on your NAS available to you remotely through their QNAP Cloud.  I am a little bit nerdy, but not network techy enough to understand the implications of this.  Was wondering if the device connections I am seeing are coming through this open port and could be either some QNAP diagnostic or someone trying to get into my network through the QNAP cloud.  If that was the case could that manifests as these random connections I am seeing?

Robin_Ex_Fing

Hi @Joedavis44
Can you check the time on which the random device is detected and at the same time if any of your device or NAS was turned on or was active or came back from sleep mode. It will help to isolate if any of your devices are producing this.

Joedavis44

I’ll check the times.  I have completely turned off the NAS and while this closed the Open Port the NAS was using, the devices still keep appearing, so my hope of the NAS being the problem source has been proven wrong.  I believe all other devices in the house have been accounted for, so not sure what might be “waking up” to cause this.

Robin_Ex_Fing

Do you have any Windows Laptop connected to your network or any VPN connection running on your network?

Joedavis44

Times the devices are coming on are completely random as far as I can tell.  No pattern to them.
No Windows devices in my house.
My work laptop is a Mac and does have a VPN to our work network.  Could that be the cause?

Robin_Ex_Fing

Hi @Joedavis44
I believe the VPN could be the reason for this issue. Can you try to assign a static MAC address to the VPN connection and then check if it helps? Thanks

kltaylor

I concur with @Robin, the VPN could have a hand in what you're experiencing, especially if the server that it connects to is geolocated elsewhere.