Unknown devices connecting to my network

TheMegaMan
TheMegaMan Member Posts: 6
edited January 31, 2022 in Devices & Security #1
I've seen a few threads on here about this, so I *think* it's not something I need to worry too much about, but I'm hoping someone can help me trace the cause.

I'm getting very frequent reports from Fing about unknown devices connecting to my network. By 'frequent', I mean I've had around 10 of these requests today!

They all have a MAC address with '00' as the first byte, and most have a description of 'Computer / Windows'. None are being assigned an IP address (Fing shows this as '0.0.0.0' or 'Not in network'). I assumed this was because I'd configured Fing to block unknown devices, but I've experimented with turning this off and the same applies. Looking at my (Asus) router logs, it appears they are offered a DHCP address, but don't appear to be accepting it. An example:

Jan 31 20:37:35 dnsmasq-dhcp[4261]: DHCPDISCOVER(br0) 00:0e:db:33:82:e2
Jan 31 20:37:35 dnsmasq-dhcp[4261]: DHCPOFFER(br0) 192.168.1.142 00:0e:db:33:82:e2


...and no corresponding DHCPACK.

This particular MAC address is being identified as a generic device, with 'XiNCOM' as the MAC vendor. I assume this is actually a random MAC address from something, and it just happens to match with XiNCOM's assigned range.

So my question is whether there's any way to track the actual source of this request?

I already reset my wifi SSID and passwords, just in case it was a genuine hack attempt, but the connections persist. So they are either coming from a wired device, or a wifi device that I've already acknowledged as one of my own devices, but has since decided to randomise its MAC address. I do have quite a few devices, but I'm not aware of anything that's actually missing! I don't believe I have any VM on any machines, either.

Any hints or tips on how to trace this would be very much appreciated. I'd like to stop these false alarms, so I can more easily see any real attempts.

Cheers!
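An added example, not part of the original post: one way to triage router logs like the excerpt above is to group dnsmasq-dhcp messages per MAC, flag clients that were offered a lease but never acknowledged, and check the locally administered bit (0x02 of the first octet) that OS-generated private MACs set. The first two log lines are the ones quoted in the post; the other four, including their MAC, IP and hostname, are constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines quoted in the post plus a made-up client
# (placeholder MAC/IP/hostname) that completes the handshake, for contrast.
SAMPLE_LOG = """\
Jan 31 20:37:35 dnsmasq-dhcp[4261]: DHCPDISCOVER(br0) 00:0e:db:33:82:e2
Jan 31 20:37:35 dnsmasq-dhcp[4261]: DHCPOFFER(br0) 192.168.1.142 00:0e:db:33:82:e2
Jan 31 20:41:02 dnsmasq-dhcp[4261]: DHCPDISCOVER(br0) 02:00:00:aa:bb:cc
Jan 31 20:41:02 dnsmasq-dhcp[4261]: DHCPOFFER(br0) 192.168.1.50 02:00:00:aa:bb:cc
Jan 31 20:41:02 dnsmasq-dhcp[4261]: DHCPREQUEST(br0) 192.168.1.50 02:00:00:aa:bb:cc
Jan 31 20:41:02 dnsmasq-dhcp[4261]: DHCPACK(br0) 192.168.1.50 02:00:00:aa:bb:cc laptop
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+dnsmasq-dhcp\[\d+\]:\s+"
    r"(?P<msg>DHCP[A-Z]+)\((?P<iface>[^)]+)\)\s+(?P<rest>.*)$"
)
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)

def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set, as it is for
    OS-generated private/randomised MACs."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def summarise(log_text):
    """Group DHCP message types per MAC and flag incomplete handshakes."""
    seen = defaultdict(lambda: {"msgs": [], "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        mac = MAC_RE.search(m.group("rest")) if m else None
        if not mac:
            continue  # not a dnsmasq-dhcp line, or no client MAC on it
        entry = seen[mac.group(0).lower()]
        entry["msgs"].append(m.group("msg"))
        entry["first"] = entry["first"] or m.group("ts")
        entry["last"] = m.group("ts")
    report = {}
    for mac, e in seen.items():
        report[mac] = {
            "first": e["first"], "last": e["last"], "messages": e["msgs"],
            "offered_no_ack": "DHCPOFFER" in e["msgs"] and "DHCPACK" not in e["msgs"],
            "locally_administered": is_locally_administered(mac),
        }
    return report

if __name__ == "__main__":
    for mac, info in summarise(SAMPLE_LOG).items():
        print(mac, info)
```

The first/last timestamps per MAC can then be lined up against when known devices wake, reboot or reconnect.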

Comments

  • Pixel
    Pixel Devon, U.K.Member, Moderator, Beta Tester Posts: 346
    Hi @Robin_from_Fing & @Dylan_From_Fing do you have any thoughts on this post?
    Also, probably unrelated but, when devices are blocked there is very little, if any, information available to establish what is attempting to connect? Is there a method of identifying blocked/new devices (especially when more than one are identified).
  • Linuxbox1
    Linuxbox1 Member Posts: 25

    Every time my Asus reboots there's a moment where I'm notified of fingbox blocking an unknown device with a seemingly random MAC. That's short lived and everything clears to normal and there's an entry under devices showing 0.0.0.0 left over. I'm thinking it's just the NIC reaching out while rebooting and it's always a new MAC until it broadcasts its actual MAC and IP... Maybe this is similar to what you've noticed? Try rebooting a few times after deleting those 0.0.... entries and see if you experience the same. Good luck.

  • TheMegaMan
    TheMegaMan Member Posts: 6
    @Linuxbox1 Thanks for the comment, but I don't think I'm seeing the same behaviour as this. I'm getting these rogue connections appearing throughout the day, even when the router hasn't been restarted....even after an uptime of several days.

    I'm actually seeing 25 'new devices' reported as having connected today, although these do only appear to be one at a time, ie. a MAC will leave the network before another one joins a few minutes later.

    I've avoided deleting all the devices with a listed IP address of 0.0.0.0, but I guess there's not actually a lot of point in this. I'll purge them all...around 200 of them.

    Just rebooted the router...and unfortunately no rogue MAC addresses appearing just yet (after 20 minutes). I'll see how long it takes before they start to appear again.
  • Linuxbox1
    Linuxbox1 Member Posts: 25

    Wow! That's a large number. If you have the fingbox and not just the app you could try the digital fence feature. Try to generate a list of all known, allowed devices including their respective MAC and IP for reference as a baseline. When you've seen a new device then run the digital fence feature and, by cross referencing, you could see if any device is missing as well as if it's appeared on the new list with a different MAC. I only mention this because, although the situation is much different in volume, I have noticed in the past some devices reporting a generic 00:00:xxxxxxx MAC for a very short period. This MAC always reported a Xerox NIC btw. I never figured out the why but through this, I was able to nail down the device for peace of mind at the very least.

  • TheMegaMan
    TheMegaMan Member Posts: 6
    Today has been better...only 3 new MAC addresses have appeared. I also turned off 'block new devices' in the hope I may get an IP address I could try and connect to, but the IP address is still 0.0.0.0/Not on network, so it looks like whatever this thing is, it isn't actually interested in connecting to the network at all. Hmmm....

    As a matter of interest, I got a new device ping just a few minutes after sending that message yesterday, so around 30 minutes after rebooting the router. I get a feeling that the new MAC addresses are appearing independently of the router up-time.

    DigitalFence sounds interesting. Yes, I have a physical Fingbox, but using the Android app, I can't see how to get to it to use it. The web site suggests I should have a 'Fence' button on the People tab. I can't see such a thing...and I can't actually find a Fence button anywhere. Does it need to be enabled somehow?