Unknown devices connecting to my network

TheMegaMan

I've seen a few threads on here about this, so I *think* it's not something I need to worry too much about, but I'm hoping someone can help me trace the cause.

I'm getting very frequent reports from Fing about unknown devices connecting to my network. By 'frequent', I mean I've had around 10 of these requests today!

They all have a MAC address with '00' and the first byte, and most have a description of 'Computer / Windows'. None are being assigned an IP address (Fing shows this as '0.0.0.0' or 'Not in network'). I assumed this was because I'd configured Fing to block unknown devices, but I've experimented with turning this off and the same applies. Looking at my (Asus) router logs, it appears they are offered a DHCP address, but don't appear to be accepting it. An example:

Jan 31 20:37:35 dnsmasq-dhcp[4261]: DHCPDISCOVER(br0) 00:0e:db:33:82:e2<br>Jan 31 20:37:35 dnsmasq-dhcp[4261]: DHCPOFFER(br0) 192.168.1.142 00:0e:db:33:82:e2

...and no corresponding DHCPACK.

This particular MAC address is being identified as a generic device, with 'XiNCOM' as the MAC vendor. I assume this actually a random MAC address from something, and it just happens to match with XiNCOM's assigned range.

So my question is whether there's any way to track the actual source of this request?

I already reset my wifi SSID and passwords, just in case it was a genuine hack attempt, but the connections persist. So they are either coming from a wired device, or a wifi device that I've already acknowledged as one of my own devices, but has since decided to randomise it's MAC address. I do have quite a few devices, but I'm not aware of anything that's actually missing! I don't believe I have any VM on any machines, either.

Any hints or tips on how to trace this would be very much appreciated. I'd like to stop these false alarms, so I can more easily see any real attempts.

Cheers!

Pixel

Hi @Robin_from_Fing & @Dylan_From_Fing do you have any thoughts on this post?
Also, probably unrelated but, when devices are blocked there is very little, if any, information available to establish what is attempting to connect? Is there a method of identifying blocked/new devices (especially when more than one are identified).

Linuxbox1

Every time my Asus reboots there's a moment where I'm notified of fingbox blocking an unknown device with a seemingly random MAC. That's short lived and everything clears to normal and there's an entry under devices showing 0.0.0.0 left over. I'm thinking it's just the NIC reaching out while rebooting and it's always a new MAC until it broadcasts it's actual MAC and IP... Maybe this is similar to what you've noticed? Try rebooting a few times after deleting those 0.0.... entries and see if you experience the same. Good luck.

TheMegaMan

@Linuxbox1 Thanks for the comment, but I don't think I'm seeing the same behaviour as this. I'm getting these rogue connections appearing throughout the day, even when the router hasn't been restarted....even after an uptime of several days.

I'm actually seeing 25 'new devices' reported as having connected today, although these do only appear to be one at a time, ie. a MAC will leave the network before another one joins a few minutes later.

I've avoided deleting all the devices with a listed IP address of 0.0.0.0, but I guess there's not actually a lot of point in this. I'll purge them all...around 200 of them.

Just rebooted the router...and unfortunately no rogue MAC addresses appearing just yet (after 20 minutes). I'll see how long it takes before they start to appear again.

Linuxbox1

Wow! That's a large number. If you have the fingbox and not just the app you could try the digital fence feature. Try to generate a list of all known, allowed devices including their respective MAC and IP for reference as a baseline. When you've seen a new device then run the digital fence feature and, by cross referencing, you could see if any device is missing as well as if it's appeared on the new list with a different MAC. I only mention this because, although the situation is much different in volume, I have noticed in the past some devices reporting a generic 00:00:xxxxxxx MAC for a very short period. This MAC always reported a Xerox NIC btw. I never figured out the why but through this, I was able to nail down the device for peace of mind at the very least.

TheMegaMan

Today has been better...only 3 new MAC addresses have appeared. I also turned off  'block new devices' in the hope I may get an IP address I could try and connect to, but the IP address is still 0.0.0.0/Not on network, so it looks like whatever this thing is, isn't not actually interested in connecting to the network at all. Hmmm....

As a matter of interest, I got a new device ping just a few minutes after sending that message yesterday, so around 30 minutes after rebooting the router. I get a feeling that the new MAC addresses are appearing independently of the router up-time.

DigitalFence sounds interesting. Yes, I have a physical Fingbox, but using the Android app, I can't see how to get to it to use it. The web site suggests I should have a 'Fence' button on the People tab. I can't see such a thing...and I can't actually find a Fence button anywhere. Does it need to be enabled somehow?

LostMeMarbles

Understanding pings and trace routing? I don’t get it and are they safe to send out? Because oops. What happens now?

Marc

@LostMeMarbles, pings are just a way to see if something is active on a network and if its alive, how long it takes to reach it.  You ping its IP address or hostname and wait till you get a response.  This is usually the first thing you do when trying to troubleshoot a device that is not responding.  

Trace routing is a way to see what path your system takes to reach another device.  Because networks are complicated and paths can travel via many different routes, this can often be different each time you run it.  But, it's another good tool to use when troubleshooting how you reach a target system.