
I’m seeing what appears to be strange activity on my primary router (the only router connected to the ISP modem) from one Android device. It could be that I’ve never seen it before, as the day is nearing its end and most everybody else is gone; this one maintenance person is the only other person on the network. However, what I’m seeing doesn’t make sense to me in the context of what NAT is supposed to do for client devices, at least as I understand it. This is my first time looking at a NAT table, mind you.

So, I had some problems this morning making a connection to a device connected to the primary router (through the primary switch to another switch). I had to restart the router and switch. After everything was done for the day I had to do the same thing again to power off the device. This is what led me to look at the NAT table on the primary router for some clue as to what caused the temporary interruption. The primary router is DD-WRT modified, and I was able to telnet into it and cat the table.

I found a foreign private IP address in the table! The primary router has a LAN-side address range of 192.168.1.1/255. I have two other routers (5 actually, but only two others were involved in this activity) connected to the primary switch, with LAN-side addresses of 192.168.2.1/255 and 192.168.4.1/255. The first time around I found 192.168.2.108! I logged on to the remote admin page of that router and found it was assigned to an Android phone connected wirelessly. I blocked the MAC address of the phone and waited to see who it was (when they came to me to complain about connecting). I waited an hour and nobody complained.

Later on I checked again and found another foreign IP address, but this time it was 192.168.4.30! So I logged on to the router that IP address comes from and found it was the same Android phone. I remembered that the maintenance guy has an Android phone, so I asked him directly and found that indeed it was his phone.

The first time I spotted it, it was a connection to an IP address in China. The second time it was a connection to an Amazon EC2 server. I didn’t record the first instance but I have the second one still:

tcp      6 1096 ESTABLISHED src=192.168.4.30 dst=23.21.225.144 sport=53993 dport=443 packets=9 bytes=1131 [UNREPLIED] src=23.21.225.144 dst=192.168.4.30 sport=443 dport=53993 packets=0 bytes=0 mark=0 use=2

Remember, this entry came from a DD-WRT modified router with a LAN-side IP address range of 192.168.1.1/255.

Is this rare but normal activity or does this possibly indicate a compromised Android phone?

Edit:
The network topology is fairly straightforward. The primary router is the only router connected to the ISP modem with NAT and DHCP enabled and is DD-WRT modded, for various reasons. All other routers also have NAT and DHCP enabled (with their own subnets for various reasons) and are connected (via a main switch) to the primary router. There are no triple NATs. All of the routers are non-commercial off-the-shelf (residential) grade. When I show an IP/255, I'm referring to the default Class C subnet for LAN-side private IP address ranges; ie 192.168.1.1/255=192.168.1.1-192.168.1.255. Sorry for any confusion, my network terminology and notation is outdated.
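An added example, not part of the question or of any answer, that parses the ip_conntrack format quoted above and flags mechanically what stands out in that entry: a private source outside the router's own LAN, a reply tuple that still carries the private address (after SNAT/MASQUERADE the reply tuple's destination is the router's WAN address, so this router applied no translation to the flow), and an UNREPLIED flow that has sent several packets with nothing coming back. It assumes the primary LAN is 192.168.1.0/24 (the "192.168.1.1/255" of the question); the two extra table lines are constructed filler for normal traffic.

```python
"""Parse Linux/DD-WRT ip_conntrack lines and flag entries worth a second look.

Added example, not code from the question or the answer. The LAN prefix, the
filler entries and the thresholds are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption: the primary router's LAN is 192.168.1.0/24. Any other RFC 1918
# source address in its conntrack table is "foreign" to it.
LAN = ipaddress.ip_network("192.168.1.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: line 1 is the entry quoted in the question; lines 2-3 are
# invented normal traffic (an SNATed HTTPS session and a DNS query to the router).
SAMPLE_CONNTRACK = """\
tcp      6 1096 ESTABLISHED src=192.168.4.30 dst=23.21.225.144 sport=53993 dport=443 packets=9 bytes=1131 [UNREPLIED] src=23.21.225.144 dst=192.168.4.30 sport=443 dport=53993 packets=0 bytes=0 mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=93.184.216.34 sport=44102 dport=443 packets=120 bytes=15000 src=93.184.216.34 dst=198.51.100.7 sport=443 dport=44102 packets=118 bytes=90000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.50 dst=192.168.1.1 sport=50022 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=50022 packets=1 bytes=120 mark=0 use=1
"""


@dataclass
class Tuple4:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    packets: int = 0
    bytes: int = 0


@dataclass
class Entry:
    proto: str
    timeout: int
    state: str            # TCP state; empty for UDP/ICMP entries
    orig: Tuple4          # direction in which the connection was opened
    reply: Tuple4         # reverse direction, after any NAT mapping
    flags: set = field(default_factory=set)


def _to_tuple(kv):
    return Tuple4(kv["src"], kv["dst"], int(kv.get("sport", 0)), int(kv.get("dport", 0)),
                  int(kv.get("packets", 0)), int(kv.get("bytes", 0)))


def parse_line(line):
    """Format: <proto> <proto#> <timeout> [<tcp-state>] key=val... [FLAG] key=val... mark= use="""
    tok = line.split()
    proto, timeout, rest = tok[0], int(tok[2]), tok[3:]
    state = ""
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)
    flags, tuples, cur = set(), [], None
    for t in rest:
        if t.startswith("["):
            flags.add(t.strip("[]"))
            continue
        key, _, val = t.partition("=")
        if key == "src":                  # every 4-tuple starts with src=
            cur = {}
            tuples.append(cur)
        if cur is not None:
            cur[key] = val
    if len(tuples) != 2:
        raise ValueError("expected original and reply tuples: " + line)
    return Entry(proto, timeout, state, _to_tuple(tuples[0]), _to_tuple(tuples[1]), flags)


def is_rfc1918(ip):
    a = ipaddress.ip_address(ip)
    return any(a in n for n in RFC1918)


def findings(e, lan=LAN):
    """Return the reasons this entry deserves attention (empty list if none)."""
    out = []
    src = e.orig.src
    if is_rfc1918(src) and ipaddress.ip_address(src) not in lan:
        out.append(f"private source {src} is not in this router's LAN {lan}")
    # After SNAT/MASQUERADE the reply tuple's dst is the router's WAN address; if it
    # still equals the private original source, this router did not translate the flow.
    if not is_rfc1918(e.orig.dst) and e.reply.dst == src:
        out.append("no SNAT applied: reply tuple still addressed to the private source")
    if "UNREPLIED" in e.flags and e.orig.packets > 1:
        out.append(f"{e.orig.packets} packets sent to {e.orig.dst}:{e.orig.dport}, none returned")
    return out


def scan(text, lan=LAN):
    """Parse a whole table and return (src, dst, reasons) for each flagged entry."""
    report = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        reasons = findings(e, lan)
        if reasons:
            report.append((e.orig.src, e.orig.dst, reasons))
    return report


if __name__ == "__main__":
    for src, dst, reasons in scan(SAMPLE_CONNTRACK):
        print(f"{src} -> {dst}")
        for r in reasons:
            print("   ", r)
```

Feed it a table copied off the router and it reports only the entries that trip one of the three checks; the quoted entry trips all three, the filler lines none.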

  • Your router is NATting internal addresses to the public address of the router as they access the internet. This is normal behaviour; you will always see private addresses in the NAT table under normal circumstances.
    – Paul
    Commented Nov 2, 2015 at 2:27
  • @Paul Surely he knows that. But he's asking a question about 2 NAT routers. So if you were to address what he's writing about, your comment would surely have to be a bit more involved.
    – barlop
    Commented Nov 2, 2015 at 2:55
  • You should clarify re "foreign". There's A) foreign to the range of the NAT router, B) the IP establishing connections to foreign websites, C) an IP that none of your devices have is on your network.
    – barlop
    Commented Nov 2, 2015 at 2:59
  • @barlop If the NAT table on R1 is showing addresses from the other routers, then he is not using NAT on those routers, and his question also does not suggest he is using NAT anywhere other than the perimeter.
    – Paul
    Commented Nov 2, 2015 at 4:59
  • It's hard to give you a useful answer without some information about how your routers are connected to each other. For example, which routers are supposed to be doing NAT? Which routers treat their default route target as a WAN connection?
    Commented Nov 2, 2015 at 8:38

1 Answer

This must be rogue activity on your LAN.

Your X.X.X.X/255 makes no sense; that is not a valid netmask. Getting the correct netmask set on your router is the first step to reducing the space the rogue device can work with.

The second step is to look at the ARP table (arp -an) and find the list of IP addresses which are unrecognised. You can take the first 3 octets of these addresses and do a lookup which, if the activity is innocent, may help you narrow down the device you are looking for by telling you the manufacturer. Note that this can easily be faked sometimes, so if it's malicious it might not tell you much.

You can also use tcpdump (for example tcpdump -n -i eth0 src or dst 192.168.4.30) to show, in real time, what that device is communicating with.

  • When I wrote X.X.X.X/255 I meant X.X.X.X/24. Forgot about CIDR notation. Sorry for the confusion.
    Commented Nov 5, 2015 at 0:06
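An added example, not the answerer's code, that does the ARP-table pass the answer describes on a constructed `arp -an` dump: it flags addresses outside an assumed 192.168.1.0/24 LAN, addresses missing from a hypothetical device inventory, looks up the OUI (the first three octets of the MAC address) in a tiny excerpt standing in for the IEEE registry, and notes MACs with the locally-administered bit set, for which an OUI lookup says nothing. It also groups IPs by MAC, which is how one phone appearing as 192.168.2.108 and then 192.168.4.30 would surface in a single pass. All sample lines, the inventory and the OUI excerpt are constructed.

```python
"""Triage an `arp -an` dump: unknown hosts, foreign subnets, OUI vendor hints,
and one MAC showing up under several IPs.

Added example, not code from the answer. The LAN prefix, the device inventory,
the OUI excerpt and the ARP lines below are all constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed primary-router LAN

# Hypothetical inventory of devices the admin expects to see on this segment.
KNOWN = {"192.168.1.1": "primary router", "192.168.1.10": "build box"}

# Tiny excerpt standing in for the IEEE OUI registry (a real lookup uses the full file).
OUI = {"08:00:27": "PCS Systemtechnik (VirtualBox)", "b8:27:eb": "Raspberry Pi Foundation"}

# Constructed sample in Linux/BusyBox `arp -an` format; the 00:11:22 MAC plays the
# role of the phone that appeared under two addresses in the question.
SAMPLE_ARP = """\
? (192.168.1.10) at b8:27:eb:12:34:56 [ether] on br0
? (192.168.1.77) at 08:00:27:ab:cd:ef [ether] on br0
? (192.168.2.108) at 00:11:22:33:44:55 [ether] on br0
? (192.168.4.30) at 00:11:22:33:44:55 [ether] on br0
? (192.168.1.200) at 06:00:00:00:00:01 [ether] on br0
? (192.168.1.201) at <incomplete> on br0
"""

ARP_RE = re.compile(
    r"\((?P<ip>\d+(?:\.\d+){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|<incomplete>)",
    re.I,
)


def parse_arp(text):
    """Yield (ip, mac) pairs; mac is '<incomplete>' when no ARP reply was received."""
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def vendor(mac):
    """OUI hint from the first three octets; meaningless if the MAC is locally administered."""
    if int(mac[:2], 16) & 0x02:        # bit 1 of the first octet = locally administered
        return "locally administered MAC (OUI lookup meaningless, possibly spoofed)"
    return OUI.get(mac[:8], "OUI not in table")


def macs_with_multiple_ips(text):
    """MACs that claim more than one IP, e.g. one phone seen on two subnets."""
    by_mac = defaultdict(list)
    for ip, mac in parse_arp(text):
        if mac != "<incomplete>":
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def triage(text, lan=LAN, known=KNOWN):
    """One dict per ARP entry with the notes a first pass would make."""
    rows = []
    for ip, mac in parse_arp(text):
        notes = []
        if ipaddress.ip_address(ip) not in lan:
            notes.append(f"outside {lan}")
        if ip not in known:
            notes.append("not in inventory")
        notes.append("unresolved, no ARP reply" if mac == "<incomplete>" else vendor(mac))
        rows.append({"ip": ip, "mac": mac, "notes": notes})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_ARP):
        print(row["ip"], row["mac"], "; ".join(row["notes"]))
    for mac, ips in macs_with_multiple_ips(SAMPLE_ARP).items():
        print(mac, "seen as", ", ".join(ips))
```

The locally-administered check matters for the answer's caveat about faked addresses: a MAC whose first octet has bit 1 set was assigned by software, not burned in by a manufacturer, so the vendor lookup tells you nothing about the hardware.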
