I’m seeing what appears to be strange activity on my primary router (the only router connected to the ISP modem) from one Android device. It could be that I’ve never seen it before, as the day is nearing its end and most everybody else is gone and this one maintenance person is the only other person on the network. However, what I’m seeing doesn’t make sense to me in the context of what NAT is supposed to do for client devices, at least as I understand it. This is my first time looking at a NAT table, mind you.
So, I had some problems this morning making a connection to a device connected to the primary router (through the primary switch to another switch). I had to restart the router and switch. After everything was done for the day I had to do the same thing again to power off the device. This is what led me to look at the NAT table on the primary router for some clue as to what caused the temporary interruption. The primary router is DD-WRT modified and I was able to telnet into it and cat the table.
I found a foreign private IP address in the table! The primary router has a LAN-side address range of 192.168.1.1/255. I have two other routers (5 actually, but only two others were involved in this activity) connected to the primary switch, and they have LAN-side addresses of 192.168.2.1/255 and 192.168.4.1/255. The first time around I found 192.168.2.108! I logged on to the remote admin page of the router and found it was assigned to an Android phone connected wirelessly. I blocked the MAC address of the phone and waited to see who it was (when they came to me to complain about connecting). Waited an hour and nobody complained.
Later on I checked again and found another foreign IP address, but this time it was 192.168.4.30! So I logged on to the router that IP address comes from and found it was from the same Android phone. I remembered that the maintenance guy has an Android phone, so I asked him directly and found that indeed it was his phone.
The first time I spotted it, it was a connection to an IP address in China. The second time it was a connection to an Amazon EC2 server. I didn’t record the first instance but I have the second one still:
tcp 6 1096 ESTABLISHED src=192.168.4.30 dst=23.21.225.144 sport=53993 dport=443 packets=9 bytes=1131 [UNREPLIED] src=23.21.225.144 dst=192.168.4.30 sport=443 dport=53993 packets=0 bytes=0 mark=0 use=2
Remember, this entry came from a DD-WRT modified router with a LAN-side IP address range of 192.168.1.1/255.
Is this rare but normal activity or does this possibly indicate a compromised Android phone?
Edit:
The network topology is fairly straightforward. The primary router is the only router connected to the ISP modem, has NAT and DHCP enabled, and is DD-WRT modded, for various reasons. All other routers also have NAT and DHCP enabled (with their own subnets, for various reasons) and are connected (via a main switch) to the primary router. There are no triple NATs. All of the routers are non-commercial off-the-shelf (residential) grade. When I show an IP/255, I'm referring to the default Class C subnet for LAN-side private IP address ranges; i.e. 192.168.1.1/255 = 192.168.1.1-192.168.1.255. Sorry for any confusion, my network terminology and notation is outdated.
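As an added example (not part of the original post), here is a small Python script that parses a DD-WRT conntrack dump like the entry quoted above and lists flows whose original-direction source is a private address outside the router's own LAN, which is the situation described for 192.168.4.30. The first sample line is the one from the post; the other two lines are constructed, and the primary router's LAN is assumed to be 192.168.1.0/24.

```python
import ipaddress
import re

# Constructed sample of a DD-WRT /proc/net/ip_conntrack dump: the entry quoted in
# the post plus two made-up lines (203.0.113.10 is a documentation address).
SAMPLE_CONNTRACK = """\
tcp 6 1096 ESTABLISHED src=192.168.4.30 dst=23.21.225.144 sport=53993 dport=443 packets=9 bytes=1131 [UNREPLIED] src=23.21.225.144 dst=192.168.4.30 sport=443 dport=53993 packets=0 bytes=0 mark=0 use=2
tcp 6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.10 sport=40000 dport=443 packets=12 bytes=2000 src=203.0.113.10 dst=192.168.1.20 sport=443 dport=40000 packets=10 bytes=5000 mark=0 use=1
udp 17 29 src=192.168.1.50 dst=192.168.1.1 sport=51000 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=51000 packets=1 bytes=120 mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_conntrack(text):
    """Parse conntrack flow lines. The first src/dst tuple is the original
    direction; the second is the reply direction the kernel expects."""
    entries = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue  # not a flow line in the format we understand
        fields = line.split()
        orig, reply = tuples
        entries.append({
            "proto": fields[0],
            "state": fields[3] if fields[0] == "tcp" else "",
            "src": orig[0], "dst": orig[1], "dport": int(orig[3]),
            "reply_src": reply[0],
            "unreplied": "[UNREPLIED]" in line,  # nothing seen back yet
        })
    return entries

def flag_foreign_sources(entries, lan_cidr):
    """Return entries whose original source is an RFC 1918 address outside this
    router's own LAN (the case in the post). A downstream NAT router normally
    hides its clients behind its own WAN address, so these deserve a look."""
    lan = ipaddress.ip_network(lan_cidr)
    flagged = []
    for e in entries:
        src = ipaddress.ip_address(e["src"])
        if src not in lan and any(src in net for net in RFC1918):
            flagged.append(e)
    return flagged

if __name__ == "__main__":
    for e in flag_foreign_sources(parse_conntrack(SAMPLE_CONNTRACK), "192.168.1.0/24"):
        print(e["proto"], e["src"], "->", f'{e["dst"]}:{e["dport"]}', "UNREPLIED" if e["unreplied"] else "")
```

Run it against the output of `cat /proc/net/ip_conntrack` saved from the router and every flagged line is one whose private source the primary router should not normally see un-NATed.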