Reply to thread

Message

<blockquote data-quote="Hacker News" data-source="post: 76191" data-attributes="member: 365">A few days ago, I noticed that my home network performance would degrade substantially to the point of being unusable. I would just power-cycle all my switches, and the issue would resolve for a while. It happened again this morning, so I decided to try to look closer at what could be causing the issue. That's when I noticed that my Linux desktop was doing a lot of traffic, and here's what I observed:- My desktop has a private IP address, let's say 10.0.0.2.- Running `iftop`, I saw all the traffic coming from a different source IP address, 10.0.0.3. It was transferring ~300Mbps.- Running `tcpdump`, I saw that all of this traffic was going to a public IP address (AT&amp;T). All of the source port/dest were ipsec-nat-t.- I saw that `10.0.0.3` showed up as a client on my switch with a randomized MAC address (presumably, since I couldn't find the MAC prefix in a vendor list).- I could not find any references to `10.0.0.3` or the random MAC address on my desktop (looking at kernel logs, system logs, ip a, ifconfig).- During this period, my network was degraded (high packet loss across my switches).It was at this point that I decided to try blocking the MAC address from my switch, and performance immediately returned to normal. I tried unblocking the MAC a few minutes later, but it has yet to return. That plus the fact that the issue happens at seemingly random times (especially the middle of the night) makes me think that it's not automatically connecting and instead being triggered remotely.I've since disconnected my desktop from the network and am in the process of rotating keys. I'm especially perplexed at the traffic showing up from a different source IP on my desktop, but I did not see any interface that matched. I tried to look and see if it was potentially a VM running, but I didn't see anything in virsh. I did have Docker containers running, but I assume I would have seen the IP address show up on one of my interfaces.I'm at a bit of a loss and was wondering if anyone has ever seen anything like this before, and if there is any suggestions for things I should check.<hr />Comments URL: <a href="https://news.ycombinator.com/item?id=33820330" target="_blank">https://news.ycombinator.com/item?id=33820330</a>Points: 27# Comments: 5<a href="https://news.ycombinator.com/item?id=33820330" target="_blank">Continue reading...</a></blockquote>

[QUOTE="Hacker News, post: 76191, member: 365"] A few days ago, I noticed that my home network performance would degrade substantially to the point of being unusable. I would just power-cycle all my switches, and the issue would resolve for a while. It happened again this morning, so I decided to try to look closer at what could be causing the issue. That's when I noticed that my Linux desktop was doing a lot of traffic, and here's what I observed: - My desktop has a private IP address, let's say 10.0.0.2. - Running `iftop`, I saw all the traffic coming from a different source IP address, 10.0.0.3. It was transferring ~300Mbps. - Running `tcpdump`, I saw that all of this traffic was going to a public IP address (AT&T). All of the source port/dest were ipsec-nat-t. - I saw that `10.0.0.3` showed up as a client on my switch with a randomized MAC address (presumably, since I couldn't find the MAC prefix in a vendor list). - I could not find any references to `10.0.0.3` or the random MAC address on my desktop (looking at kernel logs, system logs, ip a, ifconfig). - During this period, my network was degraded (high packet loss across my switches). It was at this point that I decided to try blocking the MAC address from my switch, and performance immediately returned to normal. I tried unblocking the MAC a few minutes later, but it has yet to return. That plus the fact that the issue happens at seemingly random times (especially the middle of the night) makes me think that it's not automatically connecting and instead being triggered remotely. I've since disconnected my desktop from the network and am in the process of rotating keys. I'm especially perplexed at the traffic showing up from a different source IP on my desktop, but I did not see any interface that matched. I tried to look and see if it was potentially a VM running, but I didn't see anything in virsh. I did have Docker containers running, but I assume I would have seen the IP address show up on one of my interfaces. I'm at a bit of a loss and was wondering if anyone has ever seen anything like this before, and if there is any suggestions for things I should check. [HR][/HR] Comments URL: [URL]https://news.ycombinator.com/item?id=33820330[/URL] Points: 27 # Comments: 5 [url="https://news.ycombinator.com/item?id=33820330"]Continue reading...[/url] [/QUOTE]

Verification