Sorry for the long-winded post. Wasn't sure if (NOT enterprise related) / where I should submit this:
I work from home. A month ago I installed a new router. My network is pretty simple:
The edge device is a Verizon managed router > DMZ > Sonicwall TZ-170 > ASUS router > internal network. I had to place the Verizon device outside the Sonicwall in order to access some DVR app (which I never seem to use).
I changed the Verizon WiFi security from WEP to WPA2, then disabled it. I enabled a bit of logging and assigned MAC addresses (filtering) to IP addresses in the DHCP server. Any device that is not mine lives in the DMZ, along with a few devices.
The ASUS logs were more informative than those of the previous Linksys running dd-wrt. I noticed DHCP leases to 2 MAC addresses that were not mine. I have a spreadsheet of about 20-25 devices that could be on the internal network, and these 2 devices were unknown. They did not respond to a ping, so I knocked them off and did a few things to try to feel a little more secure:
Enabled the firewall on the NAS (Synology, running a Linux kernel) to accept only connections from the internal subnet (not helpful if a node is already there, but it accepts 1 IP address or a subnet). Configured the admin console to only respond to 1 IP address. Already had SSL running.
Disabled all my devices from responding to ICMP packets. Assigned MAC addresses (filtering) to IP addresses in the internal network (ASUS) DHCP server and limited the IP addresses to the number of nodes I use.
Used an OpenVPN tunnel with my phone and personal machine for my Internet connectivity.
A few days later I added 2 IP addresses to see if these nodes would reappear, but they did not.
Yesterday one of them appeared in the Connection Logs, and it looked like the connections were to Tor relays (port 9001):
tcp 192.xxx.xxx.xxx:1316 212.83.131.33:9001 ESTABLISHED
tcp 192.xxx.xxx.xxx:1291 212.83.131.33:9001 ESTABLISHED
tcp 192.xxx.xxx.xxx:1292 38.229.0.29:9001 ESTABLISHED
tcp 192.xxx.xxx.xxx:1293 86.59.119.82:443 ESTABLISHED
I checked the destination IP addresses/ports at https:/ and confirmed these are Tor relays.
Note: the relays are listening on Tor onion port 9001. The last relay is listening on port 8080, so I have no idea what's going on with it connected to 443. Not too familiar with Tor; perhaps this is the entry node?
I changed the ASUS WPA2 password and set up wireless MAC filtering. Also created rules to block this node's IP address from using TCP & UDP ports 1-65535. I tested it on my machine and it dropped some packets but was allowing UDP 53 (DNS queries out). I opened a ticket with the router vendor for that.
I'll be changing the subnet completely in a few days (after I complete a project).
I'm assuming the MAC addresses of the 2 nodes were spoofed, but they were from:
Hon Hai Precision (which I am told is HP) &
Motorola Mobility.
I would appreciate any suggestions on this. Running Kaspersky IS 2013 on my machines, and Avira and Windows Defender on a 10-year-old P-IV (which is on for 12 hours on Saturdays).
The phone does not have any security sw running.
Thanks a lot, and I am sorry for the long-winded post.
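The two checks the post walks through by hand (comparing DHCP leases against a spreadsheet of known MACs and an OUI lookup, then matching router connection-log entries against a Tor relay list) can be scripted. Below is an added example, not part of the original post and not any vendor's tool. It assumes netstat-style connection lines like the ones quoted and dnsmasq-style lease lines; the sample lines, the relay set and the OUI prefixes are constructed placeholders (in practice, load the relay addresses from a Tor relay search or consensus export, and the OUI prefixes from the IEEE OUI file). Port 9001/9030 is treated only as a hint; the address match is what confirms a relay, which is also why a relay reached on 443 still gets flagged.

```python
"""Added example: triage unknown DHCP leases and suspected Tor-relay
connections from home-router logs. All sample data below is constructed."""
import re
from dataclasses import dataclass

# Constructed connection-log lines in the shape the post quotes. Internal
# hosts use RFC 5737 test addresses; the external addresses are the ones the
# post lists. Nothing here was pulled from a live system.
CONNECTION_LOG = """\
tcp 192.0.2.20:1316 212.83.131.33:9001 ESTABLISHED
tcp 192.0.2.20:1291 212.83.131.33:9001 ESTABLISHED
tcp 192.0.2.20:1292 38.229.0.29:9001 ESTABLISHED
tcp 192.0.2.20:1293 86.59.119.82:443 ESTABLISHED
tcp 192.0.2.10:50112 198.51.100.7:443 ESTABLISHED
"""

# Placeholder relay set (assumption): populate from a Tor relay export.
KNOWN_RELAYS = {"212.83.131.33", "38.229.0.29", "86.59.119.82"}

# Default ORPort / DirPort values; a hit is a hint, not a confirmation.
TOR_HINT_PORTS = {9001, 9030}

# Constructed dnsmasq-style leases: <expiry> <mac> <ip> <hostname> <client-id>
LEASE_FILE = """\
1700000000 00:1e:8c:11:22:33 192.0.2.10 desktop-main 01:00:1e:8c:11:22:33
1700000100 a4:5e:60:aa:bb:cc 192.0.2.20 android-9f3a *
1700000200 f0:d1:a9:de:ad:00 192.0.2.21 * *
"""

# The owner's inventory (the post's spreadsheet), constructed for the example.
KNOWN_MACS = {"00:1e:8c:11:22:33"}

# Placeholder OUI prefixes (assumption): use the IEEE OUI file for real lookups.
OUI_TABLE = {
    "00:1e:8c": "ASUSTek (placeholder prefix)",
    "a4:5e:60": "Hon Hai Precision (placeholder prefix)",
    "f0:d1:a9": "Motorola Mobility (placeholder prefix)",
}

CONN_RE = re.compile(
    r"^(tcp|udp)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)$")
LEASE_RE = re.compile(r"^\d+\s+([0-9a-fA-F:]{17})\s+(\S+)\s+(\S+)")


@dataclass(frozen=True)
class Connection:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    state: str


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_connections(text):
    """Parse netstat-like lines; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            proto, sip, sport, dip, dport, state = m.groups()
            rows.append(Connection(proto, sip, int(sport), dip, int(dport), state))
    return rows


def classify(conn, relays, hint_ports=TOR_HINT_PORTS):
    """Address match confirms a relay regardless of port; port alone is a hint."""
    if conn.dst_ip in relays:
        return "confirmed_relay"
    if conn.dst_port in hint_ports:
        return "possible_relay_port"
    return "ok"


def flag_tor_connections(text, relays):
    """Map each internal source IP to its suspicious (dst, verdict) pairs."""
    findings = {}
    for c in parse_connections(text):
        verdict = classify(c, relays)
        if verdict != "ok":
            findings.setdefault(c.src_ip, []).append((f"{c.dst_ip}:{c.dst_port}", verdict))
    return findings


def parse_leases(text):
    return [Lease(m.group(1).lower(), m.group(2), m.group(3))
            for m in (LEASE_RE.match(l.strip()) for l in text.splitlines()) if m]


def vendor_for(mac, oui_table):
    """Look up the 24-bit OUI (first three octets) of a MAC address."""
    return oui_table.get(mac.lower()[:8], "unknown OUI")


def find_unknown_leases(text, known_macs, oui_table):
    """Leases whose MAC is not in the inventory, with a vendor guess from the OUI."""
    known = {m.lower() for m in known_macs}
    return [(l.mac, l.ip, l.hostname, vendor_for(l.mac, oui_table))
            for l in parse_leases(text) if l.mac not in known]


if __name__ == "__main__":
    for src, hits in flag_tor_connections(CONNECTION_LOG, KNOWN_RELAYS).items():
        print(src, hits)
    for row in find_unknown_leases(LEASE_FILE, KNOWN_MACS, OUI_TABLE):
        print(row)
```

Running it prints the one internal host that talked to the relay set (all four of its connections, including the one on 443) and the two leases absent from the inventory with their OUI-derived vendor guesses. Because the OUI is just the first three octets of the MAC, a spoofed address yields a plausible vendor too, so treat the vendor column as a lead, not proof of what the device is.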