[TheOOBEandMe]

Hi, 

 

My home network got super crazy last year as a tool for harassment.  I know almost nothing about Networking but here this is:

 

The ISP is Cox in Arizona

Router was a Netgear R7000 which my brother installed DDWrt firmware on to maybe help stem the "shutdowns"

Modem was a CIsco DPQ3212

 

So I went through log after log and found something peculiar.  With the old network being located in the Phoenix suburbs in Arizona we generally would have the WAN IP in that range, with San Diego being thrown in from time to time.  I figured the mistake was Cox Communications based as opposed to a network intrusion.  But this time there was an IP address from Ireland showing in the syslog under "WAN is up:  34.240.118.245".

 

Why would this happen?  Is it related to the attack and could it possibly be used, in conjunction with Date and Time to point to the hacker?  Again, I know nothing...obviously.  But Cox was really skittish about providing me with the serial number they had on file for my modem when I wanted to make sure it matched with our In-Home modem.  Again, why?  It didn't match.  And there was mystery online charges on our statement showing our service one week going from the 100 mb/s to 30 mb/s and then back again...just for one week.  With all attached charges zeroed out.

 

I have reason to suspect that it is either the work of some crazy telecommunications employee messing with people's stuff OR...and try to stay with me here...OR its law enforcement.  I'm not sure how the official "handover" of data is usually carried out between an ISP and a law enforcement agency.  Just take my word that I had good reasons to consider that an option, and due to the amount of time since the attacks were taking place, the "handover" yielded nothing. 

 

Thanks in advance for any networking insight into this.  I have attached a screen shot of the syslog entry.  Keep in mind that these logs were captured during the boot process and there was nothing connected to the WiFi or by ethernet.

 

 

[Advertisements]

192.168.1.xxx is your home network

[azarl]

192.168.1.xxx is your home network

[TheOOBEandMe]

Yes, it is. But the WAN shows at the top of the screen shot. Normally this address is a local address determined by my ISP. But on this occasion, and this occasion only, the WAN is an Ireland based EC2 AWS address. The location of this setup is in the Phoenix, AZ suburbs, and was being flooded and frequently shut down. Why would this show as Ireland? And an Amazon or AWS site showing as the internet facing IP?

[azarl]

Anything to do with this?

https://www.cox.com/...loudPortQRG.pdf

[TheOOBEandMe]

It looks like a viable reason for the anomaly. Though it does say that I would need to sign up for AWS services before a connection like that could be made. At one point there was reason to suspect there was another machine with our IP, like the IP was duplicated. For instance, you saw that our IP was the 192.168.1.1, but there was evidence of about 30 concurrent connections to YouTube using 192.168.0.1 as the local address and 192.168.0.5, 6, 7, 8 and so on. Perhaps there was another router being used somewhere along the way being used to intercept traffic. I have a screen shot of that too.