Traffic from unassigned subnet?

Started by Kets_One, November 30, 2025, 08:13:57 PM

November 30, 2025, 08:13:57 PM Last Edit: November 30, 2025, 09:05:08 PM by Kets_One
Hi,

Today I noticed that suspicious traffic from LAN -> WAN was blocked by Q-Feeds (thanks Q-Feeds).
What I cannot understand is where this traffic originated from: 192.168.90.100 (port 123).
This should be impossible, since the DHCP range that I use is 192.168.1.0/24.
No fixed IPs are assigned.
ARP Table does not show the source IP (192.168.90.100).
Hostname of the source IP is empty.

The destination was 94.16.122.152 (port 123).
While this may look like ordinary NTP traffic, the destination IP does not appear to be an NTP server (no response).
Also, why would the originating IP address be out of the DHCP range?
And why would the destination IP be on a Q-Feeds blocklist?

Is this a spoofing attempt? Is this legit?
What am i missing?
How to find out which client this originated from?

As a mitigation and while I am figuring this out I have:
- Blocked the ASN for the destination address in F/W;
- Allowed only 192.168.1.0/24 and 224.0.0.0/8 out from LAN into F/W.

Deciso dec3840: EPYC 3101, 16GB RAM, 512GB SSD
Deciso dec3850: EPYC 3201, 16GB RAM, 256GB SSD

My guess would be a piece of small office networking equipment, such as a web-managed switch, with DHCP off (so it autoassigns an IP). 94.16.122.152 is likely from pool.ntp.org (I didn't bother to confirm), but how the client would look it up without an appropriate IP is a bit of a mystery (perhaps a cached lookup).

I have a few switches of that type. At times I've just let them chat away, but I usually go in and hard-configure them to communicate (management traffic) on port 1 only (generally by setting the other ports to a VLAN other than 1).

December 01, 2025, 08:25:00 PM #2 Last Edit: December 01, 2025, 10:36:08 PM by Kets_One
Thanks for the suggestion.
However, I don't have managed switches installed. All other networking equipment I have monitored for years without such behaviour.

Strangely nslookup of 94.16.122.152 resolves s7.vonderste.in.
Not known as a part of the ntp.pool, maybe just an NTP client.
Indeed this doesn't explain the source IP.

Update:
Just now a new request was made from 192.168.90.100:123 to a different destination IP: 217.144.138.234, which appears to be an NTP server: ntp2.wup-de.hosts.301-moved.de. Again I am unable to locate the source IP / host on my LAN. Maybe some Wireshark is in order...
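As an added example (not code from this thread or from OPNsense), here is a small Python check aimed at the question of how to find which client a flow came from and at the LAN rule that only lets 192.168.1.0/24 and 224.0.0.0/8 out: it reads firewall log lines in a constructed CSV layout (an assumption, not OPNsense's real filterlog format), and groups every flow whose source lies outside the expected subnets, so a device like the 192.168.90.100 NTP talker shows up with its timestamps and destinations. The interface name, the sample lines and the third-party addresses other than the two from the thread are all constructed.

```python
import ipaddress
from collections import defaultdict
# Source subnets the thread treats as legitimate on the LAN: the DHCP
# range plus link-local multicast (the OP's egress rule).
EXPECTED_SOURCES = [ipaddress.ip_network("192.168.1.0/24"),
                    ipaddress.ip_network("224.0.0.0/8")]

# Constructed sample lines in an assumed CSV layout (NOT OPNsense's real
# filterlog format): ts,iface,action,proto,src,sport,dst,dport
SAMPLE_LOG = """\
2025-11-30T20:10:01,igb1,block,udp,192.168.90.100,123,94.16.122.152,123
2025-11-30T20:10:03,igb1,pass,udp,192.168.1.23,51234,1.1.1.1,53
2025-11-30T20:10:05,igb1,pass,tcp,192.168.1.40,44312,203.0.113.10,443
2025-12-01T20:20:11,igb1,block,udp,192.168.90.100,123,217.144.138.234,123
2025-12-01T20:20:12,igb1,pass,udp,224.0.0.251,5353,224.0.0.251,5353
"""

def parse_line(line):
    """Return a flow record, or None for a malformed line (never raises)."""
    fields = line.strip().split(",")
    if len(fields) != 8:
        return None
    ts, iface, action, proto, src, sport, dst, dport = fields
    try:
        return {"ts": ts, "iface": iface, "action": action, "proto": proto,
                "src": ipaddress.ip_address(src), "sport": int(sport),
                "dst": ipaddress.ip_address(dst), "dport": int(dport)}
    except ValueError:
        return None

def is_expected_source(addr):
    """True if addr (str or ip_address) lies inside an expected subnet."""
    addr = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    return any(addr in net for net in EXPECTED_SOURCES)

def unexpected_sources(log_text):
    """Map each out-of-range source IP to the flows it generated."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_expected_source(rec["src"]):
            continue
        flows[str(rec["src"])].append((rec["ts"], rec["proto"], rec["sport"], str(rec["dst"]), rec["dport"]))
    return dict(flows)

if __name__ == "__main__":
    for src, hits in unexpected_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(hits)} flow(s) from outside the expected subnets")
        for ts, proto, sport, dst, dport in hits:
            print(f"  {ts} {proto} {src}:{sport} -> {dst}:{dport}")
```

The firewall log only carries IP addresses, which is why a source that never answers ARP stays anonymous; a packet capture on the LAN interface that records the Ethernet header would expose the source MAC and thus the physical device.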