Traffic from unassigned subnet?

Started by Kets_One, November 30, 2025, 08:13:57 PM

November 30, 2025, 08:13:57 PM Last Edit: November 30, 2025, 09:05:08 PM by Kets_One
Hi,

Today I noticed that suspicious traffic from LAN -> WAN was blocked by Q-Feeds (thanks Q-Feeds).
What I cannot understand is where this traffic originated from: 192.168.90.100 (port 123).
This should be impossible, since the DHCP range that I use is 192.168.1.0/24.
No fixed IPs are assigned.
ARP Table does not show the source IP (192.168.90.100).
Hostname of the source IP is empty.

The destination was 94.16.122.152 (port 123).
While this may look like ordinary NTP traffic, the destination IP does not appear to be an NTP server (no response).
Also, why would the originating IP address be out of the DHCP range?
And why would the destination IP be on a Q-Feeds blocklist?

Is this a spoofing attempt? Is this legit?
What am I missing?
How to find out which client this originated from?

As a mitigation and while I am figuring this out I have:
- Blocked the ASN for the destination address in F/W;
- Allowed only 192.168.1.0/24 and 224.0.0.0/8 out from LAN into F/W.

Deciso dec3840: EPYC 3101, 16GB RAM, 512GB SSD
Deciso dec3850: EPYC 3201, 16GB RAM, 256GB SSD

My guess would be a piece of small office networking equipment, such as a web-managed switch, with DHCP off (so it autoassigns an IP). 94.16.122.152 is likely from pool.ntp.org (I didn't bother to confirm), but how the client would look it up without an appropriate IP is a bit of a mystery (perhaps a cached lookup).

I have a few switches of that type. At times I've just let them chat away, but I usually go in and hard-configure them to communicate (management traffic) on port 1 only (generally by setting the other ports to a VLAN other than 1).

December 01, 2025, 08:25:00 PM #2 Last Edit: December 01, 2025, 10:36:08 PM by Kets_One
Thanks for the suggestion.
However, I don't have managed switches installed. All other networking equipment I have monitored for years without such behaviour.

Strangely, nslookup of 94.16.122.152 resolves to s7.vonderste.in.
Not known as a part of the ntp.pool, maybe just an NTP client.
Indeed this doesn't explain the source IP.

Update:
Just now a new request was made from 192.168.90.100:123 to a different destination IP: 217.144.138.234, which appears to be an NTP server: ntp2.wup-de.hosts.301-moved.de. Again I am unable to locate the source IP / host on my LAN. Maybe some WireShark is in order...
Deciso dec3840: EPYC 3101, 16GB RAM, 512GB SSD
Deciso dec3850: EPYC 3201, 16GB RAM, 256GB SSD
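One way to do the capture-side hunt this post ends up needing (tracing a source address the ARP table has never seen back to a physical NIC), as an added example that is not from any of the posts above: run `tcpdump -e -n -i <lan_if> udp` on the OPNsense LAN interface and parse its output, grouping packets whose source IP is outside the expected subnet by Ethernet source MAC. The capture lines, the MAC addresses and the `<lan_if>` placeholder are constructed; the IP addresses are the ones from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# One line of `tcpdump -e -n -i <lan_if> udp` (IPv4 only); -e adds the Ethernet header,
# which is what ties a source address the ARP table has never seen back to a physical NIC.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Prefixes a LAN host is expected to source traffic from (the DHCP range from the thread).
EXPECTED_LAN = [ipaddress.ip_network("192.168.1.0/24")]

def parse_line(line):
    """Parse one tcpdump -e -n line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sip"] = ipaddress.ip_address(pkt["sip"])
    pkt["dip"] = ipaddress.ip_address(pkt["dip"])
    return pkt

def find_rogue_sources(lines, expected=EXPECTED_LAN):
    """Group packets whose source IP lies outside every expected prefix by source MAC.
    The MAC (and its OUI, the first three octets) is what identifies the offending device."""
    rogues = defaultdict(lambda: {"ips": set(), "dests": set(), "count": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or any(pkt["sip"] in net for net in expected):
            continue
        entry = rogues[pkt["smac"]]
        entry["ips"].add(str(pkt["sip"]))
        entry["dests"].add(f'{pkt["dip"]}:{pkt["dport"]}')
        entry["count"] += 1
    return dict(rogues)

# Constructed capture lines: the MACs are made up, the addresses are the ones from the thread.
SAMPLE_CAPTURE = """\
20:11:03.105221 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 90: 192.168.90.100.123 > 94.16.122.152.123: NTPv4, Client, length 48
20:11:09.441870 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 90: 192.168.90.100.123 > 217.144.138.234.123: NTPv4, Client, length 48
20:11:10.002314 00:de:ad:be:ef:01 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 73: 192.168.1.50.51234 > 192.168.1.1.53: 4711+ A? example.com. (29)
""".splitlines()

if __name__ == "__main__":
    for mac, info in find_rogue_sources(SAMPLE_CAPTURE).items():
        print(f"{mac} (OUI {mac[:8]}) sent {info['count']} packets as {sorted(info['ips'])} to {sorted(info['dests'])}")
```

Looking the reported OUI up in a vendor database usually narrows the device down to a manufacturer (a repeater, switch or similar) before any port-by-port unplugging is needed.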

Quote from: Kets_One on December 01, 2025, 08:25:00 PM
Thanks for the suggestion.
However, I don't have managed switches installed. All other networking equipment I have monitored for years without such behaviour.

Strangely, nslookup of 94.16.122.152 resolves to s7.vonderste.in.
Not known as a part of the ntp.pool, maybe just an NTP client.
Indeed this doesn't explain the source IP.

Update:
Just now a new request was made from 192.168.90.100:123 to a different destination IP: 217.144.138.234, which appears to be an NTP server: ntp2.wup-de.hosts.301-moved.de. Again I am unable to locate the source IP / host on my LAN. Maybe some WireShark is in order...


94.16.122.152 is identified as a TOR node, that's why it's on our list :)

Your Threat Intelligence Partner  qfeeds.com

Hi, thanks for the information. Does that mean that all TOR nodes (exits and relays) are on the list?

BTW: it appears that one of my wifi repeaters is the culprit that is trying to contact these NTP servers.
Why it would try to do that is beyond me, I have a fixed NTP server set for the whole network.
To prevent this I have added a specific port-forwarding rule which should forward this traffic to a server of my liking ;)

Deciso dec3840: EPYC 3101, 16GB RAM, 512GB SSD
Deciso dec3850: EPYC 3201, 16GB RAM, 256GB SSD

No, not all in particular.

Your Threat Intelligence Partner  qfeeds.com

Quote from: Kets_One on December 05, 2025, 10:22:39 PM
Hi, thanks for the information. Does that mean that all TOR nodes (exits and relays) are on the list?

Only those that are flagged for suspicious activity. This applies to any "IoC", that's why people often have VPNs blocked.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD