Cloudflare IPs have inserted themselves into my network

This topic was closed yesterday

https://community.cloudflare.com/t/my-isp-external-ip-being-sent-through-cloudflare/303984/27

@ausierod

I’m having the same problem on Windows 10. My network connection keeps going down every 5 minutes and I see that my External IP address is set to some Cloudflare IP address(s). It alternates between a Cloudflare IP and my real IP. And every time it bounces to a Cloudflare IP address, my networking goes down.

Yes, I’m using the same Network Gadget as the other poster and no, it’s not broken (or rather, it’s broken in a GOOD way as this is the only utility that detects the bogus IP). It doesn’t just pull random Cloudflare IPs out of nowhere.

I also noticed that I’ve got bogus MAC addresses listed on my router’s DHCP table. About 15 of them. They all begin with 1a:d6:c7 and then random after that. That prefix is not in the MAC database. BUT, if you change a to an 8, you have TP-Link. That’s too similar to be a coincidence. It’s gotta be something Evil.

Most of the connections from the MACs are called “Wireless Device(nn)”, but one of them is mapped to MY Computer and my CURRENT INTERNAL IP ADDRESS (.104). Then I have another DHCP entry from my machine, also active, that has a different IP address (.175) that is attached to my REAL MAC address, my EDUP USB adapter. But ipconfig says I’m .104, not .175.

So it sure looks like something is creating bogus devices, requesting IPs and inserting itself between my machine and my network adapter by swapping around network interfaces. And whatever it is, it appears to be hosted by Cloudflare.

My IP address has been 136.49.20.111 for a few days so if some Admin there wants to see where my connections are landing, be my guest. I’m probably going to bite the bullet and do a partial reinstall. First I’m going to remove all my adapter interfaces.

I did find one suspicious service running(?) that had the WinRing0 library compiled into it. It put itself in appdata/local/temp but I could not find the process running nor could I find the process that had the file open - I only saw it listed in autoruns.exe (sysinternals). And when I removed it with brute force (on reboot) it re-created a new .tmp file in the same path until I nuked “WinRing0” from the registry. The network problem persists, though.

I do not use any Cloudflare services except for a few sites I visit.

FOLLOWUP: Since I removed that rogue service, I don’t think I’m losing network connectivity like I was before I removed WinRing0 from the registry. It’s still bouncing around between Cloudflare IPs, “Error 0”, and my gateway’s external IP.

What do you mean by “not broken”? When I opened the gadget I can see the website it is using to determine the client IP, and that website is broken.

Everything about local devices on your network is best answered on StackOverflow.

That OUI is registered to TP-Link.

There are no web servers at the usual ports of these IP addresses. What or whose service(s) do you think they’re using?

As for 1a:d6:c7, I checked again. And Again. And again. The first 6 online tools listed on Google deny its assignment. I also looked at the whole list of OUIs for both TP-links. Am I missing something?
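
An added example, not part of any post in this thread: in the first octet 0x1a the locally-administered bit (0x02) is set, which is why OUI lookups return nothing for 1a:d6:c7, and clearing that bit gives 18:d6:c7, the prefix the thread reaches by changing the a to an 8. The sketch below applies that check to DHCP table rows; the table contents and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample rows in the style of a router DHCP client table.
# Only the 1a:d6:c7 prefix is taken from the thread; the rest is made up.
SAMPLE_TABLE = """\
Wireless Device(01)  192.168.1.120  1a:d6:c7:3e:90:11
Wireless Device(02)  192.168.1.121  1A-D6-C7-77-0B-F2
my-pc                192.168.1.104  1a:d6:c7:c4:5d:08
my-pc                192.168.1.175  00:11:22:33:44:55
"""

MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")


def classify_mac(mac):
    """Decode the two flag bits in the first octet of a 48-bit MAC."""
    octets = [int(part, 16) for part in re.split(r"[:-]", mac)]
    first = octets[0]
    # Prefix with the locally-administered bit cleared: the value to look
    # up in an OUI registry when checking which vendor prefix it resembles.
    universal = [first & 0xFD] + octets[1:3]
    return {
        "mac": ":".join(f"{o:02x}" for o in octets),
        "locally_administered": bool(first & 0x02),  # assigned by software
        "multicast": bool(first & 0x01),             # group address
        "universal_prefix": ":".join(f"{o:02x}" for o in universal),
    }


def audit_table(text):
    """Classify every MAC found in DHCP table text, one result per match."""
    return [classify_mac(m.group(0)) for m in MAC_RE.finditer(text)]


def local_prefix_counts(rows):
    """Count locally administered addresses per 3-octet prefix."""
    return dict(Counter(r["mac"][:8] for r in rows if r["locally_administered"]))


if __name__ == "__main__":
    rows = audit_table(SAMPLE_TABLE)
    for r in rows:
        kind = "locally administered" if r["locally_administered"] else "universal (OUI)"
        print(f'{r["mac"]}  {kind:22}  lookup prefix {r["universal_prefix"]}')
    print(local_prefix_counts(rows))
```

Addresses with this bit set are assigned by software, for example by the per-network MAC randomization in current phone and desktop operating systems, so an empty OUI lookup is expected for them.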
