How can I show evidence to identify cyber attacker (MiTM and arp spoofing, evil twin)?

Question

I am not new to technology but am a security novice. Here is my problem: I have been constantly harassed online for the past 10 months by presumably the same person. It has caused me untold stress, sleepless nights, delays in work and study and so much frustration. This is a specific background but I want to justify my question first, especially given i'm new to the forum. This has gotten to the stage where I can no longer tolerate it. It's not an occasional attack, it's daily and nightly. I can't watch a movie or read a book online in my own home. For the last 10 months. Currently using windows 7 but also attacked on windows 10 (other machine)

Ok, on to the question: If there is a man in the middle type attack with arp spoofing, is there a way of identifying the perpetrator?

Also, fyi: I have secured my modem - strong encryption, password, no showing ssid, mac filtering, netcut, vpn, xarp. This person seems to get access to my wifi via man in the middle and evil twin. I can see from the arp table. I keep resetting my pcs and modem, even buying new ones.

One example is: When I changed to vpn, my wifi was disconnected. Once I checked the arp table, I could see a bunch or redirected mac addresses. I read up and found the script to delete the table and change to a static entry. However, he somehow overwrote this by dividing the table inter interfaces, and putting my static entry in the wrong place under an unrecognizable script. I can put a sample here. i have tried to find out how to change this back but can't find a script for that online. The only thing I can do is write a script to delete and reenter. But the guy is now writing a script to continually flood the table with refreshed entries.

I've also got continuous scripts checking for open ports, and a script running against my router that keeps trying to gain access (I found this in the logs but the src address was missing - how did he do that?).

Quick answers to obvious things in case you think it: Why haven't I moved? Laws in Melbourne are strict. I have a lease that runs for another 5 months. If I leave I have to pay rent until another tenant is found?

Why don't I just use wired internet? I did, and it was very cumbersome to drag wires with me. I did that for 3 months. I also replaced all my wired devices. However, I have a flatmate now and the broadband connection is in her bedroom. in any case, I don't know if it will solve the problem entirely.

Help from security experts would be greatly appreciated.

I know this guys name and address, and I have enough circumstantial evidence to suggest he is the most likely culprit. I even have some mac addresses I've captured but i need something solid.

I know this is probably too difficutl but any assistance and advice would be appreciated.

Answer 1

To start off, you should probably contact the authorities at this point, as @SMeyer recommended. I have no experience with Australian law, but I imagine that this would fall under harassment, at least. At this point, this seems like the most effective course of action.

With that in mind, is it possible that there is some other cause behind this? The lengths to which this individual seems to have gone to in order to disrupt your internet connection borders on the absurd. Occam's Razor would suggest that there is some other cause behind it, though the evidence you mention seems fairly damning. Perhaps a misconfigured script, a poorly-designed device, or even simple interference? The latter seems like a less-likely option, as the changes to the routing table does suggest an active attack, if perhaps an unintentional one. Perhaps ask your neighbors if they have also experienced this problem? Alternatively, perhaps you could explain your situation to your neighbors and ask for access to one of their WiFi networks.

If this is in fact the work of a hostile individual, have you considered that they might have access to your router itself? If you are still using the default admin credentials for your router, you should change that immediately. Do you have any Internet of Things devices on your network? With the recent spate of IoT-based attacks, a compromised device would not be an unreasonable suspicion. Do you expose any services on your local network to the internet, e.g. a website, a Minecraft server, a VPN host?

Finally, you could attempt to misdirect your attacker with a bit of further subterfuge. One option would be to buy another router, have it broadcast a network with a generic SSID (maybe borrow the SSID of a neighbor's network?) and use that as your primary network. Leave the other router broadcasting, but switch your internet connection to the new router. Alternatively, you could invest in a much higher-grade router; past a certain point of broadcast and processing power, the attacks you describe become extremely impractical. An evil twin attack relies on overpowering the signal from the legitimate router with its own fake broadcast. It would also be a good idea to add the MAC addresses you know to a blacklist; while that is fairly easy to bypass, it might have some preventative effect if the attacks are in fact accidental. You could also attempt something more primitive; you mention that you think you know the person behind the attack, and where they are attacking from. You could try moving your router as far away from that location within your house as you can, or try to put a radio-impermeable barrier between your router and said location.