Starting on the 13th, apparently there is a device on my network sending too many DNS requests to my ISP, triggering an automatic suspension of my account.
The second time it occurred, almost exactly one week later (#1: 8/13/18 ~10 AM; #2: 8/20/18 ~1 PM), a laptop of mine went down (UEFI settings and registry, still have not resurrected it). Apparently Cox (my ISP) does not suspend on the first "attack", so I wasn't aware of the issue until the second round. The timing was awfully suspicious, and I was hoping the dead laptop would be the end of this.
This morning (#3: 8/26/18 ~4 AM) marks the third "attack", and as I can now safely rule out the dead laptop, I am looking for other possible sources of these attacks.
There are 5 PCs on my network: 4 Windows and 1 Mac. I have run virus/malware scans on the Windows PCs but not on the Mac.
Apart from my router (with LEDE), I have a Ubiquiti UAC Pro and a Honeywell Wifi Thermostat. Beyond those devices, there are a few Android TV boxes, but none of those were ON during (at least) the last two "attacks".
I keep putting "attacks" in quotes because the almost "automatic" frequency of these occurrences suggests that perhaps some piece of software on my network is malfunctioning.
The most logical thing I can think of to do next is log all of my incoming/outgoing connections, and then try to match the next attack to an IP address on my network. From a cursory search, I believe what I will need to do is use some combination of iptables, syslog, and a remote logging application. Is anyone aware of a tutorial hiding somewhere on the internet that would walk me through some of the steps?
Beyond that, is there any package I could install that would prevent this sort of thing from happening?
Note: Just as an intermediate test, I changed my DNS servers to Google. I'm also using YAMon to track bandwidth usage.
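The iptables-plus-syslog setup the question asks about, as an added example that is not part of the original post or of the LEDE project: a busybox-ash-compatible script that (1) emits the iptables rules tagging every DNS packet from the LAN with a "DNS-OUT:" syslog line, (2) emits the uci commands that forward the router's log to a remote collector, and (3) parses those log lines into a per-source query count so the next "attack" can be matched to a LAN IP. It assumes the LEDE defaults of a LAN bridge named br-lan and a WAN interface eth0, a 192.168.1.0/24 LAN, and a collector at 192.168.1.10; all of those names and addresses, and the sample log lines, are assumptions or constructed data, not anything from the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes a LEDE/OpenWrt router
# whose LAN bridge is "br-lan" and WAN is "eth0" (assumed names). LAN clients
# that use the router's dnsmasq as resolver hit the INPUT chain; clients that
# talk to an outside resolver directly hit FORWARD. Both are tagged, because
# the ISP only ever sees the router's WAN address and cannot tell which.

# Emit (do not apply) the iptables rules. Review, then run on the router;
# append to /etc/firewall.user so they survive a firewall reload. The limit
# keeps a flooding device from drowning the log; counts become lower bounds,
# but the SRC= attribution is what matters.
dns_log_rules() {
    cat <<'EOF'
iptables -N DNS_LOG
iptables -A DNS_LOG -m limit --limit 50/second --limit-burst 200 -j LOG --log-prefix "DNS-OUT: " --log-level 4
iptables -A DNS_LOG -j RETURN
iptables -I INPUT   -i br-lan -p udp --dport 53 -j DNS_LOG
iptables -I INPUT   -i br-lan -p tcp --dport 53 -j DNS_LOG
iptables -I FORWARD -i br-lan -p udp --dport 53 -j DNS_LOG
iptables -I FORWARD -i br-lan -p tcp --dport 53 -j DNS_LOG
EOF
}

# Emit (do not apply) the uci commands that ship the router's syslog to a
# remote collector over UDP/514 so the evidence survives a reboot or a full
# ring buffer. 192.168.1.10 is an assumed collector address.
dns_remote_syslog() {
    cat <<'EOF'
uci set system.@system[0].log_ip=192.168.1.10
uci set system.@system[0].log_port=514
uci set system.@system[0].log_proto=udp
uci commit system
/etc/init.d/log restart
EOF
}

# Read syslog lines on stdin, keep only the DNS-OUT kernel lines, and print
# "count ip" per LAN source, busiest first. Uses only busybox awk/sort.
dns_top_sources() {
    awk '/DNS-OUT:/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
    }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample of what "logread" prints once the rules are in place.
# Timestamps, MACs and addresses are made up. The dnsmasq line shows that
# only the kernel LOG lines are counted.
sample_log() {
    cat <<'EOF'
Sun Aug 26 04:01:12 2018 kern.warn kernel: [8123.456789] DNS-OUT: IN=br-lan OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51234 DPT=53 LEN=40
Sun Aug 26 04:01:12 2018 kern.warn kernel: [8123.456901] DNS-OUT: IN=br-lan OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51235 DPT=53 LEN=40
Sun Aug 26 04:01:13 2018 daemon.info dnsmasq[1234]: query[A] example.com from 192.168.1.50
Sun Aug 26 04:01:13 2018 kern.warn kernel: [8124.001234] DNS-OUT: IN=br-lan OUT= MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40001 DPT=53 LEN=38
Sun Aug 26 04:01:14 2018 kern.warn kernel: [8125.002345] DNS-OUT: IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51236 DPT=53 LEN=40
Sun Aug 26 04:01:15 2018 kern.warn kernel: [8126.003456] DNS-OUT: IN=br-lan OUT= MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40002 DPT=53 LEN=38
Sun Aug 26 04:01:16 2018 kern.warn kernel: [8127.004567] DNS-OUT: IN=br-lan OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51237 DPT=53 LEN=40
EOF
}

# Stand-alone run: "sh dnslog.sh demo" summarises the constructed sample.
# On the router, use: logread | dns_top_sources
if [ "${1:-}" = "demo" ]; then
    sample_log | dns_top_sources
fi
```

On the router the live version is `logread | dns_top_sources` (not `logread -f`, which never ends). Because DHCP leases move, note the MAC= field of the busiest lines as well as the IP: iptables' LOG writes it as destination MAC, then source MAC, then the ethertype, so the twelve bytes after the first six identify the device. If the router's own dnsmasq is the resolver for everyone, `uci set dhcp.@dnsmasq[0].logqueries=1` additionally logs every query name per client, which distinguishes a broken updater hammering one hostname from something more deliberate.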