I have seen Chromebooks in 5 different schools display the same behavior: they impersonate their own IP address as 100.115.92.1 and send packets to OpenDNS or AWS addresses. I guess this is part of a DNS thinking attack.
This happens even when schools have locked Chromebooks, banning extensions, developer mode, and personal (non-organizational) connections.
Chromebooks are on their own SSIDs and VLANs where packets originate. I do not think that MAC addresses are usurped. The 5 schools are generally not linked as organizations, but their networks and technology are completely separate.
Until now, the firewall seems to capture falsified packets and delete them, but I hope to find a way to find the cause and eliminate it.
Google technical support is running out of ideas. If anyone has an idea of how I could locate what appears to be Chrome OS malware, or is seeing this problem too, I'd love to hear from you.