IP Spoofing – Confirmation of Chromebooks in Potential Botnet Attack

I have seen Chromebooks in 5 different schools display the same behavior, impersonate their own IP address as and send packets to OpenDNS or AWS addresses. I guess this is part of a DNS thinking attack.

This happens even when schools have locked Chromebooks, banning extensions, developer mode, and personal (non-organizational) connections.

Chromebooks are on their own SSIDs and VLANs where packets originate. I do not think that MAC addresses are usurped. The 5 schools are generally not linked as organizations, but their networks and technology are completely separate.

Until now, the firewall seems to capture falsified packets and delete them, but I hope to find a way to find the cause and eliminate it.

Google technical support is running out of ideas. If anyone has an idea of ​​how I could locate what appears to be a Chrome OS malware, or see this problem too, I'd love to hear from you.