Wow!! This was crazy interesting! Wifi ARP poisoning

devsk
DD-WRT Novice


Joined: 25 Aug 2016
Posts: 28

Posted: Fri Jan 11, 2019 17:27    Post subject: Wow!! This was crazy interesting! Wifi ARP poisoning
Sorry for the long post, but I found it bizarre!! Please bear with me.

devsk wrote:
Another issue I face is that sometimes the Archer C9 (which I am using as a switch/AP) claims the address 192.168.0.1 for itself (it broadcasts an ARP for that IP with its MAC) when the real router becomes unreachable, breaking all internet facing traffic.

Why does it claim 192.168.0.1 when it knows that's the default gateway and its IP is something else?

I posted this in the Archer C9 thread but thought it's more generally relevant.

So, I thought the MAC was that of *MY* TPLink C9 but that MAC was some other device in the neighbourhood (likely one of my neighbours). It only matched in the first 3 OEM bytes.

So, basically, there is a wireless leak going on here somehow.

192.168.0.1 is my cable modem. A neighbour's TPLink device arps with 192.168.0.1. When I go to 192.168.0.1, it presents me with the original TPLink ROM's login UI (I am running dd-wrt on my TPLink C9 routers and my 192.168.0.1 is the cable modem, not TPLink). I enter username and password and it rejects the connection. (I have since then changed my own passwords because I basically ended up disclosing my password to some random TPLink device.)

This also explains all the intermittent internet connectivity issues my wifi devices were observing:

devsk wrote:
So, some of the times my client machines make wifi connection successfully but no traffic runs through the connection. The IP is assigned without issue by the DHCP server. It can not talk to internet though.

I have 2 TP-Link Archer C9's installed at the edges of the house (not very large) with their own AP. I am sitting right next to one.

I am running pretty much the latest snapshot (Nov 27) image on both of them.

This happens only once in a while. 4 out of 5 times, wifi connects and everything works. The problem is that the client thinks it's connected when it's not. So, it keeps retrying application level connections... leads to severe battery drains on cell phones and laptops.

Anybody else experience this type of behaviour?
Some of those wireless packets to the internet were not landing at my default gateway (my modem 192.168.0.1) but at my neighbour's wifi router and were likely dropped on the floor by it.

I have moved my LAN to 10.x.x.x network since this discovery and all has gone back to sanity. No more clients that can't connect to internet, no more 192.168.0.1 prompting login prompt to some random TPLink ROM. I was blaming Ring and its chime being a poor product because it would work sometimes and then won't. But it hasn't disconnected for days since the fix.

So, the big question is: How is this possible? How can my dd-wrt wifi AP be talking to neighbour's router when it has a wired connection to my modem? How can it happen at the L2 level itself? How are arp broadcasts leaking across wifi?


Last edited by devsk on Tue Jan 15, 2019 16:36; edited 1 time in total
devsk
DD-WRT Novice


Joined: 25 Aug 2016
Posts: 28

Posted: Sat Jan 12, 2019 1:01
Interesting read on the subject:

https://www.packetnexus.com/docs/arppoison.pdf

It's got me thinking more about security now.

I am pretty sure there is no van outside my house trying to spy on me or trying to take over my LAN every day, and I have very good relationships with neighbours on both sides. So, this was most likely accidental ARP poisoning, but it can happen for real nefarious purposes. So, better guard against it!
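
An added example, not part of the thread: one way to spot the situation described in the first post, where an ARP reply for the gateway IP carries a MAC that only shares its first 3 bytes with the poster's own access points. The capture lines, the inventory and all MAC addresses are constructed for illustration.

```python
import re

# Hypothetical inventory of IP -> MAC pinned by the network owner (made-up MACs).
KNOWN = {
    "192.168.0.1": "02:aa:00:00:00:01",  # cable modem / default gateway
    "192.168.0.2": "02:c9:00:00:00:a1",  # AP1
    "192.168.0.3": "02:c9:00:00:00:a2",  # AP2
}

# Constructed, simplified tcpdump-style ARP lines (not captured traffic).
SAMPLE_CAPTURE = """\
17:20:01.100 ARP, Reply 192.168.0.1 is-at 02:aa:00:00:00:01, length 46
17:20:05.200 ARP, Reply 192.168.0.2 is-at 02:c9:00:00:00:a1, length 46
17:21:40.300 ARP, Reply 192.168.0.1 is-at 02:c9:00:7f:3e:10, length 46
17:21:41.400 ARP, Reply 192.168.0.1 is-at 02:aa:00:00:00:01, length 46
17:25:10.500 ARP, Reply 192.168.0.1 is-at 02:c9:00:7f:3e:10, length 46
"""

ARP_REPLY = re.compile(
    r"Reply (\d+\.\d+\.\d+\.\d+) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def oui(mac):
    """First 3 bytes (vendor prefix) of a colon-separated MAC."""
    return mac.lower()[:8]

def find_conflicts(capture, known):
    """Return one alert per (ip, mac) pair that contradicts the pinned inventory."""
    known_macs = {m.lower() for m in known.values()}
    known_ouis = {oui(m) for m in known_macs}
    alerts, seen = [], set()
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        expected = known.get(ip)
        if expected is None or mac == expected.lower() or (ip, mac) in seen:
            continue
        seen.add((ip, mac))
        if mac in known_macs:
            verdict = "own-device"           # one of our boxes answering for the wrong IP
        elif oui(mac) in known_ouis:
            verdict = "same-vendor-foreign"  # same vendor prefix as ours, but not ours
        else:
            verdict = "foreign"
        alerts.append({"ip": ip, "expected": expected.lower(),
                       "seen": mac, "verdict": verdict})
    return alerts

if __name__ == "__main__":
    for alert in find_conflicts(SAMPLE_CAPTURE, KNOWN):
        print(alert)
```

Comparing the full 6-byte MAC against an inventory is what separates "my own AP" from "another device from the same vendor". On a Linux client, a permanent neighbour entry for the gateway (`ip neigh replace <gateway-ip> lladdr <gateway-mac> nud permanent dev <iface>`) is not replaced by a conflicting reply.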
ian5142
DD-WRT Guru


Joined: 23 Oct 2013
Posts: 1866
Location: Canada

Posted: Sat Jan 12, 2019 3:19    Post subject: Build and Settings
What build of DD-WRT are you using?
If you are not using the latest, upgrade. See the link in my signature.

Settings. That sounds like a firewall issue to me. That is just my gut though. It sounds like your ISP is allowing your connection to go through your modem and back in through the neighbour's modem, to their TP-Link router behind it.

This is just a theory. Don't shoot the messenger.

_________________
Before asking a question on the forums, update dd-wrt: Where do I download firmware? I suggest reading it all.

Some dd-wrt wiki pages are up to date, others are not. PM me if you find an old one, I am trying to update them.

Atheros:
TP-Link Archer C7 v2 x2 - WDS AP, WDS Station
TP-Link TL-WDR3600 v1 - WDS Station
TP-Link 841nd v8 - WDS Station
Linksys WRT400N - bricked
D-Link 615 C1 x 4 - not used
D-Link 615 E3 x 2 - WDS Station
D-Link 825 B1 - WDS Station
D-Link 862L A1 - WDS Station (Entware 3X)
Netgear WNDR3700v2 - WDS Station
TP-Link 1043nd v1, inactive, unstable hardware
UBNT loco M2 x2 - airOS

Broadcom
Asus N66U - backup Gateway
Netgear r6300 v1 - AP
Linksys E2500 - not used
Linksys EA2700 - not used
Linksys 160N v3 x2 - not used
Netgear WNDR3700v3 - not used
MediaTek
UBNT EdgeRouter X - Gateway, DHCP, QoS
devsk
DD-WRT Novice


Joined: 25 Aug 2016
Posts: 28

Posted: Sat Jan 12, 2019 4:27
Quote:
If you are not using the latest, upgrade. See the link in my signature.
As I said, using the Nov 27 (2018) build, so it's not terribly old.

Quote:
It sounds like your ISP is allowing your connection to go through your modem and back in through the neighbour's modem, to their TP-Link router behind it.
That would be a customer security disaster for Comcast, right? And if this happened, changing my LAN to 10.x.x.x addresses won't fix it.

I think it just so happens that most of these devices get initialized with 192.168.0.1 as the IP, and they broadcast ARP over the wireless radio over to other wifi APs (my C9 in my case), which now gets confused as to who 192.168.0.1 is.
ian5142
DD-WRT Guru


Joined: 23 Oct 2013
Posts: 1866
Location: Canada

Posted: Sat Jan 12, 2019 4:55    Post subject: DHCP
Wait, was your internal LAN on 192.168.0.1 (on your DD-WRT router)? It defaults to 192.168.1.1, with DHCP 192.168.1.100-199.
devsk
DD-WRT Novice


Joined: 25 Aug 2016
Posts: 28

Posted: Sat Jan 12, 2019 6:32
Quote:
Wait, was your internal LAN on 192.168.0.1
I am using the DHCP server on my gateway (the cable modem/router). That device had IP of 192.168.0.1 on the LAN and it was giving out leases from 192.168.0.2 to 250.

So, all my internet facing traffic went through 192.168.0.1.

The setup is WAN -> Cable modem (router mode) -> ( Wired TP Link AP1 | Wired TP Link AP2 )

Then the clients are connected to wired ports of AP1/AP2 and Wifi of AP1/AP2.
ian5142
DD-WRT Guru


Joined: 23 Oct 2013
Posts: 1866
Location: Canada

Posted: Sat Jan 12, 2019 14:11    Post subject: DHCP
If I was you, I would put the modem in Bridge Mode. Move both of the TP-Link routers to 192.168.1.X (1 and 2 probably). Then make one of the routers a DHCP server. The Firewall is much better in DD-WRT than most modems.
devsk
DD-WRT Novice


Joined: 25 Aug 2016
Posts: 28

Posted: Sat Jan 12, 2019 15:56    Post subject: Re: DHCP
ian5142 wrote:
If I was you, I would put the modem in Bridge Mode. Move both of the TP-Link routers to 192.168.1.X (1 and 2 probably). Then make one of the routers a DHCP server. The Firewall is much better in DD-WRT than most modems.
And the problem will still occur if my other neighbour is using TP Link with 192.168.1.1 as IP on his wifi AP... :)

But I get your point about the dd-wrt having a better featured firewall than the cable modem.
ian5142
DD-WRT Guru


Joined: 23 Oct 2013
Posts: 1866
Location: Canada

Posted: Sat Jan 12, 2019 18:55    Post subject: Firewall
I doubt you will see the problem if you are using the DD-WRT firewall. I have never seen any of my neighbours' networks.