2 WAN IPs get only one MAC address - poison/spoofing attack?

Author Message
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Tue May 25, 2021 1:27    Post subject: 2 WAN IPs get only one MAC address - poison/spoofing attack?
WAN is my eth4 interface and I get the WAN IP via DHCP. Once I get the WAN IP, I enter SSH and type "arp -a". That shows me 2 WAN IPs with an identical MAC address for each. The MAC address is from the ISP's neighborhood-wide node switch. One of the IPs is the actual WAN IP, but the other IP is the IDP DHCP server/gateway.

I can delete one of the entries, but I do not know which one I should bind to my WAN port?
tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 554

PostPosted: Tue May 25, 2021 7:54    Post subject:
say what??

when you say "Once I get the WAN IP, I enter SSH"

what do you mean? Are you saying you are sshing into the dd-wrt router?

"That shows me 2 WAN IP with identical MAC address for each. The MAC address is from ISP's neighborhood-wide node switch. One of the IP's is the actual WAN IP, but the other IP is IDP DHCP server/gateway."

That does NOT sound to me like a DHCP connection; that sounds like a PPP or other point-to-point connection, or possibly a VPN connection.

What is IDP?

Something does not sound right here. On the router itself you would normally have a single MAC per IP even if you are receiving an IP via DHCP. You would not have an arp entry for a local interface, either (i.e., either the WAN or the bridge interface).

Please post the output of ifconfig followed by arp -a (you can change the IPs if you like).
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14126
Location: Texas, USA

PostPosted: Tue May 25, 2021 14:29    Post subject:
It is possible for the arp cache to have two IPs for the same MAC address.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 554

PostPosted: Wed May 26, 2021 5:50    Post subject:
Yes, if you have a secondary IP added to the interface, which is why I would like to see the ifconfig output. It's a common trick used when going through a subnet renumber; in fact, I've used it myself in production.
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Thu May 27, 2021 10:45    Post subject:
kernel-panic69 wrote:
It is possible for the arp cache to have two IPs for the same MAC address.


Under normal circumstances, that is the definition of ARP cache poisoning.
tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 554

PostPosted: Thu May 27, 2021 15:10    Post subject:
MonarchX wrote:

Under normal circumstances, that is the definition of ARP cache poisoning.


A secondary IP is a different IP with the same MAC. An ARP cache poison is when you have different MACs for the same IP. They are different things entirely.

The point of an ARP cache poison is to redirect traffic, usually default gateway traffic. The point of a secondary IP is to access 2 independent networks on the same wire.

For example, Comcast has endpoint CPEs that have a hardcoded IP of 10.0.10.1 on them. If you get a static IP from them, for example 5.6.7.2/30, their gear has 5.6.7.1/30 on it - but due to stupidity in the firmware some of their devices won't let the admin access them with a web browser on 5.6.7.1. You might then be using a Linux box to do double duty as both an Asterisk server and a translating router so you can have the static on the machine without having to run the SIP trunks through a translator... so... to get access to the Comcast device (for reporting, etc.) you would put a secondary IP of 10.0.10.2 on the interface.

That's just one legitimate use of secondary IPs; there are others... I mentioned renumbering already...

As for different MACs for the same IP, the legitimate needs are more rare, but they do exist - HSRP is one of them.

Not everything weird in networking is an attack. And esoteric attacks are getting more rare because so many attackers are stupid morons: script kiddies that are fooling around with stuff they would have no ability to write, and certainly don't understand.

You need to print out Hanlon's razor and stick it on your wall... LOL... ISPs are NOT known for being experts in endpoint equipment configuration, after all...
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Fri May 28, 2021 15:37    Post subject:
Er... ARP Cache Poison = different IPs with the same MAC address.

Before ARP Cache Poisoning:


After ARP Cache Poisoning:


Another example of ARP Cache Poisoning:
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14126
Location: Texas, USA

PostPosted: Fri May 28, 2021 16:27    Post subject:
Actually, both are technically spoofing / poisoning and part of a MITM attack. Not sure what to think of this anomaly, though. I see no reason for it. It could be on your ISP's end, or not.
tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 554

PostPosted: Sat May 29, 2021 19:13    Post subject:
kernel-panic69 wrote:
Actually, both are technically spoofing / poisoning and part of a MITM attack.


CAN be part of an attack. However, it would be a poor attack if it's ADDING an additional IP to the same MAC address, because the original default route would still exist to the original MAC, and even if the attacker adjusted the route somehow to the new IP, the new IP is just going to point to the SAME MAC as the old IP. So the MITM is still never going to see the victim's packets no matter how many IPs he adds with the same MAC.

Think about it for a moment and you will realize such an "attack" isn't a MITM attack. More like a "script kiddie got it azz-backwards attack".
tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 554

PostPosted: Sat May 29, 2021 19:19    Post subject:
MonarchX wrote:
Er... ARP Cache Poison = different IPs with the same MAC address.

Before ARP Cache Poisoning:


After ARP Cache Poisoning:



172.20 is part of the RFC private address range, so all bets are off here. Even though this is on a WAN, your ISP isn't actually delivering you a public IP.

The range is:
172.16.0.0 - 172.31.255.255
CIDR: 172.16.0.0/12

Same goes for the 192.168.x.x range.

You are behind someone else's router. Based on what's supplied here, it looks EXACTLY like you are a student in a college dorm, plugged into the Ethernet port on the wall, and you are not actually paying a real ISP for Internet connectivity.
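The two distinctions tedm draws in this thread (a secondary IP is several IPs sharing one MAC and is usually benign; an ARP cache poison is one IP whose MAC changes; and a 172.16.0.0/12 address on the WAN means you are behind someone else's router) can be turned into a small defender-side check over `arp -a` output. The following is an added example written for this page, not code from the thread or from DD-WRT; it assumes the BusyBox `arp -a` line format used on DD-WRT ("? (ip) at mac [ether] on dev") and uses two constructed snapshots with made-up addresses and MACs.

```python
"""Classify ARP-cache entries from two `arp -a` snapshots (BusyBox / DD-WRT style).

Added example, not from the thread. It encodes tedm's distinction between a
secondary IP (several IPs sharing one MAC: usually benign) and the actual
poisoning indicator (one IP whose MAC changes between snapshots), and flags
RFC 1918 space on the WAN side.
"""
import ipaddress
import re
from collections import defaultdict

# BusyBox `arp -a` line, e.g. "? (172.20.0.1) at 00:11:22:aa:bb:cc [ether] on eth4".
# Lines such as "? (10.0.0.9) at <incomplete> on br0" do not match and are skipped.
ARP_LINE = re.compile(
    r"^\S+\s+\((?P<ip>[0-9.]+)\)\s+at\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"\s+\[ether\]\s+on\s+(?P<dev>\S+)",
    re.IGNORECASE,
)

# The three RFC 1918 ranges; 172.16.0.0/12 is the one discussed in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_arp(text):
    """Return {ip: (mac, dev)} for complete entries in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["dev"])
    return table


def is_rfc1918(ip):
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def shared_macs(table):
    """MACs that answer for more than one IP (a secondary IP, or one gateway box
    holding several addresses). By itself this is not poisoning."""
    by_mac = defaultdict(list)
    for ip, (mac, _dev) in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def mac_changes(before, after):
    """IPs whose MAC differs between two snapshots: the classic poisoning
    indicator (different MACs for the same IP), barring a legitimate host swap."""
    changes = {}
    for ip, (old_mac, _dev) in before.items():
        if ip in after and after[ip][0] != old_mac:
            changes[ip] = (old_mac, after[ip][0])
    return changes


def assess(before, after):
    """Short defender-oriented report combining the checks above."""
    findings = []
    for mac, ips in shared_macs(after).items():
        findings.append(f"info: {mac} answers for {', '.join(ips)} "
                        "(shared MAC: secondary IP or gateway, not poisoning by itself)")
    for ip, (old, new) in mac_changes(before, after).items():
        findings.append(f"ALERT: {ip} moved from {old} to {new} (same IP, different MAC)")
    for ip in after:
        if is_rfc1918(ip):
            findings.append(f"note: {ip} is RFC 1918 space; the upstream is another router, "
                            "not a public ISP handoff")
    return findings


# Constructed snapshots (made-up addresses and MACs). T0 mirrors the situation
# described in the thread: two WAN-side IPs behind one MAC on eth4.
SNAPSHOT_T0 = """\
? (172.20.0.1) at 00:11:22:aa:bb:cc [ether] on eth4
? (172.20.5.17) at 00:11:22:aa:bb:cc [ether] on eth4
? (192.168.1.50) at <incomplete> on br0
"""
# In T1 the gateway IP suddenly resolves to a different MAC: that is the case worth alerting on.
SNAPSHOT_T1 = """\
? (172.20.0.1) at de:ad:be:ef:00:01 [ether] on eth4
? (172.20.5.17) at 00:11:22:aa:bb:cc [ether] on eth4
"""

if __name__ == "__main__":
    for line in assess(parse_arp(SNAPSHOT_T0), parse_arp(SNAPSHOT_T1)):
        print(line)
```

Run against the constructed data, the T0 snapshot only produces "info" and "note" lines (shared MAC, private address space), while T1 produces an ALERT for 172.20.0.1, which is the only one of the three findings that actually matches the definition of poisoning given in the thread. On a real DD-WRT box the same functions could be fed `arp -a` output saved at two points in time.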
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Sun May 30, 2021 14:04    Post subject:
tedm wrote:
MonarchX wrote:
Er... ARP Cache Poison = different IP's with same MAC address.

Before ARP Cache Poisoning:


After ARP Cache Poisoning:



172.20 is part of the RFC private address range so all bets are off here. Even though this is on a WAN, your ISP isn't actually delivering you a public IP.

The range is:
172.16.0.0 - 172.31.255.255
CIDR: 172.16.0.0/12

Same goes for the 192.168.x.x range

You are behind someone else's router. Based on what's supplied here it looks EXACTLY like you are a student in a college dorm, plugged into the ethernet port on the wall and you are not actually paying a real ISP for Internet connectivity.


That was just an example of an ARP spoofing attack I found on a website.