ARP Cache Poisoning Attack

[ynwa 0]

Hello guys. I was using my Oculus Quest 2 via air link. If you're not familiar, airlink allows to connect the the quest 2 vr headset to my pc and play wirelessly. I noticed some stuttering and decided to go into router and change wifi channel. Like 10 seconds after changing it I got 6 notifications from ESET...network threat blocked, arp cache poisoning attack. I was thinking that maybe it's a false positive because it happened exactly when I changed the wifi channel so I tried to change the channel again, and it happened again. If i put my cursor on "Computer" in the eset notification, it shows my the ip of the device and the device is the oculus quest 2. Did i get some malware on the quest 2 or should i ignore those notifications? I can't scan the quest if i connect it to pc although it shows up as a removable device. Thanks.

[Marcos 4,285]

It's typically a result of having adapters with identical IP addresses in the network. Check your firewall log if it contains records about detected identical IP addresses.

[ynwa 0]

I didn't find any record about identical ip adresses. But looking in the logs the source ip is not always the quest 2 as i thought, i also get 192.168.1.1 which is the router. 

Besides my router, I have added a 2nd router in my parents kitchen and i use it as an extender so they have better range in their room. Could that cause this problem ?

Edited January 15 by ynwa

[ynwa 0]

I powered off the router that i use as extender and changed wifi channel to try replicate the issue and see if that extender was the cause. I didn't get that notification anymore. I thought i solved the problem. But after i plugged the extender back in and changed wifi channel im not receiving that ARP attack notification anymore. I can't replicate anymore. Do you still think that 2nd router that i use as extender can be the cause? Thanks.

[ynwa 0]

17 hours ago, Marcos said:

It's typically a result of having adapters with identical IP addresses in the network. Check your firewall log if it contains records about detected identical IP addresses.

I forgot to quote you in my replies. Can you please help me solve this problem? Do you think the 2nd router is the cause? Thank you.

[itman 1,407]

On 1/15/2022 at 3:39 AM, ynwa said:

I didn't find any record about identical ip adresses. But looking in the logs the source ip is not always the quest 2 as i thought, i also get 192.168.1.1 which is the router. 

Besides my router, I have added a 2nd router in my parents kitchen and i use it as an extender so they have better range in their room. Could that cause this problem ?

Verify that you have configured the main router properly.

I'm assuming both routers are set up in Wi-Fi mode. In that case, you want to set the main router to "repeater mode" as shown in this article: https://www.lifewire.com/use-router-as-wifi-extender-5190828 .

[ynwa 0]

55 minutes ago, itman said:

Verify that you have configured the main router properly.

I'm assuming both routers are set up in Wi-Fi mode. In that case, you want to set the main router to "repeater mode" as shown in this article: https://www.lifewire.com/use-router-as-wifi-extender-5190828 .

Hello. I think I did it correctly the first time but to be sure i resetted the 2nd router and configured it again. I've set the 2nd router as repeater and changed the ip address from 192.168.1.1 to 192.168.1.33 otherwise i cant access the interface because the routers have same ip. And then I connected the 2nd router to the 1st router's wifi. I will have to wait and see if i get that arp attack notification again. Do you think it's some conflict or attacker ? I dont understand what you mean by configuring the main router properly..i didnt have to do anything to it. I've followed the steps in the article, the repeater steps

[itman 1,407]

1 minute ago, ynwa said:

I've set the 2nd router as repeater

According to the linked Livewire article, you set the existing; i.e. "old,' router to repeater mode:

Quote

Locate the old router’s wireless settings and select Repeating Mode.

 

[ynwa 0]

I call 2nd router aka a spare router that i wasnt using anymore...thats the one i've put in repeating mode, to extend the range of my main router.  Is this correct ?

Edited January 16 by ynwa

[itman 1,407]

46 minutes ago, ynwa said:

I call 2nd router aka a spare router that i wasnt using anymore...thats the one i've put in repeating mode, to extend the range of my main router.  Is this correct ?

Correct.

[ynwa 0]

Guys, after 12 days it has started again...what can I do ? Is someone really trying to steal information from me or is it a false positive ? I have 1000 network protection logs now with ARP cache poison attack. Again the IP is of the Quest 2. This time I didn't get any notification, I manually checked. I still have a suspicion it may have to do something with that 2nd router that I use as an extender but I dont know...

 

 

Edited January 30 by ynwa

[Nightowl 157]

If I am not mistaken , there are 2 devices on your network that are trying to obtain the same IP Address , that is why you are getting detections of it.

[Marcos 4,285]

You can create an IDS exception for the detection / IP address if you intentionally use more devices with the same IP address.

[ynwa 0]

3 hours ago, Marcos said:

You can create an IDS exception for the detection / IP address if you intentionally use more devices with the same IP address.

But im not intentionally using more devices with the same ip. I didn't had this problem until I plugged that 2nd router which as far as I know is configured correctly. How can I know if someone is attacking me or if its just a duplicate ip ? Thank you.

[Marcos 4,285]

Maybe the router supports mesh networks in which the IP address of the router is shared?

[Nightowl 157]

8 minutes ago, ynwa said:

But im not intentionally using more devices with the same ip. I didn't had this problem until I plugged that 2nd router which as far as I know is configured correctly. How can I know if someone is attacking me or if its just a duplicate ip ? Thank you.

You could make the second router with a different subnet , then it won't have duplicate IPs , or the device that is trying to take the already taken IP Address , Manually give it a new address that isn't taken by another device in the network, but that won't prevent another device from trying and take it again.

[ynwa 0]

I have no idea on how to do all that. it's a bit too advanced for my networking knowledge I will do some research... I don't know if this helps in any way but Im able to replicate the arp poisoning attack notification. If i switch the wi fi network that my quest 2 is connected to, to the 2nd router(the extender) i get the notification again... I will try some research thanks for taking the time to assist me.