Jump to content

ARP Cache Poisoning Attack


Recommended Posts

Hello guys. I was using my Oculus Quest 2 via air link. If you're not familiar, airlink allows to connect the the quest 2 vr headset to my pc and play wirelessly. I noticed some stuttering and decided to go into router and change wifi channel. Like 10 seconds after changing it I got 6 notifications from ESET...network threat blocked, arp cache poisoning attack. I was thinking that maybe it's a false positive because it happened exactly when I changed the wifi channel so I tried to change the channel again, and it happened again. If i put my cursor on "Computer" in the eset notification, it shows my the ip of the device and the device is the oculus quest 2. Did i get some malware on the quest 2 or should i ignore those notifications? I can't scan the quest if i connect it to pc although it shows up as a removable device. Thanks.

k.jpg

Link to comment
Share on other sites

  • Administrators

It's typically a result of having adapters with identical IP addresses in the network. Check your firewall log if it contains records about detected identical IP addresses.

Link to comment
Share on other sites

I didn't find any record about identical ip adresses. But looking in the logs the source ip is not always the quest 2 as i thought, i also get 192.168.1.1 which is the router. 

Besides my router, I have added a 2nd router in my parents kitchen and i use it as an extender so they have better range in their room. Could that cause this problem ?

z.jpg

Edited by ynwa
Link to comment
Share on other sites

I powered off the router that i use as extender and changed wifi channel to try replicate the issue and see if that extender was the cause. I didn't get that notification anymore. I thought i solved the problem. But after i plugged the extender back in and changed wifi channel im not receiving that ARP attack notification anymore. I can't replicate anymore. Do you still think that 2nd router that i use as extender can be the cause? Thanks.

Link to comment
Share on other sites

17 hours ago, Marcos said:

It's typically a result of having adapters with identical IP addresses in the network. Check your firewall log if it contains records about detected identical IP addresses.

I forgot to quote you in my replies. Can you please help me solve this problem? Do you think the 2nd router is the cause? Thank you.

Link to comment
Share on other sites

On 1/15/2022 at 3:39 AM, ynwa said:

I didn't find any record about identical ip adresses. But looking in the logs the source ip is not always the quest 2 as i thought, i also get 192.168.1.1 which is the router. 

Besides my router, I have added a 2nd router in my parents kitchen and i use it as an extender so they have better range in their room. Could that cause this problem ?

Verify that you have configured the main router properly.

I'm assuming both routers are set up in Wi-Fi mode. In that case, you want to set the main router to "repeater mode" as shown in this article: https://www.lifewire.com/use-router-as-wifi-extender-5190828 .

Link to comment
Share on other sites

55 minutes ago, itman said:

Verify that you have configured the main router properly.

I'm assuming both routers are set up in Wi-Fi mode. In that case, you want to set the main router to "repeater mode" as shown in this article: https://www.lifewire.com/use-router-as-wifi-extender-5190828 .

Hello. I think I did it correctly the first time but to be sure i resetted the 2nd router and configured it again. I've set the 2nd router as repeater and changed the ip address from 192.168.1.1 to 192.168.1.33 otherwise i cant access the interface because the routers have same ip. And then I connected the 2nd router to the 1st router's wifi. I will have to wait and see if i get that arp attack notification again. Do you think it's some conflict or attacker ? I dont understand what you mean by configuring the main router properly..i didnt have to do anything to it. I've followed the steps in the article, the repeater steps

Link to comment
Share on other sites

1 minute ago, ynwa said:

I've set the 2nd router as repeater

According to the linked Livewire article, you set the existing; i.e. "old,' router to repeater mode:

Quote

Locate the old router’s wireless settings and select Repeating Mode.

 

Link to comment
Share on other sites

I call 2nd router aka a spare router that i wasnt using anymore...thats the one i've put in repeating mode, to extend the range of my main router.  Is this correct ?

Edited by ynwa
Link to comment
Share on other sites

46 minutes ago, ynwa said:

I call 2nd router aka a spare router that i wasnt using anymore...thats the one i've put in repeating mode, to extend the range of my main router.  Is this correct ?

Correct.

Link to comment
Share on other sites

  • 2 weeks later...

Guys, after 12 days it has started again...what can I do ? Is someone really trying to steal information from me or is it a false positive ? I have 1000 network protection logs now with ARP cache poison attack. Again the IP is of the Quest 2. This time I didn't get any notification, I manually checked. I still have a suspicion it may have to do something with that 2nd router that I use as an extender but I dont know...

 

 

ftjynuh.jpg

Edited by ynwa
Link to comment
Share on other sites

  • Most Valued Members

If I am not mistaken , there are 2 devices on your network that are trying to obtain the same IP Address , that is why you are getting detections of it.

Link to comment
Share on other sites

  • Administrators

You can create an IDS exception for the detection / IP address if you intentionally use more devices with the same IP address.

Link to comment
Share on other sites

3 hours ago, Marcos said:

You can create an IDS exception for the detection / IP address if you intentionally use more devices with the same IP address.

But im not intentionally using more devices with the same ip. I didn't had this problem until I plugged that 2nd router which as far as I know is configured correctly. How can I know if someone is attacking me or if its just a duplicate ip ? Thank you.

Link to comment
Share on other sites

  • Administrators

Maybe the router supports mesh networks in which the IP address of the router is shared?

Link to comment
Share on other sites

  • Most Valued Members
8 minutes ago, ynwa said:

But im not intentionally using more devices with the same ip. I didn't had this problem until I plugged that 2nd router which as far as I know is configured correctly. How can I know if someone is attacking me or if its just a duplicate ip ? Thank you.

You could make the second router with a different subnet , then it won't have duplicate IPs , or the device that is trying to take the already taken IP Address , Manually give it a new address that isn't taken by another device in the network, but that won't prevent another device from trying and take it again.

Link to comment
Share on other sites

I have no idea on how to do all that. it's a bit too advanced for my networking knowledge I will do some research... I don't know if this helps in any way but Im able to replicate the arp poisoning attack notification. If i switch the wi fi network that my quest 2 is connected to, to the 2nd router(the extender) i get the notification again... I will try some research thanks for taking the time to assist me.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...