Strange things are going on our network.
Since yesterday a host which is actually not on our subnet spreads wrong ARP Replys on our network. To be precise, only on the WIFI. If I connect my Laptop to the cable ethernet, it gets the right MAC adress of the router. Also my Android phone and my Ubuntu system do get the right MAC Adress.
So I took a look at wireshark. When I clear the ARP cache of the windows machine, the first ARP response is correct and comes from the router. But like 10 ms later another ARP response comes from another host in the WIFI.
The host changes its IP Adresses from time to time and they look like they are not on our subnet. So I can not use the internet because DNS is not working anymore.
Sometimes the router wins the race condition and the mac adress is set correctly in the arp cache.
I first thought, this is an arp-poisoning mitm attack but it does not make sense if the packets get not routed correctly?!
I restarted the router but it didn’t help. I have no access to the router, else I would change the shared key to make sure there is no intruder on the wifi.
Looks like a rogue AP. Get out something you can measure wireless signal strength with, track it down and unplug it.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.