IPv4 gateway changes when DNS poisoning from successful arp spoof
I’ve recently been testing my wireless LAN against common attacks, one of them being arp spoofing, and attacks stemming from a successful arp spoof, such as dns poisoning. (I use bettercap
)
On all of my routers, arp spoofing works successfully. But on one, DNS spoofing results in something strange:
- I obtain full arp control of a target device.
- The target device makes a DNS request to a particular domain.
- I “poison” the reply, attempting to redirect the victim to a different IP address, before domain resolution occurs.
- Instead, what actually happens is that before the victim has time to be redirected, the IPv4 gateway address changes to something random1.
- I (automatically) try again, and it changes, again.
- This creates an endless loop where the victim’s page never actually loads, but neither does the intended one.
Why?- Is this some sort of protection? I don’t know of any premeditated protections on that router.
Is there a way to prevent this happening?
1: My default IPv4 gateway address is 192.168.9.1
, with devices situated on 192.168.9.*
. When the gateway changes, it changes to anything situated along 192.168.*.1
. Because this gateway is invalid, it forces the DNS spoofing to temporarily stop, as described above. The gateway then changes back to the default shortly after.