
ATT's Misuse of CloudFlare DNS IP 1.1.1.1

I'd like to preface this story by stating this is my theory based on observations made so far.

On April 1st, 2018, CloudFlare announced their new public DNS offering, and shortly after, DSLReports users started complaining about their inability to reach the service.

Despite using the same modem and internet service as these users, I observed no issues reaching CloudFlare's IPs. Seemingly, the only difference between my setup and theirs was that I have bypassed my ATT gateway entirely. Without a bypassed gateway, you can perform a traceroute and see just one sub-millisecond hop, indicating the address is being routed to a resource within your own network.

Now, knowing that this was likely being caused by something running on the gateway, I figured the gateway's firmware might hold some clues. Luckily, I'd managed to get my hands on a copy of the firmware and successfully binwalked it a few months prior.

[screenshot: powershell_sift-1]

Using Sift, I searched through the decompiled firmware for '1.1.1.1' and quickly found a result. It was on line 8 in an init script called S91remote-monitor. Based on the contents of the file, it appears that a service called "AirTies Remote View" is binding to 1.1.1.1 on the interface wl0.

[screenshot: airties_rv_init]

With a little regex, we can also search for anything that matches an IP-like pattern. The only other thing that stood out to me was a few matches for 1.1.1.2.

[screenshot: ip_mentions]

It appears the address is being utilized by Quantenna.

[screenshot: iptables]

Based on observation of a few of the init scripts it seems all the addresses binding to 1.1.1.X are related to the configuration of AirTies services.
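The search described above, looking through an extracted firmware tree for literal IPv4 addresses and then narrowing to the 1.1.1.x range, is the kind of thing worth scripting so it can be rerun against the next firmware image. The example below is added here and is not the author's Sift session or anything from the gateway firmware: it walks a directory (such as a binwalk extraction), pulls out every dotted quad from text and binary files alike (the post notes that 1.1.1.1 and 1.1.1.2 are compiled into libraries, so the scan must not skip binaries), validates the octets, and groups hits by address. The file names and contents it scans are constructed samples, not the real init scripts.

```python
"""Scan an extracted firmware tree for IPv4 literals and group them by address.

Added example, not code from the original post. Every path and file body in
build_sample_tree() is a constructed sample, not the gateway's real firmware.
"""
import os
import re
import tempfile
from collections import defaultdict
from dataclasses import dataclass

# Candidate dotted quads. The lookarounds stop "1.2.3.4" being pulled out of
# "10.1.2.3.4" or "a1.2.3.4"; octet range is checked separately because a regex
# alone accepts 999.1.1.1. A bytes pattern means binaries are scanned as-is.
_CANDIDATE = re.compile(rb"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


@dataclass(frozen=True)
class IpHit:
    path: str      # path relative to the scanned root, "/" separated
    line: int      # 1-based, split on b"\n" so binaries usually report line 1
    address: str


def valid_ipv4(text: str) -> bool:
    """True if text is four decimal octets each in 0..255."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def scan_file(path: str, rel: str, prefix: str = "") -> list[IpHit]:
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        for m in _CANDIDATE.finditer(raw):
            addr = m.group(1).decode("ascii")
            if valid_ipv4(addr) and addr.startswith(prefix):
                hits.append(IpHit(rel, lineno, addr))
    return hits


def scan_tree(root: str, prefix: str = "") -> list[IpHit]:
    """Walk root (e.g. a binwalk extraction) and collect IPv4 hits.

    prefix narrows the report, e.g. "1.1.1." for the range in the post.
    Symlinks are skipped; squashfs extractions are full of them.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits.extend(scan_file(full, rel, prefix))
    return sorted(hits, key=lambda h: (h.address, h.path, h.line))


def summarize(hits: list[IpHit]) -> dict[str, list[str]]:
    """address -> sorted list of "path:line" where it appears."""
    out: dict[str, list[str]] = defaultdict(list)
    for h in hits:
        out[h.address].append(f"{h.path}:{h.line}")
    return {addr: sorted(locs) for addr, locs in out.items()}


def build_sample_tree(root: str) -> None:
    """Constructed sample files standing in for an extracted firmware image."""
    etc = os.path.join(root, "etc", "init.d")
    lib = os.path.join(root, "usr", "lib")
    os.makedirs(etc)
    os.makedirs(lib)
    with open(os.path.join(etc, "S91remote-monitor"), "w") as f:
        f.write("#!/bin/sh\n# constructed sample, not the real init script\n"
                "BIND_ADDR=1.1.1.1\nBIND_IF=wl0\n")
    with open(os.path.join(etc, "S90network"), "w") as f:
        # A version string and an out-of-range octet, to show what the
        # validator does and does not filter.
        f.write("#!/bin/sh\nFW_VERSION=2.3.4.5\nBAD=999.1.1.1\nNTP=192.168.1.254\n")
    with open(os.path.join(lib, "libsample.so"), "wb") as f:
        # Fake binary: addresses sit between NUL bytes, as in a .rodata section.
        f.write(b"\x7fELF" + b"\x00" * 16 + b"1.1.1.2\x00" + b"\xff" * 8 + b"10.0.0.1\x00")


def run_demo(prefix: str = "") -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return summarize(scan_tree(root, prefix))


if __name__ == "__main__":
    for addr, locs in run_demo().items():
        print(addr, "->", ", ".join(locs))
    print("1.1.1.x only:", run_demo("1.1.1."))
```

Two caveats the sample deliberately exposes: 999.1.1.1 is dropped by the octet check, but a version string such as 2.3.4.5 is syntactically a valid address and survives, so hits still need a human (or a filter on known prefixes) before any conclusion is drawn; and a match inside a binary tells you the address is baked into the code, as the post observes for the AirTies libraries, but not which interface it is bound to, which only the init scripts show.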

Config for steering client,

[screenshot: steering_conf]

Linking it back to AirTies,

[screenshot: airties_link]

AirTies seems to have several large ISPs as customers, and after spot checking a few of them, it seems like there are some consumers of these ISPs with similar complaints. It's unclear if those consumers are impacted for the same reason, or if there's a different cause for their problems. The 1.1.1.1 and 1.1.1.2 addresses are both compiled into some of the libraries used, so it's likely to be a choice made by AirTies, but I can't be certain.
