IPoE is good, but…

St. Petersburg provider SkyNet? It may seem that the vulnerability is rather banal and it is surprising how such an experienced “participant of the Internet” as an ISP could even allow it? Here’s a more interesting situation for you.


All information is provided for academic purposes ONLY. The author respects his colleagues and in every possible way condemns any destruction!


So, I once helped a young progressive gamer and novice streamer set up high-quality, fast and fault-tolerant Internet. Naturally: MikroTik, Dual-WAN, monitoring, the works. The provider is FTTB with IPoE. It has you enter the static address by hand and issues a /22 subnet. A thought keeps spinning in my head: "I wonder how access is organized?" In theory, each user should have an isolated port (VLAN per user or something like that) and not be visible to their neighbors. But in fact... well, everything is a little different.

Hello network neighbor!

Let’s start experimenting. In WinBox, I add the port to which the provider’s cable (WAN) is connected to one bridge along with the port that faces the local network (in my case, the young gamer’s PC), thus merging our broadcast domain with the provider’s broadcast domain.

Well, in fact, everything is ready!

You can move on to fun!

Actually, it won’t work. But we can sniff the traffic of broadcast protocols. Right on the spot, we immediately check all sorts of discovery protocols with the same WinBox (Mikrotiks from are mine). Voila!

Hello MikroTik brothers!

Someone is not even afraid to expose the management interface to the outside without any VPN there. Risky guys!

Because I have limited time and I don’t have Linux with nmap at hand, I quickly install Wireshark on Windows, and move on. Let’s see how things are with ARP?

Great and terrible Broadcast!

And things are going really well. 621 (!) ARP packets in 30 seconds! Zyxel, TP-Link, Tenda (the provider rents them out), Cisco, even some BeijingX (judging by Google, something from the Xiaomi zoo). Beautiful. Out of curiosity, I decided to see what kind of Cisco it was. It turned out to be someone’s IP phone.

Unfortunately, it was not possible to conduct a full-fledged pentest of the other hosts; besides, the connection is registered in the name of the young gamer’s parent, and if anything happened there would be big problems :(. But I think you get the point.

Of course, the switches are probably configured to protect against storms and various kinds of spoofing. But the very fact that the provider puts the whole house in one broadcast domain is somewhat alarming, because there will always be ways to get through to your neighbor.
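A subscriber or the provider's own engineer can verify port isolation by checking which ARP senders are visible on a customer port: on an isolated port only the subscriber's own devices and the gateway should appear. The following is an added example, not code from the original post; the frames, MAC addresses, IP addresses and function names are constructed for illustration.

```python
import struct
from collections import Counter

ETH_P_ARP, ETH_P_8021Q = 0x0806, 0x8100

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 14:
        return None
    off = 12
    if struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        off += 4  # skip a single 802.1Q tag
    if len(frame) < off + 30:  # EtherType (2) + ARP body (28)
        return None
    if struct.unpack("!H", frame[off:off + 2])[0] != ETH_P_ARP:
        return None
    arp = frame[off + 2:off + 30]
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return arp[8:14].hex(":"), ".".join(map(str, arp[14:18]))

def isolation_report(frames, own_macs, gateway_macs):
    """Count ARP senders on a subscriber port that are neither ours nor the gateway."""
    foreign = Counter()
    for frame in frames:
        sender = parse_arp(frame)
        if sender and sender[0] not in own_macs and sender[0] not in gateway_macs:
            foreign[sender] += 1
    return {"isolated": not foreign, "foreign_senders": dict(foreign)}

def _arp(src_mac, src_ip, dst_ip, op=1):
    """Build a broadcast ARP frame (constructed sample data only)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    return (b"\xff" * 6 + mac + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac + ip(src_ip) + b"\x00" * 6 + ip(dst_ip))

OWN, GATEWAY = {"02:00:00:00:00:10"}, {"02:00:00:00:00:01"}
SAMPLE = [  # constructed capture: gateway, our router, two neighbours
    _arp("02:00:00:00:00:01", "192.0.2.1", "192.0.2.10"),
    _arp("02:00:00:00:00:10", "192.0.2.10", "192.0.2.1"),
    _arp("02:00:00:00:00:aa", "192.0.2.55", "192.0.2.1"),
    _arp("02:00:00:00:00:aa", "192.0.2.55", "192.0.2.1"),
    _arp("02:00:00:00:00:bb", "192.0.2.77", "192.0.2.1"),
]

if __name__ == "__main__":
    print(isolation_report(SAMPLE, OWN, GATEWAY))
```

Any non-empty `foreign_senders` means the port shares a broadcast domain with other subscribers.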

Instead of a conclusion

IPoE is great. No more need to explain to the user how to set up a PPPx session, no logins and passwords to remember, less load on the equipment, not a single disconnect. Beautiful! But to put subscribers from the whole house into a common /22? An interesting decision. What do you think about it?
