Member preview

ATT’s Misuse of CloudFlare DNS IP 1.1.1.1

I’d like to preface this story by stating this is my theory based on observations made so far.

Update: As of 10/2/2018 ATT has released a version of their firmware for the Pace 5268AC in certain markets. This new firmware (11.1.0.531418) includes several changes to resolve the issues routing 1.1.1.1. Primarily, changing binding addresses for AirTies from 1.1.1.X to 203.0.113.X.
All references to the new address range can be found
(here).

On April 1st 2018 CloudFlare announced their new public DNS offering, and shortly after DSLReports users started complaining about their inability to reach the service.

Despite using the same modem and internet service as these users, I observed no issues reaching CloudFlare’s IPs. Seemingly, the only difference between my setup and theirs, was that I have bypassed my ATT gateway entirely. Without a bypassed gateway you can perform a trace route and see just one sub-millisecond hop, indicating the address is being routed to a resource within your own network.

Now, knowing that this was likely being caused by something running on the gateway, I figured the gateway’s firmware might hold some clues. Luckily, I’d managed to get my hands on a copy of the firmware and successfully binwalked it a few months prior.

Using Sift, I searched though the decompiled firmware for ‘1.1.1.1’ and quickly found a result. It was on line 8 in an init script called S91remote-monitor. Based on the contents of the file, it appears that a service called “AirTies Remote View” is binding to 1.1.1.1 on the interface wl0.

With a little regex, we can also search for anything that matches an ip-like pattern. The only other thing that stood out to me was a few matches for 1.1.1.2.

It appears the address is being utilized by Quantenna.

Based on observation of a few of the init scripts it seems all the addresses binding to 1.1.1.X are related to the configuration of AirTies services.

Config for steering client,

Linking it back to AirTies,

AirTies seems to have several large ISPs as customers, and after spot checking a few of them, it seems like there are some consumers of these ISPs with similar complaints. It’s unclear if those consumers are impacted for the same reason, or if there’s a different cause for their problems. The 1.1.1.1 and 1.1.1.2 addresses are both compiled into some of the libraries used, so it’s likely to be a choice made by AirTies, but I can’t be certain.


Originally published at blog.taylorsmith.xyz on May 5, 2018.