ARP gratuitous attack: an ARP reply packet is broadcasted with the spoofed IP as the source and destination protocol address.
The device that sends these abnormal requests is Apple TV 4K 2021 and these requests tend to occur when it becomes idle, but enabling/disabling Sleep Mode on the device itself has no effect on these requests.
All network clients have static IPs assigned in the gateway router and on the devices themselves. DHCP for LAN is disabled. Static ARP is set on the gateway router and on the local DNS server for all clients.
Most ARP requests and ARP replies for Apple TV 4K 2021 are normal and show correct Apple TV 4K IP + MAC, correct gateway IP + MAC, and correct local DNS server IP + MAC addresses for source and destination. The abnormal requests tend to occur when Apple TV 4K 2021 becomes idle and abnormal requests occur in series of 6-12 attempts.
The router I use is from Ubiquiti and it reports constant and consistent "High TCP Latency" anomaly for Apple TV 4K 2021, but only when Apple TV 4K 2021 becomes idle.
When in use, Apple TV 4K 2021 performs very well without any noticeable high latency or issues.
My main concern is that someone may be spoofing Apple TV 4K 2021 MAC address and local IP to perform ARP poisoning MITM attacks. There is no way to change Apple TV 4K 2021 MAC address.
To mitigate any ARP spoofing and other types of spoofing, I make sure to:
- Set static ARP for all clients in router and local DNS server configs
- Bind MAC + IP addresses with ARPTables, EBTables and IPTables in gateway router and local DNS server configs
- Edit SysCTL.conf in router and local DNS server configs to disable gratuitous ARP, disable sending and/or accepting redirects, force-enable return path filtering (rp_filter=1), disable ARP proxy, and disable ARP flux (drop_gratuitous_arp=1).
Last edited by MonarchX on Tue Nov 09, 2021 13:13; edited 4 times in total
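One way to triage the gratuitous ARP frames described in the post above is to compare each frame's Ethernet source, ARP sender MAC and claimed IP against the static bindings. This is an added example, not part of the original post; the addresses, the `BINDINGS` table and the function names are constructed for illustration.

```python
import struct

# Constructed IP -> MAC bindings, standing in for the static ARP table in the post.
BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01", "192.168.1.50": "aa:bb:cc:00:00:50"}

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Parse an untagged Ethernet II frame carrying IPv4 ARP; None if it is anything else."""
    if len(frame) < 42:
        return None
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(src), "op": op, "sha": _mac(sha), "spa": _ip(spa), "tpa": _ip(tpa)}

def classify(frame, bindings=BINDINGS):
    """Return a sorted list of flags describing why an ARP frame deserves attention."""
    p = parse_arp(frame)
    if p is None:
        return ["not-arp"]
    flags = set()
    if p["spa"] == "0.0.0.0":
        flags.add("probe")                 # RFC 5227 address probe, claims nothing yet
    elif p["spa"] == p["tpa"]:
        flags.add("gratuitous")            # sender and target protocol address are equal
    if p["eth_src"] != p["sha"]:
        flags.add("eth-src-mismatch")      # frame source differs from ARP sender MAC
    expected = bindings.get(p["spa"])
    if p["spa"] != "0.0.0.0" and expected is None:
        flags.add("unbound-ip")            # no static entry exists for this IP
    elif expected is not None and expected != p["sha"]:
        flags.add("binding-violation")     # IP claimed by a MAC other than the bound one
    return sorted(flags)

def build(eth_src, sha, spa, tpa, op=2):
    """Construct a broadcast ARP frame for the samples below (test data only)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return m("ff:ff:ff:ff:ff:ff") + m(eth_src) + hdr + m(sha) + i(spa) + m("00:00:00:00:00:00") + i(tpa)

TV, ROGUE = "aa:bb:cc:00:00:50", "de:ad:be:ef:00:99"   # constructed MACs
OWN_ANNOUNCE = build(TV, TV, "192.168.1.50", "192.168.1.50")         # device announcing itself
FOREIGN_CLAIM = build(ROGUE, ROGUE, "192.168.1.50", "192.168.1.50")  # other MAC claims the IP
FORGED_SHA = build(ROGUE, TV, "192.168.1.50", "192.168.1.50")        # payload MAC forged only
```

A frame flagged only `gratuitous` is consistent with the device announcing its own address. A frame in which every field matches the binding cannot be told apart from the real device by this check alone, so the switch port the frame arrived on is the next thing to compare.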