Abnormal ARP Request

MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Mon Nov 08, 2021 21:52    Post subject: Abnormal ARP Request
192.168.7.3 is a client device in 192.168.7.1/24 network, where 192.168.7.1 is gateway.

Code:
Request who-has 192.168.7.3 tell 192.168.7.3, length 28
Request who-has 192.168.7.3 tell 192.168.7.3, length 28
Request who-has 192.168.7.3 tell 192.168.7.3, length 28
Request who-has 192.168.7.3 tell 192.168.7.3, length 28
Request who-has 192.168.7.3 tell 192.168.7.3, length 28
Request who-has 192.168.7.3 tell 192.168.7.3, length 28




Last edited by MonarchX on Tue Nov 09, 2021 13:13; edited 4 times in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12463
Location: Texas, USA

PostPosted: Mon Nov 08, 2021 22:43
More details on what said client device is, OS, installed apps, etc. might help. Might be time to refresh the arp table on said device, etc.

https://networkengineering.stackexchange.com/questions/19947/how-to-send-an-arp-request-manually

Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1268

PostPosted: Mon Nov 08, 2021 22:58
yeah there is no context related to this... I can break networking things too...
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Tue Nov 09, 2021 9:59
I don't like to share more info than necessary about my topology, but what is going on seems to fit the definition of Gratuitous ARP Attack Cache Poisoning - https://github.com/mehiar/ARP-Poisoning-and-Defend#arp-cache-poisoning-methods
Quote:
ARP gratuitous attack: an ARP reply packet is broadcast with the spoofed IP as the source and destination protocol address.


The device that sends these abnormal requests is Apple TV 4K 2021 and these requests tend to occur when it becomes idle, but enabling/disabling Sleep Mode on the device itself has no effect on these requests.

All network clients have static IPs assigned in gateway router and on devices themselves. DHCP for LAN is disabled. Static ARP is set on gateway router and on local DNS server for all clients.

Most ARP requests and ARP replies for Apple TV 4K 2021 are normal and show correct Apple TV 4K IP + MAC, correct gateway IP + MAC, and correct local DNS server IP + MAC addresses for source and destination. The abnormal requests tend to occur when Apple TV 4K 2021 becomes idle and abnormal requests occur in series of 6-12 attempts.

The router I use is from Ubiquiti and it reports constant and consistent "High TCP Latency" anomaly for Apple TV 4K 2021, but only when Apple TV 4K 2021 becomes idle.

When in use, Apple TV 4K 2021 performs very well without any noticeable high latency or issues.

My main concern is that someone may be spoofing Apple TV 4K 2021 MAC address and local IP to perform ARP poisoning MITM attacks. There is no way to change Apple TV 4K 2021 MAC address.

To mitigate any ARP spoofing and other types of spoofing, I make sure to:
- Set static ARP for all clients in router and local DNS server configs
- Bind MAC + IP addresses with ARPTables, EBTables and IPTables in gateway router and local DNS server configs
- Edit SysCTL.conf in router and local DNS server configs to disable gratuitous ARP, disable sending and/or accepting redirects, force-enable return path filtering (rp_filter=1), disable ARP proxy, and disable ARP flux (drop_gratuitous_arp=1).
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Tue Nov 09, 2021 13:45
Wireshark labels those abnormal requests as "ARP Announce" and "Gratuitous". I assume my SysCTL.conf just ignores such requests.
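The following is an added example, not code from the thread or from DD-WRT, that shows how a defender can tell the benign case apart from the malicious one. A frame of the form "who-has X tell X" is an ARP announcement in RFC 5227 terms (what Wireshark labels "ARP Announcement"/gratuitous), and a device re-announcing its own address on wake-up is expected. The thing to check is the Ethernet source MAC: an announcement or broadcast reply whose source MAC differs from the static entry for that IP is a conflict worth alarming on, while one from the expected MAC is just self-advertising. The capture lines in the first post were taken without tcpdump's -e option, so they carry no MACs and cannot answer that question; the sample lines below are constructed in the shape of `tcpdump -e -n arp` output with placeholder MACs, and the static table stands in for the router's static ARP entries.

```python
"""Classify ARP frames from tcpdump text output and flag address conflicts.

Constructed example: the sample lines, the MAC addresses (02:00:... are
locally administered placeholders, not real devices) and STATIC_TABLE are
assumptions, not data from the forum thread.
"""
import re
from collections import Counter

# tcpdump -e -n prints: "<src mac> > <dst mac>, ethertype ARP (0x0806), length N: <arp text>"
FRAME_RE = re.compile(
    r"^(?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype ARP \(0x0806\), "
    r"length \d+: (?P<arp>.*)$"
)
# The optional "(mac)" after the target IP appears when the target hardware address is set.
REQUEST_RE = re.compile(
    r"Request who-has (?P<target_ip>\d+\.\d+\.\d+\.\d+)(?: \([0-9a-f:]{17}\))? "
    r"tell (?P<sender_ip>\d+\.\d+\.\d+\.\d+)"
)
REPLY_RE = re.compile(r"Reply (?P<sender_ip>\d+\.\d+\.\d+\.\d+) is-at (?P<sender_mac>[0-9a-f:]{17})")

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Assumed static IP -> MAC bindings, standing in for the router's static ARP entries.
STATIC_TABLE = {
    "192.168.7.1": "02:00:00:00:00:01",  # gateway (placeholder MAC)
    "192.168.7.3": "02:00:00:00:00:03",  # the client device (placeholder MAC)
}

# Constructed capture: three announcements, one ordinary request, one probe, one unicast
# reply from the gateway, and one broadcast reply from a third MAC claiming 192.168.7.3.
SAMPLE_LINES = [
    "02:00:00:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.7.3 tell 192.168.7.3, length 28",
    "02:00:00:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.7.3 tell 192.168.7.3, length 28",
    "02:00:00:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.7.3 tell 192.168.7.3, length 28",
    "02:00:00:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.7.1 tell 192.168.7.3, length 28",
    "02:00:00:00:00:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.7.3 tell 0.0.0.0, length 28",
    "02:00:00:00:00:01 > 02:00:00:00:00:03, ethertype ARP (0x0806), length 42: Reply 192.168.7.1 is-at 02:00:00:00:00:01, length 28",
    "02:00:00:00:00:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 192.168.7.3 is-at 02:00:00:00:00:99, length 28",
]


def parse_line(line):
    """Return a dict describing one ARP frame, or None if the line is not an ARP frame."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    src, dst, arp = m.group("src"), m.group("dst"), m.group("arp")
    r = REQUEST_RE.search(arp)
    if r:
        return {"op": "request", "src_mac": src, "dst_mac": dst,
                "sender_ip": r.group("sender_ip"), "target_ip": r.group("target_ip")}
    r = REPLY_RE.search(arp)
    if r:
        return {"op": "reply", "src_mac": src, "dst_mac": dst,
                "sender_ip": r.group("sender_ip"), "target_ip": None,
                "sender_mac": r.group("sender_mac")}
    return None


def classify(frame):
    """RFC 5227 vocabulary: probe (sender IP 0.0.0.0), announcement (sender IP == target IP),
    gratuitous reply (reply sent to the broadcast MAC), or an ordinary request/reply."""
    if frame["op"] == "request":
        if frame["sender_ip"] == "0.0.0.0":
            return "probe"
        if frame["sender_ip"] == frame["target_ip"]:
            return "announcement"
        return "request"
    return "gratuitous-reply" if frame["dst_mac"] == BROADCAST else "reply"


def audit(lines, static_table):
    """Count frames by kind and report conflicts: any frame whose claimed sender IP has a
    static binding but whose Ethernet source MAC differs from it. Announcements from the
    expected MAC are benign; a different MAC claiming a bound IP is the spoofing signature."""
    counts = Counter()
    conflicts = []
    for line in lines:
        frame = parse_line(line)
        if frame is None:
            continue
        kind = classify(frame)
        counts[kind] += 1
        expected = static_table.get(frame["sender_ip"])
        if expected is not None and expected != frame["src_mac"]:
            conflicts.append((kind, frame["sender_ip"], expected, frame["src_mac"]))
    return counts, conflicts


def run_sample():
    """Audit the constructed capture against the assumed static table."""
    return audit(SAMPLE_LINES, STATIC_TABLE)


if __name__ == "__main__":
    counts, conflicts = run_sample()
    for kind, n in sorted(counts.items()):
        print(f"{kind:18s} {n}")
    for kind, ip, expected, seen in conflicts:
        print(f"CONFLICT: {kind} for {ip}: static {expected}, seen from {seen}")
```

On the sample the three "who-has 192.168.7.3 tell 192.168.7.3" frames are classified as announcements and raise nothing, because their source MAC matches the static entry; only the broadcast reply from the third MAC is reported. Feeding real `tcpdump -e -n arp` output into `audit` with the router's actual static table gives the same answer for the device in question.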