07-02-2012 08:35 AM
My Norton firewall (NIS 5 on OS X Lion) is reporting hundreds of ARP Cache Poison attempts and the MAC address is that of my husband's HTC Incredible 2 phone. Our router is pretty secure with WPA2 and a complex password, and filtered by MAC Address as well. What should I do about this? I see advice on other threads to ignore this, but not sure if that applies here.
07-02-2012 05:53 PM
ARP (address resolution protocol) is the network interaction that takes a human readable Internet name and returns the numbers that your computer uses to compose traffic to actually view that site (or whatever).
In the past, malicious software would try to screw up your computer's local stash of names previously matched to numbers to get your computer to go to the wrong places on the internet. It would do this by sending a spurious response to your computer, when your computer had never made any such request in the first place, in the hopes your computer would accept the spurious response info ANYWAY and save the bogus name/number pairing in its cache of such stuff. That's an ARP Cache Poison event.
But there's a much simpler, non-malicious, reason this might happen, which is that some other device on your network happens to be mistakenly using the networking IP address assigned to your computer. So the other device sends an ARP request (which happens frequently) and your computer sees the response. And the Norton stuff catches that, blocks the spurious response, and reports it.
Since you've identified the source of the original request as your husband's phone, the most likely explanation is that your husband's phone and your computer are mistakenly using the same IP address. This can happen if you've set either one of them to use a fixed IP address, or if there is a bug in the computer or in the phone, or if there is a bug or settings mistake in your Wifi router so that it is handing out the same IP address for use by more than one device.
Check your Mac and his phone for the IP address they are each using when these events happen, and check how they, and your router, are set to use DHCP -- which is the protocol they use to ask your router which IP address they should use. This will likely be complicated by your router using what's called NAT (network address translation) so that one external IP address -- used to represent your home network to the outside world -- is shared between multiple internal IP addresses for the devices in your home. Your router should have a table it will display which shows the external and internal IP addresses in use at the moment. Check that what your Mac and his phone say they are using match what the router expects to be happening, and that the internal IP address numbers for the two of them are different.
This may not be happening all the time. You can set the Norton stuff to put up an alert on your Mac when it detects an ARP Cache Poison event -- rather than just tallying them in its list. Then you can catch it exactly when it is happening and go check right away what IP address your Mac and his phone are using.
The good news is that even if you can't figure this out quickly, there's almost certainly no danger. That's because the requests your husband's phone is generating are likely "real" -- part of its normal usage -- and the results coming back from your internet service provider are also likely "real", meaning there's not actually any nasty stuff happening in that ARP traffic. It's just a configuration issue in your home network that needs to be tracked down.
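Editor's added example (not part of this thread, and not Norton's code): a small Python sketch of the kind of host-side check a firewall performs on the ARP traffic the reply above describes. ARP frames carry IPv4-address-to-MAC-address bindings for the local network; the monitor keeps its own table of those bindings and flags any frame that would change one. It distinguishes the benign case the reply suggests (another device, such as the phone, announcing this host's own IP address) from the classic poisoning pattern (a device that already holds one address suddenly answering for another, typically the gateway). All IP and MAC addresses, the frames, and the event labels are constructed for the demo.

```python
"""Toy ARP monitor: parses raw Ethernet/ARP frames and classifies them.

Hypothetical example code; addresses and frames below are constructed, and the
verdict labels are this example's own, not those of any commercial product.
"""
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def build_arp(op, sender_mac, sender_ip, target_ip, target_mac=None):
    """Build a constructed Ethernet + ARP frame (14 + 28 bytes).

    Requests are broadcast with a zeroed target hardware address; replies are
    unicast to the target MAC, as on a real LAN."""
    if op == ARP_REQUEST:
        eth_dst, tha = BROADCAST, "00:00:00:00:00:00"
    else:
        eth_dst = tha = target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet/IPv4, 6/4, op
           + mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
           + mac_bytes(tha) + socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the fields of an IPv4-over-Ethernet ARP frame, or None if not one."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": mac_str(frame[22:28]), "spa": socket.inet_ntoa(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": socket.inet_ntoa(frame[38:42])}


class ArpMonitor:
    """Keeps an IP -> MAC table and refuses frames that would silently change it."""

    def __init__(self, my_ip, my_mac, gateway_ip):
        self.my_ip, self.my_mac, self.gateway_ip = my_ip, my_mac, gateway_ip
        self.cache = {my_ip: my_mac}   # bindings this host currently trusts
        self.pending = set()           # IPs this host has asked about
        self.events = []               # (verdict, ip, mac, previously cached mac)

    def sent_request(self, target_ip):
        """Record that this host sent a request, so a reply for it is expected."""
        self.pending.add(target_ip)

    def process(self, frame):
        a = parse_arp(frame)
        if a is None:
            return "ignored"
        ip, mac = a["spa"], a["sha"]
        if mac == self.my_mac:
            return "own-frame"
        known = self.cache.get(ip)
        if ip == self.my_ip:
            verdict = "duplicate-address"       # someone else is using our IP
        elif known is not None and known != mac:
            # Same IP, different MAC than before. If that MAC already owns another
            # IP it is answering for two addresses at once: the poisoning pattern.
            owns_other = any(m == mac and i != ip for i, m in self.cache.items())
            verdict = "poison" if owns_other else "ip-conflict"
        elif a["op"] == ARP_REPLY and ip not in self.pending:
            verdict = "unsolicited-reply"       # logged, not cached
        else:
            verdict = "ok"
        if verdict == "ok":
            self.cache[ip] = mac
            self.pending.discard(ip)
        self.events.append((verdict, ip, mac, known))
        return verdict


def run_demo():
    """Feed a constructed sequence of frames through the monitor."""
    me, gw = "aa:aa:aa:aa:aa:01", "11:11:11:11:11:01"
    phone, rogue = "22:22:22:22:22:02", "33:33:33:33:33:03"
    mon = ArpMonitor("192.168.1.10", me, "192.168.1.1")
    mon.sent_request("192.168.1.1")
    frames = [
        build_arp(ARP_REPLY, gw, "192.168.1.1", "192.168.1.10", me),      # reply we asked for
        build_arp(ARP_REQUEST, phone, "192.168.1.20", "192.168.1.1"),     # phone joins
        build_arp(ARP_REQUEST, rogue, "192.168.1.30", "192.168.1.1"),     # third device joins
        build_arp(ARP_REQUEST, phone, "192.168.1.10", "192.168.1.1"),     # phone now using OUR IP
        build_arp(ARP_REPLY, rogue, "192.168.1.1", "192.168.1.10", me),   # rogue claims to be gateway
        build_arp(ARP_REQUEST, "44:44:44:44:44:04", "192.168.1.20", "192.168.1.1"),  # 2nd device on phone's IP
    ]
    return [mon.process(f) for f in frames], mon.cache


if __name__ == "__main__":
    verdicts, cache = run_demo()
    for v in verdicts:
        print(v)
    print(cache)
```

In the demo the phone reusing this host's address is reported as duplicate-address and the binding table is left alone, which matches the configuration-conflict explanation given in the reply; the rogue device that already holds 192.168.1.30 and then answers for the gateway is the only frame labelled poison. On a real host the frames would come from a packet capture (for example a raw socket or pcap library) rather than from build_arp, and the gateway binding would be seeded from the router's known MAC rather than learned from the first reply.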
07-03-2012 11:44 AM
Thank you for the detailed explanation, that is very helpful! I had actually spent quite a bit of time googling this, and it seemed to always be an HTC phone that was causing the problems. It isn't happening consistently, nor is it happening with any of our other devices, including an even older HTC phone. So as you point out, I'll have to check the router and see if I can confirm that's what is happening. I'm puzzled though, about why the router would have this addressing conflict to begin with.
Perhaps Norton has me a bit on edge, given my other problems with the AV failing to enable and throwing up errors (in no detectable pattern)!!