Solved.
Remerciements0

N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-18 | 15:19 · 11 Replies · · Traduction:

Hi, 1st post after research over past 3 days (searched here & broadband provider forums), in case anyone has similar experience/suggestions, please?

Using Virgin Media Hub 5 router in UK; 3 days ago pop-up message from Norton 360 on "compromised network" for our WiFi, "detected MITM attack" with "ARP spoofing" in detailed description. I've factory reset the Hub, set new SSID, new admin & user PWs (all when connected w/Ethernet). Nothing found by Norton & Malwarebytes on devices (laptops, mobiles). Still get the alert on WiFi. I scan for devices with Fing. Nothing unrecognised

Wireshark shows ARP duplicate address errors for the router every 15 mins (same IP of 192.168.0.1 at 5-6 different MAC addresses without manufacturer found). I believe mobiles & Win10/11 devices can randomise MAC to connect. Can a router cycle in that way? Could that be triggering "ARP spoofing" note? Alternatively, could that be either a false +ve or now left over unresolved, from before I did the nuke reset?

Sorry that this is probably me dabbling w/o real knowledge. Many thanks for any tips

Thématiques: Threat Detection, Alerts/Notifications, Windows 11, Pop-up, Norton Displays At Risk
Accepted Solution
Remerciements1 Stats

Re: N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-30 | 08:37 · Permalien

Thank you, all, for the helpful suggestions. Several others on a Virgin Media forum seemed to have the same problem, starting around the same time.

The solution seems to be to disable the 'smart WiFi' settings and split the SSID of the 2.4 and 5GHz bands. I did this a couple of days ago and the duplicate ip/arp alerts are no longer showing. We assume there's some sort of bug in the (not so-)smart WiFi settings.

Thanks again

View Accepted Solution in Context

Réponses

Remerciements0

Re: N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-18 | 15:24 · Permalien

PS I found other MITM threads plus link to Norton page explaining detection, but they didn't seem to help directly with this

Remerciements0

Re: N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-18 | 16:27 · Permalien

Hello Yarmie. Please post a screenshot of the Norton detection from your history so we can see exactly what you're seeing and review it with you. Here is how to post screenshots: https://community.norton.com/en/forums/how-post-image-forums-0

A Virgin Media forums suggests "MAC filtering" which will force only the MAC address you manually install to connect. Please review this article. https://www.virginmedia.com/help/broadband/set-up-virgin-media-mac-filte...

SA

MS Certified Professional Windows 11 Home/Pro 22H2 x 64 build 22621.2283 - Windows 10 Pro x 64 version 22H2 / build 19045.3448 / Norton Security Ultra - Norton 360 Deluxe ver. 22.23.8.4 / Opera GX LVL5 (core:101.0.4843.85) 64 bit-Early Access w/Norton Chrome Extensions
Remerciements0

Re: N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-19 | 06:37 · Permalien

What was the link to Norton explaining what is detecting? Have a different reason for compromised network but similar problem trying to work out what to do next.
Remerciements0

Re: N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-19 | 07:16 · Permalien

this was the link I found. Not super helpful in terms of resolution IMHO https://support.norton.com/sp/en/us/norton-360-premium/22.22.7.14/soluti...

Remerciements0

Re: N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-19 | 07:27 · Permalien

Thanks very much for your reply & research. Couple of screenshots attached to show full list (still get message *after reset of router on 18 Aug with new SSID, PWs, etc, unless that's a continuation/carryover as unresolved?) plus a detail expand under "more options". Strange that High risk has No action required

Thanks, too, for the pointer to MAC filtering. I was aware of that but it seems a downgrade to turn off the private address randomisation on each device (I know we could do it only for this home network, but would need fixing for any changes)

Thanks again for any ways to track this down & ideally resolve. Couldn't find any obvious log files in a quick search on my laptop

Remerciements0

Re: N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-19 | 07:41 · Édité: 2022-08-19 | 07:43 · Permalien

My advice is a rather tedious suggestion but will help you positively ID the device causing the issue. Disconnect and power down, ALL the devices currently on your network, WiFi and Ethernet connected. Reboot the router. Put a device back onto your network that has Norton installed. ONLY one device. Log into your ISP gateway device and check logs to see "what clients" are connected. If there is a device shown you DO NOT know, block it using the MAC filtering info that I previously posted the link for on the Virgin Media forums. That should be the device that is causing the MITM spoofing. 

SA

MS Certified Professional Windows 11 Home/Pro 22H2 x 64 build 22621.2283 - Windows 10 Pro x 64 version 22H2 / build 19045.3448 / Norton Security Ultra - Norton 360 Deluxe ver. 22.23.8.4 / Opera GX LVL5 (core:101.0.4843.85) 64 bit-Early Access w/Norton Chrome Extensions
Remerciements1 Stats

Re: N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-19 | 07:41 · Permalien

Does your Virgin router include any security features that might be scanning your network? One search I did notes this feature.   

It comes with Intelligent WiFi which checks connections and ensures bandwidth is used evenly between devices.

See if you can find this feature and if you can disable it in the router settings. Then see if you still see the Norton warnings.

Remerciements1 Stats

Re: N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-19 | 07:45 · Permalien

All: My TP-link router has a feature called "Smart Connect". It will assign devices to the 2.4 or 5 GHz networks and ethernet to even out bandwidth so that all devices perform nominally. I haven't ever seen an MITM notification from that setting being enabled.

SA

MS Certified Professional Windows 11 Home/Pro 22H2 x 64 build 22621.2283 - Windows 10 Pro x 64 version 22H2 / build 19045.3448 / Norton Security Ultra - Norton 360 Deluxe ver. 22.23.8.4 / Opera GX LVL5 (core:101.0.4843.85) 64 bit-Early Access w/Norton Chrome Extensions
Remerciements0

Re: N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-20 | 12:54 · Permalien

Hi SoulAsylum, thanks for the steps on resetting and adding back one at a time. I'm now away for work so will have to try when I'm back. It seems the most predictable way to ID the device

Thanks, too, to PeterWeb on the smart scanning. We weren't using that band steering, as I'd already split to 2 separate networks for 2.4 and 5GHz before we had the alert

Accepted Solution
Remerciements1 Stats

Re: N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-30 | 08:37 · Permalien

Thank you, all, for the helpful suggestions. Several others on a Virgin Media forum seemed to have the same problem, starting around the same time.

The solution seems to be to disable the 'smart WiFi' settings and split the SSID of the 2.4 and 5GHz bands. I did this a couple of days ago and the duplicate ip/arp alerts are no longer showing. We assume there's some sort of bug in the (not so-)smart WiFi settings.

Thanks again

Remerciements1 Stats

Re: N360 "compromised network", MITM, ARP spoofing

Envoyé le: 2022-08-30 | 09:57 · Permalien

Good news. Thanks for posting back.

This thread is closed from further comment. Please visit the forum to start a new thread.