Solved.

N360 "compromised network", MITM, ARP spoofing

Hi, 1st post after research over past 3 days (searched here & broadband provider forums), in case anyone has similar experience/suggestions, please?

Using Virgin Media Hub 5 router in UK; 3 days ago pop-up message from Norton 360 on "compromised network" for our WiFi, "detected MITM attack" with "ARP spoofing" in detailed description. I've factory reset the Hub, set new SSID, new admin & user PWs (all when connected w/Ethernet). Nothing found by Norton & Malwarebytes on devices (laptops, mobiles). Still get the alert on WiFi. I scan for devices with Fing. Nothing unrecognised.

Wireshark shows ARP duplicate address errors for the router every 15 mins (same IP of 192.168.0.1 at 5-6 different MAC addresses without manufacturer found). I believe mobiles & Win10/11 devices can randomise MAC to connect. Can a router cycle in that way? Could that be triggering "ARP spoofing" note? Alternatively, could that be either a false +ve or now left over unresolved, from before I did the nuke reset?

Sorry that this is probably me dabbling w/o real knowledge. Many thanks for any tips
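
Added example, not part of the original post: a short Python check for the pattern described above, where one IP (here the gateway) is announced by several MAC addresses over time. It also tests each MAC's locally administered bit; an address with that bit set carries no vendor OUI, which is why a manufacturer lookup comes back empty. The sample records are constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: (seconds since capture start, sender IP, sender MAC).
# Illustrative values only, not taken from the poster's capture.
SAMPLE = [
    (0,    "192.168.0.1",  "ac:f8:cc:10:20:30"),
    (12,   "192.168.0.23", "3e:5a:11:22:33:44"),
    (900,  "192.168.0.1",  "ae:f8:cc:10:20:31"),
    (1800, "192.168.0.1",  "b2:f8:cc:10:20:32"),
    (1805, "192.168.0.23", "3e:5a:11:22:33:44"),
    (2700, "192.168.0.1",  "ae:f8:cc:10:20:31"),
]

def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def find_ip_conflicts(observations):
    """Return {ip: report} for every IP announced by more than one MAC."""
    seen = defaultdict(list)  # ip -> [(time, mac), ...] in capture order
    for ts, ip, mac in sorted(observations):
        seen[ip].append((ts, mac.lower()))
    conflicts = {}
    for ip, events in seen.items():
        macs = list(dict.fromkeys(mac for _, mac in events))  # unique, ordered
        if len(macs) < 2:
            continue
        # Times at which the MAC claiming this IP changed.
        changes = [t2 for (_, m1), (t2, m2) in zip(events, events[1:]) if m1 != m2]
        conflicts[ip] = {
            "macs": macs,
            "locally_administered": [m for m in macs if is_locally_administered(m)],
            "change_times": changes,
        }
    return conflicts

if __name__ == "__main__":
    for ip, report in find_ip_conflicts(SAMPLE).items():
        print(ip, report)
```

A locally administered MAC on its own does not show the announcement is benign; it only explains the missing manufacturer and narrows which device to look at next.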

Re: N360 "compromised network", MITM, ARP spoofing

PS I found other MITM threads plus link to Norton page explaining detection, but they didn't seem to help directly with this


Re: N360 "compromised network", MITM, ARP spoofing

Hello Yarmie. Please post a screenshot of the Norton detection from your history so we can see exactly what you're seeing and review it with you. Here is how to post screenshots: https://community.norton.com/en/forums/how-post-image-forums-0

A Virgin Media forum suggests "MAC filtering" which will force only the MAC address you manually install to connect. Please review this article. https://www.virginmedia.com/help/broadband/set-up-virgin-media-mac-filte...

SA

MS Certified Professional Windows 11 Home 22H2 x 64 build 22621.1702 - Windows 10 Pro x 64 version 22H2 / build 19045.3031 / Norton Security Ultra - Norton 360 Deluxe ver. 22.23.4.6 / Opera GX LVL4 (core: 98.0.4759.74) 64 bit-Early Access w/Norton Chrome Extensions

Re: N360 "compromised network", MITM, ARP spoofing

What was the link to Norton explaining what is detecting? Have a different reason for compromised network but similar problem trying to work out what to do next.

Re: N360 "compromised network", MITM, ARP spoofing

This was the link I found. Not super helpful in terms of resolution IMHO https://support.norton.com/sp/en/us/norton-360-premium/22.22.7.14/soluti...


Re: N360 "compromised network", MITM, ARP spoofing

Thanks very much for your reply & research. Couple of screenshots attached to show full list (still get message *after reset of router on 18 Aug with new SSID, PWs, etc, unless that's a continuation/carryover as unresolved?) plus a detail expand under "more options". Strange that High risk has No action required

Thanks, too, for the pointer to MAC filtering. I was aware of that but it seems a downgrade to turn off the private address randomisation on each device (I know we could do it only for this home network, but would need fixing for any changes)

Thanks again for any ways to track this down & ideally resolve. Couldn't find any obvious log files in a quick search on my laptop


Re: N360 "compromised network", MITM, ARP spoofing

My advice is a rather tedious suggestion but will help you positively ID the device causing the issue. Disconnect and power down ALL the devices currently on your network, WiFi and Ethernet connected. Reboot the router. Put a device back onto your network that has Norton installed. ONLY one device. Log into your ISP gateway device and check logs to see "what clients" are connected. If there is a device shown you DO NOT know, block it using the MAC filtering info that I previously posted the link for on the Virgin Media forums. That should be the device that is causing the MITM spoofing.

SA


Re: N360 "compromised network", MITM, ARP spoofing

Does your Virgin router include any security features that might be scanning your network? One search I did notes this feature.   

It comes with Intelligent WiFi which checks connections and ensures bandwidth is used evenly between devices.

See if you can find this feature and if you can disable it in the router settings. Then see if you still see the Norton warnings.


Re: N360 "compromised network", MITM, ARP spoofing

All: My TP-link router has a feature called "Smart Connect". It will assign devices to the 2.4 or 5 GHz networks and ethernet to even out bandwidth so that all devices perform nominally. I haven't ever seen an MITM notification from that setting being enabled.

SA


Re: N360 "compromised network", MITM, ARP spoofing

Hi SoulAsylum, thanks for the steps on resetting and adding back one at a time. I'm now away for work so will have to try when I'm back. It seems the most predictable way to ID the device

Thanks, too, to PeterWeb on the smart scanning. We weren't using that band steering, as I'd already split to 2 separate networks for 2.4 and 5GHz before we had the alert

Accepted solution

Re: N360 "compromised network", MITM, ARP spoofing

Thank you, all, for the helpful suggestions. Several others on a Virgin Media forum seemed to have the same problem, starting around the same time.

The solution seems to be to disable the 'smart WiFi' settings and split the SSID of the 2.4 and 5GHz bands. I did this a couple of days ago and the duplicate ip/arp alerts are no longer showing. We assume there's some sort of bug in the (not so-)smart WiFi settings.

Thanks again


Re: N360 "compromised network", MITM, ARP spoofing

Good news. Thanks for posting back.
