Assistance with IP Spoofing

Detailed description: I have been running Norton 360 in our household for many years now. Recently I started seeing some odd issues with duplicate IPs. When this occurs the network comes to a crawl, if it functions at all. A Netgear router reboot resolves the issues for a while. Running Norton 360 VPN keeps this issue from occurring. I have a background as a Cyber Sec Program Manager and over 25 years of IT experience, so I have slightly more knowledge than the average user. Everything is pointing to an IP spoofing malware/virus. This has been going on for months. Norton 360 full scans, Norton boot scans, and Microsoft Malicious SW removal find nothing. Is there a tool that can help?

Product & version number: Latest version of Norton 360

OS details: Windows 11

What is the error message you are seeing? Getting "IP already in use" errors. Netgear Armor detected and blocked a suspicious remote IP attempting a connection.

If you have any supporting screenshots, please add them:

Is it Norton that is alerting you? Can you get a screenshot of what you are seeing without any PI information showing? That would be of great help. Also the best thing for your router and ISP devices. Have you checked for available firmware for your personal router and checked your ISP device for its firmware being updated? Especially your ISP device; most are really lax about pushing updates to their devices on a regular basis. I would also check the make and model of both devices for outstanding and current CVEs. If you’d like, I can do both for you with the model and make info from your devices.

On an additional note, have you disabled Netgear Armor on your device, rebooted it, and rechecked for the issue persisting? I believe that may be a part of your issue.

SA

Norton isn’t seeing the issue at all. The alerts are coming from my Netgear Nighthawk, which is currently at its highest update level. I wasn’t running Netgear Armor when the issues started. I have since paid the subscription and turned it on for more insight into the issues.

Thanks for the post back. Check for outstanding CVEs for your Netgear router. Please post your progress so we can follow up. As you already know, even a factory reset won’t prevent an infection from reappearing. Have you checked out the ARP tables to see what the “device” name is showing as duplicate? Assuming you already have; nevertheless, suggesting it all the same.

SA
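
The ARP-table check suggested above, as an added example that is not part of the original thread: a Python sketch that parses Windows `arp -a` output, lists MAC addresses answering for more than one IP, and lists IPs whose MAC changed between two snapshots. The sample output, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `arp -a` snapshots (Windows format); all addresses are made up.
SAMPLE_BEFORE = """\
Interface: 192.168.1.20 --- 0x7
  Internet Address      Physical Address      Type
  192.168.1.1           a0-04-60-11-22-33     dynamic
  192.168.1.35          3c-22-fb-aa-bb-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
SAMPLE_AFTER = """\
Interface: 192.168.1.20 --- 0x7
  Internet Address      Physical Address      Type
  192.168.1.1           a0-04-60-11-22-33     dynamic
  192.168.1.35          9c-b6-d0-cc-dd-02     dynamic
  192.168.1.48          9c-b6-d0-cc-dd-02     dynamic
"""

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)", re.I)

def parse_arp(text):
    """Return {ip: mac} for dynamic rows; static broadcast/multicast rows are skipped.
    With several interfaces, a later row for the same IP overwrites an earlier one."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def shared_macs(table):
    """MACs that answer for more than one IP within a single snapshot."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def changed_owners(before, after):
    """IPs present in both snapshots whose MAC differs: {ip: (old_mac, new_mac)}."""
    return {ip: (before[ip], after[ip])
            for ip in before.keys() & after.keys() if before[ip] != after[ip]}

if __name__ == "__main__":
    old, new = parse_arp(SAMPLE_BEFORE), parse_arp(SAMPLE_AFTER)
    print("MACs claiming several IPs:", shared_macs(new))
    print("IPs that changed MAC:", changed_owners(old, new))
```

A MAC that holds several IPs can be legitimate (a multi-homed device or a router doing proxy ARP), so compare any flagged MAC with the router's attached-devices list before treating it as a conflict.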

What does CVE stand for?

My Netgear router is:
Hardware Version: RAX50v2
Firmware Version: V1.1.4.28_2.1.26
Protection Engine Version: 2.2.193/1.0.0.2097

I have completed a factory reset and the issue did come back. Do you think the Netgear router is my issue?

Your router could be the issue. Let’s have a better look at some things before we make that assumption as the cause. CVE stands for Common Vulnerability and Exposures. Associated with publicly known vulnerabilities.
What is the model of your router? Was yours on the listing in the article I linked? Knowing that will help.

SA

The router is a Nighthawk AX6 - AX5400 Model #RAX50

Your firmware appears to be current, as the website shows. In your router settings, do you see any duplicate IP addresses assigned to any specific device? Is this showing using Wi-Fi, Ethernet or both? Also, did you disable Netgear Armor, restart the router and recheck again? I’d like to see if that resolves the issue.

SA

If you have a European or American credit card you can update to those regions’ latest version, but I don’t suggest paying in the Asia region, because Asia’s Norton product is overall worse than Europe’s and the USA’s and uses different technology and features. BTW, the USA’s latest version has many issues.

@Barry_Wang The OP’s firmware is the latest for his device.

SA