ARP Cache Poison behavior by Apple TV

This is an old post, but I wanted to provide an answer as I still see this behavior on my home network as well (I'm not using Norton, but one of my BSD servers is complaining)... and this thread came up as one of the top search results for me.

The cause of it is due to the Apple TV or Airport Extreme acting as a Bonjour Sleep Proxy. The sleep proxy services connection requests and Bonjour queries while your OS X device is sleeping. If the OS X device, such as a Macbook, needs to wake up to provide service (SSH, file sharing, iTunes sharing, etc.), the sleep proxy will wake it up by sending a special packet.

The sleep proxy responds to ARP requests on behalf of the sleeping device, and therefore has to spoof the ARP and poison the cache of other computers on the network. It's not an attack, but it is smells like one.

This behavior can be removed by disabling Wake on Demand on your OS X devices, under Energy Saver preferences.

You can see Bonjour Sleep Proxies on your network by using the dns-sd command in the OS X terminal (10.10.4):

$ dns-sd -B _sleep-proxy._udp

Browsing for _sleep-proxy._udp

DATE: ---Mon 13 Jul 2015---

21:19:51.737 ...STARTING...

Timestamp A/R Flags if Domain Service Type Instance Name

21:19:51.738 Add 2 5 local. _sleep-proxy._udp. << Device information will go here >>

See also:

About Wake on Demand and Bonjour Sleep Proxy - Apple Support

https://en.wikipedia.org/wiki/Bonjour_Sleep_Proxy

I suspect you have already made your mind up on this one, however as others have presumably told you, Norton is a waste of time, indeed it's worse than a waste of time, at best it misleads you with erroneous messages at worst it corrupts your computer. Get Rid.

Short answer: it is a false positive. I don't know exactly what causes it but I would guess Apple's Bonjour protocol, which is why you see something every 30 minutes. That's just a blind guess, but seems to fit.

Realize that a report of ARP poisoning wouldn't be likely on a private LAN, unless you got infected somehow. No known malware like this for iOS devices (and much harder to insert one on AppleTV versus an iPhone or iPad.) There are legitimate cases where ARP spoofing is used. And even Cisco has instances where they say to ignore that warning:

CSCsm25943—The meaning of the following error message on the controller is not clear. This message does not necessarily imply that any actual "ARP poisoning" is occurring. Rather, this message appears when a WLAN is configured for DHCP Required and a client (after associating to this WLAN) transmits an ARP message without first using DHCP. The client is unable to send or receive any data traffic until it performs DHCP through the controller.

DTL-1-ARP_POISON_DETECTED: STA [00:01:02:0e:54:c4, 0.0.0.0] ARP (op 1) received with

invalid SPA 192.168.1.152/TPA 192.168.0.206

Workaround: Perform the following steps:

...

• Verify that the client eventually does perform DHCP without undergoing an unacceptable outage. If the outage before performing DHCP is acceptable, then you can ignore this message.

I'm not saying that Norton's message is the same as Cisco's. Just that Cisco states that the meaning of why the message appears is not clear and sometimes is acceptable. And Cisco is the world leader in networking technology so if they don't always know why you get an ARP poisoning warning.... 😉

I won't go into the politics of "Norton bad" or whatever, but based on my experience (bias) with Norton in it's various forms for over 10 years, IMHO you can ignore this. Hopefully you can configure Norton to selectively ignore this. If not, you may have to use a different security program. Me personally, I do not recommend any "security suites" because they cause exactly this kind of additional headache. Just a "plain" antivirus program. Windows has a built-in firewall and most people will be using a hardware firewall at the office or home so the firewall in the "security suite" is extraneous.

Unfortunately Norton don't take the same view, they blame everyone else's equipment (and in particular Apple's) on the basis that they don't properly implement ARP protocol. Norton do claim to know why this happens but believe it's too complicated a matter to explain to us. It's interesting to note though that they have now made it a non reported event by default and merely list it in logged events.

As you've clearly noticed I don't tend to hold back on my bias toward Norton (for mac), I might if it was merely useless, but it's also been shown to be destructive in cases and not simply intrusive. Glad you posted here though,upon re-reading I think I misinterpreted a politely put enquiry and didn't really address the OP's question at all.

I can confirm this behavior. My Cisco ASA 5505 shows both of my Apple TV's pretending to be each other. I even set static IP's for them but they still do it. It doesn't cause any problems aside from the constant warnings about a misbehaving networking device. But why they do this is beyond me. Apple tech support didn't know what ARP meant so no help there...

I can assure you that my AppleTV's do this same exact thing and my ZyWALL Firewall reports bad behavior in the form of an ARP attack. Though I guess it does not harm anything, there is something wrong w/these devices as they should not be doing this! Apple needs to really fix this, as it is annoying to see this junk in my logs! So I'm guessing Norton is reporting correctly.

At the same time of the attack form my apple tv all my systems freeze for a second something strange is going on.. LOL Big brother is watching LOL.. Apple needs to check their code for corruption this started after the last update.

Nice post Transcendent, and not much material about this on the internet. I have the same problem, 4 Apple TV's and 1 Airport Extreme and I'm constantly getting ARP Poison behavior (several hundred per day) from those devices and you can't just set a firewall rule to allow them because that make your network vulnerable to real attacks. So the question is how do what you talking about above in an windows environment? Or better yet how do we get Apple to address the problem since their Tech support has no idea what's going on. Also leaving it the way it is is not a good for a healthy network environment.

Very annoying, distracting and disappointing problem - it took a lot of effort to Identify devices on network causing this problem - looking at every devices MAC address and associated IP address, only to discover all Apple products.

Thanks

Old thread and stuff, yes yes... however this helped me, so transcendent deserve a thanks 🙂

And Apple should know this is bloody annoying -.-

(Using eset endpoint security v5ïsh-something something)

Same as above... This is an older post. However, I've recently been experiencing the same issue. After upgrading to ESET Smart Security v.10.x.x.x a little over a week ago, I've been receiving the same notifications. Thank you transcendent for the answer.