You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

ARP Cache Poison behavior by Apple TV

Norton Anti-Virus reports blocking an ARP Cache Poison attack against my home network. The reported source of the attack is the MAC number of the Apple TV on the network.


Whether Norton is "reliable" is apparently contentious in the support community. Several authors suggest, with authority, disabling Norton or the particular attack profile.


Whether that makes sense depends on what the Apple TV is innocently doing to be profiled as a network attack.


Even when supposedly "asleep" the Apple TV is doing something that meets the profile of an ARP Cache Poison attack. It did it every 30 minutes today, nine times yesterday, about 30 times day before and etc.


And if it is a design feature of the device, why is the device still performing despite having the activity continously blocked? What is the purpose of this attack-like activity, assuming it is not an attack? If it is an attack, how does one erase the programming initiating the attacks and still have an Apple TV?

MacBook Pro, Mac OS X (10.4.11)

Posted on Oct 20, 2011 4:55 PM

Reply
Question marked as Top-ranking reply

Posted on Jul 13, 2015 6:27 PM

This is an old post, but I wanted to provide an answer as I still see this behavior on my home network as well (I'm not using Norton, but one of my BSD servers is complaining)... and this thread came up as one of the top search results for me.


The cause of it is due to the Apple TV or Airport Extreme acting as a Bonjour Sleep Proxy. The sleep proxy services connection requests and Bonjour queries while your OS X device is sleeping. If the OS X device, such as a Macbook, needs to wake up to provide service (SSH, file sharing, iTunes sharing, etc.), the sleep proxy will wake it up by sending a special packet.


The sleep proxy responds to ARP requests on behalf of the sleeping device, and therefore has to spoof the ARP and poison the cache of other computers on the network. It's not an attack, but it is smells like one.


This behavior can be removed by disabling Wake on Demand on your OS X devices, under Energy Saver preferences.


You can see Bonjour Sleep Proxies on your network by using the dns-sd command in the OS X terminal (10.10.4):

$ dns-sd -B _sleep-proxy._udp

Browsing for _sleep-proxy._udp

DATE: ---Mon 13 Jul 2015---

21:19:51.737 ...STARTING...

Timestamp A/R Flags if Domain Service Type Instance Name

21:19:51.738 Add 2 5 local. _sleep-proxy._udp. << Device information will go here >>


See also:

About Wake on Demand and Bonjour Sleep Proxy - Apple Support

https://en.wikipedia.org/wiki/Bonjour_Sleep_Proxy

10 replies
Question marked as Top-ranking reply

Jul 13, 2015 6:27 PM in response to Mark Wilder1

This is an old post, but I wanted to provide an answer as I still see this behavior on my home network as well (I'm not using Norton, but one of my BSD servers is complaining)... and this thread came up as one of the top search results for me.


The cause of it is due to the Apple TV or Airport Extreme acting as a Bonjour Sleep Proxy. The sleep proxy services connection requests and Bonjour queries while your OS X device is sleeping. If the OS X device, such as a Macbook, needs to wake up to provide service (SSH, file sharing, iTunes sharing, etc.), the sleep proxy will wake it up by sending a special packet.


The sleep proxy responds to ARP requests on behalf of the sleeping device, and therefore has to spoof the ARP and poison the cache of other computers on the network. It's not an attack, but it is smells like one.


This behavior can be removed by disabling Wake on Demand on your OS X devices, under Energy Saver preferences.


You can see Bonjour Sleep Proxies on your network by using the dns-sd command in the OS X terminal (10.10.4):

$ dns-sd -B _sleep-proxy._udp

Browsing for _sleep-proxy._udp

DATE: ---Mon 13 Jul 2015---

21:19:51.737 ...STARTING...

Timestamp A/R Flags if Domain Service Type Instance Name

21:19:51.738 Add 2 5 local. _sleep-proxy._udp. << Device information will go here >>


See also:

About Wake on Demand and Bonjour Sleep Proxy - Apple Support

https://en.wikipedia.org/wiki/Bonjour_Sleep_Proxy

Oct 20, 2011 6:46 PM in response to Mark Wilder1

Short answer: it is a false positive. I don't know exactly what causes it but I would guess Apple's Bonjour protocol, which is why you see something every 30 minutes. That's just a blind guess, but seems to fit.


Realize that a report of ARP poisoning wouldn't be likely on a private LAN, unless you got infected somehow. No known malware like this for iOS devices (and much harder to insert one on AppleTV versus an iPhone or iPad.) There are legitimate cases where ARP spoofing is used. And even Cisco has instances where they say to ignore that warning:


CSCsm25943—The meaning of the following error message on the controller is not clear. This message does not necessarily imply that any actual "ARP poisoning" is occurring. Rather, this message appears when a WLAN is configured for DHCP Required and a client (after associating to this WLAN) transmits an ARP message without first using DHCP. The client is unable to send or receive any data traffic until it performs DHCP through the controller.


DTL-1-ARP_POISON_DETECTED: STA [00:01:02:0e:54:c4, 0.0.0.0] ARP (op 1) received with

invalid SPA 192.168.1.152/TPA 192.168.0.206


Workaround: Perform the following steps:

...


• Verify that the client eventually does perform DHCP without undergoing an unacceptable outage. If the outage before performing DHCP is acceptable, then you can ignore this message.


I'm not saying that Norton's message is the same as Cisco's. Just that Cisco states that the meaning of why the message appears is not clear and sometimes is acceptable. And Cisco is the world leader in networking technology so if they don't always know why you get an ARP poisoning warning.... 😉


I won't go into the politics of "Norton bad" or whatever, but based on my experience (bias) with Norton in it's various forms for over 10 years, IMHO you can ignore this. Hopefully you can configure Norton to selectively ignore this. If not, you may have to use a different security program. Me personally, I do not recommend any "security suites" because they cause exactly this kind of additional headache. Just a "plain" antivirus program. Windows has a built-in firewall and most people will be using a hardware firewall at the office or home so the firewall in the "security suite" is extraneous.

Oct 20, 2011 7:18 PM in response to Asatoran

Unfortunately Norton don't take the same view, they blame everyone else's equipment (and in particular Apple's) on the basis that they don't properly implement ARP protocol. Norton do claim to know why this happens but believe it's too complicated a matter to explain to us. It's interesting to note though that they have now made it a non reported event by default and merely list it in logged events.


As you've clearly noticed I don't tend to hold back on my bias toward Norton (for mac), I might if it was merely useless, but it's also been shown to be destructive in cases and not simply intrusive. Glad you posted here though,upon re-reading I think I misinterpreted a politely put enquiry and didn't really address the OP's question at all.

Apr 11, 2013 10:00 AM in response to Mark Wilder1

I can confirm this behavior. My Cisco ASA 5505 shows both of my Apple TV's pretending to be each other. I even set static IP's for them but they still do it. It doesn't cause any problems aside from the constant warnings about a misbehaving networking device. But why they do this is beyond me. Apple tech support didn't know what ARP meant so no help there...


User uploaded file

Apr 24, 2013 11:18 AM in response to Mark Wilder1

I can assure you that my AppleTV's do this same exact thing and my ZyWALL Firewall reports bad behavior in the form of an ARP attack. Though I guess it does not harm anything, there is something wrong w/these devices as they should not be doing this! Apple needs to really fix this, as it is annoying to see this junk in my logs! So I'm guessing Norton is reporting correctly.


User uploaded file

Dec 29, 2015 7:08 AM in response to transcendent

Nice post Transcendent, and not much material about this on the internet. I have the same problem, 4 Apple TV's and 1 Airport Extreme and I'm constantly getting ARP Poison behavior (several hundred per day) from those devices and you can't just set a firewall rule to allow them because that make your network vulnerable to real attacks. So the question is how do what you talking about above in an windows environment? Or better yet how do we get Apple to address the problem since their Tech support has no idea what's going on. Also leaving it the way it is is not a good for a healthy network environment.


Very annoying, distracting and disappointing problem - it took a lot of effort to Identify devices on network causing this problem - looking at every devices MAC address and associated IP address, only to discover all Apple products.


Thanks

ARP Cache Poison behavior by Apple TV

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.