ARP spoofing

dk109

Spent an evening troubleshooting a new issue with dropped connections caused by ARP spoofing I finally found the root cause. Having WiFi disabled, connected wireshark laptop to Connect Box 3 (Fiber/PON) directly using UTP cable and having all other infrastructure disconnected, I got the pcap confirming that CB3 sent two ARP replies for its gateway address using different MAC addresses. While one of them is correct, the second one seems random generated upon CB3 reboot and cause traffic blackholing while in use.

Moving to the third-octet different subnet like 192.168.7.0/24 doesn’t help. CB3 still sending pair of replies with new fresh generated MAC for 192.168.7.1.

Known issue? Have a fix already?

[upl-image-preview uuid=9cbae518-ac6b-4221-a86b-3345569eefe1 url= alt={TEXT?}

Xydocq

hello dk109

Welcome to the community.

Thank you for sharing the information. It seems you’re not the only one complaining about this issue. The community is a place where customers help other customers. You can call the hotline 0800 707 707 and report the issue there.

Maybe @Sunrise_Team can forward the information to the right people at Sunrise?

Xydocq

dk109

When did this error occur the first time?
Could you please provide the firmware- eg. software-version installed on your Connect Box?

Daniele_Sunrise

dk109 I’ve also found this regarding the security software message. It might be of further help.

https://forum.eset.com/topic/49052-arp-cache-poisoning-actual-attempt-or-false-positive/

Greetings
Daniele

dk109

Started several days ago. Definitely not weeks or months.
I’ve already tried several times reboot and power cycle - don’t help. Things like antivirus, IDS/IPS are not applicable

Hardware version 1.2.1b
Software version 8.10.4-2504.5-upg
ONT MAC address c4:eb:43:00:00:01
ONU serial number YCEC31266543

ZerosCool

Dear Team,

We’ve seen the same issue with several of our clients who have been working from home for the past few days. Others with consumer-grade connections for small offices are also being affected.

ARP spoofing is detected by the antivirus system and will block all connections from the machine. But even without an antivirus system, a duplicate ARP entry with different MAC addresses will cause major problems. It is also not feasible to create an exclusion for this type of alert.

We are talking about consumer lines with non-business SLAs. However, it is highly likely that this will become a major issue for you, generating a significant number of calls. We hope that the root cause (FW Update?) is quickly identified and rectified. Hope you’ll put it on Hight priority in your system

Xydocq

hello ZerosCool

Please tell the affected clients to disable channel optimization on the Connect Box 3 FIBRE. It can be found under Advanced Settings > Wireless > Wireless Signal

https://community.sunrise.ch/d/49255-heavy-packet-loss-with-meraki-mx/8

Ahmet_sunrise

Hello everyone,

Thank you for the engaging discussion. I’ve forwarded this internally. As soon as my colleagues provide feedback, I’ll be happy to share it with you here.

Best regards,
Ahmet

dk109

Xydocq
I can confirm with this workaround there is single ARP reply

ZerosCool

I’ve sent the workaround to my colleagues; we’ll see if it works for us as well.

Daniele_Sunrise

D k109 doesn’t use ESET; it was on my end that I encountered this error. Dk109 found, using Wireshark, that the box was responding with two MAC addresses, so it makes sense to me that ESET is returning a spoofing error. I’ve temporarily added an exception for the IP 192.168.1.1, but that’s not ideal.

Looking at the post on the ESET forum, it seems that users have a Virgin Media Hub5x, which appears to be the same as the Connect Box 3 Fiber used by Sunrise.

Could a potential Sagemcom firmware update include a feature that triggers ARP spoofing detection? Have you had any configuration rollouts or updates in the last few days or weeks for this type of equipment?

This seems to be limited to this type of box. At home, I have a Sunrise DSL line with a different type of box and I don’t have the issue.

Xydocq

ZerosCool

The Virgin Media Hub5x is similar to the Connect Box 3 FIBRE. Both companies belong somehow to Liberty Global.

Different versions of the Firmware are affected.

Not every user reporting the issue is using ESET. Some use their own router behind the Connect Box like @dk109 or @luisr and others just complained about the tv not working properly and outages when surfing the internet.

All complains so far are related to the Connect Box 3 FIBRE.

ZerosCool

Xydocq

Okay good to know that I’m not completely crazy ;-)

In my view, disabling optimisation is still just a workaround. Do you know if there are plans to release a firmware bug fix? If yes do you have any ETA?

Xydocq

ZerosCool

I am not a Sunrise employee. Therefor I can’t answer your question.

I just try to collect as much information as I can and spread it around the forum. There are like 6 different discussions going on right now.

All but one user reported, disabling the channel optimisation made their connection stable again.

Daniele_Sunrise

ZerosCool Our modem team has now been notified via the community and other support channels. They are currently investigating the exact cause of the issue. The common factor isn’t the modems themselves, but the Plume logic, which is used by many providers for Wi-Fi.

We’ll get back to you as soon as we have more information.

Greetings
Daniele