Today I really got into the ARP protocol and its attacks. I tried downloading XArp to test my network, and it said an attack had been detected. Then I researched it some more, but I found nothing that actually concerned it. Sometimes it popped up an alert saying the PC sent a frame but the destination coincided (the source address was the PC and the recipient address was broadcast FF:FF:FF...). This afternoon I ran XArp again to check whether something had changed. Accidentally, I switched the connection on my phone (from my main network to a repeater), and I saw that another attack was detected. Then I tried to connect my phone back, and the program gave me the same result. Since an ARP attack is detected by XArp when there is a request from a device with the same MAC address as another one but with a different IP address, and since the requests from the repeater have the same MAC (the repeater's) but different IPs (the devices'), do you think this is related? Is it a false positive?
Please let me know if you think I got something wrong or there's another explanation. Thanks.
1 Answer
You are most likely correct about the repeater. If it's connected to a regular Wi-Fi network, it will be forced to use its own MAC address due to limitations of Wi-Fi client connections. (It's unfortunate that 4addr mode is so uncommon among wireless routers.)
However, the pattern is the opposite from what you describe – a device with a single MAC address having multiple IPs is completely valid.[1] Rather, it's a single IP address moving between different MAC addresses that often indicates an ARP spoofing attack.
So when your phone switches to a repeater, to the rest of the network it can definitely look like the repeater is sending spoofed packets with the phone's IP address on them, because the MAC address is suddenly different.
[1] (PCs can have multiple IPs assigned to them at once. Also, all packets going through a router will always be sent from the router's own MAC address.)
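As an added illustration of the detection logic the answer describes (example code written for this page, not from the question, the answer, or XArp): a minimal ARP binding tracker that ignores one MAC holding many IPs, but flags an IP that moves to a new MAC, and treats a move to an operator-listed repeater MAC as a probable roam rather than spoofing. All MAC and IP values below are constructed.

```python
from collections import defaultdict
from typing import Optional


class ArpWatcher:
    """Tracks IP->MAC bindings seen in ARP traffic and flags IP moves.

    known_bridges: MACs of devices that legitimately forward for others
    (a Wi-Fi repeater, a router). This is an operator-supplied assumption,
    not something learned from the traffic itself.
    """

    def __init__(self, known_bridges=()):
        self.ip_to_mac = {}                 # last MAC seen for each IP
        self.mac_to_ips = defaultdict(set)  # all IPs seen behind each MAC
        self.known_bridges = {m.lower() for m in known_bridges}

    def observe(self, ip: str, mac: str) -> Optional[str]:
        mac = mac.lower()
        self.mac_to_ips[mac].add(ip)        # many IPs per MAC: never an alert
        previous = self.ip_to_mac.get(ip)
        self.ip_to_mac[ip] = mac
        if previous is None or previous == mac:
            return None
        # The IP now answers from a different MAC: the suspicious pattern.
        if mac in self.known_bridges:
            return "roam"    # host moved behind a repeater/router; likely benign
        return "spoof"       # an unexpected MAC took over the IP; investigate


def run_scenario():
    """Replays the situation from the question plus one genuine takeover."""
    w = ArpWatcher(known_bridges=["02:00:00:00:00:02"])  # the repeater
    events = [
        ("192.168.1.1", "02:00:00:00:00:01"),   # gateway
        ("192.168.1.20", "02:00:00:00:00:20"),  # phone on the main Wi-Fi
        ("192.168.1.2", "02:00:00:00:00:02"),   # repeater's own address
        ("192.168.1.30", "02:00:00:00:00:02"),  # TV behind repeater, same MAC
        ("192.168.1.20", "02:00:00:00:00:02"),  # phone re-joins via repeater
        ("192.168.1.1", "02:00:00:00:00:66"),   # unknown MAC claims gateway IP
    ]
    verdicts = [w.observe(ip, mac) for ip, mac in events]
    return verdicts, w


if __name__ == "__main__":
    verdicts, watcher = run_scenario()
    print(verdicts)  # [None, None, None, None, 'roam', 'spoof']
```

The repeater ends up with three IPs behind one MAC without raising anything; only the two IP-to-new-MAC moves are reported, and the one that lands on the listed repeater MAC is labelled as a roam.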