
I am currently using a TalkTalk router to access my home network. I've had issues previously with my connection being either slow or cutting out fully (not a common issue).

I downloaded XARP previously - a tool used to identify ARP spoofing attacks - and the tool flagged my network for a possible attack. I read somewhere that in order to avoid this, you should make all ARP entries static. Even when doing so, the entry would revert back to dynamic when running arp -a via cmd.

In the process of testing, I inputted the following command to show all neighbors on my network interface (in this case my Ethernet connection):

netsh interface ipv4 show neighbors "Ethernet"

Results can be seen here

However, I noticed an odd IP here (169.254.93.156) with the physical address as 00-00-00-00-00-00 (I'm assuming this is the MAC address) and the type set to unreachable. There are also many other IPs with this MAC address.

When I execute netstat -ano via cmd to check for all connections and listening ports, I notice something weird with the local addresses showing 0.0.0.0 here and here.

What could I do in the worst scenario? Let's say someone has all the details to my router and my devices connected on it. I know I can detect using XARP, but how would I prevent possible spoofing attacks?

Could the above be an indication of a possible MAC spoofing attack?

Bit of a rookie with this, so any advice will be appreciated.


2 Answers


169.254.93.156 is an APIPA address. Many operating systems will automatically pick an address in this range if one can't be obtained from DHCP.

Static ARP requires you do the following:

  • Find the MAC address of every device on your network.
  • Configure static ARP entries on every device on your network, including your router.
  • Update every device on your network when you introduce a new device.

Unless you did the above you probably did it wrong. Also this can't be done on things like iPhones. It's a lot of "administrative overhead" and probably not worth it in most instances - if you have untrusted devices on your network there's better ways to separate them from trusted devices (VLANs or other network segmentation).

ARP converts IP addresses to MAC addresses, and is typically needed so devices in a LAN can communicate with one another if they aren't preloaded with IP-to-MAC mappings.

Someone can use ARP attacks within your network if they get past your router, but they shouldn't be getting past your router in the first place to even do that, so you should be working towards figuring that out.

If you suspect your network is compromised, you need to take your router offline, reset it, ensure firmware is updated to latest version, and change any passwords both on the router and also related to any ISP or provider accounts from a known not-compromised system.


However, I noticed an odd IP here (169.254.93.156) with the physical address as 00-00-00-00-00-00 (I'm assuming this is the MAC address) and the type set to unreachable. There are also many other IPs with this MAC address.

That's normal. "Unreachable" means that the ARP lookup failed for this address (i.e. it does not exist in your local subnet), so the 'MAC address' field remains empty. Such an entry will show up whenever you ping or otherwise attempt to connect to a nonexistent local IP address.

(The neighbour table doesn't only cache "positive" results – it also keeps track of "negative" entries for a short amount of time, so that the OS wouldn't flood the network with ARP queries if they're just going to keep failing.)

This will occur for any address that the OS considers as within the local subnet, and this includes 169.254.0.0/16 addresses because they're defined to be link-local even if not explicitly configured that way.

When I execute netstat -ano via cmd to check for all connections and listening ports, I notice something weird with the local addresses showing 0.0.0.0 here and here.

That's normal (and completely unrelated to the previous).

In the bind() function used to establish listening sockets, the all-zeros address (0.0.0.0 for IPv4 or :: for IPv6) means "unspecified address" and binds the socket to all local addresses available.
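The two answers above together describe how to read the neighbor table: zero-MAC "Unreachable" rows (including 169.254.0.0/16 link-local addresses) are negative cache entries, broadcast and multicast rows are fixed mappings, and the entries that actually matter are the unicast hosts, where one MAC claiming several IPs or a non-static gateway entry is what you would look at when suspecting ARP spoofing. The following script is an added example, not code from either answer or from the XARP tool; it parses constructed output in the layout of `netsh interface ipv4 show neighbors "Ethernet"` (all addresses and MACs are made up, and the gateway IP passed to `classify` is an assumption) and applies exactly those rules.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, laid out like `netsh interface ipv4 show neighbors "Ethernet"`.
# All addresses and MACs are made up. The gateway (.1) and the host .37 deliberately
# share one MAC to simulate what ARP spoofing of the gateway looks like in the table.
SAMPLE_NEIGHBORS = """\
Interface 12: Ethernet


Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
192.168.1.1                                   d6-12-34-56-78-9a  Reachable
192.168.1.20                                  b8-27-eb-aa-bb-cc  Stale
192.168.1.37                                  d6-12-34-56-78-9a  Reachable
192.168.1.99                                  00-00-00-00-00-00  Unreachable
169.254.93.156                                00-00-00-00-00-00  Unreachable
192.168.1.255                                 ff-ff-ff-ff-ff-ff  Permanent
224.0.0.22                                    01-00-5e-00-00-16  Permanent
239.255.255.250                               01-00-5e-7f-ff-fa  Permanent
"""

ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)\s*$",
    re.IGNORECASE,
)
ZERO_MAC = "00-00-00-00-00-00"
BCAST_MAC = "ff-ff-ff-ff-ff-ff"


def parse_neighbors(text):
    """Extract (ip, mac, state) rows; header and separator lines do not match the regex."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3)))
    return rows


def is_group_address(ip, mac):
    """Broadcast and IPv4 multicast mappings are derived from the IP, never learned via ARP."""
    return (mac == BCAST_MAC
            or ipaddress.ip_address(ip).is_multicast
            or mac.startswith("01-00-5e-"))


def classify(rows, gateway_ip):
    """Separate benign table entries from the ones worth investigating."""
    report = {"negative": [], "link_local_negative": [], "group": [], "hosts": {},
              "gateway_state": None, "findings": []}
    ips_by_mac = defaultdict(list)
    for ip, mac, state in rows:
        if mac == ZERO_MAC and state.lower() in ("unreachable", "incomplete"):
            # Negative cache entry: ARP got no answer for an address the OS treats as on-link.
            report["negative"].append(ip)
            if ipaddress.ip_address(ip).is_link_local:  # 169.254.0.0/16 (APIPA)
                report["link_local_negative"].append(ip)
            continue
        if is_group_address(ip, mac):
            report["group"].append(ip)
            continue
        report["hosts"][ip] = (mac, state)
        ips_by_mac[mac].append(ip)
        if ip == gateway_ip:
            report["gateway_state"] = state
    # One MAC answering for several unicast IPs is the classic ARP spoofing signature.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            report["findings"].append(
                f"MAC {mac} is mapped to {len(ips)} addresses: {', '.join(sorted(ips))}")
    if report["gateway_state"] is None:
        report["findings"].append(f"no neighbor entry for gateway {gateway_ip}")
    elif report["gateway_state"].lower() != "permanent":
        report["findings"].append(
            f"gateway {gateway_ip} entry is {report['gateway_state']}, "
            f"not a static (Permanent) entry")
    return report


if __name__ == "__main__":
    rep = classify(parse_neighbors(SAMPLE_NEIGHBORS), "192.168.1.1")
    print("benign negative entries:", rep["negative"])
    print("link-local (APIPA) among them:", rep["link_local_negative"])
    for finding in rep["findings"]:
        print("CHECK:", finding)
```

On the sample it reports the two zero-MAC rows as benign negative entries (one of them link-local), ignores the broadcast and multicast rows, and raises two findings: the shared MAC and the gateway entry being Reachable rather than Permanent. A shared MAC is a signal to investigate rather than proof of an attack, since a host with secondary addresses produces the same pattern; comparing against a snapshot taken when the network was known-good is the practical way to tell the difference.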

