nanog mailing list archives

Re: Apple devices spoofing default gateway?


From: Mel Beckman <mel () beckman org>
Date: Thu, 14 Mar 2019 12:53:01 +0000

Can you post some packet captures? 

I was a network engineer on the WiFi network at SFO, for both passengers and baggage scanners, with several hundred 
APs. Several times we were misled by packet captures that seemed to show client traffic causing network problems, such 
as packet storms, but which ultimately always had some more mundane cause, like a failed DHCP server or flapping switch 
interface. 

The particular SFO network I worked on has Juniper switching and Aruba APs, so it’s not directly applicable to your 
ecosystem. But the complexities of interpreting packet captures may apply.

 -mel beckman

On Mar 14, 2019, at 5:28 AM, Simon Lockhart <simon () slimey org> wrote:

All,

We're seeing a bit of a weird one on our network at the moment, and wondering
if anyone else has seen it.

Since Friday we're seeing Apple devices (we believe it's both laptops and 
iPhones) responding to ARP requests for the default gateway IP with their own
MAC address (i.e. ARP spoofing / MITM type attack). We're only seeing it on
Apple devices, but what's more strange is that we're only seeing it where 
those Apple devices are connected to Cisco 1810 and 1815 APs, and where those
APs are connected to a Cisco WLC running v8.5 software. If we downgrade the
WLC to v8.2 the problem goes away (but v8.2 doesn't support 1815 APs, so we 
can't roll that out globally). We're engaged with Cisco TAC, but they're 
trying to deny it's their problem. Apple support are investigating, but aren't
admitting to having seen it before.

Has anyone else seen or heard of similar issues over the last few days?

Many thanks,

Simon
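
An added example, not part of the thread or either poster's code: one way to check a capture for the behaviour described above, ARP traffic that binds the default gateway IP to a MAC other than the gateway's own. The addresses, frames and function names are constructed for illustration.

```python
import struct
from collections import Counter

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP."""
    off = 12
    if frame[off:off + 2] == b"\x81\x00":      # skip one 802.1Q VLAN tag
        off += 4
    if len(frame) < off + 30 or frame[off:off + 2] != b"\x08\x06":
        return None
    body = frame[off + 2:]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, _mac(body[8:14]), _ip(body[14:18]), _ip(body[24:28])

def gateway_claims(frames, gateway_ip, gateway_macs):
    """Count ARP frames, keyed by (sender MAC, opcode), that bind gateway_ip
    to a MAC that is not in gateway_macs."""
    hits = Counter()
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        op, sender_mac, sender_ip, _ = arp
        # Sender fields of requests and replies can both update neighbours'
        # ARP caches, so either opcode counts; the thread reports replies (2).
        if sender_ip == gateway_ip and sender_mac not in gateway_macs:
            hits[(sender_mac, op)] += 1
    return dict(hits)

def build_arp(op, smac, sip, tmac, tip):
    """Build a 42-byte Ethernet+ARP frame (constructed test input)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    addr = lambda a: bytes(int(x) for x in a.split("."))
    dst = raw(tmac) if op == 2 else b"\xff" * 6
    return (dst + raw(smac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + raw(smac) + addr(sip) + raw(tmac) + addr(tip))

# Constructed addresses: gateway 192.0.2.1 at GW, clients A and B.
GW, A, B = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
SAMPLE_FRAMES = [
    build_arp(1, B, "192.0.2.51", "00:00:00:00:00:00", "192.0.2.1"),  # B asks for gateway
    build_arp(2, GW, "192.0.2.1", B, "192.0.2.51"),                   # real gateway answers
    build_arp(2, A, "192.0.2.1", B, "192.0.2.51"),                    # A answers with its own MAC
    build_arp(2, A, "192.0.2.1", B, "192.0.2.51"),
    build_arp(2, A, "192.0.2.50", B, "192.0.2.51"),                   # A answering for itself
]
```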
