Arp Spoofing?

Joined Jul 31, 2011
I've been spending some days trying to work on this, but not sure I'm making any progress. If anyone has any thoughts I'd appreciate it.

I'm an American, stationed in China. Have a DLink wireless router (best one available here) and a home network. My SSID is hidden, all settings are changed from default, I have a 48 character random password, all that stuff. I have a Macbook, a Mac desktop and two iPads connected to this network.

I run Intego's VirusBarrier and NetBarrier, with NetBarrier always set on the highest setting (like for public wifi). I also have ArpGuard running, and always use a VPN when I get online.

Yesterday ArpGuard went nuts. Whenever I was connected to my network without the VPN (which happens frequently because it takes a moment for the VPN to connect; plus the Chinese are constantly trying to shut down VPN access, so the VPN shuts off every hour or so and I have to reconnect or connect to another) I would continuously get the message: "Suspicious activity detected on network." I contacted the ArpGuard designer, and he confirmed that it really only looks for ARP spoofing, so that's what it would have to be. Even with the VPN on, web pages would just suddenly stop loading, and I would be told there was something wrong with the page (like Google). This is the typical way the Chinese block things here. They try to make it look like the page itself is down, so people don't realize the extent to which they are being blocked by the Great Firewall. If I kept pushing, I could sometimes get it to load. Finally I messed with my NetBarrier settings: I'd had it set to block incoming internet connections and incoming local connections. It was allowing outgoing internet (obviously) and local. I blocked all outgoing local connections. When I did that and reconnected the VPN, everything ran smoothly (no more trouble loading pages) and ArpGuard reported everything OK.

As soon as the VPN goes off, ArpGuard reports activity again. I ran Moobila WiFi on my iPad, which basically tells you if a network is safe or not. However, it does not define the criteria it uses to make this decision. Without a VPN, it considers my home wireless to be malicious. With a VPN, it considers the wireless network safe.

I basically do know what ARP spoofing is, but I don't understand a lot about it. I've spent the last few days wiping our iPads and redownloading everything only through the VPN, changing all our passwords to everything and reading everything I can find online about this. I just would really appreciate any advice or insight about what's going on. I assume someone (possibly the network provider at the behest of the government?) is trying to read/interfere with all our network traffic via an invisible ARP spoof. (Though the anti-ARP-spoofing setting on the router is on.) I've considered using SpoofMac (if I can ever figure out how to actually make it run) to spoof my own MAC address in case the ones we have are already compromised. However, to do that as I understand it requires disconnecting from the network and reconnecting. During that 1-3 minute window between reconnecting to the wireless itself and waiting for the VPN to connect, ArpGuard reports continuous activity (which all stops once the VPN is connected). Is that enough time for a malicious entity to re-spoof any new MAC address we might have? There seems to be no trouble once the VPN is up: does the VPN itself provide us with enough protection? Could this all be a fluke or false alarm? It seemed that ARP spoofing could only be done via direct physical access to the network. I assume that means the internet provider can do it. It's not a neighbor: our neighbors are all over 60 and don't even have computers. Plus these old Stalinesque concrete monster buildings can barely allow me to pick up my own wireless signal in my own apartment, let alone get through the walls for anyone else.

As you can see, I'm flailing in the dark a bit. This just started, so it seems like a new thing they're doing.
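One way to see for yourself what a tool like ArpGuard is reacting to is to take snapshots of the Mac's own ARP table (`arp -an` in Terminal) and compare them: the two classic symptoms of ARP spoofing are the gateway's IP suddenly mapping to a different MAC, and one MAC answering for several IPs at once. The script below is an added illustration written for this thread, not ArpGuard's or Intego's code; the gateway IP 192.168.0.1 and the MAC addresses in the sample snapshots are constructed, only the `arp -an` line format is real.

```python
"""Spot ARP-spoof symptoms by diffing two snapshots of macOS `arp -an` output.

Constructed sample data; added illustration, not ArpGuard's own logic.
"""
import re
from collections import defaultdict

# macOS `arp -an` line: "? (192.168.0.1) at 0:1e:58:ab:cd:ef on en0 ifscope [ethernet]"
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\))")

def normalize_mac(mac):
    """macOS prints unpadded octets (0:1e:...); pad to 00:1e:... so MACs compare equal."""
    return ":".join(octet.zfill(2).lower() for octet in mac.split(":"))

def parse_arp_table(text):
    """Return {ip: mac} from `arp -an` output, skipping incomplete entries."""
    table = {}
    for m in ARP_LINE.finditer(text):
        if m.group("mac") != "(incomplete)":
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table

def spoof_alerts(before, after, gateway_ip):
    """Compare two snapshots and return a list of human-readable alerts."""
    alerts = []
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old and new and old != new:
        alerts.append(f"gateway {gateway_ip} MAC changed {old} -> {new}")
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    # One MAC answering for several IPs is suspicious, though a router that owns
    # several addresses or a VM host can do this legitimately: verify before acting.
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts

# Constructed snapshots: in the second, the gateway's MAC has been replaced by
# the MAC that also answers for 192.168.0.10 (the man-in-the-middle pattern).
SNAPSHOT_CLEAN = """? (192.168.0.1) at 0:1e:58:ab:cd:ef on en0 ifscope [ethernet]
? (192.168.0.10) at 28:cf:e9:12:34:56 on en0 ifscope [ethernet]
? (192.168.0.20) at (incomplete) on en0 ifscope [ethernet]
"""
SNAPSHOT_SUSPECT = """? (192.168.0.1) at 28:cf:e9:12:34:56 on en0 ifscope [ethernet]
? (192.168.0.10) at 28:cf:e9:12:34:56 on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    clean, suspect = parse_arp_table(SNAPSHOT_CLEAN), parse_arp_table(SNAPSHOT_SUSPECT)
    for alert in spoof_alerts(clean, suspect, "192.168.0.1"):
        print("ALERT:", alert)
```

On a real network, feed it the output of `arp -an` taken once right after joining the wireless network and again a minute later, with the router's real IP as the gateway; a stable gateway MAC that matches the one printed on the router is the baseline to compare against.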
 

RavingMac (Staff member, Moderator; joined Jan 7, 2008)
I know very little about the subject but that never stopped me from having an opinion.

1) If you are a person or site of interest, you will lose this battle. They have way more resources, expertise and authority than you do. But, as long as you aren't doing anything that could get you in trouble, your main concern should be, IMO, privacy and protection of financial and personal info.
2) The only certain way to protect your info is not to transmit over electronic networks they ultimately control. Of course, if you used paper only, there is still mail interception and steaming open envelopes.

Bottom line, and going out on a limb here, since I have no idea of your situation or activities, but I think you need to do a realistic risk assessment. It seems to me you are investing way too much effort to little potential gain.
Spying on foreigners is a long-established tradition/policy almost everywhere and goes with the territory, especially when living in a tightly controlled State. So, again IMO, you need to ask yourself: "Is this an annoying inconvenience, or a real threat?"
If the latter, I suspect asking in an open forum like this is unlikely to help, and could potentially backfire.
 
