
ARP attack between Sonos speakers. ARC attacks the Era-100 rear speakers, or vice versa. What's happening with Sonos? My Eset antivirus detected the ARP attack between these products, and this is causing my Wi-Fi network to crash. I also notice they're creating a hidden 2.4GHz network.

 

Are all of these devices wired to a managed switch? 

If the two Era 100s are surrounds, remove any Ethernet cables from them; they should latch on to the 5 GHz signal (hidden) generated by the Arc. It’s how the system is actually designed to work.

Edit: of course the radio/wifi needs to be turned on on all three devices.


All the speakers are connected to a TP-Link Archer 9 router on the 2.4GHz band. About 4 days ago, I started having problems with my internet connection being slow. I noticed the first ARP attack between the Era-100s and the ARC bar. Now, today I'm getting another attack between the ARC and an Era-100. My Wi-Fi network hasn't been working properly since then.


Then they’re not connected via an Ethernet cable. I’m not much help, other than to suggest you communicate directly with Sonos themselves, by submitting a system diagnostic within 10 minutes of experiencing this problem, and calling Sonos Support to discuss it. Don’t post the resulting diagnostic number here, they get sensitive about GDPR.

There may be information included in the diagnostic that will help Sonos pinpoint the issue and help you find a solution.

When you speak directly to the Support staff, they have tools at their disposal that will allow them to give you advice specific to your network and Sonos system.


Are you sure that this isn't a false report from your tool and that the blocking it is doing is causing the problem?


The problem is real; there's nothing fake here; it's just something that's happening. I'm waiting for a Sonos engineer to resolve this speaker security issue for me, because that's what it really looks like. They'll know.


You’re already in communication with Sonos engineers?


I don't know if it will be possible to do it. I'm in Panama and I don't know if they can do anything for me or check the devices from there. Really, I would just have to reset the speakers and I don't know if that will solve the problem, because I need someone from them to see this post.


The only Sonos employees that read this forum and reply are Sonos forum moderators.

If you want to get data to engineers, you’d need to submit that diagnostic I was speaking of, and call Sonos support. 

I’m certainly not having any issue with my Arc and Era 100s surrounds, and like @Stanley_4, I’ve seen other cases of misreporting by various device/software combinations before, which ultimately end up not being issues with Sonos, but the way that these systems ‘look’ at things. Which isn’t to say there’s no chance, but suggests it’s extremely small.

I recognize being in Panama is a challenge, as there is no Support location there, but Sonos Support exists in other countries in South America. Perhaps one of those might be able to assist you.

 

 


Resetting, aka factory reset, will usually do nothing and usually makes things worse.

I'd really lean to your tool getting confused by the way Sonos uses your network and the one(s) it creates.

Try removing the Ethernet connections and the private "SonosNet" 2.4 GHz network should go away.

Unbond any subs and surrounds and the private 5 GHz network should also go away.

 

If you can configure your tool to understand Sonos networking and how the Sonos devices use your network and the ones they create, it might be able to coexist and not block essential Sonos to Sonos network traffic, or essential traffic between Sonos and your router and/or Controller.

If you can't call support you could try the other contact options, maybe chat?


I think this is a false positive. When in surround mode the Arc will request the IP addresses for the rears via some kind of DHCP Proxy and it looks like your Eset Antivirus is seeing this as a problem which it is not in reality.

I’m not sure why this would bring your WiFi down. Where is Eset installed? It looks like it’s just a PC, so not sure why that could bring down your network.


This is normal behavior for Sonos HT, don’t be concerned.

When the Era-100s are powered on / restart they use their own MAC address and get an IP address from your router. They will then bond to the Arc, and use the Arc MAC address (proxy) and use the same IP address. This is often detected as a MAC “Spoof” or “Poison”. You will see 2 MAC addresses in your screenshot with only a single IP address, one will be the Arc the other an Era-100.

One of the reasons why I don’t recommend reserving IP addresses for Sonos speakers.
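The pattern described in the post above (two MAC addresses seen for a single IP address) can be separated from a changed gateway mapping with a small triage script. This is an added example, not part of the original post and not Sonos or Eset code; the log format, the addresses and the MACs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: one line per ARP reply seen ("time ip mac").
# The format, addresses and MACs are made up for this example.
SAMPLE_LOG = """\
10:00:01 192.168.0.1  02:00:00:aa:00:01
10:00:02 192.168.0.23 02:00:00:bb:00:10
10:00:03 192.168.0.40 02:00:00:cc:00:30
10:05:17 192.168.0.23 02:00:00:bb:00:20
10:05:18 192.168.0.1  02:00:00:aa:00:01
10:05:40 192.168.0.23 02:00:00:BB:00:20
"""

LINE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s*$"
)

def parse(log):
    """Return (time, ip, mac) tuples; MACs are lower-cased, bad lines skipped."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).lower()))
    return records

def ip_conflicts(records):
    """Map each IP claimed by more than one MAC to its MACs, in order first seen."""
    seen = defaultdict(list)
    for _, ip, mac in records:
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

def triage(records, gateway_ip):
    """Label each conflict. A second MAC for the gateway IP is the case to
    investigate first; a conflict on one client IP matches the bonded pattern."""
    result = {}
    for ip, macs in ip_conflicts(records).items():
        kind = "gateway" if ip == gateway_ip else "client"
        result[ip] = (kind, macs)
    return result

if __name__ == "__main__":
    for ip, (kind, macs) in triage(parse(SAMPLE_LOG), "192.168.0.1").items():
        print(f"{ip}: {kind} conflict, MACs seen: {', '.join(macs)}")
```

On the constructed log only 192.168.0.23 is reported, as a client conflict; the gateway entry keeps a single MAC throughout.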


This problem started about 5 days ago. I used the Eset antivirus years ago and this is the first time it sends an ARP attack message, and the strangest thing is that it is caused by Sonos products. Right now I have the speakers disconnected from the power grid. The router I use is about 5 years old and has never given me a problem, so right now I am keeping the Sonos speakers offline. My Wi-Fi network uses DHCP to automatically assign IP. I will see what day it is when I have time; I will try connecting my PC directly to the router of the internet company that I pay to check the internet speed and then compare it with that of my own router. If the problem continues, I will have to reset my router or buy another one to see if this strange issue is corrected. I will keep you informed.


Strange situation no doubt. It might be prudent to upgrade your WiFi router (I know, more $$$) to get around this mess. Just for reference, I’ve got ASUS RT-AX5400 routers in a 2 node mesh network with 26-28 connected devices that runs flawless. I’ve had these up and running since Oct 2023. I like the fact I can monitor and make adjustments from my primary workstation (Win 11,) iPhone & iPad without issues. I’ve got the ARC Ultra connected via Ethernet on the primary node, Sub 4 & ERA100’s are all in wireless connection mode. Just pure bliss for now, hands down.

 

My internet provider is Breezeline @ 500MB down / 50MB up. I can speed test from my Win 11 machine that’s connected (via Ethernet) on the secondary router node and get consistent advertised speeds. That’s impressive considering it rides the 5GHz pipe between router nodes to attain that.

 

Anyway, give some thought to a new router and get rid of this headache you’ve got. I don’t see any of that nonsense with my setup, so there’s that. Hope you get it worked out, please share your findings when you do get it sorted!

Moderator edit: Link removed.


Just to be clear here’s an AI generated explanation of an ARP attack…

 

All said Sonos (IMO) is not at fault although it may be collateral damage due to a network security breach. The most common breaches occur because of poor network encryption and passwords:

Encryption

  • WPA (Wi-Fi Protected Access) version used should be WPA2, WPA3 or WPA2/WPA3. The latter is the most user friendly for all devices on a network. WPA3 used alone may cause issues for some older devices. If you are using WEP or WPA1 the network is wide-open to attacks.

Password

  • Assuming you have the proper WPA version in place the next vulnerability is a weak or easily determined Wi-Fi password. * Click this link for tips on password security. 

Stopping or preventing the attacks can be as simple as correcting the points made above. More difficult resolution may require one or more of the following:

  • Factory Reset of the network (requires use of proper encryption and strong password upon setup) 
  • Factory reset of Wi-Fi clients (will require use of the network SSID and Password to allow re-connection to network)
  • Erase and re-install of a computer OS assuming trojans may have been embedded in it

 * Password update of Wi-Fi clients required


Problem solved. After testing the Wi-Fi network, I discovered wireless interference due to other signals outside my home. The problem was resolved by changing the transmission channels from the 2.4 and 5GHz bands to unsaturated channels. My router was set to automatic channels; it's an Archer C9 router. The ARP attack message between speakers no longer appeared in the antivirus, and the hidden 2.4GHz band that was showing up before also disappeared. Thanks to everyone for their time and advice.


Good call on the encryption and password use. I use WPA2/WPA3 with an 18 character PW. I’ve learned a lot about the AI explosion used by hackers on Hive Systems website. I’m a retired data center network guy, not specialized in security for routers but did the last stretch of my career doing Windows server farm admin.

Strong encryption and passwords are a must these days. 


My router uses WPA2 with AES, so I'll have to buy a newer one that's just as good as this one and has WPA3. I improved the Wi-Fi passwords just in case, but I've never had any problems with my Wi-Fi network.

