ARP cache poisoning attack

Discussion in 'ESET Smart Security' started by Pfipps, Nov 6, 2007.

Thread Status:
Not open for further replies.
  1. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    I am on a college network and keep on logging "ARP cache poisoning attack." Could this be a false positive? It keeps on logging it at least once every 20 seconds. I might have to notify the IT department.
     
  2. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    Is some snoop trying to see what other people are doing on my network? Hell, they might be looking at this message right now.
     
  3. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Maybe another PC on the network has some bot/trojan on it. Maybe it is your NIC that is malfunctioning.
    It happened to me that I kept getting "DNS cache poisoning attack"; it was not an attack, nor was it ESS, it was my router that was sending the wrong information.
    Sorry I can't be more specific, but I'm no expert in the matter.
     
  4. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    I also notice that there is no IP or port information for the ARP attack, so I really don't know where it is coming from. Are there any IT experts at Eset who know how the firewall and local networks work? How would my NIC be malfunctioning? The NIC driver maybe?

    I read that many network sniffers use this poisoning.
     
  5. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    I still got that during my short evaluation of ESS. I'm waiting until the problem with images is fixed to consider trying it again. I would get the ARP cache poisoning alert, and there was no info. except for 0 for the port (I think it was that at least.) I also have a router.
     
  6. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    Are you on a local network, or do you use an ISP, broadband or not?
     
  7. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    ARP is sent on a broadcast address in the format described at http://www.erg.abdn.ac.uk/users/gorry/eg3561/inet-pages/arp.html:
    If any of the information in the request is seen to be incorrect for the segment, then this could be seen as an attack attempt.

    Maybe your router is forwarding ARP requests from the internet?

    HTH

    Cheers :)
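The detection idea in the post above (ARP replies whose information is "incorrect for the segment") can be shown in code. The block below is an added example, not code from the thread or from ESET: it builds a few raw Ethernet/ARP frames (constructed sample traffic with made-up MAC and IP addresses), parses them using the standard RFC 826 layout, and raises an alert when a reply was never requested, when an IP address suddenly maps to a different MAC, or when the Ethernet source and the ARP sender hardware address disagree. The alert names and the `ArpMonitor` class are this example's own choices.

```python
"""Minimal ARP-cache-poisoning monitor over raw Ethernet/ARP frames (added example).

Frame layout: 14-byte Ethernet II header, then a 28-byte ARP packet for
IPv4 over Ethernet (RFC 826). All addresses below are constructed test data.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(src_mac, dst_mac, op, sha, spa, tha, tpa) -> bytes:
    """Constructed test input: Ethernet II frame carrying an IPv4 ARP packet."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, opcode
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "eth_src": mac_str(frame[6:12]), "op": op,
        "sha": mac_str(body[0:6]), "spa": ip_str(body[6:10]),
        "tha": mac_str(body[10:16]), "tpa": ip_str(body[16:20]),
    }


class ArpMonitor:
    """Tracks IP->MAC bindings seen on the segment and flags suspicious changes."""

    def __init__(self):
        self.table = {}        # ip -> mac learned from traffic
        self.pending = set()   # ips asked for in a request, reply not yet seen
        self.alerts = []

    def feed(self, frame: bytes) -> list:
        """Process one frame and return the alerts it raised (possibly none)."""
        before = len(self.alerts)
        p = parse_arp(frame)
        if p is None:
            return []
        # Sender hardware address should match the frame's Ethernet source.
        if p["sha"] != p["eth_src"]:
            self._alert("eth_arp_mismatch", p["spa"], p["eth_src"], p["sha"])
        if p["op"] == ARP_REQUEST:
            self.pending.add(p["tpa"])
        elif p["op"] == ARP_REPLY:
            if p["spa"] in self.pending:
                self.pending.discard(p["spa"])
            else:
                # Unsolicited reply: the classic poisoning vector, but also what a
                # legitimate gratuitous ARP looks like, so treat it as a heuristic.
                self._alert("unsolicited_reply", p["spa"], None, p["sha"])
        if p["spa"] != "0.0.0.0":  # RFC 5227 address probes carry no usable binding
            self._learn(p["spa"], p["sha"])
        return self.alerts[before:]

    def _learn(self, ip: str, mac: str):
        old = self.table.get(ip)
        if old is not None and old != mac:
            # A DHCP reassignment or a replaced NIC also causes this, hence false positives.
            self._alert("mapping_changed", ip, old, mac)
        self.table[ip] = mac

    def _alert(self, kind, ip, old, new):
        self.alerts.append({"kind": kind, "ip": ip, "old": old, "new": new})


if __name__ == "__main__":
    GW, HOST, EVIL = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:05", "aa:aa:aa:aa:aa:66"
    mon = ArpMonitor()
    mon.feed(build_arp(HOST, BROADCAST, ARP_REQUEST, HOST, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"))
    mon.feed(build_arp(GW, HOST, ARP_REPLY, GW, "10.0.0.1", HOST, "10.0.0.5"))      # legitimate
    mon.feed(build_arp(EVIL, HOST, ARP_REPLY, EVIL, "10.0.0.1", HOST, "10.0.0.5"))  # spoofed gateway
    for a in mon.alerts:
        print(a)
```

The two alerts raised for the spoofed reply (unsolicited, then mapping changed) are exactly the kind of event a host firewall labels "ARP cache poisoning attack"; the comments mark the benign causes that trigger the same rules, which is why a capture of the offending frames is needed before concluding that someone is snooping.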
     
  8. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    I don't have a router though. Apparently, there are two possibilities with me being on a college network: the ESS firewall is giving a false positive or there is someone on my local network snooping around. I even got an inbound connection request (svchost.exe) for the port used by llmnr (Link-Local Multicast Name Resolution) from a local user on my network, not a designated DNS server or anything like that. Since I am in interactive mode, I just blocked that particular address. Still, does that show there is anything wrong?
     
  9. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    So far as I can see from the information you have provided here, it seems your ESS is working well and doing its job :)

    Cheers :)
     
  10. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    11/6/2007 11:59:50 PM Communication denied by rule *.*.*.*:54746 239.255.255.250:1900 UDP Deny traffic for svchost.exe(2) c:\windows\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE

    I don't quite understand this. When I got the dialogue it said it was attempting to connect to my pc, but the address says "239.255.255.250," which is not my pc. Am I blocking something routine?

    The "*.*.*.*" is another user on my network.
     
  11. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Probably, yes.
     
  12. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    239.255.255.250 is a broadcast (multicast) address and it is common for a PC to listen on this address but that doesn't mean necessarily that you want all of the traffic sent on it.

    Cheers :)
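To make the point of the reply above concrete (a denied packet to 239.255.255.250:1900 is multicast discovery chatter, not a connection aimed at one PC), here is an added example, not code from ESET or from anyone in the thread. It parses the flow part of ESS log lines like the one posted, uses Python's `ipaddress` module to decide whether the destination is a multicast group, and names the well-known discovery services for SSDP, LLMNR and mDNS. The first sample line is the one from the post (source masked by the poster); the other two are constructed, and the verdict wording is this example's own.

```python
"""Triage of ESET Smart Security firewall log lines (added example):
is a denied packet really aimed at this PC, or is it LAN multicast chatter?"""
import ipaddress
import re

# Well-known IPv4 multicast groups and UDP ports of common LAN discovery protocols.
DISCOVERY_SERVICES = {
    ("239.255.255.250", 1900): "SSDP (UPnP device discovery)",
    ("224.0.0.252", 5355): "LLMNR (link-local name resolution)",
    ("224.0.0.251", 5353): "mDNS (multicast DNS)",
}

# "src:port dst:port PROTO"; the source may be masked as *.*.*.* as in the post,
# so the address text is not validated here.
FLOW_RE = re.compile(
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s+(?P<proto>UDP|TCP)\b"
)
PROCESS_RE = re.compile(r"[A-Za-z]:\\\S+\.exe")

SAMPLE_LINES = [
    # Line from the post above (source masked by the poster).
    r"11/6/2007 11:59:50 PM Communication denied by rule *.*.*.*:54746 239.255.255.250:1900 UDP "
    r"Deny traffic for svchost.exe(2) c:\windows\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE",
    # Constructed: LLMNR query from another LAN host.
    r"11/7/2007 12:01:10 AM Communication denied by rule 10.20.30.40:52123 224.0.0.252:5355 UDP "
    r"Deny traffic for svchost.exe c:\windows\system32\svchost.exe NT AUTHORITY\NETWORK SERVICE",
    # Constructed: unicast SMB attempt at this host.
    r"11/7/2007 12:02:00 AM Communication denied by rule 10.20.30.41:3456 10.20.30.9:445 TCP "
    r"Deny traffic for System",
]


def parse_ess_line(line: str):
    """Extract the flow tuple (and process path, if any) from a log line, or None."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    proc = PROCESS_RE.search(line)
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "proto": m["proto"],
        "process": proc.group(0) if proc else None,
    }


def classify(flow: dict) -> dict:
    """Decide whether the destination is a multicast group and which discovery service, if any."""
    try:
        is_multicast = ipaddress.ip_address(flow["dst"]).is_multicast
    except ValueError:  # masked or non-IP destination
        is_multicast = False
    service = None
    if flow["proto"] == "UDP":
        service = DISCOVERY_SERVICES.get((flow["dst"], flow["dport"]))
    if is_multicast and service:
        verdict = "routine: LAN discovery multicast, not aimed at this host in particular"
    elif is_multicast:
        verdict = "multicast group traffic: identify the application, usually harmless"
    else:
        verdict = "unicast to this host: check the listening process and whether the peer is expected"
    return {"is_multicast": is_multicast, "service": service, "verdict": verdict}


def triage(lines) -> list:
    """Parse and classify every line that carries a flow; unparseable lines are skipped."""
    rows = []
    for line in lines:
        flow = parse_ess_line(line)
        if flow is not None:
            rows.append({**flow, **classify(flow)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(f'{row["src"]}:{row["sport"]} -> {row["dst"]}:{row["dport"]}/{row["proto"]}: '
              f'{row["service"] or "-"}; {row["verdict"]}')
```

The ESS dialogue said another machine was "attempting to connect to my PC" because the packet arrived on the PC's interface, but the destination is the group address every SSDP listener joins; blocking it silences UPnP discovery and nothing else.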
     
  13. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    I'm on broadband and on a home network. Since there's hardly any info., I don't know what ESS is picking up.
     
  14. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    You should send a ticket to Eset Support. If you have Wireshark, you could capture some packets and send them too. That is what they asked me to do when I had a similar problem with RC1 of ESS.
     
  15. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    So what was the problem in your case? I'm afraid I only know how to send Eset a description of the issue.
     
  16. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    My problem was that ESS detected a repeated DNS cache poisoning attack coming from my router's IP. I assumed it was ESS, since I had been using Kerio (which has its own IDS system and never showed that kind of message).
    The result was that after sending Eset a support ticket and capturing some packets with Wireshark, they found out that the problem was my router, which was handling bad DNS responses.
    That is why I would advise you to contact support; maybe it is your own NIC that is the problem and ESS is telling you.
    That is also why I like the firewall: no other software firewall I ever used was able to tell me this, and now I have managed to solve the problem with my router and everything works just fine.
     