ARP UNWANTED REPLY

Discussion in 'other firewalls' started by cryon, Jul 6, 2011.

Thread Status:
Not open for further replies.
  1. cryon

    cryon Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    45
    Hi guys,

    Need your expert advice on this. Been getting this message from Outpost for the past 1 day.

    17:03:08 xx.xx.xx.xx Detected attack, host not blocked ARP_UNWANTED_REPLY

    Should I be worried? What does it mean?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Are you on a large LAN?
    It could be "Gratuitous ARP" from nodes (other PCs) booting.


    - Stem
     
  3. cryon

    cryon Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    45
    Thanks Stem for pointing me in the right direction. Yes, it's part of a large LAN. Destination always points to ff:ff:ff:ff:ff:ff.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi cryon,

    It does sound like "Gratuitous ARP".

    What happens is that when a node (PC) boots and gets an IP, it sends out an ARP broadcast to ask if any other node on the LAN has the same IP.
    Blocking them can cause problems (possibly resulting in 2 nodes on the LAN with the same IP), but allowing them could also cause problems (it is easy to DoS a node on the LAN with spoofed Gratuitous ARP (IP conflict)). It depends on whether the LAN is well managed or not.

    If you are not getting connection problems, then leave it as is, and ignore those warnings.

    - Stem
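
The distinction discussed above, as an added example that is not part of the original thread and is not Outpost's detection logic: it parses raw Ethernet/ARP frames, labels broadcast gratuitous ARP (assumed here to mean sender IP equal to target IP), and flags one that claims an IP already bound to a different MAC. Function names, the MAC addresses and the 192.0.2.x addresses are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

BROADCAST = b"\xff" * 6
ETH_ARP = 0x0806

def parse_arp(frame):
    """Return ARP fields from a raw Ethernet frame, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != ETH_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": dst, "oper": oper, "sha": sha,
            "spa": IPv4Address(spa), "tpa": IPv4Address(tpa)}

def classify(frames):
    """Label each frame; flag gratuitous ARP that rebinds a known IP to a new MAC."""
    bindings, labels = {}, []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            labels.append("not-arp")
            continue
        # Assumption: gratuitous ARP = sender IP equals target IP, sent to broadcast
        gratuitous = arp["spa"] == arp["tpa"] and arp["dst"] == BROADCAST
        known = bindings.get(arp["spa"])
        if gratuitous and known not in (None, arp["sha"]):
            label = "gratuitous-conflict"  # a different MAC already claimed this IP
        elif gratuitous:
            label = "gratuitous"
        else:
            label = "request" if arp["oper"] == 1 else "reply"
        if int(arp["spa"]) != 0:  # 0.0.0.0 senders carry no binding to learn
            bindings.setdefault(arp["spa"], arp["sha"])  # first MAC seen is kept
        labels.append(label)
    return labels

def build(dst, sha, spa, tpa, oper):
    """Construct a sample Ethernet/ARP frame (test data only, not captured traffic)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha,
                      IPv4Address(spa).packed, b"\x00" * 6, IPv4Address(tpa).packed)
    return struct.pack("!6s6sH", dst, sha, ETH_ARP) + arp

A, B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
SAMPLE = [
    build(BROADCAST, A, "192.0.2.10", "192.0.2.10", 2),  # node A announces its IP
    build(BROADCAST, A, "192.0.2.10", "192.0.2.1", 1),   # ordinary ARP request
    build(BROADCAST, B, "192.0.2.10", "192.0.2.10", 2),  # node B claims the same IP
]
if __name__ == "__main__":
    print(classify(SAMPLE))
```

On a well-managed LAN the conflict label should be rare; repeated conflicts for the same IP are the case worth investigating rather than ignoring.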
     
  5. cryon

    cryon Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    45
    Thanks Stem. Will ignore it for now as I'm not seeing this error anymore today.
     