DNS & ARP cache poisoning attacks since 12-30-08

Discussion in 'ESET Smart Security' started by newbie2247, Jan 18, 2009.

Thread Status:
Not open for further replies.
  1. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    I just checked my firewall logs and noticed that for the last couple of weeks I have been barraged with constant ARP and DNS cache poisoning attacks. Non-stop. Everything in the log is in red ink. Not one blue (safe, I assume) entry.

    Has ESET done anything in their updates from 12-30-08? I was doing just fine and then this.

    Some months back I was getting a lot of the ARP attacks but they mysteriously stopped. I knew ESET was working on some bug or problem as I read it here.

    Is anybody else experiencing anything like this? What should I do? Ignore it and hope that I am safe because I have ESET Smart Security Suite? (I am serious as well as very scared and nervous.) :doubt:

    Thank You and a belated Happy New Year! :)
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    You're perfectly safe just ignore it like all the rest of us.
     
  3. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Gotcha! Will do.



    Thank you.
     
  4. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72
    What I know: the problem with DNS poisoning attacks could be solved by creating a DNS server on your PC (I hope you know how that works), or you can configure your modem to do that if it is supported, or you could even try to set up different DNS server addresses. But an ARP attack is a local-source attack and it possibly comes from some PC on your network (you should read about ARP); the attacker can read your internet traffic by using a sniffer and obtain your passwords and logins and even get remote control of your PC (believe me :doubt: ). Of course you can use some hardware routers with firewall + modem which have their own ARP tables and other filters (physical!), otherwise you will still be vulnerable to attacks because a software firewall is not perfect.
    Maybe some stupid one tried to use some sniffer and stopped, because he is a stupid one, and you have nothing to worry about, but better be careful :)
     
  5. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Thank you very much NoviceX for your kind reply.

    I must confess to you that I have absolutely no idea at all of what you said to me. I need a total translation in simple English (for computer dummies) as well as step by step instructions. Those I CAN follow.

    I have a Windows Vista Premium Home Edition if that helps you or any other kind and generous soul out there who could help me.

    I used ESET Smart Security Suite v3 for my security and I have it all set to HIGH rather than DEFAULT. Not taking any chances at all.

    One other thing. Whenever I am on the Internet, I always use the free version of Sandboxie, even when opening and reading my email. I have no clue if it conflicts with my ESET or how much protection it give me. Again, just not taking any chances. Plus it's free.

    The attacks are still going on and boy oh boy am I scared out of my mind. I have no idea why they started and I wish they would stop. I miss the blue ink (safe stuff) and HATE this non-stop RED ink. Sob, sob, sob.
     
  6. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72
    ESET (ESS) v.3, as I understand it, only detects the ARP poisoning attack, so try Smart Security v.4; at least it is listed in the firewall log that the IDS is blocking the ARP attack. So if it is, you can filter this warning by the options in the firewall log.
    About DNS cache poisoning, try https://www.opendns.com/smb/start/device/windows-vista , after that we will see. DNS cache poisoning attacks could happen, rarely, but this is normal :)
    Do you have a static IP?
     
  7. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    Thanks again.

    I thought ESET 4 was beta. Also, I just renewed my v3 for 2 years at a lower rate but the daily update may or may not improve the v3. I don't know. What do you think?

    I clicked on that DNS link and looked at it. That's about all I am personally qualified to do, heh.

    I wish I had a techie brain like all of you do. Shmucks like myself get left behind. Way behind. That bites!

    Oh well. :'(
     
  8. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72
    ESET 4 is beta, but better than v.3. And about brains, all people have different mental structures, so you could possibly be a good artist or something else, so do not despond :D
     
  9. newbie2247

    newbie2247 Registered Member

    Joined:
    Jan 8, 2008
    Posts:
    199
    I thought v4 was still beta, so I am right on that count, thanks. Therefore since I have v3 I imagine I'd have to uninstall my paid for 2 year renewal of v3 and install the beta v4, correct? o_O

    Also, I imagine it must be still plenty loaded with bugs, etc. and wouldn't I also have to pay for v4? o_O

    How much do you all know about this and what should I do?

    My current settings for v3 are all default except for all the Threatsense settings. I have those ALL checked and set to "strict cleaning". I hope this is good. Feedback on all this eagerly needed and appreciated.

    I don't know what the deal is with dumping an already paid for 2 year renewal (v3) and getting the beta (v4). Pls advise and Thank You all very much for your time, help and patience with this Nervous Nellie who is very frustrated with nonstop ARP & DNS poisoning attacks. I sure wish they would stop.

    I HATE dealing with buggy programs - especially being so unenlightened - read: I don't know what the heck I am doing - with all things computer-related. I am the complete opposite of a tech savvy person. Don't understand any of the nomenclature and therefore almost everything I read for online help on anything and everything is way the heck over my head.

    What to do? There's always something. Isn't that the truth? Thank goodness for these forums and all you great people!!!! :)
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    You buy a license for signature updates not software updates. You can use v2, v3, v4, v9000, during this time.

    As far as I know v4 doesn't "fix" this "problem". Like I said earlier. I ignore it. It doesn't break internet in any way. It's just extra information I don't care about.
     
  11. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72

    You're right, you don't care about it, but I care, because someone reading my internet traffic could steal my logins and passwords (for example: WebMoney) (I did this myself out of interest), so I think it is really important to make that "fix" in the future, I mean for the ARP cache poisoning attacks. About "v4 doesn't 'fix' this 'problem'":

    1/27/2009 12:49:12 AM Packet blocked by active defense (IDS) 192.168.1.200 192.168.1.55 ARP

    so maybe ESET can block attacks on some layers, maybe local attacks, I don't know :blink:
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    What!? You're NOT UNDER ATTACK. How are they going to steal anything?
     
  13. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72
    I'm not going crazy, but:
    http://www.watchguard.com/infocenter/editorial/135324.asp
    http://en.wikipedia.org/wiki/ARP_spoofing
    "In my country many people use LAN networks to access the Internet (it's the cheapest way), so when someone makes an ARP Poisoning attack at my computer then he can catch all my passwords and all my traffic.. so it's dangerous and I don't know why KAV Labs' priority about that is 0" (not my words)
    "Recently, our school was badly influenced by the trojan sniffing the LAN. Thousands of people suffer the poor network, lost their password. Since there is an indeed real threat, I can't use KIS anymore. I have to change to Sygate firewall; Outpost firewall has ARP protection, but with wrong solutions. When it finds an attack, the connection is lost until you unblock the attacker."

    and more, more, more (easy to find)


    And I repeat! I did this myself, it's working. If you don't know how, read more about ARP attacks, and if you have a LAN try Cain&Abel www.oxid.it/cain.html (it's free :blink: )
    http://www.securityfriday.com/promiscuous_detection_01.pdf
     
  14. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    What are you quoting? As far as I see, the OP lives at home with a normal connection. In which case it's most likely his router sending random bits of data ESS doesn't like, like 99% of all other cases.
     
  15. Spanaway01

    Spanaway01 Registered Member

    Joined:
    Jun 15, 2008
    Posts:
    16
    I've had the same issues with the "arp cache poisoning." However, I think that I have solved that problem on my system. I have 3 machines on my network and only one had this issue.

    A few weeks ago I ran a very brief trial of BitDefender. By brief I mean it was less than an hour. It subdued the system to a virtual crawl. I uninstalled. However, I did note that there were still references to BD in some of the context menus. I took a look at the processes that were running and saw one I was not familiar with - "livesvr.exe." I ran a Google search and found this was related to BD. I stopped the process - no change. I tried to remove the remnants from Program Files - no could do! Went to the BD site and downloaded their removal tool. It removed the remnants and so far, no ARP poisoning issues.

    It has been an hour now and NO issues!

    This solution may also apply to other security apps that you may have installed/uninstalled and there is still stuff left behind.

    Hope this helps someone else.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    For the kind of attack you refer to, then the attack would need to be successful for the redirect of traffic through an alternate (spoofed) gateway.
    That is basically done by poisoning the ARP cache on the PC with the IP of the router with a MAC address of another node on LAN, then all traffic from the PC is sent through the spoofed gateway.

    I have just set up the V4 rc (I cannot get hold of a trial version of the current full version) and looked at ARP poisoning for such a redirect, unfortunately for some reason there was no logging in the firewall for the attempted ARP attack, but the attack did fail and the ARP cache remained correct. (I will of course make further checks/tests)

    This kind of attack is also used for an ARP DoS attack, where an ARP request is sent to the PC with the gateway (or router) IP and a spoofed MAC address (the MAC address does not exist on the LAN), thereby blocking all traffic, but the firewall did block such an attempt (of course such an attack can also be made on the router, and if unprotected can kill your connection anyway).


    On the DNS cache poisoning alert. I have already had one log entry for this that I know to be incorrect, certainly as the PC is protected behind my own gateway. I also need to make further tests/checks on that.


    - Stem
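The two ARP variants Stem describes above (a gateway IP rebound to another LAN node's MAC to redirect traffic, and a gateway IP bound to a MAC that exists nowhere on the LAN to cut traffic off) can be told apart by a passive monitor that watches ARP replies. The following is an added example, not code from this thread or from ESET: it parses raw Ethernet+ARP frames, keeps the first binding seen for each IP, and flags the two anomalies for the gateway IP. The sample frames, MACs and addresses are constructed here and are never sent on a network.

```python
import struct
from ipaddress import ip_address

ARP_ETHERTYPE = 0x0806
ARP_REPLY = 2

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def ip_bytes(text):
    return ip_address(text).packed

def sample_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet+ARP reply frame as constructed sample input (never sent)."""
    eth = target_mac + sender_mac + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4 ARP header
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) or None if the frame is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return opcode, frame[22:28], frame[28:32]

class ArpMonitor:
    """Tracks IP-to-MAC bindings seen in ARP replies and flags gateway anomalies."""

    def __init__(self, gateway_ip, lan_macs):
        self.gateway_ip = gateway_ip
        self.lan_macs = set(lan_macs)      # MACs known to exist on this LAN (assumed inventory)
        self.bindings = {}                 # first MAC seen per IP; alerts never overwrite it

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, mac, ip = parsed
        if ip == self.gateway_ip:
            if mac not in self.lan_macs:
                return "gateway-unknown-mac"   # DoS variant: MAC exists nowhere on the LAN
            prior = self.bindings.get(ip)
            if prior is not None and prior != mac:
                return "gateway-mac-changed"   # redirect variant: another node claims the gateway
        self.bindings.setdefault(ip, mac)
        return None
```

A real deployment would feed `observe` from a packet capture on the LAN interface and compare against a maintained inventory of host MACs rather than the constructed list used here.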
     
  17. stratoc

    stratoc Guest

    I noticed these logs when Smart first came out. ESET support told me it was my router and to either ignore them or disable the detection via IDS settings. I disabled nothing and ignore them; would have thought it would be fixed by now, to be honest.
     
  18. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    From locked thread https://www.wilderssecurity.com/showthread.php?p=1445081#post1445081
    Macros
    Please think about this from a user perspective not software complying with an internal specification.

    Are you saying there is a network printer which mounts a DNS cache poisoning attack? Interesting, I hadn't expected printer manufacturers to be in that business.

    An alternative interpretation is that the ESET ESS design prevented a previously functioning network printer from functioning. Suggesting an ESS design problem.

    Again. ESET you are not Microsoft. Your software needs to work with existing hardware. If you are detecting attacks from a commercial router then that is a false positive. It makes no difference what your program specification says the router should do.
     
  19. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    I doubt that, it's probably more a situation of the printer sending useless/non-useful data that's somehow interpreted as that kind of attack.
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The printer was actually trying to connect to different ports on the computer and was not a member of the Trusted zone.
     
  21. DarrenDavisLeeSome

    DarrenDavisLeeSome Registered Member

    Joined:
    Mar 23, 2009
    Posts:
    315
    Location:
    Riverside, CA U.S.A
    If I may reiterate, when I first started using ESS 4.0 (even ESS 3.0) I would get quite a few ARP/DNS Cache Poisoning Attack detections whenever I would go to a secured server for my email, banking, etc... The source of these "attacks" were mostly from my Router. Whenever I used the secured server to chat with my ISP's Tech support I would get "attacks" from my ISP's secure Chat server.

    Peculiar thing now is I haven't seen any "attacks" for awhile and I am still going to the same secured servers for my email and banking. Just got off the secured Chat with my ISP and no "attacks" in the Firewall log.


    You think ESS 4.0's Firewall is...uh...well..."learning"?
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No, it is just that the logging of the events has changed.

    The problem while collecting mail. Well, on my setup, collecting mail shows the same underlying problem of excessive DNS lookups.

    Example:
    The last install of ESS I made was build 417. I installed it and left it in Automatic mode to stop any problems possibly due to restrictions in my rules. The first connection I actually made was to my e-mail server. I checked my sniffer logs and found that ESS had made over 300 DNS lookups in less than 0.01 seconds. It did then settle down, but even after that, every time I collected mail approx. 18 DNS lookups were made for various "mailshell.net" addresses. I have attached a screen grab of the lookups (these were made after every e-mail collection, and in previous builds most of the replies were being blocked by the firewall). I have requested info on this behavior, but unfortunately, like all other info requests I have made, no reply.

    [attached screen grab: 01.jpg]


    - Stem
     