ORIGINALLY POSTED IN THE GUEST FORUM:
Hi,
For the last few weeks I've been receiving way too many notifications about ARP Cache Poisoning / Duplicate IP Addresses (about to reach 10,000 combined).
This happens at intervals of 30-60min, typically once a day although there are days when it doesn't happen at all. During such an interval I get a notification every second and some websites become unreachable. For example, I can use all Google related sites and some other sites not related to Google at all, but I can't use Skype, the Eset site, etc.
I searched the forums and the Eset site. The IP address in the notifications is in the 192.168.x.x safe range, so I tried making an IDS exception as instructed, but the problem wasn't solved at all.
I'm wondering if this is an actual attack. I would appreciate it if I could get some ideas about what is going on and how to go about it.
Thank you.
ACKNOWLEDGEMENT:
Marcos, thanks for your reply in the guest forum.
UPDATE:
I cannot assert that all machines in the network are configured to get their IP address from a DHCP server (I don't have access to all of them). However, I ran ipconfig /all and it turns out that
a) my machine does use a DHCP server
b) The IP address of the DHCP server is precisely the same that appears in the ARP Cache Poisoning / Duplicate IP Addresses notifications.
Could this be a clue to solve the problem?
I also have observed the following:
a) whenever I start getting a stream of ARP cache poisoning notifications, the problem goes away if I set the IDS exception in "real-time" i.e. at the moment the "attack" is occurring.
b) This technique doesn't help with the duplicate IP address situation.
Any further help would be much appreciated, thanks.
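
Added example, not part of the original post: one way to check the DHCP server clue is to save `arp -a` output once while things are quiet and once while the notifications are streaming, then compare which MAC address each IP resolves to. An IP whose MAC changes between snapshots is consistent with either a second device using that address or forged ARP replies. The two snapshots below are constructed sample data, and the function names are this example's own.

```python
import re
from collections import defaultdict

# One entry line of Windows `arp -a` output: IP address, MAC address, type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+\w+\s*$")

# Constructed sample snapshots (not taken from the poster's machine).
QUIET = """Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.40          66-77-88-99-aa-bb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
ALERT = """Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           66-77-88-99-AA-BB     dynamic
  192.168.1.40          66-77-88-99-aa-bb     dynamic
"""

def parse_arp_table(text):
    """Return {ip: mac} for the unicast entries of one `arp -a` capture."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # interface header, column header, blank line
        ip, mac = m.group(1), m.group(2).lower()
        if int(mac[:2], 16) & 1:
            continue  # group bit set: broadcast or multicast, not a host
        table[ip] = mac
    return table

def find_conflicts(snapshots):
    """snapshots: list of (label, arp_text). Returns (changes, shared)."""
    history = defaultdict(list)  # ip -> [(label, mac)] at each change
    shared = {}                  # (label, mac) -> IPs claimed by that MAC
    for label, text in snapshots:
        by_mac = defaultdict(set)
        for ip, mac in parse_arp_table(text).items():
            by_mac[mac].add(ip)
            if not history[ip] or history[ip][-1][1] != mac:
                history[ip].append((label, mac))
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                shared[(label, mac)] = sorted(ips)
    changes = {ip: h for ip, h in history.items() if len(h) > 1}
    return changes, shared
```

With the sample data, `find_conflicts([("quiet", QUIET), ("alert", ALERT)])` reports that 192.168.1.1 moved to the MAC already held by 192.168.1.40, which points at the device to look for on the network.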