ORIGINALLY POSTED IN THE GUEST FORUM:
Hi,
For the last few weeks I've been receiving way too much notificationes abour ARP Cache Poisoning / Duplicate IP Addresses (about to reach 10,000 combined).
This happens at intervals of 30-60min, typically once a day although there are days when it doesn' happen at all. During such an interval I get a notification every second and some websites become unreachable. For example, I can use all Google related sites and some other sites not related to Google at all, but I can't use Skype, the Eset site, etc.
I searched the forums and the Eset site. The IP address in the notifications is in the 192. 168.x.x safe range, so I tried making an IDS exception as instructed, but the problem wasn't solved at all.
I'm wondering if this is an actual attack. I would appreciate if I could get some ideas about what is going on and how to go about it.
Thank you.
ACKNOWLEDGEMENT:
Marcos, thanks for your reply in the guest forum.
UPDATE:
I cannot assert that all machines in the network are configured to get their IP address from a DHCP server (I don't have access to all of them). However, I ran ipconfig /all and it turns out that
a) my machine does use a DHCP server
b) The IP address of the DHCP server is precisley the same that appears in the ARP Cache Poisoning / Duplicate IP Addresses notifications.
Could this be a clue to solve the problem?
I also have observed the following:
a) whenever I start getting a stream of ARP cache poisioning notifications, the problem goes away if I set the IDS exception in "real-time" i.e. at the moment the "attack" is occurring.
b) This technique doesn't help with the duplicate IP address situation.
Any further help would be much appreciated, thanks.
@Marcos: I cannot assert all devices get their IP address from a DHCP server, since multiple people with multiple devices use the network. However, the issue presented itself today and I'm completely sure everyone in the property was away so that my device was the only one working. @itman. I'll try resetting the router as soon as the property owner is back on town.