
ARP Cache Poisoning attack



Hi,

As per the title, I'm getting "ARP Cache Poisoning attack" from a local IP to my PC. The thing is that this comes from a TV.

Along with this, "Duplicate IP address" from the same IP (the TV).

Further detail:
There are other Samsung smart TVs and no reports from them.
All TVs are set with static IPs.
There is a shared folder (media files) on the PC that the TVs have access to over DLNA.

Main question:

What is the cause of it, and is it safe to "kill" this with an exclusion rule? What are the possible consequences of creating an exclusion rule - it's a Samsung smart TV with cr*p apps preinstalled on it? Is it safe?

Thank you

Edited by smuggler.ie

  • Administrators

Let's start off with the following:
- enable advanced firewall logging (or network protection logging in latest versions) in the advanced setup -> tools -> diagnostics
- clear the firewall log
- restart the computer
- wait until a notification is triggered
- disable logging
- gather logs with ESET Log Collector and provide me with the generated archive.


  • 3 weeks later...

Hi Marcos,

Sorry for the late comeback. I hope you can still help me to resolve this...

Currently updated to ESET Endpoint Security 7.0.2073.1

Where do I "clear the firewall log"?


  • Most Valued Members
45 minutes ago, smuggler.ie said:

Hi Marcos,

Sorry for the late comeback. I hope you can still help me to resolve this...

Currently updated to ESET Endpoint Security 7.0.2073.1

Where do I "clear the firewall log"?

Quote

Log files are accessible from the ESET Endpoint Security main menu by clicking Tools > Log files. Select the desired log type using the Log drop-down menu at the top of the window

Once you go there I think there is an option to reset/clear the logs somewhere.


1 hour ago, Rami said:

Once you go there I think there is an option to reset/clear the logs somewhere.

 

1 hour ago, TomFace said:

Hello smuggler.ie. See if this KB helps a little bit. https://support.eset.com/kb3186/

Best regards.

Tom

Thank you folks, but...

ESET Endpoint Security v7.2073.1 has no "firewall log" in the log drop-down menu and the interface is completely different from the one in the link. "Network protection" maybe?

Logs.PNG


  • Administrators

Most likely the device uses different MAC addresses over time. If you want to resolve it quickly, just right-click the appropriate record in the Network protection log and select "Don't block similar events in the future".


13 hours ago, Marcos said:

Most likely the device uses different MAC addresses over time. If you want to resolve it quickly, just right-click the appropriate record in the Network protection log and select "Don't block similar events in the future".

Thanks Marcos.

Not sure what you mean by "different MAC" - could it be possible for the TV to spoof/change its MAC? I doubt that.

Anyway, it comes from the same IP (whatever IP I set on the TV - DHCP or static) and the IP resolves to the same MAC.

I know the "stop blocking" or "stop notifications" options, but this brings us back to my original question:

"What is the cause of it, and is it safe to "kill" this with an exclusion rule? What are the possible consequences of creating an exclusion rule - it's a Samsung smart TV with cr*p apps preinstalled on it? Is it safe?"

I could accept that this ARP calling could be a beacon to see if network shares are available or something along these lines, but how to be sure?

And where is "Duplicate IP addresses on network" coming from - the router, which acts as the DHCP server, has no logs about duplicate IP addresses and there are no other network issues?

duplicate IP.PNG


Here is Eset's definition of an ARP poisoning attack:

Quote

ARP Poisoning attack detection – Detection of ARP poisoning attacks triggered by man in the middle attacks or detection of sniffing at network switch. ARP (Address Resolution Protocol) is used by the network application or device to determine the Ethernet address.

https://help.eset.com/ees/7/en-US/idh_config_epfw_advanced_settings.html

My best guess of what is happening is "detection of sniffing at network switch" by the Smart TV. Your only option if you want the TV to access a shared file on the PC appears to be to allow the activity.


5 hours ago, smuggler.ie said:

And where is "Duplicate IP addresses on network" coming from - the router, which acts as the DHCP server, has no logs about duplicate IP addresses and there are no other network issues?

There was another recent forum posting about this. In that case, Eset was detecting different MAC addresses for the same internal IP address which was indeed the router.

What I do know is that ISPs do "strange things" when it comes to IPv6 DHCP assignment. I use Eset's Public profile so I have been "spared" many of these strange Eset Connected Home Monitor and the like detections. As far as my ISP goes, it has some type of phantom IPv6 DHCP server set up on the router that Eset is totally oblivious to except for firewall detection. This phantom IPv6 DHCP server has the identical IP address as the "real" DHCP IPv6 server except its last digit of the IP address is one less in value. All this bugger does is constantly send IPv6 pings to my device. It appears its sole purpose is to check for IPv6 connectivity as best as I can determine.


4 hours ago, itman said:

Here is Eset's definition of an ARP poisoning attack:

https://help.eset.com/ees/7/en-US/idh_config_epfw_advanced_settings.html

My best guess of what is happening is "detection of sniffing at network switch" by the Smart TV. Your only option if you want the TV to access a shared file on the PC appears to be to allow the activity.

Not quite... there is something else and I want to find out what that is, with experts' help of course.

This TV, the same as the others, has required access to the "file server" PC and the shares on it, but I'm getting "ARP poisoning attack" and "duplicate address" notifications from that specific one.

Furthermore, the notifications are on other PCs - the screenshot above is not from the "file server" PC.

In regard to IPv6 - my consumer-grade router doesn't even support IPv6. And I have disabled the IPv6 protocol on all computers where available (extra unnecessary traffic).

By source IP it is that one TV, not the router.

Edited by smuggler.ie

14 hours ago, smuggler.ie said:

This TV, the same as the others, has required access to the "file server" PC and the shares on it, but I'm getting "ARP poisoning attack" and "duplicate address" notifications from that specific one.

At this point, you have the following choices:

1. Create an IDS exception for the ARP poisoning detection to allow the TV communication if you believe that communication is safe.

2. Do the same for the duplicate IP address detection. The Eset home vers. don't have that IDS detection. It might be exclusive to the endpoint vers.

3. Disable the IDS ARP poisoning/duplicate IP address detections which will expose your entire network to such attacks.


  • Administrators

If you provide me with the network protection advanced log with an ARP cache poisoning attack detection captured, I should be able to confirm that it's caused by a different MAC address than the one from which the previous ARP response was sent. After generating the log and disabling advanced logging, gather logs with ELC and provide me with the generated zip file.


I will also add if you open a command prompt window and enter the following:

arp -a

It will display the current MAC settings that exist in the ARP cache. The MAC address shown that corresponds to the IP address assigned to your router, e.g. 192.168.1.254, should match the one imprinted on your router's label/casing.

The point of confusion at this point is Eset is throwing an ARP poisoning alert against your PC's assigned IP address of 192.168.1.101. That makes no sense to me since ARP attacks are directed against routers to redirect the outbound traffic to their attack device.

Note the following in regards to the arp command:

Quote

ARP is sometimes useful when diagnosing duplicate IP assignment problems. For example, suppose you can’t access a computer that has an IP address of 192.168.168.100. You try to ping the computer, expecting the ping to fail; but lo and behold, the ping succeeds. One possible cause for this may be that two computers on the network have been assigned the address 192.168.168.100, and your ARP cache is pointing to the wrong one.

https://www.dummies.com/programming/networking/network-administration-arp-command/

I believe a duplicate IP address assignment is your issue. Eset detects that the MAC address associated with an IP address in the ARP cache doesn't match its actual physically assigned network adapter MAC address and is throwing an IDS alert.

Edited by itman

4 hours ago, itman said:

I will also add if you open a command prompt window and enter the following:

arp -a

It will display the current MAC settings that exist in the ARP cache. The MAC address shown that corresponds to the IP address assigned to your router, e.g. 192.168.1.254, should match the one imprinted on your router's label/casing.

The point of confusion at this point is Eset is throwing an ARP poisoning alert against your PC's assigned IP address of 192.168.1.101. That makes no sense to me since ARP attacks are directed against routers to redirect the outbound traffic to their attack device.

Note the following in regards to the arp command:

https://www.dummies.com/programming/networking/network-administration-arp-command/

I believe a duplicate IP address assignment is your issue. Eset detects that the MAC address associated with an IP address in the ARP cache doesn't match its actual physically assigned network adapter MAC address and is throwing an IDS alert.

Let me provide more detail...

1. The arp -a list has no duplicates.
2. The MAC of the router matches the one listed in arp -a.
3. Pay attention to the screenshot I attached - source IP 192.168.1.12 (dynamic) is the TV; notifications on ALL computers with ESET (four) start ONLY when the TV is powered ON and stop as soon as it's OFF.
4. No other network issues (if I'm right, usually a duplicate IP causes devices not to be able to communicate, access resources or the internet).
5. If "Eset detects that the MAC address associated with an IP address in the ARP cache doesn't match its actual physically assigned network adapter MAC address...", would it be correct to think that the offending device is the TV, as it is the TV that shows up on all ESET installs?

@Marcos
Thank you for the offer, will get back to you on this.

ARP.PNG

ARP-A.PNG


1 hour ago, smuggler.ie said:

3. Pay attention to the screenshot I attached - source IP 192.168.1.12 (dynamic) is the TV; notifications on ALL computers with ESET (four) start ONLY when the TV is powered ON and stop as soon as it's OFF.

Looks like we are making progress.

Run the arp -a command on both PCs. The assumption is that the physical address for 192.168.1.12 will be different since it is being dynamically assigned. This is what is triggering the Eset ARP alert. It is detecting that on your network two devices (PCs) are being accessed by another device with a different MAC address. It also explains the duplicate IP address alert.

Appears to me two solutions exist:

1. Assign a static MAC address for 192.168.1.12.

2. Exclude 192.168.1.12 from Eset IDS ARP poisoning detection.

A reference on static assignment. Note the underlined portions:

Quote

By default, the device responds to an Address Resolution Protocol (ARP) request only if the destination address of the ARP request is on the local network of the incoming interface. For Fast Ethernet or Gigabit Ethernet interfaces, you can configure static ARP entries that associate the IP addresses of nodes on the same Ethernet subnet with their media access control (MAC) addresses. These static ARP entries enable the device to respond to ARP requests even if the destination address of the ARP request is not local to the incoming Ethernet interface.

Also, unlike dynamically learned ARP entries, static ARP entries do not age out. You can also configure static ARP entries in a troubleshooting situation or if your device is unable to learn a MAC address dynamically.

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-configuring-static-arp-table-entries.html

Let's see what @Marcos recommends

Edited by itman
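The two checks suggested in the posts above (compare the MAC cached for the router against the one on its casing, and run arp -a on both PCs and compare what each resolves 192.168.1.12 to) can be scripted so the comparison is not done by eye. The script below is an added example; it is not ESET's code and not something posted by anyone in this thread. The two `arp -a` tables are constructed: the IP numbering reuses the thread's .100/.200 PCs, .254 router and .12/.70 TV addresses for readability, and every MAC address in them is made up.

```python
"""Added example (not ESET's code, not from this thread): parse Windows
`arp -a` output from two PCs and apply the checks discussed above."""
import re
from collections import defaultdict

# Constructed sample tables. The IPs reuse the thread's numbering (.100 and
# .200 are the PCs, .254 the router, .12/.70 the TV); every MAC is made up.
ARP_PC100 = """
Interface: 192.168.1.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.254         a0-b1-c2-d3-e4-f5     dynamic
  192.168.1.12          00-11-22-33-44-66     dynamic
  192.168.1.60          66-77-88-99-aa-bb     dynamic
  192.168.1.200         cc-dd-ee-ff-00-11     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

ARP_PC200 = """
Interface: 192.168.1.200 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.254         a0-b1-c2-d3-e4-f5     dynamic
  192.168.1.12          00-11-22-33-44-55     dynamic
  192.168.1.70          00-11-22-33-44-55     dynamic
  192.168.1.60          66-77-88-99-aa-bb     dynamic
  192.168.1.100         cc-dd-ee-ff-00-22     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One entry line: IPv4 address, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output; header and interface lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def macs_with_multiple_ips(table, skip_prefixes=("ff-ff", "01-00-5e")):
    """One MAC cached under several IPs within a single table (the ".12 and .70
    both point at the TV" situation). Broadcast/multicast pseudo-entries are skipped."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if not mac.startswith(skip_prefixes):
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def cross_host_mismatches(tables):
    """IPs that different PCs resolve to different MACs; `tables` is {host: {ip: mac}}."""
    by_ip = defaultdict(dict)
    for host, table in tables.items():
        for ip, mac in table.items():
            by_ip[ip][host] = mac
    return {ip: hosts for ip, hosts in by_ip.items() if len(set(hosts.values())) > 1}


def router_mac_matches(table, router_ip, label_mac):
    """The cached MAC for the router should equal the MAC printed on its casing."""
    return table.get(router_ip) == label_mac.lower().replace(":", "-")


if __name__ == "__main__":
    tables = {"PC100": parse_arp_table(ARP_PC100), "PC200": parse_arp_table(ARP_PC200)}
    print("router label matches on PC100:",
          router_mac_matches(tables["PC100"], "192.168.1.254", "A0:B1:C2:D3:E4:F5"))
    for host, table in tables.items():
        print(host, "MACs under several IPs:", macs_with_multiple_ips(table))
    print("IP->MAC disagreement between PCs:", cross_host_mismatches(tables))
```

With the constructed tables, PC200 shows one MAC cached under both .12 and .70, and the two PCs disagree about the MAC behind .12; the router entry passes the label check. To use it on real output, paste each PC's `arp -a` text into the two strings; the entry regex accepts both upper- and lower-case MACs as Windows prints them.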

You got me here...

I know how to spoof a MAC on a virtual adapter in Hyper-V or VMware, but how do I do this on a TV network card...? Please do tell.
Assigning MAC-to-IP within the PC with arp -s doesn't make sense, as arp -a from both PCs returns the same MAC for IP 192.168.1.12 (and all other IPs for that matter). The router also confirms the same IP/MAC in its client list.

"2." is not an option till I figure out the cause of it - the network is functioning OK so far, only annoying notifications and a personal concern about a "possible threat" or device misbehavior.
I'm not that guy who removes the warning light bulb from the dashboard just to mask a failed airbag notification in the car.

Thanks for your patience.


Thinking about this a bit more, I am not too confident that a static assignment will work either.

What Eset is detecting, it appears, is a device, the TV, simultaneously trying to connect to two network devices at the same time, and interpreting that as an ARP attack. If you think about this, the only network device with this capability is the router.

The only thing I know of that might work is on each PC, you enter the IP address of the TV, 192.168.1.12, manually as an IDS excluded IP address in Eset Firewall section -> Fire Zones -> Addresses excluded from IDS detection.

The only alternative to this is to add the IP address of the TV to the Trusted Addresses section which I won't recommend for an IoT device.

Edited by itman

Well, you see... I can hide notifications from the IP and keep blocking it (an available option in ESET), but now I've got determined to find out the actual cause.
I wonder if this could be some dodgy app. The TV is used by a child (13) and it's very possible, or should I say most likely, that it was "explored" in and out. Maybe at some point something/some app was enabled/started. Internet browsing was also involved. As the TV (to my understanding) has no protection whatsoever it might catch some "dirt" (hmmm... the router firewall should prevent this). Who knows. I never liked "pre-loaded" apps and having no option to control/delete them.
A while ago I read online - someone was selling a 5-day-old Smart TV. To the question "Why? What's wrong?" the answer was: "Too smart".

I might reset TV to factory defaults and see if this would change behavior.


I came across this reference to Samsung's SmartHub feature in regard to their Smart TVs: https://smallbusiness.chron.com/connect-pc-samsung-smart-hub-72573.html

It appears to me the assumption behind this and like capability is that the TV is connecting to a single PC to access data. If this was the case, there would be no issue with Eset detecting an IDS ARP attack. So I am sticking with what I posted previously; create an IDS exception for the TV's IP address on each PC. The only risk associated with this is that if the TV attempted other nefarious activities such as accessing the admin shares on either PC, assuming you had enabled that IDS mitigation. As such, you might instead set up the TV IP address as Trusted since you are already allowing it access to your PCs. Do note that Eset's default firewall rules in regards to Trusted zone devices would be in effect. Also and notwithstanding the IDS issue, the Eset firewall will block the TV's access to the PCs via SMB ports since that is only allowed for Trusted zone IP addresses.

Edited by itman

Yesterday and before the reset the ARP tables were "clean", but after... this was a surprise to me.

Today I ran arp -a and the TV came back with the Eth .12 (dynamic) address as it was yesterday.
Reset that TV to factory defaults. The TV notified that it will reset everything except the network settings. Well, OK.
Ran arp -a again and the TV came back with the Eth .12 (dynamic) address as it was before.
ESET notifications popped up on both the 100 and 200 PCs.
I decided to give the TV static IPs for Eth (.70) and WiFi (.71).

After running arp -a on both PCs the discovery was "something". Don't even know what to say.

I have purged the ARP table on the PCs and it came back with normal readings, no ESET "yelling" so far.

Arp100.PNG

Arp200.PNG


3 hours ago, smuggler.ie said:

Again - arp -a show "clean" table, but ESET yelling...

Not surprised by this.

23 hours ago, smuggler.ie said:

I decided to give the TV static IPs for Eth (.70) and WiFi (.71).

Have no clue what you are trying to do here. The TV is a single device with a unique MAC address. Your above arp -a screen shots clearly show that.

Again, I have given you my recommendations as what to do.

I believe your problem boils down to the fact you are trying to establish two network connections to a device that was designed for one connection. Just because the TV has both an Ethernet and a Wi-Fi connection doesn't mean that you can use both simultaneously. It only means that you can connect to the TV via Ethernet or Wi-Fi; not both. You will probably have to explore using something like this; Wireless To Wired Ethernet/Ethernet To Wi-Fi Wireless Network Bridge Adapter: https://www.amazon.com/Wireless-Ethernet-Network-Bridge-Adapter/dp/B01GF6GST4

Edited by itman

Calm down.
I appreciate your recommendations.

First, I am not "trying to establish" anything - that TV powers up > ESET starts "yelling" on the PCs. At the same time I have another Samsung TV (well, all 4 are Samsung, different models) on Eth .60 (see the arp -a tables above) and there is not a single beep about it.
Only one connection is available on the TV at a time - you are right here - both addresses in ARP only say that the table has a "time-out period" (a purge does clean it).

For clarity, so I know which connection is in use, I have the Eth and WiFi IPs different (is there something wrong with that?) as these are separate NICs with different MACs (unless I am wrong here, however the MACs read different). The same I could say about a laptop that has Eth and WiFi - different NICs > different IPs > separate entries in the ARP table > no entries in ESET.
As far as I understand, ARP should list IP-to-MAC providing request/response.
After a purge, ARP should populate only with what is on the network replying to requests; there should be all fresh entries - then why does ESET still read "duplicate IP" and only from this one TV?
I don't say it is ESET's fault as it reports this one TV, on different PCs, no matter on what IP and what way I set it up.

The other possibility I could think of - if some other device "echo" replies "on behalf" to a request about that IP (the TV). Let's say the router, at the same time, replies: "I know that device on this MAC". But to my logic it should be: "shut up, I didn't ask you!" ☺️

I'm not willing to "throw a blanket over" it as there is an issue with the TV or my network setup or a lack of my knowledge.

But it feels like all this is stressing you. Relax and... forget about it.

Thanks all for the advice

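Marcos's description of the detection earlier in the thread (an ARP reply for an IP arriving from a MAC different from the one that sent the previous reply) and the last post's guess that another device might be answering "on behalf" of the TV can both be replayed against a small stream of ARP replies. The script below is an added example, not ESET's implementation and not code from this thread; the events, timings and MAC addresses are constructed, and only the thread's .12 and .254 numbering is reused.

```python
"""Added example (not ESET's implementation): replay a constructed stream of
ARP replies and raise an alert when an IP is answered for by a MAC different
from the one that sent the previous reply."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    t: float         # seconds since the start of the (made-up) capture
    sender_ip: str   # IP the reply claims to answer for
    sender_mac: str  # MAC the reply came from


# Constructed replies as seen by one PC. The TV (.12) answers from its own
# NIC, then a second device answers for .12 with another MAC, then the TV
# answers again: the "someone else replies on behalf of the TV" case.
SAMPLE_REPLIES = [
    ArpReply(0.0,  "192.168.1.254", "a0-b1-c2-d3-e4-f5"),
    ArpReply(1.0,  "192.168.1.12",  "00-11-22-33-44-55"),
    ArpReply(1.2,  "192.168.1.12",  "00-11-22-33-44-55"),
    ArpReply(30.0, "192.168.1.12",  "de-ad-be-ef-00-01"),
    ArpReply(31.0, "192.168.1.12",  "00-11-22-33-44-55"),
]


def detect_mac_changes(replies):
    """Return (cache, alerts). `cache` is the final ip->mac view; `alerts` has one
    entry per reply whose sender MAC differs from the previously cached one."""
    cache, alerts = {}, []
    for r in sorted(replies, key=lambda x: x.t):
        mac = r.sender_mac.lower()
        prev = cache.get(r.sender_ip)
        if prev is not None and prev != mac:
            alerts.append({"t": r.t, "ip": r.sender_ip, "old_mac": prev, "new_mac": mac})
        cache[r.sender_ip] = mac
    return cache, alerts


def claimants(replies):
    """IPs claimed by more than one MAC anywhere in the stream: the duplicate-IP view."""
    seen = {}
    for r in replies:
        seen.setdefault(r.sender_ip, set()).add(r.sender_mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    cache, alerts = detect_mac_changes(SAMPLE_REPLIES)
    for a in alerts:
        print(f"t={a['t']:5.1f}  {a['ip']} moved {a['old_mac']} -> {a['new_mac']}")
    print("IPs with more than one claimant:", claimants(SAMPLE_REPLIES))
```

Two things the replay makes visible that the thread circles around: the alert fires on every flip, so as long as both responders are on the wire the notifications repeat and they stop the moment the second responder goes quiet; and the final cache (which is all `arp -a` shows afterwards) holds only the last winner, so a table that looks "clean" does not rule out that a second MAC answered for the same IP in between.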
