GSMiller, posted November 1, 2019:
I just moved to a new home in Sarasota, Florida. I set up my computer a few days ago but only today started getting a message of a "network event blocked" called "ARP Cache Poisoning attack." It further says "A computer on the network is sending malicious traffic. This can be an attempt to attack your computer." These messages are coming in 1 per second! The only other computer on the network is my husband's. We have a wireless router through Comcast. I have a wireless printer and my iPhone. I am not a techy and very confused. The IP address starts with 10.0.0. and the last 3 digits have changed at least twice and then back again. I didn't see anything in the community about this. I welcome any help and advice.
Gail
Marcos (Administrators), posted November 2, 2019:
Sounds like a device with multiple adapters and sharing the same IP address responds to ARP queries. Hover the mouse cursor over "computer" and if you trust the device, click "Change handling of this threat" and exclude the detection for the particular IP address.
GSMiller (Author), posted November 4, 2019:
Thanks for the response! How can I tell what device has the IP address linked to the word "computer?" I do have a multi port USB connected to my laptop. I have had it for years without this problem. Thanks...
Marcos (Administrators), posted November 4, 2019:
If you trust the remote computer, exclude it from ARP cache poisoning detection.
itman, posted November 4, 2019:
58 minutes ago, GSMiller said: How can I tell what device has the IP address linked to the word "computer?"
Note: enter the 10.0.0.xxxx in place of the %ipaddress% parameter in the following:
Quote:
Querying DNS
1. Click the Windows Start button, then "All Programs" and "Accessories." Right-click on "Command Prompt" and choose "Run as Administrator."
2. Type "nslookup %ipaddress%" in the black box that appears on the screen, substituting %ipaddress% with the IP address for which you want to find the hostname.
3. Find the line labeled "Name" underneath the line with the IP address you entered and record the value next to "Name" as the hostname of the computer.
https://smallbusiness.chron.com/hostname-ip-address-47400.html
Edited November 4, 2019 by itman
GSMiller (Author), posted November 7, 2019:
Just getting back to this. I am most concerned with figuring out if I trust the remote computer so I know if I trust it. The instructions you offered, Wiseman, are more complicated than I understand. Can you give me a little more detail? After clicking on the Windows Start button, should I see an "All Programs" and "Accessories" link or graphic? It lists all the programs but I don't know what the next step is. I don't see a command prompt, though I can search on it. I'm sure I'm missing something simple but need your help to point me in the right direction! Thanks.
peteyt (Most Valued Members), posted November 7, 2019:
1 hour ago, GSMiller said: Just getting back to this. I am most concerned with figuring out if I trust the remote computer so I know if I trust it. The instructions you offered, Wiseman, are more complicated than I understand. Can you give me a little more detail? After clicking on the Windows Start button, should I see an "All Programs" and "Accessories" link or graphic? It lists all the programs but I don't know what the next step is. I don't see a command prompt, though I can search on it. I'm sure I'm missing something simple but need your help to point me in the right direction! Thanks.
Depends on what version of Windows you have. For example, on Windows 10 you can right-click Start and click Command Prompt or PowerShell, which I believe is the same but with advanced stuff (and looking at it, Windows seems to have replaced Command Prompt in the right-click Start menu with PowerShell).
itman, posted November 7, 2019:
1 hour ago, GSMiller said: After clicking on the Windows Start button, should I see an "All Programs" and "Accessories" link or graphic?
Assuming you're running Win 10, click on the Start menu icon on the left side of the desktop taskbar. Refer to the below screen shot:
1. Scroll down to "Windows System" and click on it.
2. Right mouse click on "Command Prompt."
3. Position mouse cursor on "More." Then click on "Run as Administrator."
You will now receive a UAC prompt. Click on the "Yes" tab.
Edited November 7, 2019 by itman
GSMiller (Author), posted November 8, 2019:
I got some help (Windows 10 works a bit differently... got to the command prompt differently!) and decided to trust the 2 IP addresses I was receiving since they were in the safe zone as 10.0.0.X addresses. I stopped the notifications and life is peaceful again! Thanks for all the help.
Lajos, posted November 21, 2019:
Hi, I have a somehow similar problem: I also get a message of an ARP cache poisoning along with a message about double IP addresses. The problem seems to be the Digicorder (a device to watch and/or record digital TV) that somehow has two MAC addresses that both use the same IP (dynamic). I know I can make a rule for this IP in the "IDS-exceptions", but I have doubts about such a solution because I'm not sure if the second MAC (6A:vv:ww:xx:yy:zz) used is legitimate or not. It is just one character different from the one on the sticker on the Digicorder (68:vv:ww:xx:yy:zz). I find that very strange because those 3 first parts (68:vv:ww) are about the vendor name? So how can I determine whether this is a man-in-the-middle attack or not? Isn't it suspicious that a device has two MACs?
Thanks in advance,
Lajos
Windows 10 / ESET Internet Security 13.0.22.0 / laptop via WiFi and Digicorder attached by cable, to IP router.
Edited November 21, 2019 by Lajos (I didn't want the jpg visible in my text but just as an attachment for the moderator, but I can't find out how to do that)
itman, posted November 22, 2019:
21 hours ago, Lajos said: The problem seems to be the Digicorder (a device to watch and/or record digital tv) that somehow has two MAC-addresses that both use the same IP (dynamic).
As far as I am aware, a device can have only one MAC address associated with it. Now it is possible that two devices could be housed in an enclosure giving the external appearance of one physical device. You will have to contact the manufacturer of Digicorder to verify that this might be the reason for these two MAC addresses appearing. However, MAC spoofing does exist and is in fact legal and in certain instances used for security reasons. It is also likewise used for malicious purposes. You can read about MAC spoofing here: https://en.wikipedia.org/wiki/MAC_spoofing
Edited November 22, 2019 by itman
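
Added example, not part of any poster's reply: the 68 and 6A prefixes in the question above differ only in the 0x02 bit of the first octet, which is the "locally administered" flag of a MAC address. The Python sketch below groups IP/MAC sightings and reports whether the MACs claiming one IP are such variants of each other; all addresses in it are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from itertools import combinations

def parse_mac(text):
    """Return the six octets of a MAC written with ':' or '-' separators."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def is_locally_administered(mac):
    """Bit 0x02 of the first octet: set means the address was assigned in
    software or firmware, not taken from the vendor's registered OUI block."""
    return bool(mac[0] & 0x02)

def differs_only_in_local_bit(a, b):
    """True when two MACs are identical except for the 0x02 bit of octet 0."""
    return (a[0] ^ b[0]) == 0x02 and a[1:] == b[1:]

def find_conflicts(observations):
    """Group (ip, mac) sightings; report every IP claimed by more than one MAC."""
    by_ip = defaultdict(set)
    for ip, mac in observations:
        by_ip[ip].add(parse_mac(mac))
    report = {}
    for ip, macs in by_ip.items():
        if len(macs) < 2:
            continue
        pairs = list(combinations(sorted(macs), 2))
        report[ip] = {
            "macs": [m.hex(":") for m in sorted(macs)],
            "local_bit_variants": all(differs_only_in_local_bit(a, b) for a, b in pairs),
        }
    return report

# Constructed sightings (e.g. noted from repeated `arp -a` runs); not from the thread.
SAMPLE = [
    ("10.0.0.12", "68:11:22:33:44:55"),  # stands in for the sticker address
    ("10.0.0.12", "6A-11-22-33-44-55"),  # same address with the 0x02 bit set
    ("10.0.0.20", "00:11:22:aa:bb:cc"),
    ("10.0.0.20", "3c:22:fb:00:00:01"),  # unrelated second claimant
    ("10.0.0.30", "00:11:22:aa:bb:dd"),  # single owner, not reported
]

if __name__ == "__main__":
    for ip, info in find_conflicts(SAMPLE).items():
        print(ip, info)
```

A `local_bit_variants` value of True is consistent with one device presenting a second address derived from its burned-in one, but it is not proof, because any host can be configured with a locally administered address. Unplugging the device and checking whether both MACs stop answering for that IP is a simple confirmation.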