GSMiller

Getting "ARP Cache Poisoning Attack" messages all day!

I just moved to a new home in Sarasota, Florida. I set up my computer a few days ago but only today started getting a message of a "network event blocked" called "ARP Cache Poisoning attack."  It further says "A computer on the network is sending malicious traffic. This can be an attempt to attack your computer."  These messages are coming in 1 per second!

The only other computer on the network is my husband's. We have a wireless router through Comcast. I have a wireless printer and my iPhone.

I am not a techy and very confused. The IP address starts with 10.0.0. and the last 3 digits have changed at least twice and then back again.

I didn't see anything in the community about this. I welcome any help and advice.

Gail

Sounds like a device with multiple adapters and sharing the same IP address responds to ARP queries. Hover the mouse cursor over "computer" and if you trust the device, click "Change handling of this threat" and exclude the detection for the particular IP address.

Thanks for the response! How can I tell what device has the IP address linked to the word "computer?"  I do have a multi port USB connected to my laptop. I have had it for years without this problem.

 

Thanks...

If you trust the remote computer, exclude it from ARP cache poisoning detection.

58 minutes ago, GSMiller said:

How can I tell what device has the IP address linked to the word "computer?"

Note: enter the 10.0.0.xxxx in place of the %ipaddress% parameter in the following:

Quote

Querying DNS

1. Click the Windows Start button, then "All Programs" and "Accessories." Right-click on "Command Prompt" and choose "Run as Administrator."

2. Type "nslookup %ipaddress%" in the black box that appears on the screen, substituting %ipaddress% with the IP address for which you want to find the hostname.

3. Find the line labeled "Name" underneath the line with the IP address you entered and record the value next to "Name" as the hostname of the computer.

https://smallbusiness.chron.com/hostname-ip-address-47400.html

 

Just getting back to this. I am most concerned with figuring out if I trust the remote computer so I know if I trust it.

 

The instructions you offered, Wiseman, are more complicated than I understand. Can you give me a little more detail? After clicking on the Windows Start button, should I see an "All Programs" and "Accessories" link or graphic? It lists all the programs but I don't know what the next step is. I don't see a command prompt, though I can search on it.  I'm sure I'm missing something simple but need your help to point me in the right direction!

 

Thanks.

1 hour ago, GSMiller said:

Just getting back to this. I am most concerned with figuring out if I trust the remote computer so I know if I trust it.

 

The instructions you offered, Wiseman, are more complicated than I understand. Can you give me a little more detail? After clicking on the Windows Start button, should I see an "All Programs" and "Accessories" link or graphic? It lists all the programs but I don't know what the next step is. I don't see a command prompt, though I can search on it.  I'm sure I'm missing something simple but need your help to point me in the right direction!

 

Thanks.

Depends on what version of Windows you have. For example, on Windows 10 you can right-click Start and click Command Prompt or PowerShell, which I believe is the same but with advanced stuff (and looking at it, Windows seems to have replaced Command Prompt in the right-click Start menu with PowerShell).

1 hour ago, GSMiller said:

After clicking on the Windows Start button, should I see an "All Programs" and "Accessories" link or graphic?

Assuming you're running Win 10, click on the Start menu icon on the left side of the desktop taskbar. Refer to the below screen shot:

1. Scroll down to "Windows System" and click on it.

2. Right mouse click on "Command Prompt."

3. Position mouse cursor on "More." Then click on "Run as Administrator."

You will now receive a UAC prompt. Click on the "Yes" tab.

I got some help (Windows 10 works a bit differently... got to the command prompt differently!) and decided to trust the 2 IP addresses I was receiving since they were in the safe zone as 10.0.0.X addresses.

 

I stopped the notifications and life is peaceful again!

Thanks for all the help.

Hi,

I have a somewhat similar problem: I also get a message about ARP cache poisoning along with a message about double IP addresses. The problem seems to be the Digicorder (a device to watch and/or record digital TV) that somehow has two MAC addresses that both use the same IP (dynamic). I know I can make a rule for this IP in the "IDS-exceptions", but I have doubts about such a solution because I'm not sure if the second MAC (6A:vv:ww:xx:yy:zz) used is legitimate or not. It is just one character different from the one on the sticker on the Digicorder (68:vv:ww:xx:yy:zz). I find that very strange because those 3 first parts (68:vv:ww) are about the vendor name? So how can I determine whether this is a man-in-the-middle attack or not? Isn't it suspicious that a device has two MACs?

thanks in advance,

Lajos

Windows10 / ESET Internet Security 13.0.22.0 / laptop via WiFi and Digicorder attached by cable, to IP-router.

21 hours ago, Lajos said:

The problem seems to be the Digicorder (a device to watch and/or record digital tv) that somehow has two MAC-addresses that both use the same IP (dynamic).

As far as I am aware, a device can have only one MAC address associated with it. Now it is possible that two devices could be housed in an enclosure giving the external appearance of one physical device. You will have to contact the manufacturer of the Digicorder to verify that this might be the reason for these two MAC addresses appearing.

However, MAC spoofing does exist and is in fact legal and in certain instances used for security reasons. It is also likewise used for malicious purposes. You can read about MAC spoofing here: https://en.wikipedia.org/wiki/MAC_spoofing
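An added example, not part of any post in this thread: a way to see which MAC addresses have claimed each IP, and whether two MACs on one IP differ only in the locally-administered bit (0x02 of the first octet), which is exactly the 68 versus 6A difference asked about above. The `arp -a` snapshots and every address in them are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed samples: Windows `arp -a` output captured twice, a few minutes apart.
SNAP_1 = """Interface: 10.0.0.5 --- 0x8
  Internet Address      Physical Address      Type
  10.0.0.1              a4-11-22-33-44-01     dynamic
  10.0.0.12             68-11-22-33-44-55     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""
SNAP_2 = SNAP_1.replace("68-11-22-33-44-55", "6a-11-22-33-44-55")

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+dynamic",
    re.I | re.M,
)

def parse_arp(text):
    """Return (ip, mac_bytes) for every dynamic row of `arp -a` output."""
    return [(ip, bytes.fromhex(mac.replace("-", ""))) for ip, mac in ROW.findall(text)]

def is_locally_administered(mac):
    # Bit 0x02 of the first octet: clear = vendor-assigned (OUI), set = assigned by software.
    return bool(mac[0] & 0x02)

def differ_only_in_la_bit(a, b):
    # Same remaining five octets, and the first octets differ in exactly the 0x02 bit.
    return a[1:] == b[1:] and (a[0] ^ b[0]) == 0x02

def review(snapshots):
    """Map each IP that was seen with more than one MAC to a finding string."""
    seen = defaultdict(set)
    for snap in snapshots:
        for ip, mac in parse_arp(snap):
            seen[ip].add(mac)
    findings = {}
    for ip, macs in seen.items():
        if len(macs) < 2:
            continue
        ordered = sorted(macs)
        if len(ordered) == 2 and differ_only_in_la_bit(*ordered):
            findings[ip] = "same address with the locally-administered bit toggled"
        else:
            findings[ip] = "unrelated MACs: check each against the device labels"
    return findings

if __name__ == "__main__":
    for ip, note in review([SNAP_1, SNAP_2]).items():
        print(ip, "->", note)
```

A pair that differs only in that bit is consistent with one piece of hardware presenting a second, software-assigned address, but it does not prove it; confirming with the manufacturer, as suggested above, still applies. Two unrelated MACs on one IP, especially the router's IP, deserve a closer look before any exception is added.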
