Devaus 0, Posted August 15, 2020

Hi,

Yesterday I saw an "ARP CACHE POISONING" message in ESET security and then I could see the web pages taking time to load. I googled "ARP CACHE POISONING", then installed and started xARP and saw "Status: ARP attacks detected". In xARP I can see a cross sign on the IP address of the PC and the router. The alert screen of xARP shows these 2 messages:

CorruptFilter: ethernet sender mac does not match arp sender mac
MacFilter: Incoming packet but sender mac set to our own mac address

I have attached the screenshots of the program. I fear, but am not sure, that the PC, mobile phones and iPad are hacked or compromised. I also have an NVR and IP cameras on the network. Can someone please help me or guide me to get rid of it?

Here are the xARP screenshots: https://drive.google.com/file/d/1_8bh5t-LFQhuw4Yg73t78TRoSc0E3grM/view

Thanks
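The two xARP alerts quoted above are both consistency checks on an ARP frame: the first compares the Ethernet header's source MAC with the sender hardware address inside the ARP payload, the second flags a received frame whose ARP sender MAC is the host's own address. The following Python is an added example, not xARP's code or anything from the forum posts: it builds a few constructed Ethernet/IPv4 ARP frames and applies both checks to them, so the reader can see exactly which field comparison each alert corresponds to. The MAC and IP values, the helper names (build_arp, check_arp_frame) and the assumption that every frame passed to the checker is an incoming (received) frame are all mine; in practice the frames would come from a packet capture, which is not included here.

```python
import struct

# Ethernet II header: dst MAC, src MAC, EtherType. ARP (Ethernet/IPv4) payload:
# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP.
ETH_HDR = struct.Struct("!6s6sH")
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806

CORRUPT_ALERT = "CorruptFilter: ethernet sender mac does not match arp sender mac"
OWN_MAC_ALERT = "MacFilter: incoming packet but sender mac set to our own mac address"


def mac_bytes(text: str) -> bytes:
    """'a0-4d-3f-ce-d0-c8' or 'a0:4d:3f:ce:d0:c8' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.replace(":", "-").split("-"))


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp(eth_src: str, sha: str, spa: str, tha: str, tpa: str, op: int = 2) -> bytes:
    """Construct an ARP frame (op 2 = reply). A well-formed frame has eth_src == sha;
    the two are separate parameters only so the inconsistent case can be built for testing."""
    eth = ETH_HDR.pack(mac_bytes(tha), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp_frame(frame: bytes):
    """Return the relevant fields, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"eth_src": eth_src, "eth_dst": eth_dst, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def check_arp_frame(frame: bytes, our_mac: bytes) -> list:
    """Apply the two checks to one received frame and return the alerts it triggers.
    Assumption: the caller only passes frames received from the network, never its own
    transmissions (otherwise every frame we send would trip the own-MAC check)."""
    fields = parse_arp_frame(frame)
    if fields is None:
        return []
    alerts = []
    # Header/payload disagreement: the frame was built by something other than the
    # NIC whose address is claimed inside the ARP payload.
    if fields["eth_src"] != fields["sha"]:
        alerts.append(CORRUPT_ALERT)
    # Someone on the wire is announcing an IP with *our* hardware address.
    if fields["sha"] == our_mac:
        alerts.append(OWN_MAC_ALERT)
    return alerts


if __name__ == "__main__":
    # Constructed addresses for a small home LAN (not from the thread).
    our, router, other = "00-11-22-33-44-55", "aa-bb-cc-dd-ee-01", "aa-bb-cc-dd-ee-99"
    frames = {
        "normal reply from router": build_arp(router, router, "192.168.1.1", our, "192.168.1.10"),
        "header/payload mismatch": build_arp(other, router, "192.168.1.1", our, "192.168.1.10"),
        "our own MAC announced": build_arp(our, our, "192.168.1.10", router, "192.168.1.1"),
    }
    for label, frame in frames.items():
        print(f"{label:28s} -> {check_arp_frame(frame, mac_bytes(our)) or ['no alert']}")
```

The first case yields no alert, the second reproduces the CorruptFilter message and the third the MacFilter message. Note that a mismatch between the Ethernet source and the ARP sender address is not always hostile: some hardware, bridged virtual machines and bonded or aggregated links legitimately emit such frames, which is why xARP's own FAQ (quoted later in this thread) talks about false alerts and security levels.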
Marcos 5,461 (Administrators), Posted August 17, 2020

Are you positive that the issue with slow loading of web pages disappears after temporarily disabling the ARP cache poisoning detection?
itman 1,806, Posted August 17, 2020

Per xARP FAQ:

"In what network environment do I need XArp?
ARP attacks can only be performed on a local network. If you got a DSL line with dialup for a single computer, you don't need XArp. If your computer resides in a local network, you are at risk of ARP attacks and need XArp. An example of local networks is company networks. When you got a computer at work, this is most likely a local network."

http://www.xarp.net/#download

Appears this product is for commercial use. Really don't know if its results are accurate on a home network.

Have you tried a hard reset on your router?
Devaus 0 (Author), Posted August 18, 2020

On 8/17/2020 at 2:28 PM, Marcos said:
"Are you positive that the issue with slow loading of web pages disappear after temporarily disabling the ARP cache poisoning detection?"

No change after disabling xARP. However, since posting this thread the pages are loading faster and everything looks normal. However, today ESET popped a notification that a new device has connected to the network (screenshot attached). The weird thing is it does not show the IP address, but the MAC address shown is my NVR's but one digit higher; for example, the NVR MAC is a0-4d-yf-ce-d0-c8 and the new device MAC is a0-4d-yf-ce-d0-c9, and none of the IP cameras have this MAC. At that time I was not running xARP so I could not see it in the logs.

23 hours ago, itman said:
"hxxp://www.xarp.net/#download
Appears this product is for commercial use. Really don't know if its results are accurate on a home network.
Have you tried a hard reset on your router?"

It is free with a nagging screen; that is why I exited the program. It has a commercial version, but for me it will be useless. It might suit IT security professionals. I have not reset the router as I will lose the settings and address reservations, and it is a pain adding them again. I reset it a long time back, but when I imported the settings it did not import them correctly. It is a Netgear D6400. I have rebooted it, though. Will resetting it do any good?
itman 1,806, Posted August 18, 2020 (edited)

33 minutes ago, Devaus said:
"However today ESET popped an notification that an new device has connected to network (Screenshot Attached). the weird thing is it does not show the IP address but the MAC address shown is of My NVR but one digit higher example NVR mac is a0-4d-yf-ce-d0-c8 the new device MAC is a0-4d-yf-ce-d0-c9 and none of IP camera have this MAC."

It's possible to "spoof" an internal network device MAC, but it would require specific software to do so or a registry change:

"Change the MAC address in the registry
As an alternative to the network settings, Windows users have the option to change the MAC address using the registry. This option is only recommended for experienced users, though.

MAC spoofing software
Instead of changing the MAC address manually using the network settings or the Windows registry, users can employ free software solutions like Technitium MAC Address Changer or Windows 7 MAC Address Changer."

https://www.ionos.com/digitalguide/server/know-how/what-is-mac-spoofing/

Edited August 18, 2020 by itman
Devaus 0 (Author), Posted August 19, 2020

13 hours ago, itman said:
"It's possible to "spoof" an internal network device MAC but it would require specific software to do so or a registry change:"

I have not tried doing it with software or otherwise. If not, then is someone else doing that from my PC? Half an hour ago another PC, which my wife uses, changed IP by itself, as seen in the screenshot where you can see 2 IPs with the same MAC. She is using Sophos and Cisco AnyConnect VPN to connect to work, which has currently allocated the 10.1.4.56 IP. This happened after the internet got disconnected the second time in 2 hours. ESET did not detect the IP change, nor did Sophos, so I guess everything is fine.
itman 1,806, Posted August 19, 2020

9 hours ago, Devaus said:
"Half an hour ago another PC which my wife uses changed IP by itself as seen in screenshot where you can see 2 IP with same MAC. She is using Sophos and Cisco Anyconnect VPN to connect to work which has currently allocated 10.1.4.56 IP. This happened after the internet got disconnected the seconnd time in 2 hour."

My best guess is your router allocated a new local network address to the device after the first disconnect. xARP appears to be not able to detect what network connection is actually active for a given device, perhaps.
Devaus 0 (Author), Posted August 21, 2020

On 8/19/2020 at 11:30 PM, itman said:
"Xarp appears to be not able to detect what network connection is actually active for a given device perhaps."

You are right. As soon as a new device connects I can see an "ARP Attack" message popup, but funnily enough it did not do so when I connected the first 2 devices, which were my wife's PC and iPhone. So I got 4 popup messages each time I connected my media PC, Galaxy Tablet and iPad. But xARP went crazy when I connected my PC, so I guess there is something in my PC, so I will reformat it and see how I go. I have changed the router and I am using my old D-Link DIR-635 for the time being. Both ESET and Sophos have not given any warning about an ARP attack, so I guess everything is good. Big thanks to you and Marcos. 🙏🙏
suomynonayats 0 (ESET Insiders), Posted August 22, 2020

I experienced the same thing. I tracked it down and it was a known computer on my network. I received these while my physical line was upgraded in the neighborhood. Do you have a router, and a separate switch? I finally hard wired everything to the router, bypassing the switch, and the alerts subsided. If I'm not mistaken I also remember these as a "HIPS" alert, and I had mine set to something like insanely paranoid or something. Maybe back the security level a notch back? I'm going to do more work on this, since it seems like only one or two possibilities.
itman 1,806, Posted August 23, 2020 (edited)

16 hours ago, suomynonayats said:
"If I'm not mistaken I also remember these as a "HIPS" alert, and I had mine set to something like insanely paranoid or something. Maybe back the security level a notch back?"

The ESET alert clearly indicates its source is IDS protection, where ARP poisoning monitoring is enabled by default.

16 hours ago, suomynonayats said:
"Do you have a router, and a separate switch? I finally hard wired everything to the router, bypassing the switch, and the alerts subsided."

I can see how a switch will be problematic to ESET's ARP poisoning protection. First, read this: https://community.fs.com/blog/switch-mac-address-whats-it-and-how-does-it-work.html for all the "nitty gritty" details of switches and MACs. Of note:

"You may have noticed that every piece of hardware on your local network has a MAC address in addition to the IP address. Except for switches, which have a switch MAC address, all devices that are connected to the Internet have this unique identifying number; from desktop computers, laptops, cell phones, tablets to wireless security cameras, and even your connected refrigerator has a MAC address."

I suspect your switch is set to dynamically store device MACs it encounters in its internal MAC table. ESET's IDS appears to be treating this as some type of MAC spoofing activity. The solution here is to exclude the switch from ESET IDS ARP poisoning detection. The problem is IDS exclusion requires an IP address, and switches don't always have an assigned IP address:

"Well, this depends on what kind of switch you are using. If it's an unmanaged switch, then no. An unmanaged switch does not have an IP address. It is an ethernet switch and it switches ethernet packets, and on the level of ethernet packets there are no IP addresses. While a managed switch has its own IP address, and has a telnet and a web-based interface to monitor and secure access to each port on the switch."

https://www.quora.com/Do-switches-have-IP-addresses?share=1

Refer to the above link article for other ways an IP address might be assigned to a switch. Finally, if the switch does not have an assigned IP address, this also could be the source of ESET's IDS ARP poisoning detection. However, I have an Ethernet switch on my LAN, i.e. no assigned IP address, and I have never received an ESET ARP poisoning alert due to it.

Edited August 23, 2020 by itman
Devaus 0 (Author), Posted August 24, 2020

On 8/23/2020 at 7:30 AM, suomynonayats said:
"I tracked it down and it was a known computer on my network."

Yes, one of my PCs was doing something which xARP didn't like, so that PC has been offline since then. I will reset it once I have time and re-connect it to the network.

On 8/23/2020 at 7:30 AM, suomynonayats said:
"Do you have a router, and a separate switch? I finally hard wired everything to the router, bypassing the switch, and the alerts subsided."

Yes, my unmanaged/dumb Netgear GS116 v2 switch (which connected 2 PCs), a NETGEAR GS108Tv2 ProSafe 8-Port (which connected my NAS with link aggregation) and 1 PoE switch that connects my 2 IP cameras are connected to the router. All switches are offline now. But whenever I connect devices from any switch I can see those warnings in xARP constantly, but nothing in ESET. Now I have only 2 PCs connected directly to the router, and xARP only showed a warning when the PCs were connected. After that xARP has been quiet. My NVR is not connected to the network, nor are the 2 IP cameras which connected via the PoE switch.

My previous network: https://drive.google.com/file/d/1O92zls2FlUyApOk8U8gq8HshFT4Bn_Yq/view?usp=sharing

Current network: https://drive.google.com/file/d/1Thbmf-1In4OdhzGwgZ64DMW-bXtdwT_z/view?usp=sharing
Devaus 0 (Author), Posted August 24, 2020

Correct link to previous network: https://drive.google.com/file/d/15CzC4mlg6cf0YJOI3F3TpFW-pwlCG2KO/view?usp=sharing
itman 1,806, Posted August 24, 2020 (edited)

11 hours ago, Devaus said:
"But whenever i connect devices from any switch i can see those warnings in xARP constantly but nothing in ESET."

Read through this: http://articles.manugarg.com/arp_spoofing.pdf . As far as I am aware, a switch can only be compromised to conduct ARP spoofing from another compromised device on your LAN. Also, it is debatable if ESET's ARP spoofing protection can detect switch ARP spoofing. As I interpret it, it is designed to detect spoofing activities at the gateway/router level.

You can verify xARP's findings using another utility from NirSoft: https://www.nirsoft.net/utils/wireless_network_watcher.html . Although designed for wireless networks, it also works for small wired networks.

I really believe the issue here is xARP:

"I am getting false alerts from XArp, what can I do?
The security levels employed by XArp are made up of a collection of filter modules and network discoverers. When you are getting false alerts, you have two options: switching to a lower security level or fine-tuning the configuration. Switching to a lower security level is done in the normal user interface. Fine tuning is performed in the advanced user interface."

Edited August 24, 2020 by itman
itman 1,806, Posted August 24, 2020

17 hours ago, Devaus said:
"My previous network https://drive.google.com/file/d/1O92zls2FlUyApOk8U8gq8HshFT4Bn_Yq/view?usp=sharing
Current Network https://drive.google.com/file/d/1Thbmf-1In4OdhzGwgZ64DMW-bXtdwT_z/view?usp=sharing"

The only thing I see here is you connected your managed switch to your unmanaged one. This adds zip security-wise, since all packets are auto forwarded unrestricted by the unmanaged switch. You need to search the web on how to properly secure your managed switch. The first thing would be to ditch Telnet in favor of SSH if there is any remote access to the switch.
Devaus 0 (Author), Posted August 25, 2020

11 hours ago, itman said:
"Read through this: hxxp://articles.manugarg.com/arp_spoofing.pdf"

Thanks for this article.

11 hours ago, itman said:
"You can verify xARP's findings using another utility from Nirsoft: https://www.nirsoft.net/utils/wireless_network_watcher.html"

Thanks for this nifty software. I can verify that the data in both match. https://drive.google.com/file/d/1Ons_m0lXsT36v9_dCfq-HbQqqY9fGHXs/view?usp=sharing

4 hours ago, itman said:
"The only thing I see here is you connected your managed switch to your unmanaged one. This adds zip security-wise since all packet are auto forwarded unrestricted by the unmanaged switch."

Thanks for pointing that out; I will correct that. I cannot fine tune the configuration in xARP as those options are only available in the Pro version, but I am happy with the basic settings.
itman 1,806, Posted August 25, 2020 (edited)

13 hours ago, Devaus said:
"Thanks for this nifty Software. I can verify that data in both match. https://drive.google.com/file/d/1Ons_m0lXsT36v9_dCfq-HbQqqY9fGHXs/view?usp=sharing"

Of note is the IP address for your managed switch does not show in either the xARP or wnetwatcher output display. It really appears to me that xARP is falsely identifying the switch as the source of the ARP spoofing attack. You can try to enter: arp -a from a command prompt window and see if it shows the MAC for the managed switch. One possibility is the physical placement of the managed switch behind the unmanaged one is hiding it from the router.

Edited August 25, 2020 by itman
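Two things in this thread can be checked directly from the `arp -a` output itman suggests: whether one MAC is mapped to more than one IP (the "2 IPs with the same MAC" Devaus saw earlier), and whether the gateway's MAC changed between two snapshots, which is the classic symptom of gateway ARP poisoning as opposed to a DHCP re-lease. The following Python is an added example written for this thread, not a tool from any post: it parses two constructed snapshots in the Windows `arp -a` layout (dash-separated MACs, `dynamic`/`static` type column) and reports those two conditions. The sample addresses, snapshot text and function names are all mine. Because the table is keyed by IP, an unmanaged switch with no IP address will never appear in it, which matches the point made earlier in the thread.

```python
import re
from collections import defaultdict

# One 'arp -a' row on Windows: IP, dash-separated MAC, type (dynamic/static).
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)\s*$", re.I)

# Constructed snapshots (not from the thread). In AFTER the gateway row now carries
# the same MAC as the host at .20, which is what a poisoned gateway entry looks like.
BEFORE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           a0-4d-3f-ce-d0-01     dynamic
  192.168.1.20          a0-4d-3f-ce-d0-c8     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

AFTER = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           a0-4d-3f-ce-d0-c8     dynamic
  192.168.1.20          a0-4d-3f-ce-d0-c8     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


def parse_arp_a(text: str) -> dict:
    """Map IP -> (mac, type), skipping the broadcast and IPv4 multicast rows that
    every Windows ARP table contains and that are never evidence of anything."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if not m:
            continue
        ip, mac, kind = m.group(1), m.group(2).lower(), m.group(3).lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        table[ip] = (mac, kind)
    return table


def shared_macs(table: dict) -> dict:
    """MACs that several dynamic entries resolve to: mac -> sorted list of IPs."""
    by_mac = defaultdict(list)
    for ip, (mac, kind) in table.items():
        if kind == "dynamic":
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(before: dict, after: dict, gateway_ip: str) -> bool:
    """True when the gateway IP resolved to different MACs in the two snapshots."""
    old = before.get(gateway_ip, (None, None))[0]
    new = after.get(gateway_ip, (None, None))[0]
    return old is not None and new is not None and old != new


def review(before_text: str, after_text: str, gateway_ip: str) -> list:
    """Human-readable findings worth looking at; none of them is a verdict on its own."""
    before, after = parse_arp_a(before_text), parse_arp_a(after_text)
    findings = []
    if gateway_changed(before, after, gateway_ip):
        findings.append(f"gateway {gateway_ip} MAC changed: "
                        f"{before[gateway_ip][0]} -> {after[gateway_ip][0]}")
    for mac, ips in shared_macs(after).items():
        findings.append(f"MAC {mac} is claimed by {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for line in review(BEFORE, AFTER, "192.168.1.1") or ["nothing unusual"]:
        print(line)
```

A shared MAC on its own can be benign, as itman pointed out above: a host that re-leases a new address after a disconnect leaves its old entry in the table until it ages out, so both IPs map to the same card for a while. The gateway's MAC changing to the MAC of another host on the LAN is the finding that deserves immediate attention, and the cheap check is to compare it against the MAC printed on the router's label.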
Devaus 0 (Author), Posted August 26, 2020

12 hours ago, itman said:
"Of note is the IP address for your managed switch does not show in either xARP or wnetwatcher output display."

This is because at the moment I have only connected 2 PCs hardwired to the router, and my phone and tablet connected wirelessly. My NAS and managed + unmanaged switches are switched off and not connected.

On 8/25/2020 at 6:38 AM, itman said:
"Current Network https://drive.google.com/file/d/1Thbmf-1In4OdhzGwgZ64DMW-bXtdwT_z/view?usp=sharing"

12 hours ago, itman said:
"You can try to enter: arp -a from a command prompt window and see if it shows the MAC for the managed switch. One possibility is the physical placement of the managed switch behind the unmanaged one is hiding it from the router."

Thanks. I will try this once I have connected all the previous equipment and post it here, and this time I will follow your advice and directly connect the managed switch to the router, not to the unmanaged switch.