
ARP cache poisoning attack from internal traffic


Hi, ESET tells me there was an ARP cache poisoning attack, and that it may be coming from a device on my network. I don't know anything about that so I look it up and find this ESET support page (link below), where it is said that ESET might be mistaking a legit comm from a device on my network and I need to check on its IP address. I did not think of writing this down when it popped but let's say I did and find it's another computer in my house, on my network. If so, ESET tells me I could enter this IP address on a safe list. Could it possibly be a virus on that device trying to attack my computer? I'd be letting a wolf play around with my sheep! How can I tell? Thanks!



This article gets into more detail on ARP poisoning: https://www.comparitech.com/blog/vpn-privacy/arp-poisoning-spoofing-detect-prevent/ . The article section to note is How To Detect ARP Poisoning -> Command Prompt:


The table shows the IP addresses in the left column, and MAC addresses in the middle. If the table contains two different IP addresses that share the same MAC address, then you are probably undergoing an ARP poisoning attack.

The important point to note in the Eset KB article on ARP cache poisoning is:


If the IP address being detected as a threat is not within the safe range listed above, or there are no network peripherals currently in use on your network, the device being detected by the firewall is located on a public network and could be a threat to your system.


Another source for Eset's ARP cache poisoning detection is a malfunctioning router where auto DHCP processing is assigning the same IP address to two or more devices. Examples that have been posted in the forum include DHCP server failure resulting in duplicate assignment of IP addresses in the APIPA: https://www.webopedia.com/definitions/apipa/ address range; through 

It is also possible the router has been hacked.

Edited by itman

Also an attacker needs access to a LAN device to stage an ARP poisoning attack. Once that is had, all he has to do is execute the following command:

arp -s   00-aa-00-62-c6-09

which creates a permanent static ARP cache entry specifying the IP address of his attack server and the MAC address of the Ethernet adapter of the targeted device.

Also the IP address used doesn't have to be an external address. The comparitech article link I posted notes this:


As an example, let’s say that your ARP table contains a number of different addresses. When you scan through it, you may notice that two of the IP addresses have the same physical address. You might see something like this in your ARP table if you are actually being poisoned:

Internet Address    Physical Address
                    00-17-31-dc-39-ab
                    40-d4-48-cr-29-b2
                    00-17-31-dc-39-ab

As you can see, both the first and the third MAC addresses match. This indicates that the owner of the IP address is most likely the attacker.

The above scenario would imply a gateway/router network traffic redirect to a bogus LAN device internal IP address.

Edited by itman