ARP cache poisoning attak from internal trafic

[Guest Pat]

Hi, ESET tells me There was aa ARP cache poisoning attack, AND that it may be coming from a device on my network. I don't know anything about that so I look it up and find this ESET support page (link below), where it is said that ESET might be mistaking a ligit comm from a device on my network and I need to check on its IP adress. I did not think of writting this down when it popped but let's say I did and find it's another computer in my house, on my network. If so, ESET tells me I could enter this IP address on a safe list. Could it possibly be a virus on that device trying to attack my computer? I'd be letting a wolf play around with my sheep! How can I tell? Thanks!

https://support.eset.com/fr/kb2933-attaque-par-empoisonnement-de-cache-dns

[itman 1,659]

This article gets into more detail on ARP poisoning: https://www.comparitech.com/blog/vpn-privacy/arp-poisoning-spoofing-detect-prevent/ . The article section to note is How To Detect ARP Poisoning -> Command Prompt:

Quote

The table shows the IP addresses in the left column, and MAC addresses in the middle. If the table contains two different IP addresses that share the same MAC address, then you are probably undergoing an ARP poisoning attack.

The important point to note in the Eset KB article on ARP cache poisoning is:

Quote

If the IP address being detected as a threat is not within the safe range listed above, or there are no network peripherals currently in use on your network, the device being detected by the firewall is located on a public network and could be a threat to your system.

https://support.eset.com/en/kb2933-arp-icmp-or-dns-cache-poisoning-attack-in-eset-home-products-for-windows

Another source for Eset's ARP cache Poisoning detection is a malfunctioning router where auto DHCP processing is assigning the same IP address to two or more devices. Examples that have been posted in the forum include DHCP server failure resulting in duplicate assignment of IP addresses in the APIPA: https://www.webopedia.com/definitions/apipa/ address range; 169.254.0.1 through 169.254.255.254. 

It is also possible the router has been hacked.

Edited February 27, 2021 by itman

[itman 1,659]

Also an attacker needs access to a LAN device to stage an ARP poisoning attack. Once that is had, all he has to do is execute the following command:

arp -s 157.55.85.212   00-aa-00-62-c6-09

which creates a permanent static ARP cache entry specifying the IP address of his attack server and the MAC address of the Ethernet adapter of the targeted device.

Also the IP address used doesn't have to be an external address. The comparitech article link I posted notes this:

Quote

As an example, let’s say that your ARP table contains a number of different addresses. When you scan through it, you may notice that two of the IP addresses have the same physical address. You might see something like this in your ARP table if you are actually being poisoned:

Internet Address    Physical Address

192.168.0.1        00-17-31-dc-39-ab

192.168.0.105    40-d4-48-cr-29-b2

192.168.0.106    00-17-31-dc-39-ab

As you can see, both the first and the third MAC addresses match. This indicates that that the owner of the 192.168.0.106 IP address is most likely the attacker.

The above scenario would imply a gateway/router network traffic redirect to a bogus LAN device internal IP address.

Edited February 28, 2021 by itman