Oleksandr1 (posted March 12, 2023)

The detection tool for the ARP Cache Poisoning attack is constantly triggered. The messages are allegedly sent from the router. Please tell me how to fix this.
Marcos, Administrator (posted March 13, 2023)

The router is likely returning different MAC addresses for its IP address for some reason. Couldn't it be that you are connected by both wire and wi-fi to the router?
Oleksandr1, Author (posted March 13, 2023)

Quoting Marcos (2 hours ago): "The router is likely returning different MAC addresses for its IP address for some reason. Couldn't it be that you are connected by both wire and wi-fi to the router?"

No, I only use a WiFi connection. Could this be due to the fact that the router operates in dual network mode (2.4 GHz and 5 GHz)?
itman (posted March 13, 2023)

Open a command prompt window and enter the following command:

    arp -a

Under the Physical Addresses column, look for duplicate MAC addresses.

If your router and ISP both support IPv6, open a command prompt window and enter the following command:

    netsh int ipv6 show neigh

For the Wi-Fi interface, look for duplicate addresses under the Physical Addresses column.
Oleksandr1, Author (posted March 13, 2023)

Quoting itman (6 hours ago): "Open a command prompt window and enter the following command: arp -a. Under the Physical Addresses column, look for duplicate MAC addresses. If your router and ISP both support IPv6, open a command prompt window and enter the following command: netsh int ipv6 show neigh. For the Wi-Fi interface, look for duplicate addresses under the Physical Addresses column."

    Интерфейс 1: Loopback Pseudo-Interface 1
    IP-адрес                                   Физический адрес   Тип
    -------------------------------------------- ----------------- -----------
    ff02::2                                                        Постоянный
    ff02::c                                                        Постоянный
    ff02::16                                                       Постоянный
    ff02::fb                                                       Постоянный
    ff02::1:2                                                      Постоянный
    ff02::1:3                                                      Постоянный
    ff02::1:ff29:5691                                              Постоянный
    ff02::1:ff39:5e66                                              Постоянный
    ff02::1:ff6e:d4ea                                              Постоянный
    ff02::1:ffb1:7326                                              Постоянный
    ff02::1:ffe0:a1ae                                              Постоянный
    ff02::1:fffe:6580                                              Постоянный

    Интерфейс 16: Беспроводная сеть
    IP-адрес                                   Физический адрес   Тип
    -------------------------------------------- ----------------- -----------
    fe80::70fe:a380:fe29:5691                  00-00-00-00-00-00  Недостижимый
    ff02::1                                    33-33-00-00-00-01  Постоянный
    ff02::2                                    33-33-00-00-00-02  Постоянный
    ff02::c                                    33-33-00-00-00-0c  Постоянный
    ff02::16                                   33-33-00-00-00-16  Постоянный
    ff02::fb                                   33-33-00-00-00-fb  Постоянный
    ff02::1:2                                  33-33-00-01-00-02  Постоянный
    ff02::1:3                                  33-33-00-01-00-03  Постоянный
    ff02::1:ff14:e3f6                          33-33-ff-14-e3-f6  Постоянный
    ff02::1:ff39:5e66                          33-33-ff-39-5e-66  Постоянный
    ff02::1:ffb1:7326                          33-33-ff-b1-73-26  Постоянный
    ff02::1:fffe:6580                          33-33-ff-fe-65-80  Постоянный

    Интерфейс 8: Подключение по локальной сети* 1
    IP-адрес                                   Физический адрес   Тип
    -------------------------------------------- ----------------- -----------
    fe80::70fe:a380:fe29:5691                  00-00-00-00-00-00  Недостижимый
    ff02::2                                    33-33-00-00-00-02  Постоянный
    ff02::16                                   33-33-00-00-00-16  Постоянный
    ff02::fb                                   33-33-00-00-00-fb  Постоянный
    ff02::1:2                                  33-33-00-01-00-02  Постоянный
    ff02::1:3                                  33-33-00-01-00-03  Постоянный
    ff02::1:ff29:5691                          33-33-ff-29-56-91  Постоянный
    ff02::1:ff39:5e66                          33-33-ff-39-5e-66  Постоянный
    ff02::1:ff6e:d4ea                          33-33-ff-6e-d4-ea  Постоянный
    ff02::1:ffb1:7326                          33-33-ff-b1-73-26  Постоянный
    ff02::1:ffe0:a1ae                          33-33-ff-e0-a1-ae  Постоянный
    ff02::1:fffe:6580                          33-33-ff-fe-65-80  Постоянный

    Интерфейс 14: Подключение по локальной сети* 10
    IP-адрес                                   Физический адрес   Тип
    -------------------------------------------- ----------------- -----------
    fe80::70fe:a380:fe29:5691                  00-00-00-00-00-00  Недостижимый
    ff02::2                                    33-33-00-00-00-02  Постоянный
    ff02::16                                   33-33-00-00-00-16  Постоянный
    ff02::fb                                   33-33-00-00-00-fb  Постоянный
    ff02::1:2                                  33-33-00-01-00-02  Постоянный
    ff02::1:3                                  33-33-00-01-00-03  Постоянный
    ff02::1:ff29:5691                          33-33-ff-29-56-91  Постоянный
    ff02::1:ff39:5e66                          33-33-ff-39-5e-66  Постоянный
    ff02::1:ff6e:d4ea                          33-33-ff-6e-d4-ea  Постоянный
    ff02::1:ffb1:7326                          33-33-ff-b1-73-26  Постоянный
    ff02::1:ffe0:a1ae                          33-33-ff-e0-a1-ae  Постоянный
    ff02::1:fffe:6580                          33-33-ff-fe-65-80  Постоянный
itman (posted March 13, 2023)

Quoting Marcos (14 hours ago): "Couldn't it be that you are connected by both wire and wi-fi to the router?"

Translating your posted netsh output, you have multiple network connections established, all using the same physical addresses:

    Interface 16: Wireless network
    Interface 8: LAN connection* 1
    Interface 14: Local Area Connection* 10

Here's Eset's knowledge base article on ARP cache poisoning: https://support.eset.com/en/kb2933-arp-icmp-or-dns-cache-poisoning-attack-in-eset-home-products-for-windows

Maybe @Marcos has an idea on the best way to proceed here.
Marcos, Administrator (posted March 14, 2023)

I assume a pcap log would elucidate what triggers the detection.

1. Enable advanced logging under Help and support -> Technical support.
2. Reboot the machine.
3. Wait until the detection occurs (unless it takes long after the reboot).
4. Stop logging.
5. Collect logs with ESET Log Collector and upload the generated archive here.
Marcos, Administrator (posted March 15, 2023)

The router broadcasts from 2 different MAC addresses, as logged by ESET:

    14. 3. 2023 21:31:55  ARP Cache Poisoning attack  Blocked  192.168.97.1 [6c:e8:73:a4:54:d4]  192.168.97.1 [6c:e8:73:a4:54:d3]
Oleksandr1, Author (posted March 15, 2023)

Quoting Marcos (4 hours ago): "The router broadcasts from 2 different MAC addresses, as logged by ESET: 14. 3. 2023 21:31:55 ARP Cache Poisoning attack Blocked 192.168.97.1 [6c:e8:73:a4:54:d4] 192.168.97.1 [6c:e8:73:a4:54:d3]"

Thanks a lot. So, is it OK? Or should I do something about it?
itman (posted March 15, 2023) [marked as Solution]

Quoting Oleksandr1 (1 hour ago): "Or should I do something about it?"

If you don't want to be continually alerted about the ARP poisoning, refer to the Eset knowledge base article link I posted previously. You will need to add the IP address 192.168.97.1 to the Addresses excluded from IDS section.
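Added example (not ESET's tooling and not code from any poster in this thread) that automates the two checks discussed above: itman's advice to inspect `arp -a` for duplicate addresses, and the triage of an ESET detection line like the one Marcos posted. It assumes the Windows `arp -a` text layout; the `arp -a` sample below is constructed (the two router MACs are the ones from the ESET log, everything else is made up), and `likely_same_device` is a hypothetical heuristic of mine: the same OUI plus adjacent NIC bytes is typical of one router exposing several radios or ports, but it is a hint for triage, not proof that no spoofing is going on.

```python
"""Triage helpers for an "ARP Cache Poisoning" alert.

Parses Windows `arp -a` output and an ESET detection line, then looks for the
two patterns that matter: one IP answered by several MACs (what ESET flagged)
and one MAC answering for several IPs (the classic spoof signature).
"""
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output. The two MACs for 192.168.97.1
# are taken from the ESET log in the thread; every other value is made up.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.97.23 --- 0x10
  Internet Address      Physical Address      Type
  192.168.97.1          6c-e8-73-a4-54-d4     dynamic
  192.168.97.45         a4-5e-60-11-22-33     dynamic
  192.168.97.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static

Interface: 192.168.97.24 --- 0x8
  Internet Address      Physical Address      Type
  192.168.97.1          6c-e8-73-a4-54-d3     dynamic
  192.168.97.45         a4-5e-60-11-22-33     dynamic
  192.168.97.46         a4-5e-60-11-22-33     dynamic
"""

# The detection line Marcos posted, verbatim from the thread.
SAMPLE_ESET_EVENT = ("14. 3. 2023 21:31:55 ARP Cache Poisoning attack Blocked "
                     "192.168.97.1 [6c:e8:73:a4:54:d4] 192.168.97.1 [6c:e8:73:a4:54:d3]")

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ARP_INTERFACE_RE = re.compile(rf"^Interface:\s*({IPV4})")
ARP_ENTRY_RE = re.compile(rf"^\s*({IPV4})\s+([0-9A-Fa-f]{{2}}(?:[-:][0-9A-Fa-f]{{2}}){{5}})\s+(\w+)")
ESET_PAIR_RE = re.compile(rf"({IPV4})\s*\[([0-9A-Fa-f:-]{{17}})\]")


def normalize_mac(mac):
    """Canonical lowercase colon form so '6C-E8-...' and '6c:e8:...' compare equal."""
    return mac.lower().replace("-", ":")


def is_group_address(mac):
    """Broadcast and IPv4/IPv6 multicast MACs legitimately repeat; never flag them."""
    return mac == "ff:ff:ff:ff:ff:ff" or mac.startswith(("01:00:5e:", "33:33:"))


def parse_arp_a(text):
    """Return (interface_ip, ip, mac, type) tuples from Windows `arp -a` output."""
    entries, iface = [], None
    for line in text.splitlines():
        m = ARP_INTERFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ARP_ENTRY_RE.match(line)
        if m and iface:
            entries.append((iface, m.group(1), normalize_mac(m.group(2)), m.group(3).lower()))
    return entries


def find_ip_mac_conflicts(entries):
    """IPs seen with more than one MAC (across interfaces): the pattern ESET alerted on."""
    macs_by_ip = defaultdict(set)
    for _iface, ip, mac, _kind in entries:
        if not is_group_address(mac):
            macs_by_ip[ip].add(mac)
    return {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}


def find_mac_ip_conflicts(entries):
    """MACs claiming more than one IP: the duplicate itman asks to look for."""
    ips_by_mac = defaultdict(set)
    for _iface, ip, mac, _kind in entries:
        if not is_group_address(mac):
            ips_by_mac[mac].add(ip)
    return {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}


def likely_same_device(mac_a, mac_b, max_delta=8):
    """Hypothetical heuristic: same OUI and NIC bytes within max_delta of each other."""
    a, b = normalize_mac(mac_a), normalize_mac(mac_b)
    if a[:8] != b[:8]:          # first three octets are the vendor OUI
        return False
    nic_a = int(a[9:].replace(":", ""), 16)
    nic_b = int(b[9:].replace(":", ""), 16)
    return abs(nic_a - nic_b) <= max_delta


def parse_eset_arp_event(line):
    """Extract the two (ip, mac) pairs from an ESET ARP cache poisoning log line."""
    pairs = ESET_PAIR_RE.findall(line)
    if len(pairs) != 2:
        raise ValueError("expected two 'ip [mac]' pairs in the event line")
    return [(ip, normalize_mac(mac)) for ip, mac in pairs]


def triage_eset_event(line):
    """Classify an event: 'probably-same-device', 'investigate', 'no-conflict' or 'different-ips'."""
    (ip1, mac1), (ip2, mac2) = parse_eset_arp_event(line)
    if ip1 != ip2:
        return "different-ips"
    if mac1 == mac2:
        return "no-conflict"
    return "probably-same-device" if likely_same_device(mac1, mac2) else "investigate"


if __name__ == "__main__":
    rows = parse_arp_a(SAMPLE_ARP_OUTPUT)
    print("IP -> multiple MACs:", find_ip_mac_conflicts(rows))
    print("MAC -> multiple IPs:", find_mac_ip_conflicts(rows))
    print("ESET event triage:", triage_eset_event(SAMPLE_ESET_EVENT))
```

Run against real output with `arp -a > arp.txt` and feed the file to `parse_arp_a`. A "probably-same-device" result supports the explanation in this thread (one router, two radios, adjacent MACs) and makes the IDS exclusion itman suggests reasonable; an "investigate" result, or any MAC answering for several IPs, is worth a closer look before excluding anything.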