ARP Cache Poisoning attack

[eornate 4]

Hi everyone,

Hope you're doing well.

On my logs endpoint, i received many alert about "ARP Cache Poisoning attack " :

Ip 172.16.2.100 is static ip.

 

I've checked on this ip 172.16.2.100 , it just have 1 mac-address as SOURCE [00:0c:29:94:7b:98]

 

And on my endpoint , which is alert ARP Cache Poisoning attack 

So , how do i can resolve this problem ?

 

[itman 1,727]

First, refer to this Microsoft article: https://support.microsoft.com/en-au/topic/fix-duplicate-ip-address-conflicts-on-a-dhcp-network-d68499da-69a3-da3b-4630-d17e502adf50#bkmk_details .

You can also exclude the static IP address from Eset IDS detection as shown in this Eset knowledge base article: https://support.eset.com/en/kb2933-arp-icmp-or-dns-cache-poisoning-attack-in-eset-home-products-for-windows . 

[eornate 4]

2 minutes ago, itman said:

First, refer to this Microsoft article: https://support.microsoft.com/en-au/topic/fix-duplicate-ip-address-conflicts-on-a-dhcp-network-d68499da-69a3-da3b-4630-d17e502adf50#bkmk_details .

You can also exclude the static IP address from Eset IDS detection as shown in this Eset knowledge base article: https://support.eset.com/en/kb2933-arp-icmp-or-dns-cache-poisoning-attack-in-eset-home-products-for-windows . 

Hi itman,

Thanks your response.

How to can i know this alert is false positive or true positive ? I mean that may be one of my endpoints has infected and it try scan or poisioning my local network ?

[itman 1,727]

Again, the problem is with your router configuration;

Quote

This issue can also occur if a device is configured to utilize a static IP address without that address being reserved in your router. Your router will eventually attempt to assign that address to a different device, resulting in an IP conflict.

https://medium.com/@jamescuban99_23577/how-do-you-resolve-an-ip-conflict-and-what-is-it-6d4f651a3508