
ARP cache poisoning or false alarm?



Plugged in and turned on my Intel computer and received a message from my ESET application that it had denied an ARP cache poisoning attempt. Please forgive me as I try to explain this as a non-techie. I quickly googled what it was and used the command prompt to check the IPs and MACs. I did find two different IPs sharing the same MAC. According to what I read, this means there was ARP spoofing? At that time I disconnected my router. I checked the log on my ESET and saw there were a few ARPs already detected and “blocked”. In those ARPs it said that the source and the target were the same IP address, and the IP address was the same for each attack.
I checked the log and saw that there were 6 attacks total spanning 3 months, all coming from the same IP and same two different MAC addresses in the “source” and “target” column. This leads me to believe it might just be two devices on my network instead of an actual attack.
Does this sound like it was a series of false alarms, or legitimate attacks?

Any advice is appreciated. I plan on returning and purchasing a new router tomorrow. This is stressing me out.


  • Administrators

It means that 2 network adapters share the same IP address for some reason. If the device is trusted and you don't experience any issues, you can create an IDS exception for that IP address and detection.


26 minutes ago, Marcos said:

It means that 2 network adapters share the same IP address for some reason. If the device is trusted and you don't experience any issues, you can create an IDS exception for that IP address and detection.

How can I determine which devices share the same IP? 
 

I read that if you perform an arp -a command and find two separate IPs with the same physical address then that can be a sign of ARP poisoning. I do have that condition occurring. In your opinion, in this situation do you think it is an attack or not? The IPs that share a MAC are 192.168.xx.x and 192.168.x.xxx and both are type “dynamic”.


  • Administrators

If the MAC addresses are the addresses on network adapters on one machine, the detection could be safely silenced by creating an IDS exception.


I’m going to be away from my computer for a week now, I can revisit this when I am back. If this was a legitimate ARP poisoning would replacing my router/getting new wifi and creating a strong custom password be enough to stop intrusions? I already have an ESET subscription. 

 


  • Administrators

If the machine is connected both via wi-fi and a cable, try turning off the wi-fi or unplugging the cable and see if it makes a difference.


It is only connected by wifi. Could it be that I have a router that is connected via lan cable to my modem? 
