
ARP Cache Poisoning Attack


Kavishka Dilshan


Dear All

Every day I receive one message from ESET Endpoint Security saying: "A device on the network is sending malicious traffic. This can be an attempt to attack your computer. The threat was blocked." After receiving this message, my internet connection suddenly disconnects. After I restart my firewall, it works. As per my knowledge, this message is coming because of a duplicate IP address in my network. How do I fix this issue? I have a DHCP pool in my firewall. I think that pool is not working properly. Sometimes this message comes with the default gateway IP. If I disable and enable the DHCP pool from my firewall, can it fix this issue?

Thanks


23 hours ago, Kavishka Dilshan said:

A device on the network is sending malicious traffic. This can be an attempt to attack your computer. The threat was blocked.

Your device has been enrolled in a botnet. Refer to this Eset Knowledge Base article: https://support.eset.com/en/kb8111-detected-network-device-sending-malicious-traffic

I would start by ensuring your Fortigate firewall has applied all available security updates: https://www.linkedin.com/pulse/new-critical-vulnerability-discovered-fortinet-gustav-eriksson-pfh0c . Ditto for any other Fortinet products you are using since numerous past vulnerabilities have been discovered: https://www.cvedetails.com/vulnerability-list/vendor_id-3080/Fortinet.html

Edited by itman

57 minutes ago, itman said:

Refer to this Eset Knowledge Base article: https://support.eset.com/en/kb8111-detected-network-device-sending-malicious-traffic

I would start by ensuring your Fortigate firewall has applied all available security updates: https://www.linkedin.com/pulse/new-critical-vulnerability-discovered-fortinet-gustav-eriksson-pfh0c . Ditto for any other Fortinet products you are using since numerous past vulnerabilities have been discovered.

I received this message from so many IPs in my network.


2 minutes ago, Kavishka Dilshan said:

I received this message from so many IPs in my network.

Review the linked Eset article in detail. Of note:

  • If the device functions as a router, it might not be infected itself but could be configured to forward malicious traffic to your network from external sources. We recommend reviewing the router settings.
  • The possibly infected device is sending (or forwarding) malicious traffic to other devices in your local network.

You can also try using Eset Network Inspector: https://help.eset.com/ees/11/en-US/idh_page_sysinspector.html?zoom_highlightsub=network+inspector to scan your network and identify if your router has been compromised.

-EDIT- Apologies, it appears Eset doesn't include Network Inspector feature in its Endpoint versions.

Edited by itman

On 7/2/2024 at 10:01 AM, Kavishka Dilshan said:

Every day I receive one message from ESET Endpoint Security saying: "A device on the network is sending malicious traffic. This can be an attempt to attack your computer. The threat was blocked."

As per my knowledge, this message is coming because of a duplicate IP address in my network.

Post a screenshot of the Eset alert for the above.

If the alert is the same as shown in this Eset forum posting: https://forum.eset.com/topic/36808-duplicate-ip/ , follow the mitigation procedure given in that posting.

Edited by itman