Karl Hui 0 Posted August 23, 2016 Share Posted August 23, 2016 Dear all, I'm new to this forum but I have using ESET Security Endpoint for a few months, starting yesterday I got "Duplicate IP addresses detected in network" and "Detected ARP cache poisoning attack" alert every few minutes. Those target and source IP are internal (192.168.80.xxx). I googled it, scan those computers with no virus, added 192.168.80.0 in Addresses excluded from active protection (IDS), however these alerts still keep poping up. I have no idea what cause this issue and seeking for help. Thank you very much. Link to comment Share on other sites More sharing options...
Karl Hui 0 Posted August 23, 2016 Author Share Posted August 23, 2016 Dear all, Found out I should use 192.168.80.0/255.255.255.0 not just 192.168.80.0 in Addresses excluded from active protection (IDS), then no "Duplicate IP addresses detected in network" and"Detected ARP cache poisoning attack" alert anymore, however I would like to know if is it a false alarm or its real an attack? Thanks Link to comment Share on other sites More sharing options...
ESET Staff MartinK 384 Posted August 23, 2016 ESET Staff Share Posted August 23, 2016 This most probably means that you have multiple computers or devices with the same IP address in your network. Link to comment Share on other sites More sharing options...
slarkins 5 Posted August 23, 2016 Share Posted August 23, 2016 I would think the fact that your IP ends in .0...i have only seen that when referencing entire subnets....most devices see that as a "network" when ending in .0....makes sense that when you add the subnet mask to the IP....your problems stop.... Link to comment Share on other sites More sharing options...
Karl Hui 0 Posted August 24, 2016 Author Share Posted August 24, 2016 Thank you for the reply. With multiple devices using the same IP, does it means my DHCP server has issue? Gonna have a look on the DHCP now Link to comment Share on other sites More sharing options...
ESET Staff MartinK 384 Posted August 24, 2016 ESET Staff Share Posted August 24, 2016 Thank you for the reply. With multiple devices using the same IP, does it means my DHCP server has issue? Gonna have a look on the DHCP now Just guessing, but maybe some device/computer is using static IP address from set of IP addresses that are also assigned by DHCP. There is also chance some device was offline for longer time and once connected to network, it uses IP address that was assigned to different device in the meantime. Also there are network devices, that are by default using specific IP addresses after reset to factory default (router, TV, ...) which may also result in this. Link to comment Share on other sites More sharing options...
Recommended Posts