Jump to content

Keep getting "Detected ARP cache poisoning attack" alert

Karl Hui

By Karl Hui
in ESET Endpoint Products

 Share

Recommended Posts

Karl Hui

Karl Hui 0

Posted
Posted

Dear all,

 

I'm new to this forum but I have using ESET Security Endpoint for a few months, starting yesterday I got "Duplicate IP addresses detected in network" and "Detected ARP cache poisoning attack" alert every few minutes.  Those target and source IP are internal (192.168.80.xxx).  

 

I googled it, scan those computers with no virus, added 192.168.80.0 in Addresses excluded from active protection (IDS), however these alerts still keep poping up.

 

I have no idea what cause this issue and seeking for help.

 

Thank you very much.

Link to comment
Share on other sites
Karl Hui

Karl Hui 0

Posted
  • Author
Posted

Dear all,

 

Found out I should use 192.168.80.0/255.255.255.0 not just 192.168.80.0 in Addresses excluded from active protection (IDS), then no "Duplicate IP addresses detected in network" and"Detected ARP cache poisoning attack" alert anymore, however I would like to know if is it a false alarm or its real an attack?

 

Thanks

Link to comment
Share on other sites
slarkins

slarkins 5

Posted
Posted

I would think the fact that your IP ends in .0...i have only seen that when referencing entire subnets....most devices see that as a "network" when ending in .0....makes sense that when you add the subnet mask to the IP....your problems stop....

Link to comment
Share on other sites
Karl Hui

Karl Hui 0

Posted
  • Author
Posted

Thank you for the reply.  With multiple devices using the same IP, does it means my DHCP server has issue?  Gonna have a look on the DHCP now

Link to comment
Share on other sites
  • ESET Staff
MartinK

MartinK 378

Posted
  • ESET Staff
Posted

Thank you for the reply.  With multiple devices using the same IP, does it means my DHCP server has issue?  Gonna have a look on the DHCP now

 

Just guessing, but maybe some device/computer is using static IP address from set of IP addresses that are also assigned by DHCP. There is also chance some device was offline for longer time and once connected to network, it uses IP address that was assigned to different device in the meantime. Also there are network devices, that are by default using specific IP addresses after reset to factory default (router, TV, ...) which may also result in this.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...