Advice Request ARP attacks-CIS

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.
Nestor

Nestor

Level 9
Thread author
Verified
Well-known
Apr 21, 2018
397
I am using CIS in my system and the last days,almost every day, i keep getting firewall alerts for ARP attacks.The attacted subject is windows operating system and the source IP is diferrent from the destination IP.iI have checked ARP protection at firewall settings.Does anyone know is this a FP or it's real?
 
  • Like
Reactions: InnoScorpio, AtlBo, lowdetection and 1 other person
lowdetection

lowdetection

Level 7
Verified
Well-known
Jul 1, 2017
317
Just a little head-up in case OP is interested, with dd-wrt we have ARP protection inside the router:

PJ8hMB.png
 
  • Like
Reactions: ZeroDay, AtlBo, Nestor and 1 other person
F

ForgottenSeer 58943

Nestor said:
I am using CIS in my system and the last days,almost every day, i keep getting firewall alerts for ARP attacks.The attacted subject is windows operating system and the source IP is diferrent from the destination IP.iI have checked ARP protection at firewall settings.Does anyone know is this a FP or it's real?
Click to expand...

Assuming the subject and target are on your local domain/subnet, which is where it probably is then you need to tell us the source and IP addresses, and identify the local subject attempting to poison your ARP. Utilize Advanced IP Scanner to find the bad actor;

Advanced IP Scanner - Download Free Network Scanner.

ARP is a protocol which is being used inside a network (layer 2) to convert IP addresses to MAC addresses. ARP requests are very spoofable since they aren't secured in any way. So you may have a bad actor on your network and simply need to identify it. Some devices, like Fingbox utilize ARP manipulation to conduct their operations, which is not ideal. Make sure you don't have a second router on the network or a L3 managed switch malfunctioning as well. Anything tampering with your ARP tables should be removed from the network. Also, you should have a device to protect ARP integrity on the device handing out DHCP. Fortunately, a growing number of routers and ALL UTM's provide some level of ARP protection. I was shocked - recently - to find Linksys's higher end routers are ARP secured out of the box. Crap routers(most) will be oblivious to ARP manipulation.

Identify the bad actor, remove it. It's possible the bad actor is a benign piece of equipment that's been hijacked. Factory reset it, if it can't be reset, toss it in the trash. It could be a transient device as well, so work on ID.
 
  • Like
Reactions: InnoScorpio, harlan4096, AtlBo and 3 others
Nestor

Nestor

Level 9
Thread author
Verified
Well-known
Apr 21, 2018
397
ForgottenSeer 58943 said:
Assuming the subject and target are on your local domain/subnet, which is where it probably is then you need to tell us the source and IP addresses, and identify the local subject attempting to poison your ARP. Utilize Advanced IP Scanner to find the bad actor;

Advanced IP Scanner - Download Free Network Scanner.

ARP is a protocol which is being used inside a network (layer 2) to convert IP addresses to MAC addresses. ARP requests are very spoofable since they aren't secured in any way. So you may have a bad actor on your network and simply need to identify it. Some devices, like Fingbox utilize ARP manipulation to conduct their operations, which is not ideal. Make sure you don't have a second router on the network or a L3 managed switch malfunctioning as well. Anything tampering with your ARP tables should be removed from the network. Also, you should have a device to protect ARP integrity on the device handing out DHCP. Fortunately, a growing number of routers and ALL UTM's provide some level of ARP protection. I was shocked - recently - to find Linksys's higher end routers are ARP secured out of the box. Crap routers(most) will be oblivious to ARP manipulation.

Identify the bad actor, remove it. It's possible the bad actor is a benign piece of equipment that's been hijacked. Factory reset it, if it can't be reset, toss it in the trash. It could be a transient device as well, so work on ID.
Click to expand...
Thank you for your help,i will try it!
I don't have second router on the network,the router is an old netfaster WLAN3.
 
  • Like
Reactions: AtlBo, vtqhtr413 and lowdetection
lowdetection

lowdetection

Level 7
Verified
Well-known
Jul 1, 2017
317
That confirms that the device is vulnerable, and maybe already compromised;

honestly from when I am on dd-wrt, I faced some issues, but at least the firmware is updated, Index of /dd-wrtv2/downloads/betas/2018/08-14-2018-r36596/

unfortunately they don't support the tee for making a little IDS project I wanted make, but they are awesome,

I suggest you find a valid replacement and load dd-wrt on it :)

You probably are exposed also to various others security problem like Krack...

My router is an old TPLINK WDR3600, and is not updated from years from vendors, also, they have a known bug with Hitman.Pro Alert loading the WEB-GUI, so back then I researched what I can use, and that fitted me so good, also I can remote SSH into it, and reboot, that is the best thing I need, I was using antiARP-Spoofing application on Android, but then I removed it and ticked the option inside the router.
 
Last edited:
  • Like
Reactions: Nestor
F

ForgottenSeer 58943

Netfaster if I recall was an old rebrand of old SMC routers. That router has to be over a decade old, isn't it?

I do not believe it has any ARP protection at all on it like LD says. Still, you should identify the offending agent on your network, which may turn out to be the router itself. You are incredibly vulnerable with an old SMC/Netfaster.
 
  • Like
Reactions: lowdetection and Nestor
Nestor

Nestor

Level 9
Thread author
Verified
Well-known
Apr 21, 2018
397
lowdetection said:
That confirms that the device is vulnerable, and maybe already compromised;

honestly from when I am on dd-wrt, I faced some issues, but at least the firmware is updated, Index of /dd-wrtv2/downloads/betas/2018/08-14-2018-r36596/

unfortunately they don't support the tee for making a little IDS project I wanted make, but they are awesome,

I suggest you find a valid replacement and load dd-wrt on it :)

You probably are exposed also to various others security problem like Krack...
Click to expand...
I just checked it with F-Secure Router Checher for possible hijacks and says it's fine.:)
 
  • Like
Reactions: lowdetection
Nestor

Nestor

Level 9
Thread author
Verified
Well-known
Apr 21, 2018
397
ForgottenSeer 58943 said:
Netfaster if I recall was an old rebrand of old SMC routers. That router has to be over a decade old, isn't it?

I do not believe it has any ARP protection at all on it like LD says. Still, you should identify the offending agent on your network, which may turn out to be the router itself. You are incredibly vulnerable with an old SMC/Netfaster.
Click to expand...
Yes it's old, probably a decade, i have to change it but i will try to reset although according to F-Secure router checker it's not hijacked.
 
  • Like
Reactions: lowdetection
Status
Not open for further replies.

Similar threads

Brownie2019
On Sale! Norton 360 Premium 2024 / 10 Device / 2-YR / EUR 22.99
Replies
0
Views
139
Discounts and Deals
Brownie2019
Brownie2019
G
Advice Request Need help interpreting Firewall AI logs
Replies
3
Views
629
General Security Discussions
JoelS
J
Michael Pare
    • Like
Unlimited Giveaway Webroot SecureAnywhere AntiVirus CE 24.3 - free license for 6 months
Replies
15
Views
2,955
Giveaways, Promotions and Contests
thomaslee85
T

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top