Advice Request ESET: ARP cache poisoning attack



Homerr (Thread author), Apr 3, 2017
Hello everybody! :)

I'm an average user, I have been using ESET for many years with hardly a few blocked URLs. (Windows 7)

I scan my laptop routinely with Emsisoft emergency kit and I've never had any (serious) detections.

A few days ago, I started getting ESET warnings saying

"ARP cache poisoning attack, a computer on this network is sending malicious traffic...."

When I hover the mouse over "a computer" in the warning popup, I see the computer address, and it's my
router address!

So basically, my own router is sending malicious traffic to my laptop?

Does this mean that my router is infected or hijacked by a hacker?

Is it safe to be on my (compromised?) network? What should I do? Reset router?
 

Homerr (Thread author), Apr 3, 2017
I don't know? It's a TP-Link router with default settings. I assume the router firewall must be on? (but I'm not really sure). I'm really sorry :oops:

I'll try to confirm that the router firewall is on, and I'll update my thread later.

Thank you so much for your help!
 

Amelith Nargothrond (Level 12), Mar 22, 2017
This sounds like somebody is trying to hack your router. This is done by capturing a handshake between your laptop and your router. The handshake will only take place (usually) if you get disconnected and then reconnected to the router. The attack is called ARP injection; it directly targets your MAC address (this info is easily available just by monitoring the router's activity) without being connected to the router. Its purpose is to get you disconnected/reconnected in order to capture that handshake (which contains your wifi password; this is encrypted and needs to be decrypted), and it can be easily detected by a good firewall.

You should change your router's password (use a strong, complex password for your wifi). Also change your router's admin interface password, especially if you did not change the default (like 90% of people do).

P.S. If you have an IEEE 802.11ac capable router (and clients), you should disable the 2.4 GHz N standard and use only the AC. Attacks are rare with these standards.

Update: I highly recommend doing the above now.
 

Homerr (Thread author), Apr 3, 2017
@Spawn @BoraMurdar @Amelith Nargothrond

Thank you so much for taking time to reply to me :)

I tried not to apply the suggested solutions (flushing DNS and changing the router settings) until I get to the bottom of the problem. The idea of someone trying to hack my network frightened me.

It came to my attention that these pop-ups appear ONLY when my brother plays "Heroes and General" on Steam. He started playing it a few days ago, and ESET started giving me these warnings. When he signs out of this game, the pop-ups stop. I asked him to play other Steam games, and I didn't get any ESET alerts! It's only that particular game.

I'm not sure if this is of any importance, but he plays on a desktop that's connected to the router via Ethernet cable.

What's going on here? Is this game trying to change the network settings? Should I take any further measures other than asking my brother to stop playing this game? (I scanned his desktop and found only one malware, it was cleaned).
 

Ink (Administrator, Staff Member), Jan 8, 2011
It came to my attention that these pop-ups appear ONLY when my brother plays "Heroes and General" on Steam. He started playing it a few days ago, and ESET started giving me these warnings. When he signs out of this game, the pop-ups stop. I asked him to play other Steam games, and I didn't get any ESET alerts! It's only that particular game.
This is a good starting point for identifying the issue. If it only occurs with this particular game, then you could contact ESET, Steam (Valve), and even the developer with this information to find a solution.
 

BoraMurdar (Community Manager, Staff Member), Aug 30, 2012
@Spawn, the problem involves two parties, there's no point in contacting them.

But I took comfort in @BoraMurdar's comment. :) I'll flush DNS and see how it goes.

Thank you again! :)
ESET also recommends flushing your DNS
Solution
If the ESET Personal firewall is detecting a threat to your system from DNS cache poisoning, there are two possible solutions to resolve this issue. Please begin with solution 1 and only continue on to solution 2 if the issue is not resolved.

Solution 1: Create an exception for internal IP traffic
In some cases, the ESET Personal firewall will detect internal IP traffic from a network peripheral such as a router or printer as a possible threat. Follow the step-by-step instructions below to determine if a threat is being caused by internal traffic and resolve this issue.

Only add an IP address to the trusted zone if you know it is safe.

  1. Determine if the IP address detected in the notification is a number that falls within the following range (where "x" is 0-255):
    • 172.16.x.x - 172.31.x.x
    • 192.168.x.x
    • 10.x.x.x
  2. If the IP address detected is within the safe range listed above, open your Windows ESET product. Skip to step 4 and continue with solution 1.
  3. If the IP address being detected as a threat is not within the safe range listed above, or there are no network peripherals currently in use on your network, the device being detected by the Personal firewall is located on a public network and could be a threat to your system. See solution 2 to download the ESET DNS-Flush tool and use it to repair any files that may have been damaged by DNS cache poisoning.
  4. Press the F5 key on your keyboard to access the Advanced setup window.
  5. Click Personal Firewall, expand Advanced and then click Edit next to Zones.
    If you are running version 8.x: Expand Network → Personal firewall and then click Rules and zones. In the Zone and rule editor pane, click Setup.

Figure 1-1

  6. In the Firewall zones window, select Trusted zone and click Edit.
    If you are running version 8.x: Click the Zones tab, select Addresses excluded from active protection (IDS) and then click Edit.
    In the Zone setup window, click Add IPv4 address.

Figure 1-2

  7. Type the IP address of the device being incorrectly detected as a threat in the Remote computer address (IPv4, IPv6, range, mask) field.
    If you are running version 8.x: Select Single address, and then enter the IP address of the device being incorrectly detected as a threat.

Figure 1-3

  8. Click OK three times to exit Advanced setup and save your changes. You should no longer see any messages about attacks coming from an internal IP address that you know to be safe. If you continue to experience this issue, proceed to solution 2 below.
    If you are running version 8.x: Click OK four times to exit the Advanced setup tree and save your changes.

Figure 1-4

Download the DNS-Flush.exe tool and save the file to your Desktop.

  • Once the download is complete, navigate to your Desktop and double-click DNS-Flush.exe (if you are prompted to continue click Yes). The tool will automatically flush and register your DNS cache.
  • After your computer restarts, open your ESET product and run a Computer scan. For assistance, refer to the following Knowledgebase articles:
The Computer scan performed in step 4 should complete without detecting an infection. If no threat is detected, you are finished.

If you are still unable to resolve your issue, please contact ESET Customer Care.

Notifications stopped after flushing DNS on my side but reappeared after some time. It completely stopped after resetting and reconfiguring the router settings.
 
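A small triage helper, added here as an example and not part of ESET's article or anyone's post in this thread: it applies step 1 of solution 1 (is the address shown in the popup inside the listed internal ranges?) and then reads a Windows `arp -a` dump for the usual poisoning footprint, one MAC address answering for the gateway and for another host at the same time. The `arp -a` sample, the MAC addresses and the "known" gateway MAC are constructed for the example.

```python
import ipaddress
import re
# The internal ranges ESET's article lists (RFC 1918), written as CIDR blocks.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),        # 10.x.x.x
    ipaddress.ip_network("172.16.0.0/12"),     # 172.16.x.x - 172.31.x.x
    ipaddress.ip_network("192.168.0.0/16"),    # 192.168.x.x
]

def alert_source_is_internal(ip_text: str) -> bool:
    """Step 1 of solution 1: is the address shown in the ESET popup a LAN address?"""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_RANGES)

# One data row of Windows `arp -a` output: IP address, MAC address, entry type.
_ARP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp_table(arp_output: str) -> dict:
    """Return {ip: mac} for the dynamic entries of an `arp -a` dump (static rows skipped)."""
    table = {}
    for line in arp_output.splitlines():
        m = _ARP_ROW.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def macs_claiming_multiple_ips(arp_table: dict) -> dict:
    """Return {mac: [ips]} for every MAC that answers for more than one IP address.
    On a healthy home LAN each dynamic entry has its own MAC; one MAC sitting on
    the gateway address and on another host is the usual ARP-spoofing footprint."""
    by_mac = {}
    for ip, mac in arp_table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_mac_changed(arp_table: dict, gateway_ip: str, known_mac: str) -> bool:
    """Compare the gateway's current MAC with one recorded earlier (e.g. from the router label)."""
    current = arp_table.get(gateway_ip)
    return current is not None and current != known_mac.lower()

# Constructed sample `arp -a` output (not taken from the thread): the MAC of host
# 192.168.0.20 also answers for the gateway address 192.168.0.1.
SAMPLE_ARP = """\
Interface: 192.168.0.10 --- 0x4
  Internet Address      Physical Address      Type
  192.168.0.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.0.20          00-1a-2b-3c-4d-5e     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
```

Run `arp -a` in a command prompt, paste the output in place of SAMPLE_ARP, and compare the gateway entry with the MAC printed on the router itself; a shared MAC or a changed gateway MAC is what the ESET popup is reacting to.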

Amelith Nargothrond (Level 12), Mar 22, 2017
I'm glad you didn't get hacked. The symptoms are quite similar, though it may depend on how the firewall interprets the received packets.
And btw, anybody can attack any network and anybody can capture the handshake I was talking about. What will make the difference is the password complexity. If it's complex, the handshake is almost useless, as the "hacker" needs a lot of time to brute-force-decrypt it.

Stay safe :)
 

Myriad (Level 7), May 22, 2016
Try flushing your DNS. Open the command prompt as Administrator. Type

    ipconfig /flushdns

...and press Enter. Reboot.

I don't mean to take the thread off-topic, but for really easy handling of most DNS-related tasks, have a look at DNSJumper from Sordum.

A great example of coding at its very finest IMO.
No froth, no whizz-bang... light as a feather, rock solid and it doesn't clash with anything.
 