We are getting a lot of Smart ARP attacks reported by the firewall protection on several client machines. These look to be originating from our servers. I've ran Panda scans on these servers, they look clean.
Is there anything I can do to get more information on what is happening here?
Thanks
Firewall protection
-
- Official moderator
- Posts: 1568
- Joined: Tue, 24 Oct 2017, 12:04
Re: Firewall protection
dear client
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network. For example, in IP Version 4, the most common level of IP in use today, an address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a Media Access Control or MAC address.) A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.
Panda detects all arpscans not requested by us, so, if your servers do need to create an arp cache for whatever the reason (they are dns servers, they are the DC, there is the printer servers there as well) is normal you do find this servers requesting macs and ips to all computers on your network.
It also coudl be due to a failing network card, but this seems to be a bit less normal.
If you receive arpscans in excess you can uncheck that from the Firewall settings. or get your servers on the "whitelist" for IP´s not scanned, which is a bit more unsecure that unticking "arp scans"
regards.
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network. For example, in IP Version 4, the most common level of IP in use today, an address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a Media Access Control or MAC address.) A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.
Panda detects all arpscans not requested by us, so, if your servers do need to create an arp cache for whatever the reason (they are dns servers, they are the DC, there is the printer servers there as well) is normal you do find this servers requesting macs and ips to all computers on your network.
It also coudl be due to a failing network card, but this seems to be a bit less normal.
If you receive arpscans in excess you can uncheck that from the Firewall settings. or get your servers on the "whitelist" for IP´s not scanned, which is a bit more unsecure that unticking "arp scans"
regards.
Technical support – Panda Security
www.pandasecurity.com
www.pandasecurity.com