Hello.
I'm sorry if I'm in the wrong section or something, but I'm not very good with forums.
I use Panda Gold Protection and since yesterday I keep getting alerts about smart ARP intrusions that are being blocked.
I checked the MAC addresses and they all belong to devices that are used in my house. I logged into my router and I don't see any other suspicious IP.
Do you think the intrusions are from someone outside my local network and I should be worried? Or is there a possibility that an application sends packets with wrong headers?
Please give me advice on what to do next.
Thank you.
Smart ARP attack blocked- intruder's MAC belongs to my smartphone
- VirusBuster
- Official moderator
- Posts: 7595
- Joined: Mon, 02 Apr 2012, 18:53
- Location: Panda HQ - Bilbao
Re: Smart ARP attack blocked- intruder's MAC belongs to my smartphone
It seems that these devices may be sending wrong packets which are considered as Smart ARP attacks.
Smart ARP is a protocol or application defense which is activated when the machine receives a response to an unsolicited packet or ARP protocol (address resolution protocol).
This avoids Man-In-The-Middle attacks in which an attacking user can modify the addresses and MACs table of the attacked machine, stating that the address of the trusted user is now the attacking machine's one (provided in that packet).
This attack can be triggered by any of the 4 causes described below, depending on whether it's in Broadcast (sending of packets to all the machines on the LAN) or not.
BROADCAST
1. Gratuitous Packet -> Source Address && Destination Address are equal.
2. Broadcast Reply -> Broadcast Reply Request without having performed ARP Request.
3. Broadcast Limit reached -> The configuration item NNS_CONFIG_IDS_ARP_MAX_BROADCAST_RCVD_PER_SECOND is greater than 20. Meaning that the machine received more than 20 ARP Broadcast packets in 1 second. Implies excessive traffic in LAN.
NO BROADCAST
1. Single packet dedicated received -> Destination MAC Address NOT NULL. The machine we have sent the ARP Request to must have a valid MAC address in the MAC Destination field of the ARP Reply packet.
Regards,
Jorge Torre
TechSupport Department - Panda Security
I don't reply to private messages unless I have previously requested them
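The four trigger conditions listed in the reply above can be expressed as checks on a received ARP frame. The following is an added example, not Panda's code and not part of the original posts: the class, function and finding names are hypothetical, the reading of each rule is an interpretation of the reply's wording, and only the threshold of 20 broadcasts per second comes from the thread. It also shows why an ordinary device announcement (sender IP equal to target IP, as described in RFC 5227) matches rule 1.

```python
import struct
from collections import deque

BROADCAST = b"\xff" * 6
NULL_MAC = b"\x00" * 6
MAX_BROADCAST_PER_SECOND = 20          # threshold quoted in the reply
FMT = "!6s6sHHHBBH6s4s6s4s"            # Ethernet II header + ARP body for IPv4 (42 bytes)

def build_frame(dst, src, op, sha, spa, tha, tpa):
    """Build a constructed Ethernet+ARP frame (sample input for testing)."""
    return struct.pack(FMT, dst, src, 0x0806, 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 42:
        return None
    (dst, _src, etype, htype, ptype, hlen, plen,
     op, sha, spa, tha, tpa) = struct.unpack(FMT, frame[:42])
    if (etype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        return None
    return {"dst": dst, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

class ArpMonitor:
    def __init__(self):
        self.pending = set()    # IPs this host has sent ARP requests for
        self.recent = deque()   # arrival times of recent broadcast ARP frames

    def note_request(self, ip):
        self.pending.add(ip)

    def check(self, frame, now):
        """Return the list of rules (hypothetical names) that one received frame matches."""
        p = parse_arp(frame)
        if p is None:
            return []
        findings = []
        if p["dst"] == BROADCAST:
            while self.recent and now - self.recent[0] >= 1.0:
                self.recent.popleft()          # keep a sliding one-second window
            self.recent.append(now)
            if len(self.recent) > MAX_BROADCAST_PER_SECOND:
                findings.append("broadcast-limit")
            if p["spa"] == p["tpa"]:           # sender IP == target IP
                findings.append("gratuitous")
            if p["op"] == 2 and p["spa"] not in self.pending:
                findings.append("broadcast-reply-unsolicited")
        elif p["op"] == 2 and p["tha"] == NULL_MAC:
            findings.append("unicast-reply-null-target-mac")
        return findings
```
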