Smart ARP attack blocked- intruder's MAC belongs to my smartphone

Problems with virus, rootkits, rogueware...? The community and the Panda experts will get your queries solved!
Post Reply
Registered user
Registered user
Posts: 1
Joined: Thu, 06 Apr 2017, 00:02

Smart ARP attack blocked- intruder's MAC belongs to my smartphone

Post by mariebill » Thu, 06 Apr 2017, 00:23


I'm sorry if I'm in the wrong section or something, but I'm not very good with forums.

I use Panda Gold Protection and since yesterday I keep getting alerts about smart ARP intrusions that are being blocked.

I checked the MAC addresses and they all belong to devices that are used in my house. I logged into my router and I don't see any other suspicious IP.
Do you think the intrusions are from someone outside my local network and I should be worried? Or is there a possibility that an application sends packets with wrong headers?

Please give me advice on what to do next.

Thank you.

User avatar
Official moderator
Official moderator
Posts: 7596
Joined: Mon, 02 Apr 2012, 18:53
Location: Panda HQ - Bilbao

Re: Smart ARP attack blocked- intruder's MAC belongs to my smartphone

Post by VirusBuster » Wed, 03 May 2017, 10:25

It seems that these devices may be sending wrong packets which are considered as Smart ARP attacks

Smart ARP is a protocol or application defense which is activated when the machine receives a response to an unsolicited packet or ARP protocol (address resolution protocol)
This avoids Man-In-The-Middle attacks in which an attacking user can modify the addresses and MACs table of the attacked machine, stating that the address of the trusted user is now, the attacking machine one (provided in that packet).

This attack can be triggered for any of the 4 causes described below depending if its in Broadcast (sending of packets to all the machines on the LAN) or not.

1. Gratuitous Packet -> Source Address && Destination Address are equal.
2. Broadcast Reply -> Broadcast Reply Request without having performed ARP Request.
3. Broadcast Limit reached -> The configuration item NNS_CONFIG_IDS_ARP_MAX_BROADCAST_RCVD_PER_SECOND is greater than 20. Meaning that the machine received more than 20 ARP Broadcast packets in 1 second. Implies excessive traffic in LAN.

1. Single packet dedicated received -> Destination MAC Address NOT NULL. The machine we have send the ARP Request to must have a valid MAC address in the MAC Destination filed of the ARP Reply packet.

Jorge Torre
TechSupport Department - Panda Security

I don't reply to private messages unless I have previously requested them

Post Reply

Return to “Virus - Issues”