ESET Smart Security ARP poisoning attack

snoopaloop
We have alternating devices/IP addresses notifying ESET Smart Security of an ARP poisoning attack. ESET chat support's resolution was to exclude the Zone for IDS detection. They couldn't explain the cause and provided a bad resolution. Any thoughts why this message pops up?
Senior Systems Admin
Top Expert 2010
Commented:
ARP poisoning occurs when two devices on the network attempt to use the same MAC address and/or IP address at the same time. The attacks are generally used as a way to intercept traffic meant for another computer. If you have two systems on your network that are using the same MAC address and IP address, this alert will pop up because the ARP tables on your switches will show two different entries for the same MAC/IP combination. I would look around the network to make sure you don't have something/someone that is spoofing MAC addresses and IPs.

This is also a sign of device misconfiguration or a situation where two devices that are set up to be clones of one another get brought on line at the same time (this is extremely rare). Check for IP address conflicts on your network and go through your switches to make sure there aren't two devices on the network with the same MAC address (Only possible with Layer 2 switches). If you find two devices connected to the network at the same time with the same MAC address, figure out which one needs to be there and get the other off the network.

Edit: It's also entirely possible that ESET's definition for the ARP poisoning attack is too general and this issue is a false positive. If you can't find two devices on the network with the same MAC address and IP, that's what is happening, and making an exclusion would be necessary (but definitely talk to ESET about the poorly designed attack definition).
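
The check described in the answer above (looking for IP conflicts and for one MAC address behind several IPs) can be run over ARP table dumps saved at different times. This is an added example, not part of the original thread and not ESET's detection logic; the function names and the sample dumps are constructed for illustration.

```python
import re
from collections import defaultdict

# An IPv4 address followed later on the same line by a MAC address. This covers
# rows from Windows `arp -a` and Linux `ip neigh`; header lines do not match.
ROW = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\b.*?\b((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\b")

def parse_snapshot(text):
    """Return {ip: mac} for one ARP table dump, skipping broadcast/multicast."""
    table = {}
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        table[ip] = mac
    return table

def find_conflicts(snapshots):
    """Compare dumps taken at different times and report suspicious mappings."""
    macs_per_ip, ips_per_mac = defaultdict(set), defaultdict(set)
    for text in snapshots:
        for ip, mac in parse_snapshot(text).items():
            macs_per_ip[ip].add(mac)
            ips_per_mac[mac].add(ip)
    return {
        # One IP answered by different MACs: IP conflict or spoofed replies.
        "ip_with_multiple_macs": {ip: sorted(v) for ip, v in macs_per_ip.items() if len(v) > 1},
        # One MAC claiming several IPs: a router/multi-homed host, or spoofing.
        "mac_with_multiple_ips": {mac: sorted(v) for mac, v in ips_per_mac.items() if len(v) > 1},
    }

# Constructed sample dumps (Windows `arp -a` layout, documentation-range MACs).
SNAPSHOT_T0 = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-5e-00-53-01     dynamic
  192.168.1.20          00-00-5e-00-53-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static"""
SNAPSHOT_T1 = """Interface: 192.168.1.10 --- 0xb
  192.168.1.1           00-00-5e-00-53-99     dynamic
  192.168.1.20          00-00-5e-00-53-20     dynamic
  192.168.1.30          00-00-5e-00-53-99     dynamic"""

if __name__ == "__main__":
    for kind, hits in find_conflicts([SNAPSHOT_T0, SNAPSHOT_T1]).items():
        print(kind, hits)
```

A hit in either list is a lead to investigate rather than proof of an attack: routers, multi-homed hosts and devices that change address legitimately produce the same pattern.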
Distinguished Expert 2018
Commented:
Companies like ESET will generally not discuss their exact detection techniques for obvious reasons (the bad guys could find out as well). Adam has given a great explanation, and especially on how ESET probably has a detection technique that is highly prone to false positives (but better than missing the true ones).

Besides, you know it's bad when ESET themselves acknowledge that even normal devices like printers can potentially set off the alert. http://support.eset.com/kb2933/?page=content&id=SOLN2933

Author

Commented:
Thanks!  I will keep this in mind.
