ESET Smart Security ARP poisoning attack

We have alternating devices/IP addresses notifying ESET Smart Security of an ARP poisoning attack.  ESET chat support's resolution was to exclude the zone from IDS detection.  They couldn't explain the cause and provided a bad resolution.  Any thoughts on why this message pops up?
snoopaloopAsked:
Adam Brown, Sr Solutions Architect, commented:
ARP poisoning occurs when two devices on the network attempt to use the same MAC address and/or IP address at the same time. The attacks are generally used as a way to intercept traffic meant for another computer. If you have two systems on your network that are using the same MAC address and IP address, this alert will pop up because the ARP tables on your switches will show two different entries for the same MAC/IP combination. I would look around the network to make sure you don't have something/someone that is spoofing MAC addresses and IPs.

This is also a sign of device misconfiguration or a situation where two devices that are set up to be clones of one another get brought on line at the same time (this is extremely rare). Check for IP address conflicts on your network and go through your switches to make sure there aren't two devices on the network with the same MAC address (Only possible with Layer 2 switches). If you find two devices connected to the network at the same time with the same MAC address, figure out which one needs to be there and get the other off the network.

Edit: It's also entirely possible that ESET's definition of the ARP poisoning attack is too general and this issue is a false positive. If you can't find two devices on the network with the same MAC address and IP, that's what is happening, and making an exclusion would be necessary (but definitely talk to ESET about the poorly designed attack definition).
2
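To make the answer above concrete, here is a small added example (my own illustration, not ESET's detection logic or anything from the original thread) of the kind of check an IDS performs on ARP traffic: it walks a sequence of ARP replies, learns an IP-to-MAC table, and raises an alert whenever an IP is claimed by a different MAC than the one already learned. The sample replies are constructed, not captured from any real network; the IP addresses, MAC addresses and the "flapping" threshold are assumptions chosen for the demonstration. The sample deliberately contains both a sustained IP/MAC flap (the "alternating devices" symptom from the question) and a one-time change of the MAC behind an IP, which is what a legitimate re-addressing looks like and which the same rule flags just as loudly.

```python
"""Toy ARP conflict detector, added as an illustration (not ESET's logic)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # ARP sender protocol address
    sender_mac: str    # ARP sender hardware address


# Constructed sample, not captured from any real network.
# 10.0.0.50 flaps between two MACs (the "alternating devices" symptom),
# 10.0.0.90 is re-announced once by a new MAC (e.g. a DHCP lease moving
# to another host), and one MAC answers for both 10.0.0.1 and 10.0.0.2
# (a router or proxy ARP, which is normal and should not be an alert).
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1",  "00:11:22:33:44:01"),
    ArpReply(0.5, "10.0.0.2",  "00:11:22:33:44:01"),
    ArpReply(1.0, "10.0.0.50", "aa:bb:cc:dd:ee:01"),
    ArpReply(2.0, "10.0.0.50", "aa:bb:cc:dd:ee:02"),
    ArpReply(3.0, "10.0.0.50", "aa:bb:cc:dd:ee:01"),
    ArpReply(4.0, "10.0.0.50", "aa:bb:cc:dd:ee:02"),
    ArpReply(5.0, "10.0.0.90", "de:ad:be:ef:00:01"),
    ArpReply(6.0, "10.0.0.90", "de:ad:be:ef:00:02"),
]


def detect_ip_conflicts(replies, flap_threshold=2):
    """Walk ARP replies in time order and report IPs whose MAC changes.

    Returns (alerts, final_table). Each alert is a dict with the IP, the
    previously learned MAC, the new MAC, and a kind: "changed" for the first
    change seen for that IP, "flapping" once the IP has changed MAC
    flap_threshold times or more. A single "changed" is what a legitimate
    readdressing looks like; sustained "flapping" is the pattern a spoofer
    fighting the real host for an IP produces.
    """
    table = {}                    # learned IP -> MAC
    changes = defaultdict(int)    # IP -> number of MAC changes seen
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        prev = table.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            changes[r.sender_ip] += 1
            kind = "flapping" if changes[r.sender_ip] >= flap_threshold else "changed"
            alerts.append({"ts": r.ts, "ip": r.sender_ip, "old_mac": prev,
                           "new_mac": r.sender_mac, "kind": kind})
        table[r.sender_ip] = r.sender_mac
    return alerts, table


def macs_claiming_multiple_ips(table):
    """Invert the IP->MAC table and return MACs that answer for several IPs.

    Useful when walking the network for duplicate MACs as the answer above
    suggests, but remember that routers and proxy-ARP hosts legitimately
    show up here, so this is a lead to investigate, not an alert by itself.
    """
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    found, learned = detect_ip_conflicts(SAMPLE_REPLIES)
    for a in found:
        print(f"{a['ts']:5.1f}s {a['ip']:<10} {a['old_mac']} -> {a['new_mac']} [{a['kind']}]")
    print("MACs answering for more than one IP:", macs_claiming_multiple_ips(learned))
```

Running it produces three alerts for 10.0.0.50 (one "changed", then two "flapping") and a single "changed" alert for 10.0.0.90. A detector that alerts on every change, as the first rule does, cannot tell the two cases apart; that is the sort of over-general definition the answer above suspects. Counting repeated flips per IP, as the "flapping" kind does, is one way to separate a spoofer fighting the real host for an address from a device that was simply re-addressed once.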

masnrock commented:
Companies like ESET will generally not discuss their exact detection techniques for obvious reasons (the bad guys could find out as well). Adam has given a great explanation, especially on how ESET probably has a detection technique that is highly prone to false positives (but better than missing the true ones).

Besides, you know it's bad when ESET themselves acknowledge that even normal devices like printers can potentially set off the alert. http://support.eset.com/kb2933/?page=content&id=SOLN2933
0
snoopaloop (author) commented:
Thanks!  I will keep this in mind.
0