ARP Reply-to-Broadcast

Jul 10th, 2010

Hello,


I'm seeing a huge number of events related to the signature ARP Reply-to-Broadcast 7102.


The sensor saw an ARP Reply packet with its payload Destination MAC containing a broadcast address. This is not normal traffic and can indicate an ARP poisoning attack. Note: This signature is only available in Cisco IDS versions 4.0 and greater.



Benign Triggers
No known triggers.



It says that there are no benign triggers. I'm dropping the packets related to this signature... Should I drop the packets to avoid ARP poisoning?

I do not want to drop benign packets, but it seems that this signature will not fire on benign packets. Any advice will be really appreciated.

terrygwazdosky Sun, 07/11/2010 - 04:45

Is the traffic coming from your network or the outside?  If inside, I'd track it down and investigate the device sending the packets.  If outside, contact the admin of that network and discuss with them.

rhermes Tue, 07/13/2010 - 08:06

This can be caused by devices that send unsolicited, or gratuitous, ARP replies.

Load balancers and high availability pairs (dual NICs in a host, dual firewalls, etc.) will send a broadcast ARP reply to update everyone's ARP table so that they know what MAC to send frames to for the shared IP address.

Here's some reading on the subject:

http://linux-ip.net/html/ether-arp.html

http://fixunix.com/tcp-ip/66247-arp-behaviour.html


You should trace down the device by its MAC address to determine if this is the case or not.


- Bob
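As an added illustration of the point above (example code, not from this thread or from Cisco): a small parser that applies the 7102 condition to a raw Ethernet/ARP frame and then separates the gratuitous-ARP case Bob describes from a reply that needs investigation. It assumes "payload Destination MAC" means the ARP target hardware address field, and uses sender IP == target IP as the gratuitous heuristic; the sample frames are constructed, not captured.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
BROADCAST = b"\xff" * 6


def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet II + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    # Fixed 28-byte ARP header: hlen=6 and plen=4 are assumed here.
    (_htype, _ptype, _hlen, _plen, oper,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def classify_reply(frame: bytes) -> str:
    """Apply the 7102 condition (ARP reply with broadcast target MAC in the
    payload), then flag the HA/load-balancer announcement as benign."""
    arp = parse_arp(frame)
    if arp["oper"] != ARP_REPLY:
        return "not-a-reply"
    if arp["tha"] != BROADCAST:
        return "unicast-reply"              # would not fire 7102
    if arp["spa"] == arp["tpa"]:
        return "gratuitous-broadcast-reply"  # VIP/HA announcement (assumed benign)
    return "broadcast-reply-to-investigate"  # track down the sender MAC


def build_arp(eth_dst, sha, spa, tha, tpa, oper=ARP_REPLY) -> bytes:
    """Construct a sample frame (test data only)."""
    eth = struct.pack("!6s6sH", eth_dst, sha, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)
    return eth + arp


# Constructed samples: an HA pair announcing its shared IP, and a reply whose
# sender and target IPs differ but whose payload target MAC is broadcast.
VIP = bytes([10, 0, 0, 10])
HA_MAC = bytes.fromhex("00005e000101")
GRATUITOUS = build_arp(BROADCAST, HA_MAC, VIP, BROADCAST, VIP)
SUSPECT = build_arp(BROADCAST, bytes.fromhex("020000000001"),
                    bytes([10, 0, 0, 1]), BROADCAST, bytes([10, 0, 0, 20]))

if __name__ == "__main__":
    for name, f in (("gratuitous", GRATUITOUS), ("suspect", SUSPECT)):
        print(name, classify_reply(f))
```

The gratuitous heuristic is deliberately narrow; confirm with the sender MAC, as the answer above suggests, before tuning the signature.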

Justin Teixeira Tue, 07/13/2010 - 08:18

Bob's answer regarding gratuitous ARP from clustering/HA is spot on.  I'll look into getting the SIO entry updated to reflect the fact that these are known benign triggers.


-juteixei
