Troubleshooting unsolicited ARP (Address Resolution Protocol) requests detected by Endpoint Protection

book

Article ID: 156895

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

The SEP (Symantec Endpoint Protection) client displays notifications regarding unsolicited ARP traffic. And/or the same log entries are seen at SEPM for managed clients.

"Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer"

"Vulnerability BLOCKED" ... "ARP Cache Poison"

Cause

SEP will detect unsolicited inbound OR outbound ARP replies if Enable anti-MAC spoofing is checked in the Protection and Stealth settings of SEP Firewall Policy.

Resolution

Not all unsolicited ARP replies are malicious. If device X receives an ARP reply it did not ask for, that reply is unsolicited. An ARP reply is usually a response to an ARP request broadcast from device X along the lines of "what is the MAC hardware address for the IP address a.b.c.d?" The device Y with that IP address is expected to reply with its MAC address and device X will use that reply to populate/refresh its ARP table (AKA "ARP cache"). This table is used to route network traffic from X to Y. A device will sometimes broadcast unsolicited ARP replies as part of routine ARP announcements. An unsolicited ARP reply that may be used maliciously to deny or re-route and intercept traffic is called ARP Spoofing. ARP Spoofing also may have a legitimate purpose: see legitimate usage of ARP spoofing. See also Address Resolution Protocol for a general description of the ARP protocol. 

You must determine yourself if the unsolicited ARP traffic is from a malicious source and deal with it appropriately. In a SEP MAC Spoofing detection the labeling (or lack of column labels) for the log entries can be confusing, but...

  • If you are looking at a SEP log export without column labels, remember that the "Remote IP", "Remote MAC" comes first, left-to-right.

  • the "Local MAC" and "Remote MAC" are always as labeled, but the meaning of "local" and "remote" in IP addresses may be reversed...

  • log entry for traffic direction is always labeled "Incoming" despite the real direction of the ARP reply. To determine the real direction and contents of reply:

    • if the "Remote Host IP" is a local IP then the ARP reply is inbound to that IP and is saying "Local Host IP" is at "Remote MAC"

    • otherwise the ARP reply is outbound to the (remote) "Local Host IP" and is saying "Remote Host IP" is at "Local MAC"

Focus on inbound detections and try to find the source of the ARP replies. The true IP address of the remote MAC may be confirmed by looking for that MAC address in the ARP table of any device on the local network, usually with command line "arp -a". It is the same command line on macOS, Windows, or Linux. You may need to populate/refresh the ARP table by pinging the local network's broadcast address, e.g. if local network is 192.168.1.x with a mask of 255.255.255.0, then you would ping 192.168.1.255. You may get "Request Timed Out" but that's OK. You may also determine the real remote IP address for the ARP source by looking for the remote MAC address in the list of address leases for the local DHCP server (if there is one). If the source is a SEP client, you should be able to confirm outbound ARP Spoofing detections in its logging as described above (no local IP address in the log entry).

Legitimate sources of unsolicited ARP replies: routers, switches, other network debugging/routing/monitoring hardware or software. If the source seems legit, then the manufacturer's technical support should be able to advise you on how to re-configure it to reduce or eliminate such traffic. If the traffic is legitimate but unavoidable, then you may disable SEP IPS pop-ups (this would just hide IPS pop-ups normally visible to end user; it would not disable detection/block or logging). If the traffic must be allowed to meet some authorized purpose, uncheck the Enable anti-MAC spoofing feature in Protection and Stealth settings of SEP Firewall Policy. 

Attachments