ARP Cache Poisoning and ARP Spoofing

Article ID: 177762

Products

Endpoint Protection

Issue/Introduction

Does Symantec Endpoint Protection prevent ARP Cache Poisoning and ARP Spoofing?
 

Traffic and Stealth Settings are not enabled by default. You can enable the traffic settings on the client to detect and block the traffic that communicates through drivers, NetBIOS, and token rings. You can also configure settings to detect the traffic that uses more invisible attack methods, like ARP Cache Poisoning or MAC Spoofing.

Cause

ARP (Address Resolution Protocol) Spoofing and ARP Cache Poisoning are ways of attacking a computer. They can allow the attacker to sniff specific data from the attacked computer, for example passwords and account numbers. The attacker can also stop traffic, change traffic, or modify anything used on the network that makes use of ARP.

Resolution

Information about the option "Enable anti-MAC spoofing":

This allows the inbound and outbound ARP (Address Resolution Protocol) traffic only if an ARP request was made to that specific host. It blocks all other unexpected ARP traffic and logs it in the Security Log. Media access control (MAC) addresses are the hardware addresses that identify the computers, the servers, and the routers. Some hackers use MAC spoofing to try to hijack a communication session between two computers. When computer A wants to communicate with computer B, computer A may send an ARP packet to computer B. Anti-MAC spoofing protects a computer from letting another computer reset a MAC address table. If a computer sends an ARP REQUEST message, the client allows the corresponding ARP RESPOND message within a period of 10 seconds. All clients reject all unsolicited ARP RESPOND messages.

Note: This option is disabled by default. To enable anti-MAC spoofing, edit your firewall policy, modify the traffic and stealth web browsing settings, and check "Enable anti-MAC spoofing".
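The request/reply rule described above for "Enable anti-MAC spoofing" can be modelled as a small stateful filter. The following is an added example, not Symantec's code: the class name `ArpReplyFilter`, its methods, and the sample packets in the usage are assumptions made for illustration, and only inbound replies are judged.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"      # Ethernet/IPv4 ARP payload, 28 bytes
ARP_REQUEST, ARP_REPLY = 1, 2
REPLY_WINDOW = 10.0             # seconds, the period stated in the article

def build_arp(op, sha, spa, tha, tpa):
    """Pack an ARP payload; used here only to construct sample packets."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac(sha), socket.inet_aton(spa),
                       mac(tha), socket.inet_aton(tpa))

def parse_arp(payload):
    """Return (opcode, sender MAC, sender IP, target IP) of an ARP payload."""
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpReplyFilter:
    """Hypothetical model: accept a reply only for a recent request of ours."""

    def __init__(self, window=REPLY_WINDOW):
        self.window = window
        self.pending = {}        # IP we asked about -> time of our request
        self.security_log = []   # blocked replies, as (time, MAC, IP, reason)

    def outbound(self, payload, now):
        op, _mac, _spa, tpa = parse_arp(payload)
        if op == ARP_REQUEST:
            self.pending[tpa] = now   # remember which host we asked for

    def inbound(self, payload, now):
        """Return True to allow an inbound ARP reply, False to block it."""
        op, mac, spa, _tpa = parse_arp(payload)
        if op != ARP_REPLY:
            return True               # assumption: only replies are modelled
        asked = self.pending.get(spa)
        if asked is not None and 0 <= now - asked <= self.window:
            return True
        self.pending.pop(spa, None)   # drop an expired entry, if any
        reason = "unsolicited" if asked is None else "reply after window"
        self.security_log.append((now, mac, spa, reason))
        return False
```

Feed it timestamps from a capture or a simulated clock: a reply is allowed only when its sender IP matches a request recorded by `outbound()` no more than 10 seconds earlier, and everything else lands in `security_log`.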