
ARP Mac Address Flip Flop

Hi:

I'm seeing a lot of the alert ARP: MAC Address Flip Flop in my NSP. About 50,000 per month.

The description of the alert is the following:

"A MAC address change can be the result of normal network operation. That is, the DHCP server allocated an IP address previously used by one machine to another machine requesting an IP address. However, it is also possible that an attacker made an ARP spoofing attempt. ARP spoofing can be used to forge the identity of the target machine. After a successful ARP spoofing attempt, IP packets sent to the target machine will be received by the host sending the spoofed ARP packets (until the target machine reclaims its IP address). This can result in "man in the middle" attacks or connection "hijacking." This can enable an attacker to steal sensitive information from communications between the target and other hosts and facilitate further exploitation of the target system. ARP spoofing can also cause a denial-of-service condition."

I did some packet captures to see the traffic related to these attacks. Those packets only represent normal ARP Request/ARP Reply traffic at the perimeter of my network. I can't see any change of the MAC address of the source or destination as is indicated in the alert description.

Has anyone seen this alert? Could it be a false positive? Any idea?

Thanks in advance

6 Replies
epo909
Level 9

Re: ARP Mac Address Flip Flop

Yes, we see a lot of those. In our case it was mostly related to VIP interfaces that mixed the sensor up, because of dupe MAC addrs.

But this can also happen if the sensor doesn't see the ARP request.

Check this KB: https://kc.mcafee.com/corporate/index?page=content&id=KB55910

robrod
Level 9

Re: ARP Mac Address Flip Flop

The most common cause I have seen trigger this alert is the use of a SPAN or mirror session on the network switch. You mention that you capture packets at the network perimeter, which is usually where a SPAN port will exist (via the core switch/router). This is expected behavior the vast majority of the time.

To confirm, you must review the packet flow and figure out how your SPAN session is configured.

To review flow data, you must open the applied policy and enable the logging feature for the ARP: MAC Address Flip-Flop alert.

Whether you have a SPAN session or not, you should be able to review the traffic flow and determine which IP addresses have flip-flopped MAC addresses by looking at the packet capture once you've enabled logging.
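As an added illustration of the review step described above (editorial example, not code from any poster in this thread or from the NSP product), the script below walks a list of constructed ARP records in the order a sensor or packet capture would see them, records every IP whose sender MAC changed, separates a true flip-flop (a MAC that was replaced comes back, A -> B -> A) from a one-way change (A -> B, the pattern a DHCP reassignment or a swapped device leaves), and lists MACs that answer for more than one IP, which is how a VIP or duplicated MAC appears to the sensor. Record format, sample addresses and function names are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of ARP records as a sensor or capture would order them:
# (timestamp, opcode, sender IP, sender MAC). Addresses are made up for the example.
SAMPLE_ARP = [
    (1, "reply",   "10.0.0.5", "aa:bb:cc:00:00:01"),
    (2, "request", "10.0.0.5", "aa:bb:cc:00:00:01"),
    (3, "reply",   "10.0.0.5", "aa:bb:cc:00:00:02"),  # MAC for 10.0.0.5 changes
    (4, "reply",   "10.0.0.5", "aa:bb:cc:00:00:01"),  # and changes back: a flip-flop
    (5, "reply",   "10.0.0.9", "aa:bb:cc:00:00:09"),
    (6, "reply",   "10.0.0.1", "aa:bb:cc:00:00:fe"),
    (7, "reply",   "10.0.0.1", "aa:bb:cc:00:00:ff"),  # one-way change, e.g. a replaced device
    (8, "reply",   "10.0.0.7", "aa:bb:cc:00:00:02"),  # MAC :02 now also answers for a second IP
]


def mac_changes(records):
    """Track the last sender MAC seen per IP and record every change.

    Returns {ip: [(timestamp, old_mac, new_mac), ...]} containing only IPs
    whose MAC changed at least once. Requests and replies both carry a
    sender binding, so both update the table.
    """
    last_mac = {}
    changes = defaultdict(list)
    for ts, _op, ip, mac in records:
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            changes[ip].append((ts, prev, mac))
        last_mac[ip] = mac
    return dict(changes)


def classify(changes):
    """Label each changed IP.

    'flip-flop'     : a MAC that had been replaced shows up again (A -> B -> A),
                      the pattern worth a closer look in the capture.
    'single-change' : the MAC moved once and stayed (A -> B), typical of a DHCP
                      lease reassignment or a swapped device.
    """
    labels = {}
    for ip, events in changes.items():
        macs_seen = set()
        label = "single-change"
        for _ts, old, new in events:
            macs_seen.add(old)
            if new in macs_seen:
                label = "flip-flop"
                break
        labels[ip] = label
    return labels


def shared_macs(records):
    """Return {mac: sorted list of IPs} for MACs that claim more than one IP."""
    ips_by_mac = defaultdict(set)
    for _ts, _op, ip, mac in records:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    changes = mac_changes(SAMPLE_ARP)
    for ip, label in classify(changes).items():
        print(ip, label, changes[ip])
    print("MACs answering for several IPs:", shared_macs(SAMPLE_ARP))
```

Run against a real capture, the records would come from the sensor's per-alert logging or from a pcap reduced to ARP sender fields in arrival order; the interesting output is the set of 'flip-flop' IPs, which can then be checked against SPAN configuration, VIP pairs and recent hardware swaps before being treated as spoofing.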

Re: ARP Mac Address Flip Flop

In my network the ARP: MAC Address Flip Flop alert was triggered when we swapped out a FW. So I know which IP has flip-flopped, but do not know where in the IPS to reconfigure the MAC address. Can anyone help?

Re: ARP Mac Address Flip Flop

Hi,

Did you solve this problem?

Regards

Re: ARP Mac Address Flip Flop

Hi Krzysztof,

Yes, the change needed to be done on the IPS sensor via the CLI, using the command arp delete <ip address>.

Definitely solved the issue for us.

Regards

Re: ARP Mac Address Flip Flop

Good Afternoon,

I have a question. Last month, my network team replaced one of the switches during a maintenance window. Ever since then, we have been seeing about 400 or 500 hits an hour with the ARP: ARP Spoofing Detected signature. I have already tried to delete the ARP entry from the CLI. No changes. I was wondering how long it takes to kick in? If that's not the case, does anybody have any suggestions?

Message was edited by: regralph on 5/14/14 12:58:28 PM CDT