Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
7093 Views 5 Replies Latest reply: Mar 27, 2014 8:36 AM by foofightersecurity RSS
mario.medina Newcomer 2 posts since
Nov 10, 2009
Currently Being Moderated

Dec 16, 2010 2:46 PM

ARP Mac Address Flip Flop

Hi:

 

I'm seeing a lot of the Alert ARP: MAC Address Flip Flop in my NSP. About 50.000 per month.

 

The description of the Alert is the following:

 

"A MAC address change can be the result of normal network operation. That is,  the DHCP server allocated an IP address previously used by one machine to  another machine requesting an IP address. However, it is also possible that an  attacker made an ARP spoofing attempt. ARP spoofing can be used to forge the  identity of the target machine. After a successful ARP spoofing attempt, IP  packets sent to the target machine will be received by the host sending the  spoofed ARP packets (until the target machine reclaims its IP address). This can  result in "man in the middle" attacks or connection "hijacking." This can enable  an attacker to steal sensitive information from communications between the  target and other hosts and facilitate further exploitation of the target system.  ARP spoofing can also cause a denial-of-service condition."

 

I did some packet capture to see the traffic related to this attacks. Those packets only represents normal ARP Request/ARP Reply in the perimeter of my network. I can't see any change of the MAC Address of the source or destination like is indicated in the Alert description.

 

Anyone have seem this Alert? It 'll be a false positive? Any idea?

 

Thanks in advanced

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points