6 Replies Latest reply: May 14, 2014 12:58 PM by regralph

    ARP Mac Address Flip Flop



      I'm seeing a lot of the Alert ARP: MAC Address Flip Flop in my NSP. About 50.000 per month.


      The description of the Alert is the following:


      "A MAC address change can be the result of normal network operation. That is, the DHCP server allocated an IP address previously used by one machine to another machine requesting an IP address. However, it is also possible that an attacker made an ARP spoofing attempt. ARP spoofing can be used to forge the identity of the target machine. After a successful ARP spoofing attempt, IP packets sent to the target machine will be received by the host sending the spoofed ARP packets (until the target machine reclaims its IP address). This can result in "man in the middle" attacks or connection "hijacking." This can enable an attacker to steal sensitive information from communications between the target and other hosts and facilitate further exploitation of the target system. ARP spoofing can also cause a denial-of-service condition."


      I did some packet captures to see the traffic related to these attacks. Those packets only represent normal ARP Request/ARP Reply traffic in the perimeter of my network. I can't see any change of the MAC address of the source or destination as indicated in the Alert description.


      Has anyone seen this Alert? Could it be a false positive? Any ideas?


      Thanks in advance
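One way to check a capture for the binding changes the alert description refers to, as an added example that is not part of the original post and is not the NSP signature's logic. It assumes the 28-byte ARP bodies have already been extracted from the capture; the function names, the "flip-flop" versus "changed" labels and the sample traffic are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte ARP body for Ethernet/IPv4

def parse_arp(body):
    """Return (sender_mac, sender_ip), or None if not an Ethernet/IPv4 ARP body."""
    if len(body) < 28:
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return sha.hex(":"), socket.inet_ntoa(spa)

def binding_history(arp_bodies):
    """For each sender IP, the ordered MACs that claimed it (repeats collapsed)."""
    history = defaultdict(list)
    for body in arp_bodies:
        parsed = parse_arp(body)
        if parsed is None or parsed[1] == "0.0.0.0":  # skip junk and ARP probes
            continue
        mac, ip = parsed
        if not history[ip] or history[ip][-1] != mac:
            history[ip].append(mac)
    return dict(history)

def report(arp_bodies):
    """Label IPs whose MAC changed: 'flip-flop' if an earlier MAC came back."""
    return {ip: ("flip-flop" if len(set(m)) < len(m) else "changed")
            for ip, m in binding_history(arp_bodies).items() if len(m) > 1}

def _arp(op, mac, ip):
    """Build a constructed ARP body (target fields zeroed) for the sample below."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, raw, socket.inet_aton(ip), bytes(6), bytes(4))

# Constructed sample traffic, not taken from the poster's capture.
SAMPLE = [
    _arp(2, "aa:aa:aa:00:00:01", "10.0.0.5"),
    _arp(2, "aa:aa:aa:00:00:02", "10.0.0.5"),
    _arp(2, "aa:aa:aa:00:00:01", "10.0.0.5"),  # first MAC returns: flip-flop
    _arp(1, "bb:bb:bb:00:00:01", "10.0.0.9"),
    _arp(1, "bb:bb:bb:00:00:02", "10.0.0.9"),  # one-way change, as after a DHCP reallocation
    _arp(1, "cc:cc:cc:00:00:01", "10.0.0.7"),  # stable binding, not reported
]

if __name__ == "__main__":
    print(report(SAMPLE))
```

An IP that never appears in the report kept a single sender MAC for the whole capture, which is the situation the poster describes seeing.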