I'm seeing a lot of the Alert ARP: MAC Address Flip Flop in my NSP. About 50.000 per month.
The description of the Alert is the following:
"A MAC address change can be the result of normal network operation. That is, the DHCP server allocated an IP address previously used by one machine to another machine requesting an IP address. However, it is also possible that an attacker made an ARP spoofing attempt. ARP spoofing can be used to forge the identity of the target machine. After a successful ARP spoofing attempt, IP packets sent to the target machine will be received by the host sending the spoofed ARP packets (until the target machine reclaims its IP address). This can result in "man in the middle" attacks or connection "hijacking." This can enable an attacker to steal sensitive information from communications between the target and other hosts and facilitate further exploitation of the target system. ARP spoofing can also cause a denial-of-service condition."
I did some packet capture to see the traffic related to these attacks. Those packets only represent normal ARP Request/ARP Reply traffic at the perimeter of my network. I can't see any change of the MAC address of the source or destination as is indicated in the Alert description.
Has anyone seen this Alert? Could it be a false positive? Any ideas?
Thanks in advance
Yes, we see a lot of those. In our case it was mostly related to VIP interfaces that mixed the sensor up, because of duplicate MAC addresses.
But this can also happen if the sensor doesn't see the arp request.
The most common cause I have seen to trigger this alert is use of a SPAN or MIRROR session on the network switch. You mention that you capture packets at the network perimeter, which is usually where a SPAN port will exist (via the Core Switch/Router). This is expected behavior a vast majority of the time.
To confirm, you must review the packet flow and figure out how your SPAN session is configured.
To review flow data, you must open the applied policy and enable the logging feature for the ARP: MAC Address Flip-Flop alert.
Whether you have a SPAN session or not, you should be able to review the traffic flow and determine which IP addresses have flip-flopped MAC addresses by looking at the packet capture once you've enabled logging.
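The review step above (find which IPs have flip-flopped between MACs in the logged capture) can be scripted. The following is an added example, not code from the thread or from the NSP product: it parses ARP Reply lines in the text format tcpdump prints (the capture below is constructed for illustration), tracks the last MAC each IP claimed, and counts how many times that MAC changed. A single change looks like a DHCP reassignment or a hardware swap; repeated alternation between two MACs is the pattern a SPAN port or duplicated VIP produces, and is also what ARP spoofing would look like, so those are the IPs worth inspecting first. The classification thresholds are assumptions for this example, not the sensor's logic.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump-style ARP text format (not a real trace).
# 10.0.0.5 alternates between two MACs, 10.0.0.7 changes once, 10.0.0.9 is stable.
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Request who-has 10.0.0.5 tell 10.0.0.1, length 28
12:00:01.000100 ARP, Reply 10.0.0.5 is-at aa:bb:cc:00:00:05, length 28
12:00:02.000000 ARP, Reply 10.0.0.5 is-at aa:bb:cc:00:00:05, length 28
12:00:03.000000 ARP, Reply 10.0.0.5 is-at aa:bb:cc:00:00:99, length 28
12:00:04.000000 ARP, Reply 10.0.0.5 is-at aa:bb:cc:00:00:05, length 28
12:00:05.000000 ARP, Reply 10.0.0.5 is-at aa:bb:cc:00:00:99, length 28
12:00:06.000000 ARP, Reply 10.0.0.7 is-at aa:bb:cc:00:00:07, length 28
12:00:07.000000 ARP, Reply 10.0.0.7 is-at aa:bb:cc:00:00:08, length 28
12:00:08.000000 ARP, Reply 10.0.0.7 is-at aa:bb:cc:00:00:08, length 28
12:00:09.000000 ARP, Reply 10.0.0.9 is-at aa:bb:cc:00:00:09, length 28
"""

# Only ARP Replies carry an "is-at" binding; Requests are ignored.
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})"
)


def parse_arp_replies(text):
    """Return a list of (timestamp, ip, mac) tuples for every ARP Reply line."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def find_flip_flops(replies):
    """Track the MAC most recently claimed for each IP and record every change.

    Returns {ip: {"changes": n, "macs": set_of_macs, "events": [(ts, old_mac, new_mac)]}}.
    """
    last_mac = {}
    report = defaultdict(lambda: {"changes": 0, "macs": set(), "events": []})
    for ts, ip, mac in replies:
        report[ip]["macs"].add(mac)
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            report[ip]["changes"] += 1
            report[ip]["events"].append((ts, prev, mac))
        last_mac[ip] = mac
    return dict(report)


def classify(entry):
    """Assumed triage buckets for this example; tune to your own environment."""
    if entry["changes"] == 0:
        return "stable"
    if entry["changes"] == 1:
        return "single change (DHCP reassignment or hardware swap; verify and clear sensor ARP entry)"
    return "flip-flop (alternating MACs; check SPAN/VIP duplication, then investigate for ARP spoofing)"


if __name__ == "__main__":
    report = find_flip_flops(parse_arp_replies(SAMPLE_CAPTURE))
    for ip in sorted(report, key=lambda k: -report[k]["changes"]):
        e = report[ip]
        print(f"{ip}: {e['changes']} change(s), MACs={sorted(e['macs'])} -> {classify(e)}")
        for ts, old, new in e["events"]:
            print(f"    {ts}: {old} -> {new}")
```

To run it on a real capture from the sensor's logging feature, convert the pcap with `tcpdump -n -r capture.pcap arp` and feed that text to `parse_arp_replies` instead of the constructed sample. The same "last MAC per IP" bookkeeping is what makes a SPAN session that mirrors both sides of a routed hop look like a flip-flop: the sensor sees the same IP claimed from two MACs in alternation, exactly as 10.0.0.5 does here.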
In my network the ARP: MAC Address Flip Flop alert was triggered when we swapped out a FW. So I know which IP has flip-flopped, but do not know where in the IPS to reconfigure the MAC address. Can anyone help?
Yes, the change needed to be done on the IPS sensor via the CLI using the command arp delete <ip address>.
Definitely solved the issue for us.