Hey all. Entry-level networker here, so excuse me for what may seem like an obvious or basic question.
I have a site using ESET antivirus, which is flagging up that there are duplicate addresses and that it could potentially be an ARP attack. I've logged onto the router (MikroTik), which is providing DHCP; however, there are no duplicate leases. I asked a user to send me the ESET logs, some of which are below.
<RECORD>
Time: 09/02/2019 09:10:04
Event: ARP Cache Poisoning attack
Action: Blocked
Source: 10.1.1.111 [80:2b:f9:XX:XX:XX] (Client address)
Target: 10.1.1.111 [AA:AA:AA:AA:AA:AA] (Router's MAC address)
Protocol: ARP
Rule/worm name:
Application:
User:
<RECORD>
Time: 09/02/2019 10:57:04
Event: Duplicate IP addresses on network
Action: Blocked
Source: 10.1.1.193 [a4:77:33:XX:XX:XX] (Client address)
Target: 10.1.1.193 [AA:AA:AA:AA:AA:AA] (Router's MAC address)
Protocol: ARP
Rule/worm name:
Application:
User:
This has happened on a few different devices, but it only flags up in ESET, not Windows.
Does anyone have any idea why ESET may report that the router is being given the same IP address as the client?