topic Re: ARP Reply-to-Broadcast in Network Security

ARP Reply-to-Broadcast

Diego Armando Cambronero Arias — Sun, 10 Mar 2019 12:03:21 GMT

Hello,

Im seeing a Huge amount of events related with the signature ARP Reply-to-Broadcast 7102.

The sensor saw an ARP Reply packet with its payload Destination MAC containing a broadcast address. This is not normal traffic and can indicate an ARP poisioning attack. Note: This signature is only available in Cisco IDS versions 4.0 and greater.

Benign Triggers

No known triggers.

It says that there are not Benign triggers. Im Dropping the packets related with this signature.... Should I Drop the packets to avoid ARP Poisioning??

I do not want to drops benign packets but it seems that this signature will not fire with benign packets. Any advise will be really appreciated.

Re: ARP Reply-to-Broadcast

terrygwazdosky — Sun, 11 Jul 2010 11:45:28 GMT

Is the traffic coming from your network or the outside? If inside, I'd track it down and investigate the device sending the packets. If outside, contact the admin of that network and discuss with them.

Re: ARP Reply-to-Broadcast

rhermes — Tue, 13 Jul 2010 15:06:58 GMT

This can be caused by devices that perform an unsolicited, or Gratuitous ARP replies.

Load balancers, High Availbility pairs (dual NICs in a host, dual firewalls, etc) will send a broad cast ARP reply to update everyones ARP table so that know what MAC to send frames for the shared IP address.

Here's some reading on the subject:

http://linux-ip.net/html/ether-arp.html

http://fixunix.com/tcp-ip/66247-arp-behaviour.html

You should trace down the device by i's MAC address to determine if this is the case or not.

- Bob

Re: ARP Reply-to-Broadcast

Justin Teixeira — Tue, 13 Jul 2010 15:18:30 GMT

Bob's answer regarding gratuitous ARP from clustering/HA is spot on. I'll look into getting the SIO entry updated to reflect the fact that these are known benign triggers.

-juteixei