Opened 8 months ago

Closed 8 months ago

Last modified 8 months ago

#1152 closed task (invalid)

Detection of ARP Cache Poisoning on SSID:ietf-hotel at Swissotel

Reported by: kaname@… Owned by: Clemens Schrimpe
Priority: tbd Milestone: ietf-100
Component: incoming Keywords: ARP Cache Poison
Cc: Bill Fenner My Current Location: 19th floor of Swissotel
My MAC Address: a8:66:7f:16:c5:3d My OS: Mac OS X

Description

Whenever I connected to SSID:ietf-hotel at Swissotel, Symantec Endpoint Protection Client on my laptop yells that it is detecting ARP cache poison.

Source of the cache poisoning:
80:2a:a8:8f:a3:cf

I can give you a pcap file; it includes the events.

Attachments (1)

ietf-hotel_detection_arp_cache_poisoning.pcap (5.7 MB) - added by kaname@… 8 months ago.
Symantec Client claims that the remote mac address of the poisoning is 80:2a:a8:8f:a3:cf

Change history (5)

comment:1 Changed 8 months ago by Bill Fenner

Cc: Bill Fenner added
Owner: changed from llynch@… to Clemens Schrimpe
Status: new → assigned

The pcap file would be welcome; please attach it here.

Changed 8 months ago by kaname@…

Symantec Client claims that the remote mac address of the poisoning is 80:2a:a8:8f:a3:cf

comment:2 Changed 8 months ago by Bill Fenner

80:2a:a8:8f:a3:cf is the MAC address of the router. In the pcap file I see it sending ARPs for you, and responding to ARP requests for itself. Does Symantec give any indication of what behavior it considers to be ARP cache poisoning?

Does your current ARP cache contain a different resolution for 31.133.144.1?

comment:3 Changed 8 months ago by Clemens Schrimpe

Resolution: invalid
Status: assigned → closed

The address belongs to the currently active "official" router, who uses it with multiple IP addresses, hence the false warning.

Nothing to see here, please walk on ... ;-) ;-) ;-)
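
The distinction drawn in comments 2 and 3 (a gateway MAC answering for several IP addresses is normal; one IP address answered by several MACs is the actual poisoning signal) can be checked over a list of ARP replies. The following is an added example, not part of the ticket or of any tool mentioned in it; the router MAC and the gateway IP come from the thread, while the second router address, the laptop's IP and the rogue MAC are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of ARP "is-at" replies as (sender MAC, sender IP) pairs.
# The router MAC and gateway IP are from the ticket; the other values are made up.
ROUTER_MAC = "80:2a:a8:8f:a3:cf"
GATEWAY_IP = "31.133.144.1"

BENIGN_REPLIES = [
    (ROUTER_MAC, GATEWAY_IP),
    (ROUTER_MAC, "31.133.144.2"),            # same router, second address (constructed)
    ("a8:66:7f:16:c5:3d", "31.133.144.57"),  # reporter's laptop; IP constructed
]

POISONED_REPLIES = BENIGN_REPLIES + [
    ("de:ad:be:ef:00:01", GATEWAY_IP),       # constructed: a second MAC claims the gateway
]


def index_replies(replies):
    """Index the replies in both directions: ip -> {macs} and mac -> {ips}."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for mac, ip in replies:
        ip_to_macs[ip].add(mac.lower())
        mac_to_ips[mac.lower()].add(ip)
    return ip_to_macs, mac_to_ips


def find_ip_conflicts(replies):
    """Poisoning signal: one IP address resolved to more than one MAC."""
    ip_to_macs, _ = index_replies(replies)
    return {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1}


def find_multi_ip_macs(replies):
    """The pattern this ticket's router shows: one MAC answering for several IPs.
    By itself this is expected of a gateway with multiple addresses, so it
    should not be treated as poisoning without an IP conflict as well."""
    _, mac_to_ips = index_replies(replies)
    return {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}


if __name__ == "__main__":
    print("benign   IP conflicts :", find_ip_conflicts(BENIGN_REPLIES))
    print("benign   multi-IP MACs:", find_multi_ip_macs(BENIGN_REPLIES))
    print("poisoned IP conflicts :", find_ip_conflicts(POISONED_REPLIES))
```

To run this over a capture such as the attached pcap, build the reply list from packets whose ARP opcode is 2 (for example with scapy, `(p[ARP].hwsrc, p[ARP].psrc)` for each such packet) and pass it to the two functions.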

comment:4 Changed 8 months ago by kaname@…

Thank you for the investigation.
I'm out for the hackathon, so I can't check the ARP cache of my laptop now.
I'll check the situation after returning to the hotel.
Closing this ticket is no problem of course. Thank you.
