
How to resist MAC deception in SEP

2025-01-16 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >


Shulou(Shulou.com)06/01 Report--


What behavior to expect from Symantec Endpoint Protection client when anti-mac spoofing is enabled


This is how Symantec Endpoint Protection (SEP) determines whether a MAC spoofing attack is in progress:

1. If the ARP packet is a response to a request that the client itself sent, SEP allows the inbound and outbound ARP traffic between the two hosts; all other, unexpected ARP traffic is blocked. In other words, when host A wants to communicate with host B, host A sends an ARP request to host B, and the SEP client then allows the corresponding ARP response from host B only within 10 seconds of that request.

2. There is already a cached entry for the MAC address carried in the ARP packet, that is, the ARP cache holds a record for this MAC address.

3. That cached entry has a different IP address from the one carried in the ARP packet.

If the ARP response does not correspond to an ARP request the client sent, and the IP address in the response differs from the entry cached for that MAC address, SEP treats it as a spoofing attack and blocks it.

NOTE: If a third-party NAC product is deployed on the same network as SEP (with anti-MAC-spoofing enabled), and that NAC product relies on MAC spoofing techniques, SEP may detect the product's packets as a spoofing attack.
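To make the three rules above concrete, here is an added example that models them as a small stateful filter. It is not Symantec's code and does not reproduce SEP's actual implementation; the packet layout, the 10-second window constant, the host addresses and the trace are all constructed for illustration. The filter records the client's own outbound ARP requests, accepts a reply only if a matching request was sent within the window (rule 1), and then checks the learned MAC-to-IP cache for a conflicting IP (rules 2 and 3), which is also how an unsolicited gratuitous ARP reply ends up blocked.

```python
# Added example: toy model of the SEP anti-MAC-spoofing rules described in the
# article. Not Symantec code; all addresses, timestamps and the trace are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ARP_REQUEST = 1
ARP_REPLY = 2
REPLY_WINDOW_SECONDS = 10.0  # article: a reply is accepted within 10 s of our own request


@dataclass
class ArpPacket:
    op: int           # ARP_REQUEST or ARP_REPLY
    sender_mac: str
    sender_ip: str
    target_ip: str
    ts: float         # seconds, monotonic within the trace (constructed)
    inbound: bool     # True if the protected host received it, False if it sent it


@dataclass
class AntiSpoofFilter:
    """State kept for one protected host: outstanding requests and a MAC->IP cache."""
    local_ip: str
    pending: Dict[str, float] = field(default_factory=dict)  # asked IP -> time of request
    cache: Dict[str, str] = field(default_factory=dict)      # MAC -> IP learned from accepted replies

    def inspect(self, pkt: ArpPacket) -> Tuple[str, str]:
        """Return ("allow" | "block", reason) for a single ARP packet."""
        if pkt.op == ARP_REQUEST:
            if not pkt.inbound and pkt.sender_ip == self.local_ip:
                # Rule 1: remember that we asked for this IP so the reply counts as expected.
                self.pending[pkt.target_ip] = pkt.ts
                return "allow", "outbound request recorded"
            return "allow", "inbound request (ordinary resolution)"

        if pkt.op == ARP_REPLY and not pkt.inbound:
            return "allow", "outbound reply to another host's request"

        if pkt.op == ARP_REPLY:
            asked_at = self.pending.get(pkt.sender_ip)
            solicited = asked_at is not None and 0.0 <= pkt.ts - asked_at <= REPLY_WINDOW_SECONDS
            if not solicited:
                # Rule 1: no matching request inside the window -> unexpected ARP traffic.
                return "block", "unsolicited reply (gratuitous ARP or spoofing)"
            cached_ip = self.cache.get(pkt.sender_mac)
            if cached_ip is not None and cached_ip != pkt.sender_ip:
                # Rules 2 and 3: this MAC is already cached with a different IP address.
                return "block", f"MAC {pkt.sender_mac} cached as {cached_ip}, reply claims {pkt.sender_ip}"
            self.cache[pkt.sender_mac] = pkt.sender_ip
            self.pending.pop(pkt.sender_ip, None)
            return "allow", "solicited reply consistent with cache"

        return "block", "unexpected ARP traffic"


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed trace seen by protected host 10.0.0.5; returns one decision per packet."""
    f = AntiSpoofFilter(local_ip="10.0.0.5")
    trace = [
        # 1-2: normal resolution of 10.0.0.9, reply 1.5 s later -> allowed and cached
        ArpPacket(ARP_REQUEST, "02:00:00:00:00:05", "10.0.0.5", "10.0.0.9", 100.0, inbound=False),
        ArpPacket(ARP_REPLY,   "02:00:00:00:00:09", "10.0.0.9", "10.0.0.5", 101.5, inbound=True),
        # 3: gratuitous reply claiming the gateway with no request outstanding -> blocked
        ArpPacket(ARP_REPLY,   "02:00:00:00:00:aa", "10.0.0.1", "10.0.0.5", 105.0, inbound=True),
        # 4-5: request for 10.0.0.1, reply arrives 15 s later -> outside the window, blocked
        ArpPacket(ARP_REQUEST, "02:00:00:00:00:05", "10.0.0.5", "10.0.0.1", 110.0, inbound=False),
        ArpPacket(ARP_REPLY,   "02:00:00:00:00:01", "10.0.0.1", "10.0.0.5", 125.0, inbound=True),
        # 6-7: request again; reply is in time but comes from the MAC cached as 10.0.0.9 -> blocked
        ArpPacket(ARP_REQUEST, "02:00:00:00:00:05", "10.0.0.5", "10.0.0.1", 140.0, inbound=False),
        ArpPacket(ARP_REPLY,   "02:00:00:00:00:09", "10.0.0.1", "10.0.0.5", 141.0, inbound=True),
    ]
    return [f.inspect(p) for p in trace]


if __name__ == "__main__":
    for i, (decision, reason) in enumerate(run_scenario(), start=1):
        print(f"packet {i}: {decision:5s} {reason}")
```

Packets 3, 5 and 7 are the three situations the article describes: an unsolicited (gratuitous) reply, a reply that arrives after the 10-second window, and a timely reply whose sender MAC is already cached with another IP. Note that the model learns its cache only from replies it accepted; a real client also has the operating system's ARP table, which is why the third-party NAC caveat above matters.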

Unsolicited ARP responses (free ARP, gratuitous ARP):

There are a number of possible causes, including but not limited to:

- The source of the packet is infected with a virus, that is, the host or other device sending the gratuitous ARP messages is infected

- Network environment issues

- Application issues

Unsolicited ARP responses caused by the network environment or an application

Gratuitous ARP (free ARP) is a special type of ARP message. A device sends gratuitous ARP mainly for the following purposes:

- To determine whether another device's IP address conflicts with its own. When other devices receive a gratuitous ARP message and find that the IP address in it is the same as their own, they return an ARP reply to the sender, informing it of the IP address conflict

- To announce a changed hardware address: the device sends a gratuitous ARP message so that other devices update their ARP entries

If the host or device that sent the message is suspected of being infected:

Locate the source host and scan it for viruses; refer to http://www.symantec.com/docs/TECH122466, and enable SEP's Risk Tracer feature to locate the virus source: http://www.symantec.com/business/support/index?page=content&id=TECH94526

If an environmental or application problem is suspected:

It is recommended that you use Wireshark to confirm the source. Wireshark can be downloaded from http://www.wireshark.org/download.html

Generally speaking, if only one machine is sending the messages, it is an application problem, though an environmental problem cannot be completely ruled out; if the source is a switch or other network device, it is generally an environmental problem, that is, the device uses gratuitous ARP to implement some function. If the application's behaviour is not by design, the machine may be infected with a virus.
