G'day, a few hints on ARP false positives, oh, and actual issues.
I do understand what ARP is and how it works;
however, it does not have to be someone actually sitting on the network at that time (the end result is usually MIM, but not always). You could easily use ARP poisoning to create DoS attacks with a simple script running on an unsuspecting computer inside the local network. Which, if it's a small network with general admin staff, I would still suspect some kind of malware.
If you simply Google "arp poisoning malware" you get hits on viruses etc. with the intent of ARP spoofing,
e.g.
http://securitylabs.websense.com/content/Blogs/2885.aspx
It could be false readings, but rather safe than sorry.
G'day. ARP poisoning attacks are rare and not a very undetectable snooping tactic on a small home network.
Firstly, it is more than likely a false positive. For ESS (ESET), go to the firewall settings, go to advanced settings or detection, and disable ARP and DNS attack detection.
This false positive can be caused by a router, or rather a modem/router combo, that causes a dual ARP query to the same IP from two different IPs, e.g.: 10.0.0.138 > who has > 10.0.0.2 ?? and 192.168.0.1 > who has > 10.0.0.2. PS, this can also be caused by software querying a LAN device, for example a printer driver querying the status of a wireless printer on the network.
Essentially, on a modern NAT-enabled home network you can safely ignore (de-activate) the ARP and DNS spoofing and poisoning attack detection, as it is not possible for an external device outside the NAT (the internet) to spoof the ARP queries.
However, it is possible for a computer or device inside the NAT to cause REAL damage.
Here is how the attack would go: the device (PC) is infected with a trojan or similar payload; this payload deposits a program that tunnels through the network and creates its own access to the internet (phones home) and connects to an external monitoring PC or botnet.
This then enables the PC on the NAT to spoof or "fake" ARP queries and essentially show the external botnet or PC what is occurring, and snoop packets.
HOWEVER, this is a very, very uncommon attack. Fortunately, the firewall on the infected PC will take much issue with the incoming data from the LAN or WAN (if it's set to strict protection), and MOST importantly this attack causes HUGE LATENCY, as usually the botnet or PC loop created by the ARP spoof is thousands of milliseconds long each way. Meaning if you tested your IP speed, e.g. on speedtest.net, your ping is usually 10~70 for ADSL or ADSL2+ and 50~200 for 3G or 4G wireless devices. If it is unusually long (especially after a modem reset) there is a potential security issue on your network. If your ping is low then it is more than likely a false positive.
A good and simple way of determining the location of the issue is resetting the modem (factory reset) (this clears any bad settings), then once all is up and running, attach each device one at a time, looking out for the ARP poison flag. Usually for a false positive the source of the issue is either a software false positive ON the device it's getting flagged on, or it is the modem/router combo device giving out ARP queries in an unusual manner.
tl;dr
Deactivate ARP and DNS spoofing/poisoning attack detection on your firewall, but first determine the origin device and test your ping, via speedtest.net or via cmd > ping -r 4 -4 google.com. The ping should be under 250.
tl;dr for more clued-up users (plz has degree): use Wireshark or arping queries to determine the device MAC address origin of ARP query issues, and assess the firmware of the modem device for an update and run a full router diagnostic (just in case =)).
-Cheers from Australia, the land of kangaroos and TF2 :wtf:
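The post above describes two things a home firewall can mix up: the benign case where two router addresses (10.0.0.138 and 192.168.0.1) both ask "who has 10.0.0.2", and the real case where one IP is being claimed by more than one MAC. The script below is an added example, not code from either poster, showing how a defender would tell the two apart from captured ARP traffic. It reads a constructed, tshark-like text layout (one packet per line: opcode, sender MAC, sender IP, target MAC, target IP; the format and the sample lines are assumptions for this example, not real capture output), counts how many distinct requesters ask for each target, and separately flags any IP that advertises more than one sender MAC, which is the actual spoofing signal. An optional table of known gateway MACs (here also a constructed assumption) lets you seed the check with the MAC you looked up via Wireshark or arping.

```python
"""Added example (not from the forum thread): separate the benign
'two gateways ask who-has the same IP' pattern from a genuine ARP
conflict (one IP claimed by several MACs) in captured ARP records."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class ArpRecord(NamedTuple):
    opcode: str       # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str   # all-zero in requests
    target_ip: str


# Constructed sample, tshark-like one-packet-per-line layout (assumed
# format). Two router addresses ask for the same host; the host answers
# both. No IP is ever advertised with two different MACs.
SAMPLE_BENIGN = """\
request 00:11:22:aa:bb:01 10.0.0.138   00:00:00:00:00:00 10.0.0.2
request 00:11:22:aa:bb:02 192.168.0.1  00:00:00:00:00:00 10.0.0.2
reply   00:11:22:aa:bb:10 10.0.0.2     00:11:22:aa:bb:01 10.0.0.138
reply   00:11:22:aa:bb:10 10.0.0.2     00:11:22:aa:bb:02 192.168.0.1
"""

# Constructed sample: a second MAC starts answering for the gateway IP.
SAMPLE_CONFLICT = """\
reply   00:11:22:aa:bb:01 10.0.0.138   00:11:22:aa:bb:10 10.0.0.2
reply   de:ad:be:ef:00:01 10.0.0.138   00:11:22:aa:bb:10 10.0.0.2
"""

# Constructed assumption: the gateway MAC you confirmed with arping.
KNOWN_GATEWAYS = {"10.0.0.138": "00:11:22:aa:bb:01"}


def parse_arp_lines(text: str) -> List[ArpRecord]:
    """Parse the assumed five-field text layout into ArpRecord tuples."""
    records: List[ArpRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed ARP line: {line!r}")
        opcode = fields[0].lower()
        if opcode not in ("request", "reply"):
            raise ValueError(f"unknown ARP opcode in line: {line!r}")
        records.append(ArpRecord(opcode, fields[1].lower(), fields[2],
                                 fields[3].lower(), fields[4]))
    return records


def dual_requesters(records: List[ArpRecord]) -> Dict[str, Set[str]]:
    """Targets asked for by more than one requester IP. This is what a
    naive detector fires on, but on its own it is not an attack."""
    asked: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.opcode == "request":
            asked[r.target_ip].add(r.sender_ip)
    return {ip: ips for ip, ips in asked.items() if len(ips) > 1}


def detect_conflicts(records: List[ArpRecord],
                     known: Optional[Dict[str, str]] = None
                     ) -> List[Tuple[str, List[str]]]:
    """IPs advertised with more than one sender MAC (requests and replies
    both carry the sender's own MAC/IP, so both count as claims). Known
    mappings are seeded so a single forged reply still shows up."""
    claims: Dict[str, Set[str]] = defaultdict(set)
    for ip, mac in (known or {}).items():
        claims[ip].add(mac.lower())
    for r in records:
        claims[r.sender_ip].add(r.sender_mac)
    return sorted((ip, sorted(macs)) for ip, macs in claims.items()
                  if len(macs) > 1)


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("conflict", SAMPLE_CONFLICT)):
        recs = parse_arp_lines(sample)
        print(f"{name}: dual requesters = {dual_requesters(recs)}")
        print(f"{name}: conflicts = {detect_conflicts(recs, KNOWN_GATEWAYS)}")
```

Run against a real capture, the conflict list is the thing to act on: the benign sample reports a dual requester for 10.0.0.2 but no conflicts, while the second sample reports 10.0.0.138 claimed by two MACs, which is the case where pulling devices off one at a time (as the post suggests) tells you which box is sending the forged replies.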