ATP500 Arp Spoofing detection

aait
aait Posts: 14  Freshman Member
Hi! I have a network with two ATP 500 in HA with firmware 5.35 which detects this: "An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c8:35 share the same IP address 192.168.xx.xx". I can't find the source of this attack. I detect with Wireshark an ARP-spoofing attack from duplicate IP address messages.
Can anyone help me out?

Best Answers

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    Answer ✓
    Dear all users,

    Please refer to the V5.35 WK06 firmware; this firmware already fixed the issue of many IP conflict messages in the Monitor log. Thanks :)



  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    Answer ✓
    No more IP conflicts messages now

All Replies

  • mMontana
    mMontana Posts: 1,389  Guru Member
    With your switch you might find which port MAC address 7c:1e:b3:03:c8:35 is connected to.
    After disconnecting that port (testing environment) you might look for 00:00:00:00:00:00, which is obviously not a real MAC address... so maybe some software is doing some incorrect things.
  • aait
    aait Posts: 14  Freshman Member
    Hi mMontana,
    unfortunately it is not only one device to be attacked, it is trying on many devices on all internal networks (lan and vlan)
    for example: log Priority: warn Category: system Message:
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c8:26 share the same IP address 192.168.107.166
    An ip address conflict is detected. 00:00:00:00:00:00 and 74:83:c2:96:ec:28 share the same IP address 192.168.19.111
    An ip address conflict is detected. 00:00:00:00:00:00 and 00:50:56:a4:40:4c share the same IP address 192.168.110.45
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:04:61:fb share the same IP address 192.168.107.220
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:bc:34 share the same IP address 192.168.107.169
    An ip address conflict is detected. 00:00:00:00:00:00 and 28:29:86:5f:aa:f3 share the same IP address 192.168.110.93
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c8:51 share the same IP address 192.168.107.162
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:37:a1 share the same IP address 192.168.107.221
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c0:b2 share the same IP address 192.168.107.161
    An ip address conflict is detected. 00:00:00:00:00:00 and 44:19:b6:29:2a:57 share the same IP address 192.168.107.6
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:cb:a9 share the same IP address 192.168.107.172
    An ip address conflict is detected. 00:00:00:00:00:00 and bc:99:11:cb:66:3e share the same IP address 192.168.107.234

    I can't isolate everything on the switches..
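
Added example (not part of the thread and not Zyxel code): a small Python triage of the conflict messages quoted above. It separates pairs involving the all-zero MAC from conflicts between two real MACs and lists any real MAC tied to more than one conflicting IP. The last two sample lines and the "suspects" heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample in the message format quoted in this thread. The first three lines are
# taken from the posts; the last two are constructed to show a real MAC pair.
SAMPLE_LOG = """\
An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c8:26 share the same IP address 192.168.107.166
An ip address conflict is detected. 00:00:00:00:00:00 and 74:83:c2:96:ec:28 share the same IP address 192.168.19.111
2023-01-22 21:06:59 warn System An ip address conflict is detected. 00:00:00:00:00:00 and 36:3b:61:37:a5:9b share the same IP address 192.168.1.18
An ip address conflict is detected. 02:00:00:aa:bb:01 and 02:00:00:aa:bb:02 share the same IP address 10.0.0.1
An ip address conflict is detected. 02:00:00:aa:bb:01 and 02:00:00:aa:bb:03 share the same IP address 10.0.0.7
"""

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
PATTERN = re.compile(
    r"ip address conflict is detected\.\s+" + MAC + r"\s+and\s+" + MAC +
    r"\s+share the same IP address\s+(\d{1,3}(?:\.\d{1,3}){3})", re.I)
NULL_MAC = "00:00:00:00:00:00"

def parse_conflicts(text):
    """Return (mac_a, mac_b, ip) tuples for every conflict message in text."""
    return [(a.lower(), b.lower(), ip) for a, b, ip in PATTERN.findall(text)]

def summarize(conflicts):
    """Count null-MAC pairs vs real pairs and map real MACs to their IPs."""
    ips_by_mac = defaultdict(set)
    null_pairs = real_pairs = 0
    for a, b, ip in conflicts:
        if NULL_MAC in (a, b):
            null_pairs += 1          # no usable second MAC to trace
        else:
            real_pairs += 1
            ips_by_mac[a].add(ip)
            ips_by_mac[b].add(ip)
    # Heuristic (assumption of this example): a real MAC involved in conflicts
    # on more than one IP is the first one to trace to a switch port.
    suspects = {m: sorted(i) for m, i in ips_by_mac.items() if len(i) > 1}
    return {"null_mac": null_pairs, "real": real_pairs, "suspects": suspects}

if __name__ == "__main__":
    print(summarize(parse_conflicts(SAMPLE_LOG)))
```
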

  • mMontana
    mMontana Posts: 1,389  Guru Member
    Ok. Switches and Subnets. Interesting.
    For testing purposes, can you selectively cut out switches and/or subnets?

    Simply: without a MAC address expressed, finding the culprit might be like playing darts blindfolded, but by progressively excluding subnets and switches from the dialogue with the ATP500, you might have a chance to pinpoint where the offender is connected.

    Consider that
    - I'm not aware of your network layout and composition
    - some software in your network might be doing exactly what it's intended/configured for (but you and the ATP 500 don't know what and where it is)
    - I'm expecting that at least one of your IP addresses, if it's a Windows machine, can provide more info in the Event Viewer about sharing an IP address

  • Hi to all. Even with the usgflex700 I noticed that after upgrading to version 5.35(ABWD.0) the same problem is registered for pretty much all the IPs on the LAN: "An ip address conflict is detected. 00:00:00:00:00:00 and 00:50:56:be:0d:8b share the same IP address 192.168.x.x".
    I compared the logs recorded before and after the upgrade and it seems that the problem only comes out in the log file after the upgrade.
  • mMontana
    mMontana Posts: 1,389  Guru Member
    Starts smelling like some software snafu...
  • DeeZee
    DeeZee Posts: 4  Freshman Member
    Just to add to this, I just noticed exactly the same issue on my LAN. Just for the optics and the relative peace of mind, I assigned a static IP address to the MAC address 00:00:00:00:00:00 but to no avail. It is still trying to get an IP address that is already assigned to other devices on the LAN. It doesn't matter if the known devices have a static or dynamic IP address. Sample log output:

    2023-01-22 21:06:59 warn System An ip address conflict is detected. 00:00:00:00:00:00 and 36:3b:61:37:a5:9b share the same IP address 192.168.1.18

    I applied the 5.35(ABFW.0) firmware earlier today.
  • Przemek
    Przemek Posts: 28  Freshman Member
    edited January 2023
    Same here. With FW 5.35, IP conflict warnings started to appear. Is it only a warning, or is some network action taken on the firewall for the listed IPs?


  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Hello @aait
    We are already aware of this problem and are working on it. We will let you know when there is any progress, thanks.

    James
  • Bastian
    Bastian Posts: 2  Freshman Member
    Same problem here. Is there a solution?
    ATP200
