ATP500 Arp Spoofing detection
Freshman Member
Hi! I have a network with two ATP 500 in HA with firmware 5.35 which detects this "An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c8:35 share the same IP address 192.168.xx.xx" I can't find the source of this attack. I detect with wireshark an ARP-spoofing attack from duplicate IP address messages.
can anyone help me out?
0
Best Answers
-
Dear all users,
Please refer to the V5.35 WK06 firmware, this firmware already fixed the issue that there are many IP conflicts messages on the Monitor log. Thanks
.
1 -
No more IP conflicts messages now1
Zyxel Employee
Guru Member
All Replies
-
With your switch you might find on what port is connected Mac Address 7c:1e:b3:03:c8:35.
After disconnecting that port (testing envinronment) you might look for 00:00:00:00:00:00, which is obviously a not real MacAddress... so maybe some software is doing some incorrect things.0 -
Hi mMontana,unfortunately it is not only one device to be attacked, it is trying on many devices on all internal networks (lan and vlan)for example: log Priority: warn Category: system Message:An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c8:26 share the same IP address 192.168.107.166An ip address conflict is detected. 00:00:00:00:00:00 and 74:83:c2:96:ec:28 share the same IP address 192.168.19.111An ip address conflict is detected. 00:00:00:00:00:00 and 00:50:56:a4:40:4c share the same IP address 192.168.110.45An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:04:61:fb share the same IP address 192.168.107.220An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:bc:34 share the same IP address 192.168.107.169An ip address conflict is detected. 00:00:00:00:00:00 and 28:29:86:5f:aa:f3 share the same IP address 192.168.110.93An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c8:51 share the same IP address 192.168.107.162An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:37:a1 share the same IP address 192.168.107.221An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c0:b2 share the same IP address 192.168.107.161An ip address conflict is detected. 00:00:00:00:00:00 and 44:19:b6:29:2a:57 share the same IP address 192.168.107.6An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:cb:a9 share the same IP address 192.168.107.172An ip address conflict is detected. 00:00:00:00:00:00 and bc:99:11:cb:66:3e share the same IP address 192.168.107.234I can't isolate everything on the switches..0
-
Hi mMontana,
unfortunately it is not only one device to be attacked, it is trying on many devices on all internal networks (lan and vlan)
for example: log Priority: warn Category: system Message:
An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c8:26 share the same IP address 192.168.107.166
An ip address conflict is detected. 00:00:00:00:00:00 and 74:83:c2:96:ec:28 share the same IP address 192.168.19.111
An ip address conflict is detected. 00:00:00:00:00:00 and 00:50:56:a4:40:4c share the same IP address 192.168.110.45
An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:04:61:fb share the same IP address 192.168.107.220
I can't isolate everything on the switches..
0 -
Ok. Switches and Subnets. Interesting.
As testing purpouse, can you selectively cut-out for testing switches and/or subnets?
Simply: without a MacAddress expressed, find the culprit migth be like playing darts blinded, but progressively excluding subnets and switches form the dialogue with the ATP500, you might have a chance to pinpoint where the offender is connected.
Consider that
-I'm not aware of your network layout and composition
-some software in your network might doing exacly whats intended/configured for (but you and ATP 500 don't know what and where is)
-i'm expecting that at least one of your Ip addresses, if it's a Windows Machine, can provide more info in the event viewer for sharing a IP address
0 -
Hi to all. Even with the usgflex700 I noticed that after upgrading to version 5.35(ABWD.0) the same problem is registered for pretty much all the ip on the lan "An ip address conflict is detected. 00:00:00:00:00:00 and 00 :50:56:be:0d:8b share the same IP address 192.168.x.x".
I compared the logs recorded before and after the upgrade and it seems that the problem only comes out in the log file after the upgrade.0 -
Starts smelling like some software snafu...
0 -
Just to add to this, I just noticed exactly the same issue on my LAN. Just for the optics and the relative peace of mind, I assigned a static IP address to the MAC address 00:00:00:00:00:00 but to no avail. It is still trying to get an IP address that is already assigned to other devicess of the LAN. It doesn't matter if the known devices have a static or dynamic IP address. Sample log output:
2023-01-22 21:06:59 warn System An ip address conflict is detected. 00:00:00:00:00:00 and 36:3b:61:37:a5:9b share the same IP address 192.168.1.18
I applied the 5.35(ABFW.0) firmware earlier today.0 -
Same here. With FW 5.35 ip conflict warnings started to appear. Is it only warning or some network action on firewall are made for listed IP?
0 -
Hello @aait
We are already aware of this problem, and working on it, we will let you know when there is any progress, thanks.
James0 -
Same problem here. is there an solution?
ATP200
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
