ATP500 Arp Spoofing detection

Options
aait
aait Posts: 14  Freshman Member
First Anniversary 10 Comments Friend Collector
Hi! I have a network with two ATP 500 in HA with firmware 5.35 which detects this "An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c8:35 share the same IP address 192.168.xx.xx" I can't find the source of this attack. I detect with wireshark an ARP-spoofing attack from duplicate IP address messages.
can anyone help me out?

Best Answers

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,113  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options
    Dear all users,

    Please refer to the V5.35 WK06 firmware, this firmware already fixed the issue that there are many IP conflicts messages on the Monitor log. Thanks :) .



  • PeterUK
    PeterUK Posts: 2,906  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Answer ✓
    Options
    No more IP conflicts messages now
«134

All Replies

  • mMontana
    mMontana Posts: 1,344  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options
    With your switch you might find on what port is connected Mac Address 7c:1e:b3:03:c8:35.
    After disconnecting that port (testing envinronment) you might look for 00:00:00:00:00:00, which is obviously a not real MacAddress... so maybe some software is doing some incorrect things.
  • aait
    aait Posts: 14  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    Hi mMontana,
    unfortunately it is not only one device to be attacked, it is trying on many devices on all internal networks (lan and vlan)
    for example: log Priority: warn Category: system Message:
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c8:26 share the same IP address 192.168.107.166
    An ip address conflict is detected. 00:00:00:00:00:00 and 74:83:c2:96:ec:28 share the same IP address 192.168.19.111
    An ip address conflict is detected. 00:00:00:00:00:00 and 00:50:56:a4:40:4c share the same IP address 192.168.110.45
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:04:61:fb share the same IP address 192.168.107.220
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:bc:34 share the same IP address 192.168.107.169
    An ip address conflict is detected. 00:00:00:00:00:00 and 28:29:86:5f:aa:f3 share the same IP address 192.168.110.93
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c8:51 share the same IP address 192.168.107.162
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:37:a1 share the same IP address 192.168.107.221
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c0:b2 share the same IP address 192.168.107.161
    An ip address conflict is detected. 00:00:00:00:00:00 and 44:19:b6:29:2a:57 share the same IP address 192.168.107.6
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:cb:a9 share the same IP address 192.168.107.172
    An ip address conflict is detected. 00:00:00:00:00:00 and bc:99:11:cb:66:3e share the same IP address 192.168.107.234

    I can't isolate everything on the switches..
  • aait
    aait Posts: 14  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    Hi mMontana,
    unfortunately it is not only one device to be attacked, it is trying on many devices on all internal networks (lan and vlan)
    for example: log Priority: warn Category: system Message:
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:03:c8:26 share the same IP address 192.168.107.166
    An ip address conflict is detected. 00:00:00:00:00:00 and 74:83:c2:96:ec:28 share the same IP address 192.168.19.111
    An ip address conflict is detected. 00:00:00:00:00:00 and 00:50:56:a4:40:4c share the same IP address 192.168.110.45
    An ip address conflict is detected. 00:00:00:00:00:00 and 7c:1e:b3:04:61:fb share the same IP address 192.168.107.220
    I can't isolate everything on the switches..

  • mMontana
    mMontana Posts: 1,344  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options
    Ok. Switches and Subnets. Interesting.
    As testing purpouse, can you selectively cut-out for testing switches and/or subnets?

    Simply: without a MacAddress expressed, find the culprit migth be like playing darts blinded, but progressively excluding subnets and switches form the dialogue with the ATP500, you might have a chance to pinpoint where the offender is connected.

    Consider that
    -I'm not aware of your network layout and composition
    -some software in your network might doing exacly whats intended/configured for (but you and ATP 500 don't know what and where is)
    -i'm expecting that at least  one of your Ip addresses, if it's a Windows Machine, can provide more info in the event viewer for sharing a IP address

  • static_user
    Options
    Hi to all. Even with the usgflex700 I noticed that after upgrading to version 5.35(ABWD.0) the same problem is registered for pretty much all the ip on the lan "An ip address conflict is detected. 00:00:00:00:00:00 and 00 :50:56:be:0d:8b share the same IP address 192.168.x.x".
    I compared the logs recorded before and after the upgrade and it seems that the problem only comes out in the log file after the upgrade.
  • mMontana
    mMontana Posts: 1,344  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options
    Starts smelling like some software snafu...
  • DeeZee
    DeeZee Posts: 4
    First Anniversary First Comment
    Options
    Just to add to this, I just noticed exactly the same issue on my LAN. Just for the optics and the relative peace of mind, I assigned a static IP address to the MAC address 00:00:00:00:00:00 but to no avail. It is still trying to get an IP address that is already assigned to other devicess of the LAN. It doesn't matter if the known devices have a static or dynamic IP address. Sample log output:

    2023-01-22 21:06:59 warn System An ip address conflict is detected. 00:00:00:00:00:00 and 36:3b:61:37:a5:9b share the same IP address 192.168.1.18

    I applied the 
    5.35(ABFW.0) firmware earlier today.
  • Przemek
    Przemek Posts: 28  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited January 2023
    Options
    Same here. With FW 5.35 ip conflict warnings started to appear. Is it only warning or some network action on firewall are made for listed IP?


  • Zyxel_James
    Zyxel_James Posts: 630  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hello @aait
    We are already aware of this problem, and working on it, we will let you know when there is any progress, thanks.

    James
  • Bastian
    Options
    Same problem here. is there an solution?
    ATP200

Security Highlight