ARP attack from inactive interface with different IP

alexey
alexey Posts: 188  Master Member
First Comment Friend Collector Fifth Anniversary
edited May 2023 in Security

Many USG Flex 50W on 5.35/36 are connected via L2 VPN through the VTI interface vpn_l2.

On the devices there are many messages about an ARP attack from one device.

Possible ARP spoofing attack on IP 172.21.164.100. Current hardware address is bc:99:11:a7:7e:cf. But…

Interfaces on the problem Flex:

vpn_l3

active: no
intra-link active: no

physical port: P2
description:
type: external
IP type: static
IP address: 192.168.64.100
netmask: 255.255.255.0
gateway: 192.168.64.99
current MAC address: BC:99:11:A7:7E:CF
use custom MAC address: no
custom MAC address: 00:00:00:00:00:00
default MAC address: BC:99:11:A7:7E:CF
virtual MAC address: 00:00:00:00:00:00
metric: 0
unicast: off
igmp active: yes
igmp direction: upstream
igmp version: IGMPv2
upstream: 102400
downstream: 102400
mtu: 1500
mss: 0
dhcp option 60:
tcp-ack traffic prioritize:
active : yes
bandwidth : 1048576
priority : 1
maximize-bandwidth-usage : yes

vpn_l2

active: yes
intra-link active: no

physical port: P3
description:
type: internal
IP type: static
IP address: 172.21.164.100
netmask: 255.255.0.0
gateway:
current MAC address: BC:99:11:A7:7E:D0
use custom MAC address: no
custom MAC address: 00:00:00:00:00:00
default MAC address: BC:99:11:A7:7E:D0
virtual MAC address: 00:00:00:00:00:00
metric: 0
unicast: off
igmp active: no
igmp direction: downstream
igmp version: IGMPv2
upstream: 102400
downstream: 102400
mtu: 1500
mss: 0
dhcp option 60:
tcp-ack traffic prioritize:
active : yes
bandwidth : 1048576
priority : 1
maximize-bandwidth-usage : yes

Why do the devices get messages about ARP from an interface whose MAC is disabled and not visible to them?


All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi @alexey

    Thanks for your inquiry.
    Could you share the screenshots of the ARP attack Monitor Log message with us?
    Are vpn_l2 and vpn_l3 all Zyxel firewall devices?
    Do you configure the connectivity check on this VPN tunnel on both sites?
    Thanks.


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • alexey
    alexey Posts: 188  Master Member
    First Comment Friend Collector Fifth Anniversary
    edited May 2023

    Hi.

    1. I can't share a screenshot; I can share messages about the ARP attack from the central syslog server.

    2. All are Zyxel firewall devices. vpn_l3 & vpn_l2 are interfaces on the problem ZW device. All devices are connected via the vpn_l2 interface; it's the ISP's L2 VPN. In the logs, ARP comes from the vpn_l3 MAC, which is disabled & doesn't connect to the other ZW devices.

    3. Yes, the VTI interface has CC configured. Each VTI has its own /30 subnet.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi @alexey

    Many thanks for your update and share. Could you provide a remote Web-GUI link to us for further checking? We will send a private message to you later, please check your private message inbox, thanks.


  • alexey
    alexey Posts: 188  Master Member
    First Comment Friend Collector Fifth Anniversary
    edited May 2023

    The problem is on the same device and a different interface.

    Message from syslog server:

    src="0.0.0.0:0" dst="0.0.0.0:0" msg="An ip address conflict is detected. bc:99:11:a7:7e:d3 and bc:99:11:a7:7e:d0 share the same IP address 10.0.1.64" note="" user="unknown" devID="d8ece5c45727" cat="System"

    show interface all

    1 ge1 Inactive 0.0.0.0 0.0.0.0 DHCP client
    2 sfp Inactive 0.0.0.0 0.0.0.0 DHCP client
    3 ge2 1000M/Full 10.0.1.64 255.255.255.0 Static
    4 local 1000M/Full 172.20.64.1 255.255.255.0 Static
    5 dmz Inactive 0.0.0.0 0.0.0.0 Static
    6 ge3 100M/Full 10.0.0.64 255.255.255.0 Static
    7 cellular1 Connected 192.168.8.100 255.255.255.255 Dynamic
    8 vti1 Up 10.1.2.46 255.255.255.252 Static
    9 vti3 Up 10.2.2.46 255.255.255.252 Static
    10 vti4 Up 10.3.2.46 255.255.255.252 Static
    11 vti0 Up 10.1.1.46 255.255.255.252 Static
    12 vti2 Up 10.2.1.46 255.255.255.252 Static
    13 vti5 Up 10.3.1.46 255.255.255.252 Static

    show interface ge2
    active: yes
    intra-link active: no
    interface name: ge2
    physical port: P3
    description:
    type: internal
    IP type: static
    IP address: 10.0.1.64
    netmask: 255.255.255.0
    gateway:
    current MAC address: BC:99:11:A7:7E:D0
    use custom MAC address: no
    custom MAC address: 00:00:00:00:00:00
    default MAC address: BC:99:11:A7:7E:D0
    virtual MAC address: 00:00:00:00:00:00
    metric: 0
    unicast: off
    igmp active: no
    igmp direction: downstream
    igmp version: IGMPv2
    upstream: 102400
    downstream: 102400
    mtu: 1500
    mss: 0
    dhcp option 60:
    tcp-ack traffic prioritize:
    active : yes
    bandwidth : 1048576
    priority : 1
    maximize-bandwidth-usage : yes

    show interface ge3
    active: yes
    intra-link active: no
    interface name: ge3
    physical port: P6
    description:
    type: internal
    IP type: static
    IP address: 10.0.0.64
    netmask: 255.255.255.0
    gateway:
    current MAC address: BC:99:11:A7:7E:D3
    use custom MAC address: no
    custom MAC address: 00:00:00:00:00:00
    default MAC address: BC:99:11:A7:7E:D3
    virtual MAC address: 00:00:00:00:00:00
    metric: 0
    unicast: off
    igmp active: no
    igmp direction: downstream
    igmp version: IGMPv2
    upstream: 1048576
    downstream: 1048576
    mtu: 1500
    mss: 0
    dhcp option 60:
    tcp-ack traffic prioritize:
    active : yes
    bandwidth : 1048576
    priority : 1
    maximize-bandwidth-usage : yes

    @Zyxel_Jeff both interfaces are internal. CC can't be configured.
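One way to triage these alerts on the syslog side, added here as an example and not code from the thread or from Zyxel: parse the key="value" lines and check whether every MAC named in the message belongs to the firewall itself. The MAC inventory is taken from the show interface output above (assumed complete), the first sample line is the syslog message quoted above, and the other two sample lines are constructed.

```python
import re

KV_RE = re.compile(r'(\w+)="([^"]*)"')
MAC_RE = re.compile(r'\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b', re.I)
IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# MAC inventory of the affected firewall, copied from the show interface
# output in this thread (assumed to be complete for the example).
OWN_MACS = {
    "bc:99:11:a7:7e:cf": "vpn_l3 (P2)",
    "bc:99:11:a7:7e:d0": "ge2 (P3)",
    "bc:99:11:a7:7e:d3": "ge3 (P6)",
}

# First line is the syslog message quoted in the thread; the other two are
# constructed (the spoofing text ends where the original post was cut off).
SAMPLE_LOGS = [
    'src="0.0.0.0:0" dst="0.0.0.0:0" msg="An ip address conflict is detected. '
    'bc:99:11:a7:7e:d3 and bc:99:11:a7:7e:d0 share the same IP address 10.0.1.64" '
    'note="" user="unknown" devID="d8ece5c45727" cat="System"',
    'src="0.0.0.0:0" dst="0.0.0.0:0" msg="Possible ARP spoofing attack on IP '
    '172.21.164.100. Current hardware address is bc:99:11:a7:7e:cf." cat="System"',
    'src="0.0.0.0:0" dst="0.0.0.0:0" msg="An ip address conflict is detected. '
    '02:00:00:00:00:01 and bc:99:11:a7:7e:d0 share the same IP address 10.0.1.64" '
    'cat="System"',
]

def parse_zyxel_log(line):
    """Split a key="value" line into a dict; pull MACs and IPs out of msg."""
    fields = dict(KV_RE.findall(line))
    msg = fields.get("msg", "")
    fields["macs"] = [m.lower() for m in MAC_RE.findall(msg)]
    fields["ips"] = IP_RE.findall(msg)
    return fields

def triage(line, own_macs=OWN_MACS):
    """Classify an ARP/IP-conflict alert by who owns the MACs it names."""
    f = parse_zyxel_log(line)
    own = [own_macs[m] for m in f["macs"] if m in own_macs]
    foreign = [m for m in f["macs"] if m not in own_macs]
    if own and not foreign:
        # Every MAC is one of this firewall's own ports: the box is seeing its
        # own frames come back (the thread's suspects: connectivity check, the
        # L2 VPN path). Check the forwarding path rather than hunting a host.
        verdict = "self-conflict"
    elif own and foreign:
        verdict = "foreign-claims-our-ip"  # a MAC we do not own uses our IP
    else:
        verdict = "third-party" if foreign else "no-mac-in-message"
    return {"verdict": verdict, "ips": f["ips"], "own": own, "foreign": foreign}
```

For the quoted conflict message both MACs resolve to ge3 and ge2 on the same box, so the alert is classified as self-conflict rather than as a hostile host.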

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi @alexey

    Could you enable Nebula Zyxel support for us and tell us your org and site name by private message? Thanks.


  • alexey
    alexey Posts: 188  Master Member
    First Comment Friend Collector Fifth Anniversary

    We don't use Nebula features.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Dear @alexey

    Please excuse my misunderstanding: the CC that you mentioned means connectivity check, not Nebula Control Center. The ARP attack could be caused by the connectivity check, because the remote peer VPN site sends connectivity check packets and those packets were detected by the USG Flex 50W. Could you disable the connectivity check feature on the USG Flex 50W and the peer site device to see whether ARP attack messages are still shown? If the symptom still occurs, please share your device's Web-GUI link with us for further checking. Thanks.


  • alexey
    alexey Posts: 188  Master Member
    First Comment Friend Collector Fifth Anniversary

    My bad. I forgot that CC can be enabled on internal interfaces, and its status is not displayed via the show interface command. I disabled CC on the interfaces and am still waiting for new error messages.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi @alexey

    OK, got it. Thanks for your update.


  • alexey
    alexey Posts: 188  Master Member
    First Comment Friend Collector Fifth Anniversary

    It didn't help. I disabled CC on the ge2 & ge3 interfaces.

    show connectivity-check status
    Interface Status Fail Count

    cellular1 Ok 0
    vti1 Ok 0
    vti3 Failed 2
    vti4 Ok 0
    vti0 Ok 0
    vti2 Ok 0
    vti5 Ok 0

    The VTI interface that is built via this interface ge2 is in failed status.

    Also, the error message changed:

    Possible ARP spoofing attack on IP 10.0.1.64.