During routine network monitoring, we captured an unusual ARP pattern where multiple hosts simultaneously sent "who has" requests for the same target IPs (10.10.0.40 and others), each specifying different tell addresses. Normal ARP behavior typically shows consistent tell addresses (like the DHCP server), making this pattern immediately suspicious.
Here's a simplified version of what we saw in Wireshark:
No. Source Destination Protocol Info
1 10.10.0.15 Broadcast ARP Who has 10.10.0.40? Tell 10.10.0.100
2 10.10.0.22 Broadcast ARP Who has 10.10.0.40? Tell 10.10.0.101
3 10.10.0.37 Broadcast ARP Who has 10.10.0.40? Tell 10.10.0.102
...
15 10.10.0.199 Broadcast ARP Who has 10.10.0.40? Tell 10.10.0.103
- ARP Cache Poisoning Attack: Multiple compromised hosts trying to redirect traffic
- Misconfigured Network Devices: Faulty NICs or switches generating malformed ARP packets
- VLAN Configuration Issues: Broadcast traffic leaking between VLANs
- New Network Scanning Tool: Security software performing aggressive discovery
Here's a Python script to help analyze ARP patterns (requires scapy):
from scapy.all import sniff, ARP
def analyze_arp(pkt):
if ARP in pkt and pkt[ARP].op == 1: # who-has
if pkt[ARP].pdst == "10.10.0.40":
print(f"ARP request for 10.10.0.40 from {pkt[ARP].psrc} (Tell: {pkt[ARP].pdst})")
sniff(filter="arp", prn=analyze_arp, store=0)
Immediate Actions:
- Enable DHCP snooping on network switches
- Implement dynamic ARP inspection (DAI)
- Isolate suspicious hosts for further investigation
Long-term Solutions:
- Deploy network segmentation with proper VLANs
- Implement 802.1X port authentication
- Monitor ARP tables with tools like arpwatch
Use these filters to quickly identify problematic ARP traffic:
arp.opcode == 1 && arp.dst.proto_ipv4 == 10.10.0.40
arp.duplicate-address-detected
arp.src.hw_mac == ff:ff:ff:ff:ff:ff
During routine network monitoring, we observed an unusual pattern in Wireshark captures where multiple hosts were generating ARP "who has" requests for the same target IPs (notably 10.10.0.40), but with varying "tell" addresses. Normally, ARP resolution follows predictable patterns where:
Standard ARP Flow: 1. Host A (10.10.0.10) → ARP "who has 10.10.0.40? tell 10.10.0.10" 2. Host B (10.10.0.40) responds directly to 10.10.0.10
The abnormal traffic pattern suggests one of these scenarios:
- Network scanning activity (potentially malicious)
- Misconfigured DHCP servers creating IP conflicts
- Faulty network equipment broadcasting corrupted frames
- ARP spoofing attempts
Here's a Python snippet to analyze pcap files for similar patterns:
from scapy.all import *
def detect_arp_anomaly(pcap_file):
pkts = rdpcap(pcap_file)
arp_requests = {}
for pkt in pkts:
if pkt.haslayer(ARP) and pkt[ARP].op == 1: # who-has
target_ip = pkt[ARP].pdst
sender_mac = pkt[ARP].hwsrc
if target_ip not in arp_requests:
arp_requests[target_ip] = set()
arp_requests[target_ip].add(sender_mac)
for ip, macs in arp_requests.items():
if len(macs) > 5: # Threshold for suspicion
print(f"Suspicious ARP activity for {ip} from {len(macs)} unique MACs")
detect_arp_anomaly("capture.pcap")
For Linux systems, implement these protective measures:
# Enable ARP inspection echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce # Rate limit ARP requests iptables -A INPUT -p arp -m limit --limit 1/sec --limit-burst 3 -j ACCEPT iptables -A INPUT -p arp -j DROP
To identify the source(s) of the anomalous ARP traffic, consider:
- MAC address analysis (OUI lookup for vendor identification)
- Correlating timestamps with other security events
- Checking switch port mappings for the suspect MACs
Example tshark command for deeper analysis:
tshark -r capture.pcap -Y "arp.opcode == 1" \ -T fields -e frame.time -e arp.src.hw_mac -e arp.dst.proto_ipv4 \ | sort | uniq -c | sort -n
In modern environments, implement these architectural controls:
- Private VLANs to isolate suspicious hosts
- Port security features on network switches
- Network Access Control (NAC) solutions
- ARP inspection on L3 switches