
KES11.1 ARP/MAC Spoof Feature



I installed the new KES11.1 (11.1.0.15919) on two laptops and activated the new ARP/MAC Spoof detection feature (detect, not prevent; the second option). On my laptop, whenever I switch between Wifi and wired connection, I get the message below. A colleague of mine uses a docking station where the laptop is connected with Wifi and wired connection (docking station) and he permanently gets the same message. I have disabled the feature for the moment. How exactly does this feature work? How do you recognize a network attack? I assumed that you search for unrequested ARP Replies on the network, or that you remember the correct MAC of (at least) the gateway IP and if that changes, that might be an attack.

Event type: A network attack has been detected.
Application\Name: Kaspersky Endpoint Security for Windows
User: xxx\xxx (Active user)
Component: Network Threat Protection
Result\Description: Allowed
Object: from multiple different sources
Object\Type: Network packet
Object\Name: from multiple different sources
Object\Advanced: Suspicious:
Databases from: 21.03.2019 03:11:00

The event "A network attack has been detected." occurred on computer XXX in domain XXX on Tuesday, 26 March 2019 11:41:07 (GMT+01:00)

Event type: A network attack has been detected.
Application\Name: Kaspersky Endpoint Security for Windows
User: XXX\XXX (Active user)
Component: Network Threat Protection
Result\Description: Allowed
Object: from multiple different sources
Object\Type: Network packet
Object\Name: from multiple different sources
Object\Advanced: Suspicious:
Databases from: 05.02.2019 21:32:00

  • 2 weeks later...
I found the root cause: when you look into the reports in the local KES interface, there is additional information (MAC and IP of the threat) -> why not in KSC? In my case, it is a QNAP NAS (with Linux on it) which is configured for bonding (mode: balance-alb).

"When a link is reconnected or a new slave joins the bond the receive traffic is redistributed among all active slaves in the bond by initiating ARP Replies with the selected mac address to each of the clients. The updelay parameter (detailed below) must be set to a value equal or greater than the switch's forwarding delay so that the ARP Replies sent to the peers will not be blocked by the switch." https://wiki.linuxfoundation.org/networking/bonding

I also checked the ARP packets and sometimes the NAS responds with the 2nd MAC (as described above). This triggers the network attack warning mentioned (because the ARP cache learned the 1st MAC -> it seems that this feature monitors ARP cache changes). The two MAC addresses are in my case upward (24-5E-BE-0A-83-EC and 24-5E-BE-0A-83-ED), so maybe this could be a workaround. Could you please also consider such use cases (teaming/bonding of NICs for servers which may use two MAC addresses for the same IP) so that this new ARP protection feature covers that as well?

The other issue is when I switch between Wifi and LAN or between different VLANs (on the LAN interface), especially when the gateway uses VRRP. The gateway IP and MAC change, and I think that this KES feature tracks that as well (I have to investigate that further). On every switch, I get one "network attack" message (with the gateway IP mentioned).
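The posts above hypothesise how the detection works (a learned IP-to-MAC table that alerts when the MAC behind an IP changes) and describe two benign situations that trip it: a balance-alb bonded NAS answering from two slave MACs, and the gateway MAC changing when the laptop moves between Wi-Fi, wired and VLANs. The following is an added example written for this thread, not code from Kaspersky, KES or the poster: a small Python model of such a monitor that first reproduces the false positives with a single global cache, then shows two mitigations a practitioner could apply (a cache per interface so a new link learns its own gateway, and an explicit allowlist of MACs for known bonded hosts). The sample ARP replies, the gateway IP 10.0.0.1 shared by both VLANs, the gateway and attacker MACs, and the interface names are constructed assumptions; only the two NAS MACs come from the thread. How KES actually implements the check is not documented here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply (constructed sample data, not a real capture)."""
    iface: str         # interface the reply arrived on
    sender_ip: str     # IP the sender claims to own
    sender_mac: str    # MAC the sender wants cached for that IP
    solicited: bool    # True if this host had just sent a request for sender_ip


@dataclass(frozen=True)
class Alert:
    iface: str
    ip: str
    old_mac: str
    new_mac: str
    reason: str


class ArpMonitor:
    """Learn IP->MAC from ARP replies and alert when a cached MAC changes.

    per_interface=False keeps one global cache, which is the behaviour the
    thread reports: a gateway MAC change after a Wi-Fi/LAN/VLAN switch looks
    like an attack.  per_interface=True keeps a cache per interface, so a
    freshly connected link learns its gateway without conflicting with the
    entry learned on the previous link.  bonded_hosts maps an IP to the set
    of MACs a bonded (balance-alb) server may legitimately answer from.
    """

    def __init__(self, per_interface: bool = True,
                 bonded_hosts: Optional[Dict[str, Set[str]]] = None):
        self.per_interface = per_interface
        self.cache: Dict[str, Dict[str, str]] = {}
        self.bonded_hosts = {ip: {m.lower() for m in macs}
                             for ip, macs in (bonded_hosts or {}).items()}
        self.alerts: List[Alert] = []

    def _table(self, iface: str) -> Dict[str, str]:
        key = iface if self.per_interface else "*"
        return self.cache.setdefault(key, {})

    def observe(self, r: ArpReply) -> Optional[Alert]:
        table = self._table(r.iface)
        mac = r.sender_mac.lower()
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = mac          # first sighting: learn it
            return None
        if known == mac:
            return None                       # consistent with the cache
        allowed = self.bonded_hosts.get(r.sender_ip, set())
        if known in allowed and mac in allowed:
            table[r.sender_ip] = mac          # balance-alb moved us to another slave NIC
            return None
        reason = ("unsolicited reply changed cached MAC" if not r.solicited
                  else "reply changed cached MAC")
        alert = Alert(r.iface, r.sender_ip, known, mac, reason)
        self.alerts.append(alert)
        # keep the MAC learned first; the conflicting one is not trusted
        return alert


# Constructed traffic modelling the thread's situations (gateway IP, gateway
# MACs, attacker MAC and interface names are assumptions; NAS MACs are the
# ones quoted in the thread).
NAS_IP = "10.0.0.50"
NAS_MACS = {"24:5e:be:0a:83:ec", "24:5e:be:0a:83:ed"}
TRAFFIC = [
    ArpReply("wlan0", "10.0.0.1", "aa:bb:cc:00:00:01", solicited=True),   # gateway on Wi-Fi VLAN
    ArpReply("eth0",  "10.0.0.1", "aa:bb:cc:00:00:02", solicited=True),   # docked: gateway on LAN VLAN
    ArpReply("eth0",  NAS_IP, "24:5e:be:0a:83:ec", solicited=True),       # NAS answers from slave 1
    ArpReply("eth0",  NAS_IP, "24:5e:be:0a:83:ed", solicited=False),      # NAS rebalances to slave 2
    ArpReply("eth0",  "10.0.0.1", "de:ad:be:ef:00:01", solicited=False),  # real poisoning attempt
]


def run(per_interface: bool, bonded: bool) -> List[Alert]:
    """Feed the sample traffic through a monitor and return its alerts."""
    mon = ArpMonitor(per_interface=per_interface,
                     bonded_hosts={NAS_IP: NAS_MACS} if bonded else None)
    for r in TRAFFIC:
        mon.observe(r)
    return mon.alerts


if __name__ == "__main__":
    for label, alerts in (("naive (global cache, no allowlist)", run(False, False)),
                          ("tuned (per interface, NAS allowlisted)", run(True, True))):
        print(f"{label}: {len(alerts)} alert(s)")
        for a in alerts:
            print("  ", a)
```

The naive run fires three times (gateway MAC change after docking, the NAS switching slave MAC, and the spoofing attempt); the tuned run fires only on the spoofing attempt. The workaround suggested in the thread, trusting MACs that differ only in the last octet, is not used here: an attacker can choose any MAC, so adjacency to the cached one proves nothing. Per-host allowlisting of the known bond members, or excluding those hosts from the check, is the safer way to handle teaming.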

  • 3 weeks later...
Any news on that? The change between different VLANs or LAN/Wifi still triggers that detection. LAN and Wifi are different VLANs with different gateways (and MACs), so it seems that you monitor the MAC of the gateway.
