Title

What behavior to expect from the Symantec Endpoint Protection client when anti-MAC spoofing is enabled

Body

This is how Symantec Endpoint Protection (SEP) determines whether a MAC spoofing attack is in progress. The client evaluates three things:


1. Whether the ARP packet is a response to a request the client itself sent. SEP allows inbound and outbound ARP traffic only if the client made an ARP request to that specific host; all other, unexpected ARP traffic is blocked.

This means that when computer A wants to communicate with computer B, computer A sends an ARP request to computer B. Once computer A has sent that request, the client allows the corresponding ARP response from B within a window of 10 seconds.


2. Whether there is already a cached entry for this MAC address.

3. Whether the cached entry holds a different IP address than the one in the ARP packet.


If the response was not requested and the IP address differs from the cached entry for that MAC address, SEP treats the packet as a spoofing attack and blocks it.
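The following Python script is an added illustration, not Symantec's code, that models the three checks above as a small stateful filter: it remembers which IPs the client asked about and when, learns a MAC-to-IP cache from the replies it accepts, and classifies each inbound reply. The verdict strings, the dictionary layout, the constructed ARP events and the idea that the cache is learned from accepted replies are all assumptions of this example; the 10-second window is the one the article states.

```python
"""Toy model of the SEP anti-MAC-spoofing decision described above.

Assumed for this example (not from the article): time is a float number of
seconds supplied by the caller, the MAC->IP cache is learned from replies the
filter lets through, and the verdict strings are this script's own.
"""
from dataclasses import dataclass, field

REPLY_WINDOW_SECONDS = 10.0  # solicited replies are accepted within 10 s of the request


@dataclass
class ArpSpoofGuard:
    # IP the client asked about -> time the ARP request went out (check 1)
    pending: dict = field(default_factory=dict)
    # MAC -> IP learned from replies that were accepted (checks 2 and 3)
    cache: dict = field(default_factory=dict)

    def outbound_request(self, target_ip: str, now: float) -> str:
        """Record that the client sent an ARP request for target_ip."""
        self.pending[target_ip] = now
        return "allow"

    def inbound_reply(self, sender_mac: str, sender_ip: str, now: float) -> str:
        """Classify an inbound ARP reply claiming that sender_ip is at sender_mac."""
        asked_at = self.pending.get(sender_ip)
        solicited = asked_at is not None and now - asked_at <= REPLY_WINDOW_SECONDS
        if asked_at is not None:
            # The request is consumed whether the reply was timely or stale.
            del self.pending[sender_ip]
        if solicited:
            # Check 1 passed: expected reply, accept it and learn the MAC->IP pair.
            self.cache[sender_mac] = sender_ip
            return "allow"
        # Unsolicited reply. Checks 2 and 3: is this MAC already cached with a
        # different IP? If so the sender is claiming an address it did not own.
        cached_ip = self.cache.get(sender_mac)
        if cached_ip is not None and cached_ip != sender_ip:
            return "block-spoof"
        # Unsolicited but not contradicting the cache: still blocked as unexpected
        # ARP traffic, just not reported as a spoofing attack (this split is an
        # assumption of the example).
        return "block-unexpected"


def run_scenario() -> list:
    """Constructed sequence of ARP events (sample input, not captured traffic)."""
    guard = ArpSpoofGuard()
    verdicts = []
    # Client A resolves its gateway 10.0.0.1 and gets a timely answer.
    guard.outbound_request("10.0.0.1", now=0.0)
    verdicts.append(guard.inbound_reply("aa:aa:aa:aa:aa:01", "10.0.0.1", now=0.5))
    # Client A resolves host C at 10.0.0.7; C's MAC is now cached.
    guard.outbound_request("10.0.0.7", now=1.0)
    verdicts.append(guard.inbound_reply("cc:cc:cc:cc:cc:07", "10.0.0.7", now=1.2))
    # C, cached as 10.0.0.7, sends an unsolicited reply claiming the gateway IP:
    # cached IP differs from the packet's IP, so this is flagged as spoofing.
    verdicts.append(guard.inbound_reply("cc:cc:cc:cc:cc:07", "10.0.0.1", now=2.0))
    # A MAC never seen before announces 10.0.0.9 unsolicited (for instance a
    # gratuitous ARP after a NIC change): blocked as unexpected, not as spoofing.
    verdicts.append(guard.inbound_reply("ee:ee:ee:ee:ee:09", "10.0.0.9", now=3.0))
    # A reply that arrives 12.5 s after its request falls outside the window.
    guard.outbound_request("10.0.0.5", now=4.0)
    verdicts.append(guard.inbound_reply("55:55:55:55:55:05", "10.0.0.5", now=16.5))
    return verdicts


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The model makes the practical consequence visible: a host that legitimately changes its hardware address, or a NAC appliance that deliberately answers for other hosts, produces unsolicited replies that the client drops, and it is reported as a spoofing attack only when the sending MAC is already cached with a different IP.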


NOTE: If a third-party NAC product is deployed in the same network as SEP (with anti-MAC spoofing enabled), and that NAC product itself relies on MAC spoofing techniques, SEP may detect the packets generated by the product as a spoofing attack.



Unsolicited ARP responses (gratuitous ARP):

These can have a number of causes, including but not limited to:

- The packet source is infected with malware, i.e. the host or other device sending the gratuitous ARP packets is infected

- A network environment issue

- An application issue


About unsolicited ARP responses caused by the network environment or by applications:

Gratuitous ARP is a special kind of ARP packet. A device sends gratuitous ARP mainly to:

- Determine whether another device's IP address conflicts with its own. When other devices receive the gratuitous ARP packet and find that the IP address in it matches their own, they return an ARP reply to the sender, telling it that the IP address is in conflict

- Announce that its hardware address has changed, so that other devices update their ARP table entries


If you suspect that the source host or device is infected:

Locate the source host and scan it for malware; see http://www.symantec.com/docs/TECH122466. You can also enable SEP's Risk Tracer feature to locate the source of the infection: http://www.symantec.com/business/support/index?page=content&id=TECH94526


If you suspect an environment or application issue:

We recommend using Wireshark to confirm the source. Wireshark can be downloaded from http://www.wireshark.org/download.html


In general, if only a single machine is sending these packets it is an application issue, although an environment issue cannot be ruled out entirely; if the source is a switch or another network device, it is generally an environment issue, i.e. the device uses gratuitous ARP to implement some function. If the application behavior is not by design, it may indicate a malware infection.