ARP Bomb
Genian ZTNA can detect high volumes of ARP request packets sent in a variety of ways. The Network Sensor counts how many ARP packets each Node sends. If a Node sends more ARP requests than the specified value, Genian ZTNA suspects an ARP Bomb and designates the Node as critical.
Possible Causes
The following is a short list of some commonly known causes of elevated ARP traffic.
- Looped switch configuration
- Duplicate IPs on the Network
- Failing Network Interface in a device
- Invalid Subnet Mask on a device
- Denial of Service attack leveraging ARP (typically from malware infected endpoints)
If an ARP Bomb anomaly is detected in your network but you confirm that there is no problem, you can reduce the sensitivity of the ARP Bomb detection, or assign an exempt node group, under Policy > Node Policy > Anomaly Definition > ARP Bomb.
Configure Settings for ARP Bomb in Anomaly Definition
- Go to Policy in the top panel.
- Go to Policy > Node Policy > Anomaly Definition in the left Policy panel.
- Click ARP Bomb.
- Find Anomaly Event section to configure more options.
- For Event Duration, an optional setting specifying the period over which the ARP request packets are sent (the window in which they are counted).
- For Number of Allowable ARP Requests, an optional setting specifying the threshold that triggers the anomaly detection.
- For Attribute to Match, an optional setting specifying the attribute used to identify the Node sending the excessive ARP packets.
- Click Update.
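The following is an added example, not Genian ZTNA code, that models the detection described above: ARP requests are counted per Node inside a sliding Event Duration window, a Node that exceeds the Number of Allowable ARP Requests is flagged, the Attribute to Match chooses which field identifies a Node, and an exempt set stands in for the exempt node group. It assumes a constructed line format ("epoch seconds, sender MAC, sender IP, target IP") that the page does not define; the sample log lines are constructed for the example.

```python
"""Per-node ARP request counting over an event window (added example).

Assumptions not taken from the page: ARP requests are available as text
lines "<epoch seconds> <sender MAC> <sender IP> <target IP>", and the exempt
node group is represented as a set of node identifiers.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpRequest:
    ts: float
    sender_mac: str
    sender_ip: str
    target_ip: str


def parse_arp_log(text):
    """Parse the constructed line format into ArpRequest records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append(ArpRequest(float(parts[0]), parts[1].lower(), parts[2], parts[3]))
    return records


def detect_arp_bomb(requests, allowable, duration, attribute="sender_mac", exempt=frozenset()):
    """Flag nodes whose request count within any `duration`-second window exceeds `allowable`.

    `attribute` plays the role of 'Attribute to Match': the ArpRequest field that
    identifies a node ("sender_mac" or "sender_ip"). `exempt` plays the role of the
    exempt node group. Returns {node: (window_start, window_end, count)} for the
    first window in which each node crossed the threshold.
    """
    windows = defaultdict(deque)
    flagged = {}
    for r in sorted(requests, key=lambda x: x.ts):
        node = getattr(r, attribute)
        if node in exempt:
            continue
        q = windows[node]
        q.append(r.ts)
        # Drop timestamps older than the event duration (sliding window).
        while r.ts - q[0] > duration:
            q.popleft()
        if len(q) > allowable and node not in flagged:
            flagged[node] = (q[0], r.ts, len(q))
    return flagged


# Constructed sample log: a host that resolves 20 addresses in two seconds, a host
# that resolves three peers over a minute, and a gateway that polls as fast as the
# first host but belongs to the exempt group.
SAMPLE_LOG = "\n".join(
    [f"{100 + i / 10:.1f} aa:bb:cc:00:00:01 192.168.1.50 192.168.1.{i + 1}" for i in range(20)]
    + [f"{100 + i * 20:.1f} aa:bb:cc:00:00:02 192.168.1.51 192.168.1.{i + 1}" for i in range(3)]
    + [f"{100 + i / 10:.1f} aa:bb:cc:00:00:ff 192.168.1.254 192.168.1.{i + 1}" for i in range(20)]
)
GATEWAY_GROUP = frozenset({"aa:bb:cc:00:00:ff"})  # hypothetical exempt node group


def arp_bomb_report(log=SAMPLE_LOG, allowable=10, duration=2.0, exempt=GATEWAY_GROUP):
    """Run the detection with settings in the style of the Anomaly Definition and return flagged nodes."""
    return detect_arp_bomb(parse_arp_log(log), allowable, duration, exempt=exempt)


if __name__ == "__main__":
    for node, (start, end, count) in arp_bomb_report().items():
        print(f"ARP Bomb suspected: {node} sent {count} requests in {end - start:.1f}s")
```

With the defaults, only the sweeping host is flagged: the gateway sends just as many requests but is exempt, and the normal host never accumulates more than one request per window. The keys of the returned dictionary are exactly the membership a node group such as "ARP Packet Bombed" would collect, and lowering `allowable` or widening `duration` makes the detection more sensitive in the same way the two settings above do.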
Create Node Group For ARP Bomb Nodes
- Go to Policy in the top panel.
- Go to Policy > Group > Node in the left Policy panel.
- Click on Tasks > Create.
- For ID: ARP Packet Bombed.
- For Status: Enabled.
- For Boolean Operator select OR.
- Find and click on Add in Condition section.
- For each Anomaly you want to add, use the following:
- Options: Anomaly.
- Operator: Detected is one of.
- Value: ARP Bomb.
- Click Add.
- Keep adding Conditions as needed.
- Click Save.