ARP Bomb
========

Genian NAC can detect high volumes of ARP request packets sent in a variety of ways. The Network Sensor counts how many ARP packets are sent by each Node. If a Node sends more ARP requests than the specified value, Genian NAC suspects an ARP Bomb and designates the Node as critical.

Possible Causes
---------------

The following is a short list of some commonly known causes of elevated ARP traffic.

- Looped switch configuration
- Duplicate IPs on the Network
- Failing Network Interface in a device
- Invalid Subnet Mask on a device
- Denial of Service attack leveraging ARP (typically from malware infected endpoints)

If an ARP Bomb anomaly is detected in your network, but you confirm that there is no problem, you can reduce the sensitivity of the ARP Bomb detection, or assign an exempt node group under **Policy > Node Policy > Anomaly Definition > ARP Bomb**.

Configure Settings for ARP Bomb in Anomaly Definition
-----------------------------------------------------

#. Go to **Policy** in the top panel.
#. Go to **Policy > Node Policy > Anomaly Definition** in the left Policy panel.
#. Click **ARP Bomb.**
#. Find the **Anomaly Event** section to configure more options.

   - For **Event Duration**, optional setting to specify how long the ARP request packets are sent.
   - For **Number of Allowable ARP Requests**, optional setting to specify the threshold to trigger the anomaly detection.
   - For **Attribute to Match**, optional setting to find a Node sending the excessive ARP packets.

#. Click **Update.**

Create Node Group For ARP Bomb Nodes
------------------------------------

#. Go to **Policy** in the top panel.
#. Go to **Policy > Group > Node** in the left Policy panel.
#. Click on **Tasks > Create**
#. For **ID:** ARP Packet Bombed.
#. For **Status:** Enabled.
#. For **Boolean Operator** select **OR.**
#. Find and click on **Add** in the **Condition** section.
#. For each **Anomaly** you want to add, use the following:

   - **Options:** Anomaly.
   - **Operator:** Detected is one of.
   - **Value:** ARP Bomb.

#. Click **Add.**
#. Keep adding **Conditions** as needed.
#. Click **Save.**
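
The per-Node counting that the **Event Duration** and **Number of Allowable ARP Requests** settings describe can be pictured as a sliding-window counter. The following is an added example, not Genian NAC's own code: the function names, keying Nodes by source MAC, and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict, deque

ARP_REQUEST = 1  # ARP opcode 1 = request, 2 = reply


def detect_arp_bomb(events, duration_s, allowed_requests):
    """Return {mac: timestamp} for Nodes that send more than allowed_requests
    ARP requests inside any duration_s window (hypothetical helper).

    events: (timestamp_seconds, source_mac, arp_opcode) tuples sorted by time.
    """
    windows = defaultdict(deque)  # per-Node request timestamps still in window
    flagged = {}
    for ts, mac, opcode in events:
        if opcode != ARP_REQUEST:  # only requests count toward the threshold
            continue
        mac = mac.lower()          # assumption: Nodes are matched by MAC
        win = windows[mac]
        win.append(ts)
        # Drop requests that have aged out of the sliding window.
        while win and ts - win[0] >= duration_s:
            win.popleft()
        if len(win) > allowed_requests and mac not in flagged:
            flagged[mac] = ts      # first moment the threshold was exceeded
    return flagged


def build_sample():
    """Constructed sample traffic, not captured from a real network."""
    events = []
    # Node 01: normal host, one request every 2 seconds for a minute.
    events += [(t, "AA:BB:CC:00:00:01", ARP_REQUEST) for t in range(0, 60, 2)]
    # Node 02: burst of 150 requests at 50 per second starting at t=20.
    events += [(20 + i / 50, "aa:bb:cc:00:00:02", ARP_REQUEST) for i in range(150)]
    # Node 03: 300 ARP replies, which are not requests and are ignored.
    events += [(30 + i / 100, "aa:bb:cc:00:00:03", 2) for i in range(300)]
    return sorted(events)


if __name__ == "__main__":
    for mac, ts in detect_arp_bomb(build_sample(), 10, 100).items():
        print(f"ARP Bomb suspected: {mac} exceeded threshold at t={ts:.2f}s")
```

Raising `allowed_requests` or shortening `duration_s` in this sketch has the same effect as reducing detection sensitivity in the Anomaly Definition.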