September 13, 2018

ARP cache poisoning attack


After years of putting in purchase request after purchase request for an antivirus program, it took a ransomware attack for my bosses to see the light, and we finally bought ESET Endpoint Security. ESET (NOD32) has a pretty bad reputation locally as the antivirus product you install if you want to be infected with a virus. I'm not sure why it was so badly rated, but perhaps it was because everyone was running pirated versions, and maybe the pirated copies don't actually work; but that's another story for another time.

Of course, we looked at several competing products, and I almost decided on Bitdefender, but during the 30-day trial period I discovered that Bitdefender was really slow if I was scrolling through my files in Windows Explorer with my cursor keys. I asked the support people and their clever answer was: don't move around with the cursor keys, just use the mouse and click on the file you want to use. So I put in a request and bought ESET Endpoint Security.

The morning after I received the licenses in email, my boss called and asked if I'd finished installing the antivirus. (Oh, there's another story involving the email, which is also another story for another time.)

"Finished? I've just started downloading the setup files, and I have to set up the management server."

"Good, so after that every computer will have the new antivirus?"

"Uh... not exactly, we have to set up the management server, create policies and exceptions, then deploy the client software to the domain; it shouldn't take more than a week or two. But we have some really old computers that are being replaced next month, so we'll hold off on installing it on those until they're replaced."

"Good, finish installing everything by noon and sign off the project."

"What? It's not a home product where I just click on setup and use the defaults; we have hundreds of computers in different configurations and it will take at least a few days to get all the policies right, and we must test the policies and then do a phased rollout so we don't run into too many problems all at once. Plus we have to remove the old antivirus, which has to be done manually since you wouldn't buy a commercial product and all we used were free home versions."

"That's why you have your staff to help you. I'll give you some extra time, just finish everything by today."

So I booted up the management server, created a default policy, let my guys go around the office uninstalling the old antivirus (if any) and rolled everything out all at once. Less than a minute later my phones started ringing off the hook and the management server started reporting ARP cache poisoning attacks. Users were reporting a pop-up complaining about ARP something something, they couldn't access the ERP, and they couldn't print to an old cheap printer shared from one of the computers.

Printing to the shared printer was easy, just a matter of adding an exception to the firewall, but it took longer than it should have, since I was unfamiliar with ESET, and it took me more than a few minutes to find the option and deploy the updated policy to the clients.

The ARP cache poisoning attack was less obvious. I looked and it was coming from the SQL database server (which also explains why access to the ERP was blocked). Hmm, strange. Then I realized the database server has a NIC team. Aha, some doc reading led me to add an entry to the IDS exceptions setting. (The ESET support pages said to add entries to Trusted zone and Addresses to be excluded from IDS; that didn't work at all. The entry had to be added on the Network attack protection settings page.) After that, no more ARP cache poisoning attack messages, and then I started getting warnings of a duplicate IP address on the network.

Okay, add another entry to the IDS exceptions. Yay! All done, except the shared printer still didn't work. It's probably another non-obvious setting which I'll figure out another time.
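The post doesn't spell out why a NIC team sets off the ARP alarm, so here is my reading of it, with a toy detector to illustrate. An ARP-spoofing heuristic watches the IP-to-MAC mapping learned from ARP replies and raises an alert when an IP that was answering from one MAC starts answering from another. A server with a switch-independent NIC team can legitimately answer for its single IP from more than one adapter MAC, which to the detector looks exactly like a poisoning attempt, and the same mechanism produces the "duplicate IP address" warning. The IDS exception tells the detector which MACs are allowed to share that IP. The code below is an added example written for this post; it is not ESET's detection logic, the addresses and frames are constructed sample data (documentation range 192.0.2.0/24, locally administered MACs), and the exception format `{ip: {allowed MACs}}` is my assumption about how such an allowlist could be expressed, not ESET's.

```python
"""Toy ARP-cache-poisoning detector with a NIC-team exception list.

Added illustration for this post; not ESET's code. All frames and addresses
below are constructed sample data, not captures from a real network.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Construct an Ethernet II + ARP reply frame (IPv4 over Ethernet, 42 bytes)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


@dataclass(frozen=True)
class ArpInfo:
    opcode: int
    sender_mac: str
    sender_ip: str


def parse_arp(frame: bytes) -> Optional[ArpInfo]:
    """Return the sender fields of an IPv4/Ethernet ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return ArpInfo(opcode, sender_mac, sender_ip)


class ArpMonitor:
    """Track IP -> MAC from ARP replies; alert when an IP changes MAC unexpectedly."""

    def __init__(self, exceptions: Optional[Dict[str, Iterable[str]]] = None):
        # exceptions: IP -> set of MACs allowed to answer for it (e.g. NIC-team members).
        self.exceptions = {ip: {m.lower() for m in macs} for ip, macs in (exceptions or {}).items()}
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        info = parse_arp(frame)
        if info is None or info.opcode != ARP_REPLY:
            return None
        ip, mac = info.sender_ip, info.sender_mac
        previous = self.table.get(ip)
        self.table[ip] = mac
        if previous is None or previous == mac:
            return None  # first sighting, or stable mapping: nothing to report
        if mac in self.exceptions.get(ip, set()):
            return None  # IDS exception: this MAC may legitimately answer for this IP
        alert = f"ARP cache poisoning attack suspected: {ip} was {previous}, now {mac}"
        self.alerts.append(alert)
        return alert


# Constructed sample network: a client, a gateway, and a database server with a two-NIC team.
CLIENT_MAC, CLIENT_IP = "02:00:00:00:00:01", "192.0.2.50"
GATEWAY_MAC, GATEWAY_IP = "02:00:00:00:00:fe", "192.0.2.1"
DB_SERVER_IP = "192.0.2.10"
TEAM_MACS = ("02:00:00:00:00:0a", "02:00:00:00:00:0b")  # both team adapters answer for the DB IP
UNKNOWN_MAC = "02:00:00:00:00:ff"  # a MAC the monitor has never associated with the gateway

SAMPLE_FRAMES = [
    build_arp_reply(TEAM_MACS[0], DB_SERVER_IP, CLIENT_MAC, CLIENT_IP),
    build_arp_reply(TEAM_MACS[1], DB_SERVER_IP, CLIENT_MAC, CLIENT_IP),  # second team member answers
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
    build_arp_reply(UNKNOWN_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),  # gateway IP now from a new MAC
]


def run(exceptions: Optional[Dict[str, Iterable[str]]] = None) -> List[str]:
    """Feed the sample frames through a monitor and return the alerts it raised."""
    monitor = ArpMonitor(exceptions)
    for frame in SAMPLE_FRAMES:
        monitor.observe(frame)
    return monitor.alerts


if __name__ == "__main__":
    print("No exceptions:", run())  # two alerts: the NIC team and the gateway change
    print("With NIC-team exception:", run({DB_SERVER_IP: TEAM_MACS}))  # only the gateway change
```

Without an exception the team's second adapter trips the same rule as the genuine gateway change, which is the false positive the post ran into; the exception keyed on the server's IP silences the team while the gateway alert still fires, which is the behaviour you want from the IDS exception rather than a blanket trusted-zone entry.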
