How SEP defends against MAC spoofing


Title: What behavior to expect from the Symantec Endpoint Protection client when anti-MAC spoofing is enabled

Body: This is how Symantec Endpoint Protection (SEP) determines whether a MAC spoofing attack is in progress:
1. If the ARP packet was sent as a response to a request from the client, then SEP allows the inbound and outbound ARP traffic, provided an ARP request was actually made to that specific host. SEP blocks all other unexpected ARP traffic. This means that when Computer A wants to communicate with Computer B, Computer A first sends an ARP request to Computer B; once Computer A has sent that request, the client allows the corresponding ARP response for a period of 10 seconds.
2. If there is already a cached entry for this MAC address.
3. If the cached entry has a different IP address from the one in the ARP packet.
That is, if the response was not requested and the IP address in it differs from the cached entry for that MAC address, SEP treats the packet as a spoofing attack and blocks it.
NOTE: If a third-party NAC product is deployed on the same network as SEP (with anti-MAC spoofing enabled), and that NAC product itself relies on MAC spoofing techniques, SEP may detect the packets associated with the product as a spoofing attack.
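The three checks above, modelled as a small state machine. This is an illustration written for this page, not Symantec code: the protected host remembers which IPs it sent ARP requests to, accepts a reply only within the 10-second window after a matching request, and treats an unsolicited reply whose sender MAC is already cached under a different IP as spoofing. Two details the KB text leaves open are assumptions here: ARP requests themselves are passed through, and one reply consumes the pending request. The packet trace is constructed.

```python
"""Model of the ARP checks described above (illustration written for this page, not SEP code)."""
from dataclasses import dataclass, field
from typing import Dict, List

ARP_REQUEST, ARP_REPLY = 1, 2
REPLY_WINDOW_SECONDS = 10.0  # the KB text: a reply is expected within 10 s of the request


@dataclass
class ArpPacket:
    ts: float          # capture timestamp in seconds (constructed values below)
    op: int            # ARP_REQUEST or ARP_REPLY
    sender_mac: str
    sender_ip: str
    target_ip: str
    outbound: bool     # True when the protected host sent this packet


@dataclass
class ArpGuard:
    """Per-host state needed for the three checks: who we asked, and what we learned."""
    pending: Dict[str, float] = field(default_factory=dict)  # target IP -> time of our request
    cache: Dict[str, str] = field(default_factory=dict)      # sender MAC -> IP learned from allowed replies

    def process(self, pkt: ArpPacket) -> str:
        if pkt.op == ARP_REQUEST:
            if pkt.outbound:
                self.pending[pkt.target_ip] = pkt.ts  # check 1: remember that we asked this host
            # Assumption: requests are passed through; the KB text only describes replies.
            return "allow:request"
        if pkt.outbound:
            return "allow:outbound-reply"  # our own answers to other hosts' requests

        asked_at = self.pending.pop(pkt.sender_ip, None)
        if asked_at is not None and 0.0 <= pkt.ts - asked_at <= REPLY_WINDOW_SECONDS:
            # Solicited reply inside the window: allow it and learn the MAC -> IP binding.
            # Assumption: one reply consumes the request, so a second answer for the same
            # IP inside the window counts as unexpected.
            self.cache[pkt.sender_mac] = pkt.sender_ip
            return "allow:solicited"

        # Unsolicited (or late) reply. Checks 2 and 3: is this MAC cached under another IP?
        cached_ip = self.cache.get(pkt.sender_mac)
        if cached_ip is not None and cached_ip != pkt.sender_ip:
            return "block:spoof"
        return "block:unexpected"  # check 1: "all other unexpected ARP traffic" is blocked


def run(packets: List[ArpPacket]) -> List[str]:
    guard = ArpGuard()
    return [guard.process(p) for p in packets]


# Constructed trace for host 10.0.0.10: it resolves its gateway and a peer, a second
# MAC answers for the gateway unasked, a cached MAC later claims the gateway's IP,
# and one legitimate reply arrives 15 s after the request.
SAMPLE_TRACE = [
    ArpPacket(0.0,  ARP_REQUEST, "aa:aa:aa:aa:aa:10", "10.0.0.10", "10.0.0.1",  True),
    ArpPacket(0.5,  ARP_REPLY,   "00:11:22:33:44:01", "10.0.0.1",  "10.0.0.10", False),
    ArpPacket(3.0,  ARP_REPLY,   "00:11:22:33:44:99", "10.0.0.1",  "10.0.0.10", False),
    ArpPacket(4.0,  ARP_REQUEST, "aa:aa:aa:aa:aa:10", "10.0.0.10", "10.0.0.2",  True),
    ArpPacket(4.2,  ARP_REPLY,   "00:11:22:33:44:02", "10.0.0.2",  "10.0.0.10", False),
    ArpPacket(20.0, ARP_REPLY,   "00:11:22:33:44:02", "10.0.0.1",  "10.0.0.10", False),
    ArpPacket(25.0, ARP_REQUEST, "aa:aa:aa:aa:aa:10", "10.0.0.10", "10.0.0.3",  True),
    ArpPacket(40.0, ARP_REPLY,   "00:11:22:33:44:03", "10.0.0.3",  "10.0.0.10", False),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, run(SAMPLE_TRACE)):
        print(f"t={pkt.ts:5.1f} op={pkt.op} {pkt.sender_mac} says {pkt.sender_ip} -> {verdict}")
```

Note that the classic poisoning case (a second MAC answering for the gateway's IP without being asked) is stopped by check 1 alone; checks 2 and 3 only add the "spoof" verdict when the offending MAC has previously been seen with another IP. The late reply at 40 s shows why a legitimate but slow responder can also be dropped once the 10-second window has passed.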

Unsolicited ARP responses (gratuitous ARP) can have many causes, including but not limited to:
- the packet source is infected, i.e. the host or other device sending the gratuitous ARP messages has a virus
- a network environment issue
- an application issue

On unsolicited ARP responses caused by the network environment or by applications: gratuitous ARP is a special kind of ARP message. A device sends gratuitous ARP mainly for two purposes:
- to determine whether another device's IP address conflicts with its own. When other devices receive the gratuitous ARP message and find that the IP address in it matches their own, they return an ARP reply to the sender to report the address conflict.
- to announce that its hardware address has changed, so that other devices update their ARP table entries.

If you suspect that the source host or device is infected: locate the source host and scan it for viruses; see http://www.symantec.com/docs/TECH122466. You can also enable SEP's Risk Tracer feature to locate the source of the infection: http://www.symantec.com/business/support/index?page=content&id=TECH94526

If you suspect an environment or application problem: use Wireshark to confirm the source. Wireshark can be downloaded from http://www.wireshark.org/download.html

As a general rule, if only a single machine is sending these packets, it is an application problem, although an environmental cause cannot be completely ruled out; if the source is a switch or another network device, it is usually an environmental matter, i.e. the device uses gratuitous ARP to implement some function. If the application behavior is not by design, it may be a virus infection.
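To confirm the source in a capture you need to recognise gratuitous ARP on the wire. The parser below is an added example written for this page (not Symantec or Wireshark code): it decodes a raw Ethernet II + ARP frame and names the message the way an analyst reads it. The distinction rests on the standard IPv4-over-Ethernet ARP layout: a gratuitous ARP carries the same sender and target IP address, and an ARP probe used for conflict detection carries a sender IP of 0.0.0.0. All frames are constructed inline with `build_arp_frame`, a helper introduced here.

```python
"""Parse raw Ethernet/ARP frames and tell gratuitous ARP apart from ordinary ARP.

Illustration written for this page (not Symantec or Wireshark code). The frames
below are constructed inline; the classification uses the standard wire format:
a gratuitous ARP carries the same sender and target IP, and an ARP probe (used
for address-conflict detection) carries a sender IP of 0.0.0.0.
"""
import struct
from typing import Dict, List

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_frame(op: int, sha: str, spa: str, tha: str, tpa: str, eth_dst: str = BROADCAST) -> bytes:
    """Ethernet II header + 28-byte ARP body for IPv4 over Ethernet (42 bytes total)."""
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(sha), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac_bytes(sha), _ip_bytes(spa), _mac_bytes(tha), _ip_bytes(tpa))
    return eth + arp


def parse_arp_frame(frame: bytes) -> Dict[str, object]:
    """Decode the ARP fields; reject anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4-over-Ethernet ARP is handled here")
    return {
        "op": op,
        "sha": ":".join(f"{b:02x}" for b in sha),
        "spa": ".".join(str(b) for b in spa),
        "tha": ":".join(f"{b:02x}" for b in tha),
        "tpa": ".".join(str(b) for b in tpa),
    }


def classify(arp: Dict[str, object]) -> str:
    """Name the ARP message type the way an analyst would read it in a capture."""
    if arp["op"] == ARP_REQUEST and arp["spa"] == "0.0.0.0":
        return "arp-probe"  # conflict detection before the address is put into use
    if arp["spa"] == arp["tpa"]:
        # The sender asks about, or announces, its own address: gratuitous ARP.
        return "gratuitous-request" if arp["op"] == ARP_REQUEST else "gratuitous-reply"
    return "request" if arp["op"] == ARP_REQUEST else "reply"


def classify_frames(frames: List[bytes]) -> List[str]:
    return [classify(parse_arp_frame(f)) for f in frames]


# Constructed frames: a host announcing 10.0.0.5 after changing its NIC, a probe for
# the same address, an ordinary lookup of the gateway, and a gratuitous reply.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, "00:11:22:33:44:55", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.5"),
    build_arp_frame(ARP_REQUEST, "00:11:22:33:44:55", "0.0.0.0", "00:00:00:00:00:00", "10.0.0.5"),
    build_arp_frame(ARP_REQUEST, "aa:aa:aa:aa:aa:10", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp_frame(ARP_REPLY, "00:11:22:33:44:55", "10.0.0.5", "ff:ff:ff:ff:ff:ff", "10.0.0.5"),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        arp = parse_arp_frame(frame)
        print(f"{arp['sha']} {arp['spa']} -> {arp['tpa']}: {classify(arp)}")
```

In Wireshark the same condition is available as the display filter `arp.isgratuitous == 1`; sorting the matches by source MAC shows at a glance whether one workstation (application or infection) or a switch (environment) is generating them, which is the distinction the paragraph above draws.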
