Data link layer events

Capsa can diagnose the data link layer events listed below. For each event the entry gives its description, severity, possible causes and solutions; where causes and solutions are numbered, solution N addresses cause N.

Event: Invalid ARP Format

Description: The packet cannot be processed correctly on Ethernet because it violates the ARP frame format defined by the RFC. For example, the source MAC address is a multicast address, or the address information in the ARP header does not match that in the Ethernet MAC header.

Severity: Security

Possible causes: The address information in the ARP header is falsified or forged for an attack.

Solutions: Check whether there is an ARP attack.

Event: ARP Request Storm

Description: In a predetermined sampling duration, the number of ARP request packets per second is higher than the threshold.

Severity: Security

Possible causes:
  1. The source host sends a large number of ARP requests (check this first).
  2. The host is infected with a virus that automatically performs ARP scans.
  3. A scan application is performing an ARP scan.
  4. The port used for capturing traffic is not mirrored, or the machine running the program is not connected to the mirrored port.

Solutions:
  1. Use antivirus software to scan the host that sends a large number of ARP requests.
  2. Close the application that performs the ARP scan.
  3. Mirror the port used for capturing traffic and install the program on the machine connected to the mirrored port.

Event: ARP Scan

Description: In a predetermined sampling duration, the percentage of unanswered ARP request packets is equal to or higher than the threshold.

Severity: Security

Possible causes:
  1. The source host sending the ARP packets has a program performing a scan.
  2. There is a monitoring application on the network.
  3. The host is infected with a virus that automatically performs ARP scans.
  4. A scan application is performing an ARP scan.

Solutions:
  1. Check whether the source host has a program performing a scan.
  2. End the monitoring process.
  3. Use antivirus software to scan the host that performs the ARP scan.
  4. Close the scan application.

Event: ARP Too Many Unrequested Responses

Description: In a predetermined sampling duration, the number of unrequested ARP response packets sent by a host is equal to or higher than the threshold.

Severity: Security

Possible causes:
  1. There is ARP spoofing on the network.
  2. The program is installed on a central switching device and the ARP request packets are isolated from it, so responses appear unrequested.

Solutions: Check whether there is ARP spoofing on the host that sends a large number of ARP response packets.
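The four rules above can be expressed as simple checks over a window of ARP records. The following is an added example written for this page, not Capsa's own code: it applies the Invalid ARP Format, ARP Request Storm, ARP Scan and ARP Too Many Unrequested Responses rules to a constructed sample window, with the record layout, the reply-matching rule and all thresholds being assumptions of the example.

```python
from collections import Counter
# Constructed ARP records, not captured traffic. op 1 = request, 2 = reply.
def rec(op, eth_src, eth_dst, sender_mac, sender_ip, target_ip):
    return dict(op=op, eth_src=eth_src, eth_dst=eth_dst,
                sender_mac=sender_mac, sender_ip=sender_ip, target_ip=target_ip)

def invalid_arp_format(r):
    """Invalid ARP Format: multicast (I/G bit) source MAC, or ARP sender MAC != Ethernet source MAC."""
    if int(r["eth_src"].split(":")[0], 16) & 1:
        return True
    return r["eth_src"].lower() != r["sender_mac"].lower()

def requests_and_answers(records):
    """Requests keyed by (requester MAC, requested IP); a reply answers a key
    when it is addressed to the requester and its sender IP is the requested IP."""
    asked = Counter((r["eth_src"], r["target_ip"]) for r in records if r["op"] == 1)
    answered = {(r["eth_dst"], r["sender_ip"]) for r in records if r["op"] == 2}
    return asked, answered

def arp_request_storm(records, window_s, threshold_per_s):
    """ARP Request Storm: hosts whose request rate over the window exceeds the threshold."""
    per_host = Counter(r["eth_src"] for r in records if r["op"] == 1)
    return {h for h, n in per_host.items() if n / window_s > threshold_per_s}

def arp_scan(records, threshold_pct):
    """ARP Scan: hosts whose share of unanswered requests reaches the threshold."""
    asked, answered = requests_and_answers(records)
    total, unanswered = Counter(), Counter()
    for (host, ip), n in asked.items():
        total[host] += n
        unanswered[host] += 0 if (host, ip) in answered else n
    return {h for h in total if 100 * unanswered[h] / total[h] >= threshold_pct}

def unrequested_responses(records, threshold):
    """ARP Too Many Unrequested Responses: hosts sending >= threshold replies no request asked for."""
    asked, _ = requests_and_answers(records)
    unsolicited = Counter(r["eth_src"] for r in records
                          if r["op"] == 2 and (r["eth_dst"], r["sender_ip"]) not in asked)
    return {h for h, n in unsolicited.items() if n >= threshold}

# Constructed 10 s window: a scanner probes 20 IPs (only 10.0.0.1 answers), another host
# sends 3 replies nobody asked for, and one request carries a multicast source MAC.
SCANNER, SPOOFER, BCAST = "00:00:5e:00:53:09", "00:00:5e:00:53:aa", "ff:ff:ff:ff:ff:ff"
SAMPLE = (
    [rec(1, SCANNER, BCAST, SCANNER, "10.0.0.9", f"10.0.0.{i}") for i in range(1, 21)]
    + [rec(2, "00:00:5e:00:53:01", SCANNER, "00:00:5e:00:53:01", "10.0.0.1", "10.0.0.9")]
    + [rec(2, SPOOFER, f"00:00:5e:00:53:{i:02x}", SPOOFER, "10.0.0.1", f"10.0.0.{i}")
       for i in range(2, 5)]
    + [rec(1, "01:00:5e:00:00:01", BCAST, "01:00:5e:00:00:01", "10.0.0.7", "10.0.0.8")]
)
```

Replies are matched to requests without regard to time order; a real analyzer would also require the reply to arrive after the request within the sampling window.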
