Data Link layer diagnosis events

The table below describes the diagnosis events on the data link layer. Each entry gives the event name, its description, severity, possible causes and solutions.

Event: Invalid ARP Format
Description: The packet cannot be processed correctly on the Ethernet and violates the frame format defined by the RFC. For example, the source MAC address is a multicast address, or the address information in the ARP header does not match that in the Ethernet MAC header.
Severity: Security
Possible causes: The address information in the ARP header is falsified or forged for an attack.
Solutions: Check whether there is an ARP attack.

Event: ARP Request Storm
Description: In a predetermined sampling duration, the number of ARP request packets per second is higher than the threshold.
Severity: Security
Possible causes:
  1. The source host sends a large number of ARP requests.
  2. The host is infected with a virus that is automatically performing an ARP scan.
  3. A scan application is performing an ARP scan.
  4. The port for capturing traffic is not mirrored, or the machine running the program is not connected to the mirrored port.
Solutions:
  1. Use antivirus software to scan the host that sends a large number of ARP requests.
  2. Close the application that performs the ARP scan.
  3. Mirror the port used for capturing traffic and install the program on the machine connected to the mirrored port.

Event: ARP Scan
Description: In a predetermined sampling duration, the percentage of unanswered ARP request packets is equal to or higher than the threshold.
Severity: Security
Possible causes:
  1. The source host sending the ARP packets has a program performing a scan.
  2. There is a monitoring application on the network.
  3. The host is infected with a virus that is automatically performing an ARP scan.
  4. A scan application is performing an ARP scan.
Solutions:
  1. Check whether the source host has a program performing a scan.
  2. End the monitoring process.
  3. Use antivirus software to scan the host that performs the ARP scan.
  4. Close the scan application.

Event: ARP Too Many Unrequested Responses
Description: In a predetermined sampling duration, the number of unrequested ARP response packets from a host is equal to or higher than the threshold.
Severity: Security
Possible causes:
  1. There is ARP spoofing on the network.
  2. The program is installed on a central switching device and the ARP request packets are isolated from the capture, so the responses appear unrequested.
Solutions: Check whether there is ARP spoofing from the host that sends a large number of ARP response packets.
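The four events above all reduce to simple counting over a sampling window of decoded ARP frames. The following Python script is an added example, not the analyzer's own code, that implements each check over a constructed capture: the `ArpRecord` fields, the thresholds, the 5-second window and the MAC/IP values are all assumptions chosen for illustration. It flags the malformed frame (ARP sender MAC disagreeing with the Ethernet source MAC), the host whose request rate exceeds the threshold, the host whose requests mostly go unanswered, and the host sending replies nobody asked for.

```python
"""Detection logic for the four data-link-layer ARP diagnosis events.

Added example, not the analyzer's own code. Records, thresholds and the
sampling window are constructed; a deployment would feed decoded ARP frames
from a mirrored port and use the product's configured thresholds.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpRecord:
    ts: float          # capture timestamp, seconds
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    op: int            # ARP opcode: 1 = request, 2 = reply
    sender_mac: str    # ARP header sender hardware address
    sender_ip: str     # ARP header sender protocol address
    target_ip: str     # ARP header target protocol address


def is_group_address(mac: str) -> bool:
    """True for multicast/broadcast MACs (I/G bit of the first octet set)."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def invalid_format(rec: ArpRecord) -> bool:
    """Invalid ARP Format: multicast source MAC, or ARP sender MAC that
    disagrees with the Ethernet source MAC (the two cases the table names)."""
    return is_group_address(rec.eth_src) or rec.sender_mac.lower() != rec.eth_src.lower()


def request_storm(records, window_s, per_second_threshold):
    """ARP Request Storm: hosts whose request rate over the window exceeds the threshold."""
    counts = Counter(r.eth_src for r in records if r.op == 1)
    return {mac for mac, n in counts.items() if n / window_s > per_second_threshold}


def scan_ratio(records, pct_threshold, min_requests):
    """ARP Scan: hosts whose percentage of unanswered requests is >= the threshold.
    min_requests stops one stray unanswered request from being reported as a scan."""
    replies = defaultdict(list)  # (requester MAC, answered IP) -> reply timestamps
    for r in records:
        if r.op == 2:
            replies[(r.eth_dst, r.sender_ip)].append(r.ts)
    sent, unanswered = Counter(), Counter()
    for r in records:
        if r.op != 1:
            continue
        sent[r.eth_src] += 1
        if not any(t > r.ts for t in replies[(r.eth_src, r.target_ip)]):
            unanswered[r.eth_src] += 1
    flagged = {}
    for mac, n in sent.items():
        pct = 100.0 * unanswered[mac] / n
        if n >= min_requests and pct >= pct_threshold:
            flagged[mac] = pct
    return flagged


def unrequested_replies(records, count_threshold):
    """ARP Too Many Unrequested Responses: hosts sending >= threshold replies that
    no outstanding request asked for. One reply consumes one request, so repeated
    replies for an already-answered IP (classic spoofing) count as unsolicited."""
    outstanding = set()  # (requester MAC, target IP) still awaiting a reply
    unsolicited = Counter()
    for r in sorted(records, key=lambda x: x.ts):
        if r.op == 1:
            outstanding.add((r.eth_src, r.target_ip))
        elif r.op == 2:
            key = (r.eth_dst, r.sender_ip)
            if key in outstanding:
                outstanding.discard(key)
            else:
                unsolicited[r.eth_src] += 1
    return {mac: n for mac, n in unsolicited.items() if n >= count_threshold}


def diagnose(records, window_s=5.0, storm_pps=5, scan_pct=50.0, min_requests=10, reply_count=3):
    """Run all four checks; thresholds are assumed values, not product defaults."""
    return {
        "Invalid ARP Format": sorted({r.eth_src for r in records if invalid_format(r)}),
        "ARP Request Storm": sorted(request_storm(records, window_s, storm_pps)),
        "ARP Scan": scan_ratio(records, scan_pct, min_requests),
        "ARP Too Many Unrequested Responses": unrequested_replies(records, reply_count),
    }


# Constructed sample capture (not real traffic): a 5-second window on 10.0.0.0/24.
# 02:.. addresses are locally administered unicast MACs.
GW, A, B, C, D = ("02:00:00:00:00:fe", "02:00:00:00:00:01", "02:00:00:00:00:22",
                  "02:00:00:00:00:33", "02:00:00:00:00:44")
BCAST = "ff:ff:ff:ff:ff:ff"


def sample_records():
    recs = [
        ArpRecord(0.0, A, BCAST, 1, A, "10.0.0.11", "10.0.0.1"),    # A asks for the gateway
        ArpRecord(0.1, GW, A, 2, GW, "10.0.0.1", "10.0.0.11"),      # gateway answers A
        ArpRecord(0.5, D, BCAST, 1, "02:00:00:00:00:55", "10.0.0.44", "10.0.0.1"),  # malformed
        ArpRecord(1.5, GW, B, 2, GW, "10.0.0.1", "10.0.0.22"),      # only 10.0.0.1 answers B
    ]
    # B sweeps 10.0.0.1-10.0.0.40 within one second (40 requests in the window).
    recs += [ArpRecord(1.0 + i / 100, B, BCAST, 1, B, "10.0.0.22", f"10.0.0.{i}")
             for i in range(1, 41)]
    # C repeatedly tells A that 10.0.0.1 is at C's MAC without ever being asked.
    recs += [ArpRecord(2.0 + i * 0.2, C, A, 2, C, "10.0.0.1", "10.0.0.11") for i in range(5)]
    return recs


if __name__ == "__main__":
    for event, hosts in diagnose(sample_records()).items():
        print(f"{event}: {hosts}")
```

The `min_requests` floor in the scan check and the consume-one-request rule in the unrequested-reply check are the two details worth keeping when adapting this: without the first, any host with a single unanswered request shows 100% and trips the scan event; without the second, a spoofer that answers an IP the victim once legitimately asked for would never be counted.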
