A common tactic bad actors use to get a foothold in a network is IP spoofing, either to:
- Gain access to the network using an IP address that is already valid (and therefore trusted) on it
- Man-in-the-middle a known service, allowing them to eavesdrop on or intercept its traffic
Regardless of the intention, IP spoofing can be a hard problem to track down if you don’t have proper monitoring in place. Today I will go over how this tactic can be detected and alarmed on using Scrutinizer and Endpoint Analytics, which together provide full endpoint device profiling as well as network traffic monitoring.
IP spoofing 101
IP spoofing really is as simple as finding a valid IP address on the network and configuring the attacker’s machine to use it. It works even better if the attacker can first knock the legitimate endpoint offline (for example with a DDoS) so that there is no ARP confusion or duplicate-IP conflict to give the takeover away.
Sometimes bad actors take this a step further and spoof the endpoint’s MAC address as well (more on this later). Once the bad actor has that foothold, their traffic becomes very hard to detect and track. Most switch platforms support port security with sticky MAC addresses, which would block a second device from claiming a learned address, but that feature is rarely enabled in production deployments.
Detection and visibility
There are a few ways to detect this behavior using metadata exported from network equipment. One is simply to check whether multiple IPs are being tagged to a single MAC address. This can be difficult if the exporting devices don’t support exporting MAC information, but the exports from Plixer FlowPro can help shed light on those blind spots.
Coupling those metadata exports with Endpoint Analytics, which profiles endpoints, quickly narrows the focus to the problematic hosts: its alarms let you know when IP:MAC pairings have changed.
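The two checks described above (an IP whose MAC changes, and a MAC that claims more than one IP) as an added example, written for this post and not taken from Scrutinizer, Endpoint Analytics or FlowPro. The records, MAC addresses and the `known`/`multi_ip_allowlist` parameters are constructed assumptions; in practice the records would come from flow, ARP or DHCP exports, and `known` would hold approved pairings such as DHCP leases.

```python
"""Detect IP spoofing from IP:MAC pairings seen in exported network metadata."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PairingRecord:
    ts: int       # epoch seconds when the pairing was observed
    ip: str
    mac: str
    source: str   # exporter that reported it, e.g. "arp", "flowpro", "dhcp"


# Constructed sample data (not real records). 192.168.1.103 is the DNS server
# from the post; at ts 1200 a second MAC starts claiming its IP, and that same
# MAC is also seen with its own original address 192.168.1.250.
SAMPLE_RECORDS = [
    PairingRecord(1000, "192.168.1.103", "00:1a:2b:3c:4d:01", "arp"),
    PairingRecord(1000, "192.168.1.250", "00:1a:2b:3c:4d:ff", "arp"),
    PairingRecord(1060, "192.168.1.103", "00:1a:2b:3c:4d:01", "flowpro"),
    PairingRecord(1200, "192.168.1.103", "00:1a:2b:3c:4d:ff", "flowpro"),
    PairingRecord(1260, "192.168.1.103", "00:1a:2b:3c:4d:ff", "arp"),
    PairingRecord(1300, "192.168.1.250", "00:1a:2b:3c:4d:ff", "flowpro"),
]


def detect_pairing_changes(records, known=None, multi_ip_allowlist=None):
    """Return alerts for IPs whose MAC changed and MACs that claim several IPs.

    known:              optional dict ip -> mac of approved pairings (e.g. DHCP
                        leases); a change *to* the approved MAC never alerts.
    multi_ip_allowlist: MACs legitimately seen with many IPs (gateways,
                        hypervisors doing NAT); these never raise the
                        mac_multiple_ips alert.
    Alerts are emitted once per change, not once per observation.
    """
    known = dict(known or {})
    allow_multi = set(multi_ip_allowlist or ())
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # every IP ever seen for each MAC
    alerts = []
    for r in sorted(records, key=lambda r: r.ts):   # stable, so ties keep order
        prev = ip_to_mac.get(r.ip)
        if prev is not None and prev != r.mac and known.get(r.ip) != r.mac:
            alerts.append({"ts": r.ts, "type": "ip_mac_changed", "ip": r.ip,
                           "old_mac": prev, "new_mac": r.mac, "source": r.source})
        ip_to_mac[r.ip] = r.mac

        before = len(mac_to_ips[r.mac])
        mac_to_ips[r.mac].add(r.ip)
        grew = len(mac_to_ips[r.mac]) > before
        if grew and len(mac_to_ips[r.mac]) > 1 and r.mac not in allow_multi:
            alerts.append({"ts": r.ts, "type": "mac_multiple_ips", "mac": r.mac,
                           "ips": sorted(mac_to_ips[r.mac]), "source": r.source})
    return alerts


if __name__ == "__main__":
    for alert in detect_pairing_changes(SAMPLE_RECORDS):
        print(alert)
```

Run against the sample, this produces exactly two alerts, both at ts 1200: the DNS server's IP moving to `00:1a:2b:3c:4d:ff`, and that MAC now holding two IPs. Both conditions firing on the same MAC at the same time is the signature of an address takeover rather than a reassignment; a legitimate DHCP reassignment would appear in `known` and trigger neither.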
Real-world example
Below you can see an IP address (192.168.1.103, the DNS server) with quite a bit of HTTPS traffic. That is anomalous for this host, since its primary job is serving DNS.
The image below verifies what we saw with the metadata. When we want a more dynamic report on this type of behavior, we can use Endpoint Analytics.
Endpoint Analytics gives us similar event data, but also very granular timeframe details, which are retained historically. This type of data helps with audits and provides peace of mind during security incidents.
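The check behind the real-world example above (a host whose traffic does not match its role), as an added example written for this post rather than Scrutinizer's or Endpoint Analytics' own logic. The flow records, the `ROLE_PROFILES` policy and the `HOST_ROLES` assignment are constructed assumptions; the point it adds to the narrative is that direction matters: a DNS server answering on 53 is normal, a DNS server initiating HTTPS to the outside is not.

```python
"""Flag flows that fall outside the expected profile of a host's role."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str      # "udp" or "tcp"
    dst_port: int
    nbytes: int


# Constructed sample flows (not real data). The DNS server 192.168.1.103 is
# expected to answer DNS and to forward queries upstream; the two large HTTPS
# flows it initiates are the anomaly from the post.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "192.168.1.103", "udp", 53, 120),
    Flow("192.168.1.51", "192.168.1.103", "udp", 53, 98),
    Flow("192.168.1.103", "198.51.100.1", "udp", 53, 140),
    Flow("192.168.1.103", "203.0.113.10", "tcp", 443, 250_000),
    Flow("192.168.1.103", "203.0.113.11", "tcp", 443, 180_000),
    Flow("192.168.1.50", "203.0.113.10", "tcp", 443, 5_000),
]

# Hypothetical role policy: services the host may SERVE (flows into it) and
# services it may CONSUME (flows it initiates).
ROLE_PROFILES = {
    "dns_server": {
        "serve": {("udp", 53), ("tcp", 53)},
        "consume": {("udp", 53), ("tcp", 53)},
    },
}
HOST_ROLES = {"192.168.1.103": "dns_server"}   # assumed from profiling


def find_role_violations(flows, host_roles=HOST_ROLES, profiles=ROLE_PROFILES,
                         min_bytes=0):
    """Aggregate bytes of traffic outside each profiled host's role.

    Returns {(host, direction, proto, dst_port): total_bytes} for every
    (host, service) pair not permitted by the host's profile, keeping only
    entries whose total is at least min_bytes. Hosts without a role are
    ignored: this check is about profiled servers, not workstations.
    """
    totals = defaultdict(int)
    for f in flows:
        svc = (f.proto, f.dst_port)
        if f.src_ip in host_roles:      # host acting as a client
            allowed = profiles[host_roles[f.src_ip]]["consume"]
            if svc not in allowed:
                totals[(f.src_ip, "outbound", f.proto, f.dst_port)] += f.nbytes
        if f.dst_ip in host_roles:      # host acting as a server
            allowed = profiles[host_roles[f.dst_ip]]["serve"]
            if svc not in allowed:
                totals[(f.dst_ip, "inbound", f.proto, f.dst_port)] += f.nbytes
    return {k: v for k, v in totals.items() if v >= min_bytes}


if __name__ == "__main__":
    for key, total in find_role_violations(SAMPLE_FLOWS).items():
        host, direction, proto, port = key
        print(f"{host} {direction} {proto}/{port}: {total} bytes outside role")
```

On the sample this reports a single entry, the DNS server's outbound tcp/443 traffic totalling 430,000 bytes, while the workstation's own HTTPS and all the DNS traffic stay quiet. A `min_bytes` floor keeps one-off probes from paging anyone; an inbound violation on the same host (someone connecting to a port it should not be serving) would point at the spoofer having stood up a service on the stolen address.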
Beyond getting MAC/IP pairings, Endpoint Analytics will also profile endpoint devices to give you an understanding of what types of devices (as well as how many) are currently present on the network.
Conclusion
As you can see, coupling device and endpoint profiling with metadata quickly provides root cause analysis in real time. If you would like to see how we can help track IP spoofing on your network, feel free to contact us!