
Detecting IP spoofing with Plixer Scrutinizer and Endpoint Analytics

jake

A common tactic for bad actors to get a foothold into the network is to leverage IP spoofing to either:

  1. Gain access to a network using a valid IP address
  2. Man-in-the-middle a known service, allowing them to eavesdrop on or intercept traffic

Regardless of the intention, IP spoofing can be a hard problem to track down if you don’t have proper monitoring in place. Today I will go over how this tactic can easily be detected and alerted on using Scrutinizer and Endpoint Analytics. This solution provides full endpoint device profiling as well as network traffic monitoring.

IP spoofing 101

IP spoofing really is as simple as finding a valid IP address on the network and assigning that address to the attacker’s PC. It works even better for the attacker if the legitimate endpoint is taken offline (DDoSed) so that there isn’t any ARP confusion or duplicate-IP conflict.

Sometimes bad actors will take this a step further and spoof the endpoint’s MAC address—more on this later. Once the bad actor has gained a foothold, their traffic becomes very hard to detect and track. Most switch platforms have implemented some form of sticky MAC (port security), but enabling it is rare in production deployments.

Detection and visibility

There are a few ways to detect this behavior using metadata exported from network equipment. One way is to simply check whether multiple IPs are being tagged to a single MAC address. This can sometimes be difficult if the exporting devices don’t support it, but the exports from Plixer FlowPro can help shed light on the blind spots.

Coupling the metadata exports with Endpoint Analytics, which provides endpoint profiling, quickly narrows focus to the problematic hosts through alarm mechanisms that let you know IP:MAC pairings have changed.

Real-world example

Below you can see an IP address (192.168.1.103 – DNS Server) that has quite a bit of HTTPS traffic. This is anomalous for this server since its primary use is as a DNS server.

[Image: HTTPS traffic coming from a DNS server] Lots of HTTPS traffic coming from a DNS server—not expected.

[Image: Report showing new MAC address for the host]
Further investigation shows a period where a new MAC address was seen for this host. This should only occur when the device is physically replaced on the network or perhaps has a NIC swap.
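The two signals described above (an IP whose MAC pairing changes, and a MAC that shows up with more than one IP) plus the role-based traffic anomaly in this example (HTTPS from a host that should only serve DNS) can be checked with a small script over flow metadata. The following is an added example, not code from the post or from Plixer; the flow records, the MAC addresses and the role baseline are constructed, and the field layout (timestamp, source IP, source MAC, destination port, bytes) is an assumption about what an enriched export would carry.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the post): one line per observed
# flow, in the shape an enriched collector export might take.
# Fields: timestamp src_ip src_mac dst_port bytes
SAMPLE_RECORDS = """\
2024-05-01T08:00:00 192.168.1.103 00:11:22:33:44:55 53 1200
2024-05-01T08:05:00 192.168.1.103 00:11:22:33:44:55 53 980
2024-05-01T08:10:00 192.168.1.103 00:11:22:33:44:55 53 1500
2024-05-01T08:15:00 192.168.1.103 aa:bb:cc:dd:ee:ff 443 250000
2024-05-01T08:20:00 192.168.1.103 aa:bb:cc:dd:ee:ff 443 310000
2024-05-01T08:21:00 192.168.1.150 aa:bb:cc:dd:ee:ff 443 4000
2024-05-01T08:25:00 192.168.1.103 aa:bb:cc:dd:ee:ff 53 900
"""

# Hypothetical role baseline: ports a host of a given role is expected to
# use. The DNS server address is the one the post discusses.
ROLE_BASELINE = {"192.168.1.103": ("dns-server", {53})}


def parse_records(text):
    """Parse the constructed flow lines into dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac, port, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "mac": mac.lower(),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return sorted(records, key=lambda r: r["ts"])


def mac_changes(records):
    """Return [(ip, old_mac, new_mac, ts)] for every point where an IP is
    seen with a MAC different from the one last seen for it (the IP:MAC
    pairing-change alarm)."""
    last_mac = {}
    changes = []
    for r in records:
        prev = last_mac.get(r["ip"])
        if prev is not None and prev != r["mac"]:
            changes.append((r["ip"], prev, r["mac"], r["ts"]))
        last_mac[r["ip"]] = r["mac"]
    return changes


def macs_with_multiple_ips(records):
    """Return {mac: sorted ips} for MACs observed with more than one IP."""
    ips = defaultdict(set)
    for r in records:
        ips[r["mac"]].add(r["ip"])
    return {m: sorted(s) for m, s in ips.items() if len(s) > 1}


def off_baseline_traffic(records, baseline):
    """Sum bytes per (ip, port) for ports outside the host's role baseline;
    hosts without a baseline entry are ignored."""
    totals = defaultdict(int)
    for r in records:
        if r["ip"] in baseline and r["port"] not in baseline[r["ip"]][1]:
            totals[(r["ip"], r["port"])] += r["bytes"]
    return dict(totals)


def correlate(records, baseline):
    """For each MAC change, report the off-baseline traffic from that IP at
    or after the change: the combination that points at a spoofed host."""
    findings = []
    for ip, old, new, ts in mac_changes(records):
        after = [r for r in records if r["ip"] == ip and r["ts"] >= ts]
        findings.append({
            "ip": ip, "old_mac": old, "new_mac": new,
            "since": ts.isoformat(),
            "off_baseline": off_baseline_traffic(after, baseline),
        })
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("MAC changes:", mac_changes(recs))
    print("MACs with multiple IPs:", macs_with_multiple_ips(recs))
    for finding in correlate(recs, ROLE_BASELINE):
        print(finding)
```

On the constructed data the script reports one pairing change for 192.168.1.103 at 08:15, one MAC (aa:bb:cc:dd:ee:ff) claiming two IPs, and 560000 bytes of port 443 traffic from the DNS server after the change, which is the same picture the reports above show. A NIC swap would also trip the first check, so the role-baseline correlation is what separates maintenance from spoofing.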

The image below verifies what we saw with the metadata. For the events where we want a more dynamic report on this type of behavior, we can use Endpoint Analytics.

[Image: Plixer Beacon report]

Endpoint Analytics gives us similar event data, but also gives us very granular timeframe details, which are retained historically. This type of data can help with audits and provide peace of mind during security incidents.

Beyond getting MAC/IP pairings, Endpoint Analytics will also profile endpoint devices to give you an understanding of what types of devices (as well as how many) are currently present on the network.

Conclusion

As you can see, coupling device and endpoint profiling with metadata quickly provides root cause analysis in real time. If you would like to see how we can help track IP spoofing on your network, feel free to contact us!