A common tactic for bad actors to get a foothold in the network is to leverage IP spoofing in order to either:

  1. Gain access to the network using an IP address that is already valid on it
  2. Man-in-the-middle a known service, allowing them to eavesdrop on or intercept its traffic

Regardless of the intention, IP spoofing can be a hard problem to track down if you don’t have proper monitoring in place. Today I will go over how this tactic can easily be detected and alarmed on using Scrutinizer and Beacon. This solution provides full endpoint device profiling as well as network traffic monitoring.

IP spoofing 101

IP spoofing really is as simple as finding a valid IP address on the network and assigning that address to the attacker's PC. It works even better for the attacker if the legitimate endpoint has been knocked offline (for example by DDoS) so that there is no ARP confusion or duplicate-IP conflict to give the change away.

Sometimes bad actors will take this a step further and spoof the endpoint's MAC address as well (more on this later). Once the bad actor and their traffic have gained a foothold, they become very hard to detect and track. Most switch platforms have implemented some form of sticky MAC (port security), but it is rarely enabled in production deployments.

Detection and visibility

There are a few ways to detect this behavior using metadata exported from network equipment. One way is simply to check whether multiple IPs are being tagged to a single MAC address. This can be difficult if the exporting devices don't support that level of detail, but the exports from Plixer FlowPro can help shed light on the blind spots.

Coupling the metadata exports with Plixer Beacon, which provides endpoint profiling, quickly narrows the focus to the problematic hosts through alarms that let you know when IP:MAC pairings have changed.
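As an added illustration of the pairing checks described above (example code written for this post, not Scrutinizer's or Beacon's own logic), the following Python walks a constructed set of flow-style records and alarms when an IP's MAC changes, when one MAC claims more than one IP, or when a known server talks on a port outside its expected role. The record fields and the expected-role table are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample records (not real flow data): timestamp, source IP,
# source MAC, destination port. 192.168.1.103 plays the DNS server role.
SAMPLE_RECORDS = [
    ("2020-01-01T09:00:00", "192.168.1.103", "00:11:22:33:44:55", 53),
    ("2020-01-01T09:05:00", "192.168.1.103", "00:11:22:33:44:55", 53),
    ("2020-01-01T09:10:00", "192.168.1.50", "aa:bb:cc:dd:ee:ff", 443),
    # A second MAC now claims the DNS server's IP and starts talking HTTPS.
    ("2020-01-01T09:20:00", "192.168.1.103", "aa:bb:cc:dd:ee:ff", 443),
    ("2020-01-01T09:21:00", "192.168.1.103", "aa:bb:cc:dd:ee:ff", 443),
]

# Assumed role table: the ports each known server is expected to talk on.
EXPECTED_PORTS = {"192.168.1.103": {53}}


def detect_spoofing(records, expected_ports=EXPECTED_PORTS):
    """Return (timestamp, alarm, ip, detail) tuples for three checks:
    an IP's MAC changed, one MAC claims several IPs, or a known server
    talks on a port outside its expected role (each service alarmed once)."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    seen_services = set()          # (ip, port) pairs already alarmed on
    alerts = []
    for ts, ip, mac, port in records:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "ip_mac_change", ip, f"{prev} -> {mac}"))
        ip_to_mac[ip] = mac

        if ip not in mac_to_ips[mac] and mac_to_ips[mac]:
            others = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append((ts, "mac_multi_ip", ip, f"{mac} also has {others}"))
        mac_to_ips[mac].add(ip)

        allowed = expected_ports.get(ip)
        if allowed is not None and port not in allowed and (ip, port) not in seen_services:
            seen_services.add((ip, port))
            alerts.append((ts, "unexpected_service", ip, f"port {port} not in {sorted(allowed)}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofing(SAMPLE_RECORDS):
        print(*alert)
```

On the sample data all three alarms fire on the 09:20 record, which is the same combination of signals (new MAC for a known IP plus unexpected HTTPS) that the real-world example below walks through.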

Real-world example

Below you can see an IP address (192.168.1.103 – DNS Server) that has quite a bit of HTTPS traffic. This is anomalous for this server since its primary use is as a DNS server.

[Figure: HTTPS traffic coming from a DNS server. Lots of HTTPS traffic from a DNS server is not expected.]

[Figure: Report showing a new MAC address for the host]

Further investigation shows a period when a new MAC address was seen for this host. This should only occur when the device is physically replaced on the network or has its NIC swapped.

The image below verifies what we saw in the metadata. For events where we want a more dynamic report on this type of behavior, we can use Plixer Beacon.

[Figure: Plixer Beacon report]

Plixer Beacon gives us similar event data, but also gives us very granular timeframe details, which are retained historically. This type of data helps with audits and provides peace of mind during security incidents.

Beyond getting MAC/IP pairings, Beacon will also profile endpoint devices to give you an understanding of what types of devices (as well as how many) are currently present on the network.

Conclusion

As you can see, coupling device and endpoint profiling with metadata quickly provides root-cause analysis in real time. If you would like to see how we can help track IP spoofing on your network, feel free to contact us!

Jake

Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers. He is responsible for providing customers with onsite training and configurations to make sure that Scrutinizer is set up to their needs. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and malware detection he also enjoys fishing and hiking.