Monitoring IP Spoofing activity on your network
In my opinion, network traffic analysis and bandwidth monitoring solutions are a must have. You can closely monitor bandwidth and traffic patterns to identify any anomalies that can be addressed before they become threats. The trick is to capture usernames and other metadata as well as the usual IP addresses and flow information, so that you can fully understand what is happening on your network and spot suspicious traffic like IP spoofing.
Last week, I worked on an interesting network issue which involved IP Spoofing. One of our LANGuardian customers reported that they were seeing a lot of network scans from IP addresses that were not part of their local address scheme. Network scans are typically triggered when a single IP address attempts to connect to hundreds of other clients in a short time period.
The customer was using 10.0.0.0/8 addressing but the scans were originating from 172.16.0.0/12 addresses. For a 24 hour period, we detected over 5.5 million connection attempts. What was unusual here is the source address range: it is private, so it should not be routing in from the Internet.
The customer wanted to know if this was IP Spoofing or if the traffic from this network had somehow made its way into their main corporate network. IP Spoofing involves the creation of IP packets with a false source IP address for the purpose of hiding the identity of the sender or impersonating another computing system.
IP Spoofing is also widely used in DDoS amplification attacks. In most DNS and NTP amplification attacks, the attacker spoofs the source address of its requests to be that of the target, so the target is flooded with unsolicited responses. DDoS attacks like this can overwhelm networks; a recent attack on the Krebs on Security blog resulted in 665 Gbps of traffic.
If you do spot suspicious traffic or IP addresses on your network, you first must work out if it is spoofed or if actual connections were established. Many traffic analysis or IDS systems can trigger alerts when a single source attempts to connect to many other devices on a network. In most cases, they are watching out for SYN packets which try to initiate a connection. If the target host responds, then a connection may be possible; if no reply is ever seen, the source address may not belong to a real host at all.
Your first priority will be to look at flow reports associated with the source addresses. For the purposes of this demonstration, I am going to use our own product LANGuardian. However, you can use a similar approach with other network traffic monitoring applications. I am also going to focus on the 10.11.0.0/16 network which is the source of the scans in my case.
As can be seen from the image below, we do not detect any flows or connections associated with this subnet. This would suggest that the source device(s) of these packets is spoofing the IP addresses.
The next step of your investigation would be to determine which MAC addresses are associated with these IP addresses. Again I am using the built-in inventory reports of LANGuardian to resolve the MAC address of the suspicious IP addresses. In my case, I narrowed the search down to a single Dell system.
My next step would be to check the MAC tables on my switches so that I can find what port the device is connected to and shut it down. Going back to the customer issue I worked on, we traced the problem back to one of their firewalls. It had a known issue where it would send out random IP packets with source addresses in the 172.16.0.0/12 network. An upgrade resolved the issue and the spoofed packets disappeared.
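The investigation above (flag sources outside the local address scheme that hit many hosts, check whether any replies were ever seen, then tie each suspicious source back to a MAC address) can be scripted against exported flow data. This is an added example, not LANGuardian's own code; it assumes a sensor that exports, per flow, the source MAC and whether any packet was seen in the reverse direction, and it runs over constructed records that mimic the case described.

```python
import ipaddress
from collections import defaultdict

# Constructed records of the kind a flow/DPI sensor might export (assumption):
# (src_mac, src_ip, dst_ip, dst_port, replied). 'replied' is True when at least
# one packet was seen travelling back from dst to src for that flow.
RECORDS = (
    [("00:14:22:aa:bb:01", "172.16.5.9", f"10.0.1.{i}", 445, False) for i in range(1, 41)]
    + [("00:14:22:aa:bb:01", "172.16.5.10", f"10.0.2.{i}", 445, False) for i in range(1, 31)]
    + [("3c:52:82:cc:dd:02", "10.0.0.50", f"10.0.3.{i}", 22, True) for i in range(1, 26)]
    + [("3c:52:82:cc:dd:03", "10.0.0.7", "10.0.0.8", 80, True)]
)

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # the customer's address scheme
SCAN_THRESHOLD = 20  # distinct destinations per source before we call it a scan

def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)

def analyse(records, threshold=SCAN_THRESHOLD):
    """Return {src_ip: finding} for every source that scanned >= threshold hosts."""
    dsts, replies, macs = defaultdict(set), defaultdict(int), defaultdict(set)
    for mac, src, dst, _port, replied in records:
        dsts[src].add(dst)
        replies[src] += int(replied)
        macs[src].add(mac)
    findings = {}
    for src, targets in dsts.items():
        if len(targets) < threshold:
            continue
        findings[src] = {
            "targets": len(targets),
            "local_source": is_local(src),
            "replies_seen": replies[src],
            # Never answered and outside our address scheme: most likely spoofed.
            "likely_spoofed": replies[src] == 0 and not is_local(src),
            "macs": sorted(macs[src]),
        }
    return findings

def spoofing_macs(findings):
    """MAC addresses behind the likely-spoofed sources (the hosts to trace on the switch)."""
    return {m for f in findings.values() if f["likely_spoofed"] for m in f["macs"]}

if __name__ == "__main__":
    result = analyse(RECORDS)
    for src, f in result.items():
        print(src, f)
    print("trace these MACs on the switches:", spoofing_macs(result))
```

A real scan from 10.0.0.50 is reported too, but it stays out of the spoofing list because its targets answered and its address belongs to the local scheme.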
For additional information on IP Spoofing, take a moment to watch this short video.
NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort's flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology, which can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions for everything from user activity monitoring to file activity monitoring, web activity monitoring, network security monitoring, bandwidth monitoring, wire data analytics, network forensics and packet capture.
To see LANGuardian in action – try our interactive demo today!