ttist25

asked on

Detecting MAC address spoofing

Hello,

We're considering moving to a co-working space and I had a conversation about network security with the person that manages the network.

We were discussing different options and he made a statement that seemed odd to me.  I had asked about MAC spoofing as a potential way to circumvent a solution he had proposed (can't remember exactly what it was but I don't think it matters).  His response was something like "...no, our routers are able to detect MAC spoofing."  They are using a Meraki MX-84.

When I asked him how the router was able to detect MAC spoofing, he wasn't able to answer.  I know that doesn't mean the router isn't capable of it, but it piqued my interest enough to post here and see what you all had to say.

Is this something that the router is able to detect?  If so, what is the mechanism it uses to identify it (i.e., how the heck does it know)? :D  

Thanks in advance for any help.
noci

Router I am not so sure... Switches can be set to accept only ONE MAC address, so when a different MAC address is presented it won't pass the data.
(effectively tying a specific client MAC address to a switch port).

Then again they will pass all packets if the right MAC address is used. So not a way to prevent spoofing, just a way to delay it....

Another approach is (also switch-based): use the 802.1X protocol to authenticate systems using some certificate... then only the right system can connect to the network (on any port..., regardless of MAC address). This will require some RADIUS server to do the authenticating.

Again not exactly a spoofing disabler, it does require a system to prove it is allowed/known on the network.

BTW, MAC addresses cannot be considered a security authenticator. As the fact it CAN be spoofed already shows, besides it has a different defined function, being an address. Like a username is an address, and not an authenticator. For authentication users are required to show 1 or 2 or even more "factors" of authentication, aka password, PIN code, token, ....
There is no usable system that only uses a username as security token. (Other forms of username equivalents: face images, fingerprints, and other hard-to-change items; it's hard to get a face transplant once the authenticator gets compromised.)
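The port-security idea above (one MAC per switch port) is a heuristic, not proof: a switch can only notice that a MAC is somewhere it should not be. The following is an added example, not code from the thread or from Meraki, that runs the two indicators such a heuristic can give over constructed snapshots of a switch's MAC address table: the same MAC learned on two ports in one snapshot (one NIC cannot be on two ports), and a port whose learned MAC changes over time (what a one-MAC-per-port policy would trip on). Port names, timestamps and MACs are all constructed sample data.

```python
"""Heuristic MAC-spoofing indicators from switch MAC-table snapshots (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    ts: int      # snapshot time in seconds (constructed)
    port: str    # switch port the MAC was learned on (constructed names)
    mac: str     # MAC address as printed by the switch, any common notation


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-11-22-33-44-55' == '0011.2233.4455'."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def duplicate_macs(entries):
    """MACs seen on more than one port within the same snapshot.

    Returns {(ts, mac): [ports]}. A single NIC cannot sit on two ports, so this
    is either a cloned/spoofed address or a wiring problem; it still needs a
    human to tell which.
    """
    seen = defaultdict(set)
    for e in entries:
        seen[(e.ts, normalize_mac(e.mac))].add(e.port)
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) > 1}


def port_mac_changes(entries, allowed_per_port=1):
    """Ports that have learned more distinct MACs over time than the policy allows.

    Returns {port: [macs in order of first appearance]}. This mirrors a sticky
    port-security policy: the first MAC is accepted, later different MACs
    would be a violation.
    """
    history = defaultdict(list)
    for e in sorted(entries, key=lambda x: x.ts):
        mac = normalize_mac(e.mac)
        if mac not in history[e.port]:
            history[e.port].append(mac)
    return {port: macs for port, macs in history.items() if len(macs) > allowed_per_port}


def indicators(entries):
    """Both heuristics in one report; an empty report does NOT mean no spoofing."""
    return {"duplicate_macs": duplicate_macs(entries),
            "port_mac_changes": port_mac_changes(entries)}


# Constructed sample: three snapshots of a small switch, 60 s apart.
SAMPLE = [
    Entry(0, "Gi1/0/1", "00:11:22:33:44:55"),
    Entry(0, "Gi1/0/2", "00:11:22:33:44:66"),
    Entry(60, "Gi1/0/1", "00:11:22:33:44:55"),
    Entry(60, "Gi1/0/2", "00:11:22:33:44:66"),
    Entry(120, "Gi1/0/1", "00:11:22:33:44:55"),
    Entry(120, "Gi1/0/7", "0011.2233.4455"),     # same MAC now also on port 7
    Entry(120, "Gi1/0/2", "aa:bb:cc:dd:ee:ff"),  # port 2's learned MAC changed
]

if __name__ == "__main__":
    for name, hits in indicators(SAMPLE).items():
        print(name, hits or "none")
```

Both checks only see what the switch saw; a spoofer that waits until the legitimate host is unplugged produces no duplicate and, on a port without sticky enforcement, no change alert either, which is the "delay, not prevent" point made above.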
ASKER CERTIFIED SOLUTION
John
Meraki has algorithms to detect spoofing, but it's not foolproof.  He doesn't know because he can't control it.  Meraki does it for you and sends a notification as well as blocks a spoofed MAC.  A dedicated attacker can likely still work around this.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/IP_Source_Address_Spoofing_Protection
I looked up my MAC address and it says it is situated in US Mid West.  No.
@serialband the link provided only accounts for IP address spoofing and not MAC address spoofing. MAC doesn't even appear on that page.
Access point protection will detect MAC AND SSID spoofing. https://documentation.meraki.com/MR/Monitoring_and_Reporting/Mitigating_a_Spoofed_AP and it is not automatic; you have to turn off your AP and then search using a tool like inSSIDer to try and find the rogue AP.
A rogue AP is quite a different thing from detecting clients spoofing addresses.
A rogue AP is detectable if the APs are talking amongst each other (preferably over wires).
There really is no good way to detect a spoofed MAC address. The section of noci's comment discussing 802.1X  and certificates is going to be by far your best bet. That way you're essentially establishing which devices are trusted.
You need to read through the theory document I posted above. It is a statistical analysis approach and no guarantee of finding a spoofed MAC address.

ASKER

Thanks for all of the input guys.  

John, that article on random forests is really interesting.  Thanks for that.

You have all confirmed my suspicions and pointed out where the misinterpretation may be (i.e., detecting MAC spoofing of a rogue AP vs. a client endpoint).

Thanks for the help!
You are very welcome and I was happy to provide that for you.
I did start reading through it. And let's also bear in mind that it is a three year old paper that proposes an idea. Not calling it good or bad, but something that isn't implemented as of today (assuming that it were reliable). Not going to help the author at this point.
They did implement it.  It's in @David Johnson's link, the one I thought I copied and pasted.  It's limited to APs and WiFi MAC spoofing.  There isn't any way to definitively detect MAC spoofing otherwise.