
My team is inspecting some MAC Spoofing events that are triggering in our corporate environment. After talking it over with the team, this is the information that we have that is relevant:

  • The events are being triggered by our client-side software firewalls.
  • There are occurrences across the network; seeing that MAC spoofing is limited to layer 2 and that we do not have a flat network, this leads us away from the idea of intentional malicious activity.
  • We know of issues that our firewall has had in past versions when it comes to picking up MAC spoofing, but there's nothing to indicate that issue with our current implementation.
  • We are currently trying to figure out the OS types for the source & destination systems.
  • There is no documented security exception/reason why any of our machines would be spoofing their MAC addresses.
  • These events started occurring recently and have continued to occur (over the last 3-4 days).
  • This is a given by my other points, but we have not successfully been able to recreate the event on machines that we are testing.

Any help figuring out the source of this issue would be appreciated. I'll update if we find any additional helpful information or if we resolve the issue (I've just been brought onto this issue, so I don't have a complete understanding of what we know yet).

P.S. I can't, in sound mind, give any more information as to what products we use for our security systems.

Ormis
  • @nhnb was able to think of more possibilities than I was. On that note, I was also just informed that the issue is being handed over to a different department, so I am no longer doing any investigation into the matter. If I find anything in the future I'll let you guys know. – Ormis Apr 25 '11 at 18:08
  • Just so you know for the future "in sound mind" does not mean the same thing as "in good conscience". – Mark Beadles Apr 16 '12 at 20:26

1 Answer

Common cases for MAC spoofing alarms are:

  • virtual machines being cloned or reconfigured
  • people pulling the plug to connect notebooks
  • DHCP recycling ip addresses
  • loading different firmware on network cards (especially wireless cards)
  • (rarely) bit flipping in the PROM of the network card.

It would be interesting to know if those alarms are for mismatching MAC addresses and switch ports or mismatching MAC addresses and IP addresses. Is only one computer affected or many? Are the differences between the old and new MAC address only one or two bits? Are MAC multicast addresses involved?

Hendrik Brummermann
  • These are all interesting ideas. For my situation in particular I can say the following: We are seeing these alarms being tripped by host-to-host communication on the same subnet, and it's not a persistent MAC change. Also, I can ensure that they are not virtual machines. A wireless/wired cut-over would be forced to a different network segment and require authentication. The wireless NIC firmware change seems like a valid option, but it still does not line up with the visible cases. – Ormis Apr 25 '11 at 17:48
  • To answer your questions directly... These alarms are host to host (triggered off of IP addressing)... There are multiple cases across different network segments (so >100 cases) but still not enough to suggest an image push is to blame. I'm checking the MACs to see how close they are now. Also, multicast is out of the question. – Ormis Apr 25 '11 at 17:53
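The answer's diagnostic questions (is the old/new difference only a bit or two, is a multicast address involved, is one host or many affected, do both addresses share a vendor OUI) can be answered mechanically once the alarms are exported. The following triage script is an added example and is not code from the answerer or from any firewall product; the key=value event format, the host names, addresses and timestamps are constructed sample data, and the three-entry virtualization OUI table is a deliberately tiny illustration of what a lookup against the IEEE registry would provide.

```python
"""Triage MAC-spoofing alarms: bit-flip distance, multicast/locally-administered
bits, OUI comparison and per-host counts. Added example with constructed data."""
import re
from collections import Counter

# Constructed sample events. The line format is an assumption for this example,
# not the format of any particular firewall's log.
SAMPLE_EVENTS = """\
2011-04-25T17:40:12 host=ws-0142 MAC_SPOOF ip=10.20.5.17 old_mac=00:1b:21:3a:4c:5d new_mac=00:1b:21:3a:4c:5c
2011-04-25T17:41:03 host=ws-0142 MAC_SPOOF ip=10.20.5.17 old_mac=00:1b:21:3a:4c:5c new_mac=00:1b:21:3a:4c:5d
2011-04-25T17:45:30 host=ws-0207 MAC_SPOOF ip=10.20.9.44 old_mac=00:50:56:9a:11:22 new_mac=00:0c:29:7f:aa:bb
2011-04-25T17:50:08 host=ws-0311 MAC_SPOOF ip=10.20.5.250 old_mac=00:1b:21:3a:4c:5d new_mac=01:00:5e:00:00:fb
2011-04-25T18:02:41 host=ws-0419 MAC_SPOOF ip=10.20.7.3 old_mac=3c:97:0e:12:34:56 new_mac=02:00:00:12:34:56
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+MAC_SPOOF\s+ip=(?P<ip>\S+)\s+"
    r"old_mac=(?P<old>[0-9a-fA-F:]{17})\s+new_mac=(?P<new>[0-9a-fA-F:]{17})$"
)

# Illustrative subset only; a real check would consult the full IEEE OUI registry.
VIRTUALIZATION_OUIS = {"00:50:56": "VMware", "00:0c:29": "VMware", "08:00:27": "VirtualBox"}


def parse_events(text):
    """Parse key=value alarm lines into dicts; MACs are normalised to lower case."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            fields = m.groupdict()
            fields["old"] = fields["old"].lower()
            fields["new"] = fields["new"].lower()
            events.append(fields)
    return events


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def hamming_distance(mac_a, mac_b):
    """Number of differing bits between two MAC addresses (1-2 hints at a bit flip)."""
    return bin(mac_to_int(mac_a) ^ mac_to_int(mac_b)).count("1")


def first_octet(mac):
    return int(mac.split(":")[0], 16)


def is_multicast(mac):
    # The least-significant bit of the first octet is the I/G (multicast) bit.
    return bool(first_octet(mac) & 0x01)


def is_locally_administered(mac):
    # The second-least-significant bit is the U/L bit; set means the address
    # was assigned by software rather than burned in by the vendor.
    return bool(first_octet(mac) & 0x02)


def oui(mac):
    return mac[:8]


def classify(event):
    """Tag one alarm with the hypotheses from the answer that it is consistent with."""
    old, new = event["old"], event["new"]
    tags = []
    if hamming_distance(old, new) <= 2:
        tags.append("one_or_two_bit_difference")
    if is_multicast(new):
        tags.append("multicast_address")
    if is_locally_administered(new):
        tags.append("locally_administered")
    if oui(old) == oui(new):
        tags.append("same_oui")
    elif oui(old) in VIRTUALIZATION_OUIS or oui(new) in VIRTUALIZATION_OUIS:
        tags.append("virtualization_oui")
    return tags


def summarize(events):
    """Return (tag counts, alarms per host) so 'one computer or many' is visible."""
    tag_counts = Counter()
    per_host = Counter()
    for e in events:
        per_host[e["host"]] += 1
        tag_counts.update(classify(e))
    return tag_counts, per_host


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e in evs:
        print(e["host"], e["old"], "->", e["new"], classify(e))
    tags, hosts = summarize(evs)
    print("tags:", dict(tags))
    print("alarms per host:", dict(hosts))
```

On the constructed data the first host flips back and forth by a single bit (consistent with the answer's rare PROM bit-flip or a flapping NIC), the third alarm involves two virtualization OUIs, the fourth targets a multicast address, and the last has the locally-administered bit set, which is what a software-assigned address looks like. Run against real exports, the per-host counter is the quickest way to separate one misbehaving machine from a fleet-wide pattern.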