The paper that has been published here: https://dl.acm.org/citation.cfm?id=3282283 proposes a consensus algorithm based on a distributed voting process in which it claims that it would be possible to detect (and not prevent) MAC address change using Cisco Port Security in a decentralized network.

Do you think it is practicable to detect MAC address change in a decentralized network and without relying on a trusted entity?

Among all techniques proposed to detect MAC spoofing, is there a reliable approach such that we can detect this type of attack strongly?

Some of the proposed approaches are as follows:

https://www.cs.dartmouth.edu/~campbell/papers/spoofing.pdf

https://pdfs.semanticscholar.org/d5ef/30919b4f28b82d6fb637e17a5a992f82ecaa.pdf

https://ieeexplore.ieee.org/abstract/document/5723112/

And more approaches: https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&q=mac++spoofing+detection&btnG=

We hear too much that MAC spoofing is very simple. Does it mean that none of those approaches for detecting MAC spoofing works? And in general, does it mean that there is no way to detect MAC spoofing?

Can "fingerprinting a node" be considered a solution to identify a node? (https://www.npmjs.com/package/node-fingerprint) or (https://pdfs.semanticscholar.org/d5ef/30919b4f28b82d6fb637e17a5a992f82ecaa.pdf)

P.S.: MAC address change detection using Cisco Port Security is described here: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/sec_port.pdf and here: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_portsec.pdf

Questioner
  • This question is not about professional IT so it doesn't belong here. You may be able to get help on our sister site [bitcoin.se]. But I think you'll find that the approach outlined in this paper isn't workable, precisely because the MAC address isn't a unique reliable identifier. – Michael Hampton Nov 11 '18 at 18:58
  • Thank you, that is exactly my question: How to identify a machine/host in a network, such that if the user changes this identity, then the network can **detect** it? If MAC address spoofing is not **detectable**, are there other alternative and detectable approaches instead of using MAC addresses? For example, how about IP address? Thanks – Questioner Nov 11 '18 at 19:05

1 Answer

It is practicable to detect MAC address changes in a network, of course, and there are tools available, e.g.: https://github.com/craig/ge.mine.nu/tree/master/arpcheck

Best practice would be to only allow whitelisted MACs to be routed on your gateway. A better solution, preventing an attacker from messing with devices on Layer 2, would be to enforce whitelisting directly on the switch with port security.

I'm not sure what you're aiming for and hope this helps.

Craig
  • Thank you, the purpose is to detect MAC spoofing in a network like the Bitcoin or Ethereum network, where my computer is connected to this network remotely, where my MAC address is not presented on the other side of the network and so I am able to spoof the MAC easily! So, I am looking for an approach to detect MAC spoofing for a "decentralized network" without relying on a trusted entity (like a network administrator). So, do you think it is possible to detect (and not prevent) MAC spoofing in a decentralized system/network? Thanks – Questioner Nov 11 '18 at 12:29
  • MAC address spoofing is only relevant for layer 2 networks and not for the use-case you described. – Craig Nov 11 '18 at 14:04
  • Do you mean there is no way to **detect** MAC spoofing in a decentralized network? Thanks – Questioner Nov 11 '18 at 14:15
  • Yes. It could work if every layer 3 component was running some kind of MAC spoofing detection, but you won't succeed in making everyone do that. Basically, this is something you cannot fix. – Craig Nov 11 '18 at 14:42
  • Thank you, just two questions: (1) In your previous comment, you mentioned that MAC spoofing is only relevant for layer 2; however, here you mentioned layer 3. (2) Do you mean that if everyone who is connected to the network (such as Bitcoin) runs a MAC spoofing component in layer 2 (or 3?), then it'll be **detectable** in a decentralized manner? If so, it would be perfect; could you please explain a bit more? Thanks – Questioner Nov 11 '18 at 15:17
  • Port security does not cross layer 2 domains. You can lock down the MAC of your LAN's firewall and WAN gateway, but you don't see the layer 2 of other routed networks. Rather, select an application protocol with authentication, ideally with good crypto. – John Mahowald Nov 11 '18 at 16:33
  • Thank you, in general do you think it is possible to **detect** MAC spoofing in a **decentralized** manner? Thanks – Questioner Nov 11 '18 at 18:48
  • I'm not going to make any general claims on possibility. Read more of the literature and look into products. Note that network access control designs have more to them than just MAC addresses. – John Mahowald Nov 13 '18 at 05:58
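
Added example (not part of the thread, and not the code of the linked arpcheck tool): a sketch of the kind of layer 2 check the answer describes, combining a MAC allow-list with tracking of IP-to-MAC bindings as seen in ARP traffic on one segment. The allow-list, addresses, sightings and function names are constructed for illustration.

```python
"""Passive layer 2 monitor: flags unlisted MACs and IP-to-MAC binding changes."""

# Constructed sample data: allow-list plus (time, sender IP, sender MAC) ARP sightings.
ALLOWED_MACS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}
OBSERVATIONS = [
    (100, "192.0.2.1", "02:00:00:aa:00:01"),
    (101, "192.0.2.10", "02:00:00:aa:00:02"),
    (160, "192.0.2.1", "0200.00AA.0001"),      # same binding, Cisco notation
    (220, "192.0.2.1", "02:00:00:bb:00:99"),   # gateway IP claimed by a new MAC
    (221, "192.0.2.1", "02:00:00:aa:00:01"),   # original owner answers again
    (300, "192.0.2.20", "02:00:00:aa:00:02"),  # known MAC appears behind a second IP
]


def normalize(mac):
    """Return lower-case colon form so differently written MACs compare equal."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def detect(observations, allowed):
    """Return (time, kind, ip, detail) alerts for a time-ordered list of sightings."""
    allowed = {normalize(m) for m in allowed}
    ip_to_mac, mac_to_ips, alerts = {}, {}, []
    for ts, ip, raw_mac in observations:
        mac = normalize(raw_mac)
        if mac not in allowed:
            alerts.append((ts, "unlisted-mac", ip, mac))
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # Same IP, different hardware address: replaced NIC or spoofing.
            alerts.append((ts, "binding-changed", ip, f"{previous}->{mac}"))
        ip_to_mac[ip] = mac
        seen_ips = mac_to_ips.setdefault(mac, set())
        if seen_ips and ip not in seen_ips:
            # Legitimate for routers and multi-homed hosts; review, do not block.
            alerts.append((ts, "mac-multiple-ips", ip, mac))
        seen_ips.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(OBSERVATIONS, ALLOWED_MACS):
        print(*alert)
```

The monitor only sees frames in its own broadcast domain, which is the limitation the comments point out for routed networks.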