Security Laboratory

Security Laboratory

Security Laboratory: Networking

This networking series will help the computer security manager understand the basics of an Internet Protocol network and give them the tools to help them manage those networks effectively.

Other Related Articles in Security Laboratory: Networking

Management Application of MAC Addresses

By Stephen Northcutt

Consider the following story from
At 12:48AM EST on the 14th of May 2003, the IP netblock was announced to the Internet via BGP through the service provider Verio’s network from a small Florida ISP located in Boca Raton (1). This was peculiar because the block in question was registered to Northrop Grumman, a large US military contractor. Northrop Grumman has a very large IP network and its own autonomous system connected to the Sprint network. Therefore, anyone paying attention at the time might have concluded that something was amiss. Unfortunately for Northrop Grumman, no one was paying attention—at least not until the spammers who had hijacked their IP block began using it to send email. As a consequence the IP block was listed in the SpamHaus (2) and SPEWS (3) spam blacklists. The hijacking and spam continued until complaints to Northrop Grumman alerted them to the hijack; they then took steps to reclaim ownership of their block and some two months after the start of the incident, the announcements were blocked.

A compromised system within your network

The story illustrates that people will make efforts to use your address space against you primarily to either send SPAM or to conduct DDOS attacks. Suppose one of your systems is compromised and used to send SPAM or DDOS packets. Suppose they spoof the source IP address to make it harder to locate the compromised system. In that case, we have a packet that will be received as a source address to a given interface somewhere on the Internet, but the original source address is not return reachable from that interface. How is this possible? Suppose your network is addressed as net However, the spoofed source address is a different family altogether, say To get out to the Internet, the packet has to pass through a Network Address Translation (NAT) device. If the NAT or another device on the perimeter is not configured to drop non-assigned non-routable addresses, the spoofed address will get translated by a NAT device into a routable address at the network exit point. So, the interface on the system receiving the DDOS or SPAM does not see the spoofed address, they see your organization's public address space. Every organization should perform ingress and egress filtering to prevent this type of activity.

A system connected to your network without permission
In addition, if someone connects to your internal network without permission, such as a contractor plugging into your local network, they may show up in your firewall, switch, or DHCP logs as a "Martian Source". According to Webopedia, a Martian address is "An IP address that is invalid because it has been spoofed or is not routable because it has been assigned an address by a misconfigured system. Routing software will reject a martian address."[2] In both cases to find the troublesome system, it may be necessary to locate the closest router and examine the Address Resolution Protocol (ARP) table. The ARP table, or "ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions."[3] To prevent people from plugging into your network without permission, it is recommended to use switch port lockout, when possible, to reduce the chance of this happening. Switch ports should be configured to only allow the MAC address of one computer, assigned to that port, to access the network.

Rogue Wireless Access Points

Since wireless access points have MAC addresses, and part of the MAC address, the Organizationally Unique Identifiers (OUI), identifies the manufacturer, we can scan the ARP tables to see if a MAC address from a known wireless vendor is present. This can be used to detect access points where a non-sophisticated user goes to Best Buy, and just plugs it in on your organization's LAN. A more sophisticated user can evade such detection easily, as we see from a paper by Josh Wright:

The phrase “MAC address spoofing” in this context relates to an attacker altering the manufacturer-assigned MAC address to any other value. This is conceptually different than traditional IP address spoofing where an attacker sends data from an arbitrary source address and does not expect to see a response to their actual source IP address. MAC address spoofing might be more accurately described as MAC address “impersonating” or “masquerading” since the attacker is not crafting data with a different source than is their transmitting address. When an attacker changes their MAC address they continue to utilize the wireless card for its intended layer 2 transport purpose, transmitting and receiving from the same source MAC. Nearly all 802.11 cards in use permit their MAC addresses to be altered, often with full support and drivers from the manufacturer. Using Linux open-source drivers, a user can change their MAC address with the ifconfig tool, or with a short C program calling the ioctl() function with the SIOCSIFHWADDR flag. Windows users are commonly permitted to change their MAC address by selecting the properties of their network card drivers in the network control panel applet.[4]

ARP attacks

Anytime you have the word dynamic, you have the potential for attackers to take advantage of the operation. It is possible to answer a query for an ARP (Who has) with a spoofed (Is at) address. It is also possible to confuse the bridge component of a switch by giving it more than one MAC address in its ARP table to allow an attacker to sniff traffic on a switch. The switch forwards traffic for the server that is being sniffed to the server's port AND also forwards the traffic to the sniffer's port. The rule of thumb for ARP security is that all ARP attacks must take place on the collision domain being attacked. You cannot attack from afar, so ARP attacks tend to be either an insider problem or require compromising a system on the inside of your network.

Hunting them down
So, as we have said, ARP, Address Resolution Protocol, is used to create the dynamic correspondence between the MAC address and the IP address. If you know the MAC address and need the IP address, you send an Ethernet broadcast called a "Who has". The system with the needed IP address will then answer with an "Is at". So, if you needed to communicate with, you would broadcast your MAC address and ask who has, and it should answer with its MAC address is at However, only the closest switch or router to the host we are trying to find would have the ARP table entry that actually corresponds with the host we are trying to find. Each router puts its own MAC address in the frame as it forwards it to the next hop. So, it sometimes requires consulting the ARP tables on multiple routers to find the one you are looking for.

The bottom line:

Computer security managers should ask their network engineers if they are collecting logs related to MAC addresses such as the ARP tables. In addition, engineers should understand the dynamic MAC to IP relation and how it impacts security. It should never be possible to connect a system to your organization's network without permission. In addition, organizations should perform both ingress and egress filtering. These activities all contribute to a Threat Vector Analysis architectural approach to Defense in Depth.[5]