IP/MAC source spoofing

This test checks that customers cannot send packets with a spoofed IPv4 or MAC source address. To prevent such spoofing, when a packet is received on the access port, the source IPv4 and MAC addresses must both be verified as correct; if they are not, the packet must be dropped.

Note: To make sure that an assigned IP address is correct, the switch typically learns what IP address has been assigned to which switch port by intercepting DHCP signaling between the customer host and the DHCP server (called DHCP snooping).

The IP/MAC source spoofing test is applicable to Layer 3 networks, because the customer Test Agent sends an IP address in an ARP request to obtain the MAC address of the default gateway, a procedure that resembles the behavior of a normal user.

Impact: DoS, Abuse

Test process

  • Malicious sends a packet with genuine MAC and IP.
  • Malicious sends a packet with Customer's MAC and IP.
  • Malicious sends a packet with random MAC and IP.
  • Malicious sends a packet with random MAC and genuine IP.

Fail criteria

  • A packet with a non-genuine IPv4 or MAC address arrives at ISP or Customer.
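
The source check and the four packets of the test process, modeled as an added example (not part of the original page or of the product's code). The binding table, port names, addresses and the `ip_only_guard` comparison filter are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str

# Constructed DHCP-snooping binding table: access port -> addresses learned from DHCP.
BINDINGS = {
    "port1": Binding("02:00:00:00:00:01", "192.0.2.11"),  # Malicious Customer
    "port2": Binding("02:00:00:00:00:02", "192.0.2.12"),  # Customer
}

def source_guard(port, src_mac, src_ip):
    """Forward (True) only if both source MAC and source IP match the port's binding."""
    b = BINDINGS.get(port)
    return b is not None and src_mac.lower() == b.mac and src_ip == b.ip

def ip_only_guard(port, src_mac, src_ip):
    """Hypothetical weaker filter for comparison: validates the IP, ignores the MAC."""
    b = BINDINGS.get(port)
    return b is not None and src_ip == b.ip

def probe_packets(mal, cust):
    """The four packets of the test process as (label, src_mac, src_ip, genuine)."""
    rand_mac, rand_ip = "02:00:00:aa:bb:cc", "192.0.2.200"  # constructed "random" values
    return [
        ("genuine MAC and IP", mal.mac, mal.ip, True),
        ("Customer's MAC and IP", cust.mac, cust.ip, False),
        ("random MAC and IP", rand_mac, rand_ip, False),
        ("random MAC and genuine IP", rand_mac, mal.ip, False),
    ]

def evaluate(guard, port="port1"):
    """Apply the fail criterion: any non-genuine packet that is forwarded fails the test."""
    mal, cust = BINDINGS[port], BINDINGS["port2"]
    leaked = [label for label, mac, ip, genuine in probe_packets(mal, cust)
              if not genuine and guard(port, mac, ip)]
    return ("FAIL", leaked) if leaked else ("PASS", [])

if __name__ == "__main__":
    print(evaluate(source_guard))   # both addresses checked
    print(evaluate(ip_only_guard))  # MAC not checked
```

In this model a filter that validates only the source IP lets the "random MAC and genuine IP" packet through, so the test fails; checking both addresses against the binding drops all three non-genuine packets.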

Reference

This test conforms to SEC Access Certification ID "SEC-V4-SPOOF-1".

Parameters

General

  • Malicious Customer: A customer interface performing malicious actions.
  • Customer: One or more customers that the Malicious Customer will affect.
  • ISP: A central node on a trusted port.

Advanced

  • Source UDP port: Source UDP port for traffic sent from Malicious to ISP or Customer. Range: 1 ... 65535. Default: 41234.
  • Destination UDP port: Destination UDP port for traffic sent from Malicious to ISP or Customer. Range: 1 ... 65535. Default: 24567.