
Use Agents to Detect Spoofing

By using an agent based on the NFPM Side Unknown template, you can detect hosts that may be spoofing on your network. Spoofing attacks send packets that appear to be from a trusted source, but actually contain falsified source and/or destination addresses. The traffic can then gain access to hosts or services that are supposed to be secure.

Two agents based on the NFPM Side Unknown template are created for you automatically: Spoofing - Server and Spoofing - Client. Using these agents, the adaptive response feature will alert you when at least one host has exceeded the new flows per minute threshold. The standard alert is a red indicator on the info tab (PacketWise) or configuration tab (PolicyCenter). In addition, you can have an email, SNMP trap, or syslog message sent when a host is in violation; this method requires that you create an action file — a text file of PacketWise commands. The action file can include any CLI command that can run without additional user input. See Action File Overviews for more information.

To use this feature, adaptive response must be enabled and the Spoofing - Client and Spoofing - Server agents must be turned on.

These agents, as well as most of the other agents in the host category, have two host lists associated with them: exception and violating. In the exception host list, you can add the IP addresses of the hosts you don't want to trigger the agent (such as servers). The violating host list contains the IP addresses of the hosts that exceed the threshold set for the agent; adaptive response automatically adds hosts to this list when they are in violation.

Create an Exception Host List

To prevent your servers and other valid hosts from triggering false alarms, you will want to create an exception host list for your Spoofing agents. If you want a single exception host list to apply to all host agents, you can add exception hosts to the default host list that is automatically created for you: exceptionHosts. If you want different host lists for different agents, you will need to create host lists with unique names.

1. Access the command-line interface.

2. Type hl show to see the host list names.

3. To create a new host list, use the hl new command. For example:

hl new spoofException

4. To add hosts to an existing host list, use the hl add command. You can add multiple addresses by separating each with a space. For example:

hl add exceptionHosts 192.21.18.162 192.21.18.165 192.21.18.169

5. When modifying the agent (below), make sure to specify this host list name for the ExceptionHosts parameter.

Modify the Agent Settings

By default, the Spoofing agents check every minute to see if a host has exceeded 100,000 new flows per minute. You'll want to set the number of new flows per minute threshold to a value that makes sense for your network. You may also want to change the evaluation interval (for instance, to every 10 minutes).

Note: In order for the Spoofing agents to work properly, you must set the SideThreshold to a value that is appropriate for your network traffic patterns.

  1. On the setup tab, click the Adaptive Response Settings link.

  2. Make sure the checkbox in the Agent On column is selected for the Spoofing - Client or Spoofing - Server agent.

  3. Click edit next to the Spoofing agent you want to modify. The Edit Agent Entry window will open.

  4. If desired, change the evaluation interval, in minutes (how often the agent should measure its target).

  5. If desired, modify the threshold values:

    SideThreshold — Number of new flows per minute that might indicate a host is spoofing.

    ViolatingHosts — Name of violating host list; adaptive response will automatically create a violating host list using the name supplied here. Any hosts that exceed the agent's SideThreshold will be added to this host list. See Restrict Bandwidth for Violating Hosts for further information.

    ExceptionHosts — Name of exception host list; this should be the name you used in Create an Exception Host List above.

    RedThreshold — The value at which the status of the agent turns red, and a red action file is triggered, if present. For a Spoofing agent, this number represents an unacceptable number of violating hosts; a host is in violation if it exceeds the defined SideThreshold. For instance, if the RedThreshold is set to 1, the agent's status will change to red when at least one host had new flows per minute greater than the defined SideThreshold.

    GreenThreshold — An acceptable number of violating hosts (usually 0).

  6. Click OK to save your changes.

After creating the agent, you will want to monitor it to see whether any hosts have been in violation.

Check the Agent Status

To check the status of the Spoofing agents:

  1. Click the info tab. The PacketShaper’s info tab shows an icon for each agent category, and a colored status indicator for each. The Spoofing agents are in the Hosts category.

  2. To see the status of each individual agent in the Hosts category, hover your mouse over the Hosts colored status indicator, as shown below.



  3. In the pop-up window, locate the Spoofing - Client and Spoofing - Server agents. What color are their status indicators?

    Green — During the last evaluation interval, no hosts exceeded the number of new flows per minute you defined for the SideThreshold. (This assumes the GreenThreshold is set to the default value of 0.)
    Red — During the last evaluation interval, at least one host exceeded the SideThreshold. (This assumes the RedThreshold is set to the default value of 1.) If the status indicator is red, you should look at the incident report for details.

    If the agent has ever changed status (from green to red or from red to green), a report icon with a link to a detailed report will be available for that agent.

  4. If there is a report for the Spoofing agent, click the report icon. The Spoofing report appears in a separate browser window and lists all the hosts whose new flows per minute were higher than the SideThreshold (during the current interval in addition to previous intervals). These hosts (10.10.10.100 and 10.10.10.101 in the example below) are automatically added to the violatingHosts host list. See Restrict Bandwidth for Violating Hosts for further information about how you can use the violating host list.



Create an Action File that Sends an Email Notification

If you would like to be notified by email when hosts may be spoofing, you can create a command file that contains a single line: the send email command. By designating this command file as the red action file, an email will be sent when the red threshold is crossed.

Note: In order to send email notification, you must configure an SMTP server in PacketWise.

To create an action file that sends an email notification:

1. If the info tab is currently displayed, click the Settings link; otherwise, go to the setup tab and click the Adaptive Response Settings link.

2. Click the edit button next to the Spoofing agent.

3. Click the browse files button. The File Browser window opens and shows the contents of the 9.258/agent/cmd directory (where action files need to be stored).

4. Click the new cmd file button. A command file window opens.

5. In the File Name field, enter a unique name for your action file up to eight characters long, using only 0-9, a-z, A-Z, - (hyphen), _ (underscore), and . (period). Spaces are not allowed. Example: spoof

6. In the Contents area, enter the following commands:

#Title: red action file for Spoofing - Client agent
send email <address> "<subject>" ["<body>"]

where <address> is the email address of the recipient. For example:

send email raltman@test.com "Spoofing - Client" "Adaptive response has detected at least one host with excessive new flows per minute. Look at the incident report for a list of violating hosts."

Note: If you want to send an email notification to more than one recipient, repeat the send email command for each email address.

If you like, you can include the defined number of new flows per minute (the $sideThreshold variable) and the number of hosts that were in violation (the $scorevalue variable) in the <subject> or <body>, as the following example shows:

send email raltman@test.com "Spoofing - Client" "Adaptive response has detected $scorevalue host(s) with more than $sideThreshold new flows per minute. Look at the incident report for a list of violating hosts."

When the message is sent, the body of the email message would look something like this:

Adaptive response has detected 2 host(s) with more than 50 new flows per minute. Look at the incident report for a list of violating hosts.

7. Click save.

8. Enter the name of your action file in the Red Action File field (for example, spoof.cmd).

9. Click OK.

An email will be sent if and when the agent's red threshold is crossed during an evaluation interval. If you like, you can create a green action file to notify you when the Spoofing agent returns to a green status.
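The following is an added worked example, not PacketWise code, that models what the Modify the Agent Settings, Check the Agent Status and action-file sections above describe: one evaluation interval of a Spoofing agent, the exception and violating host lists, the SideThreshold/RedThreshold/GreenThreshold comparison, and the $scorevalue and $sideThreshold substitution in the red action file. The per-host flow counts are constructed sample data, and the evaluation logic (including what happens between the green and red thresholds) is an assumption reconstructed from the page's description, not the PacketShaper's actual implementation.

```python
# Added example, not PacketWise code: models one evaluation interval of a
# Spoofing agent (NFPM Side Unknown template) and the $scorevalue /
# $sideThreshold substitution in a red action file, as described on the page.
from string import Template

SIDE_THRESHOLD = 50     # new flows per minute that may indicate spoofing
RED_THRESHOLD = 1       # violating hosts at which the status turns red
GREEN_THRESHOLD = 0     # violating hosts at which the status is green
EXCEPTION_HOSTS = {"192.21.18.162", "192.21.18.165"}  # exception host list

RED_ACTION_FILE = (  # red action file from the page, using both variables
    "#Title: red action file for Spoofing - Client agent\n"
    'send email raltman@test.com "Spoofing - Client" "Adaptive response has '
    "detected $scorevalue host(s) with more than $sideThreshold new flows per "
    'minute. Look at the incident report for a list of violating hosts."\n'
)

SAMPLE_INTERVAL = {  # constructed: new flows per minute seen per host
    "10.10.10.100": 120,
    "10.10.10.101": 75,
    "192.21.18.162": 900,  # busy server on the exception list: must not trigger
}

def evaluate_interval(nfpm_by_host, exception_hosts, side_threshold):
    """Hosts exceeding side_threshold; exception hosts are never violators."""
    return sorted(h for h, n in nfpm_by_host.items()
                  if h not in exception_hosts and n > side_threshold)

def agent_status(score, red_threshold, green_threshold, previous="green"):
    """Map the violating-host count (the score) to the status colour."""
    if score >= red_threshold:
        return "red"
    if score <= green_threshold:
        return "green"
    return previous  # assumption: between thresholds the status is unchanged

def render_action_file(text, scorevalue, side_threshold):
    """Fill in the two variables the page says action files may use."""
    return Template(text).substitute(scorevalue=scorevalue,
                                     sideThreshold=side_threshold)

def run_interval(nfpm_by_host, previous="green"):
    """One agent tick: violators, new status, and the email text if red."""
    violators = evaluate_interval(nfpm_by_host, EXCEPTION_HOSTS, SIDE_THRESHOLD)
    status = agent_status(len(violators), RED_THRESHOLD, GREEN_THRESHOLD, previous)
    email = (render_action_file(RED_ACTION_FILE, len(violators), SIDE_THRESHOLD)
             if status == "red" else None)
    return violators, status, email
```

With the sample data, the two 10.10.10.x hosts land in the violating list and the rendered email body matches the example message shown earlier, while the exception-listed server is ignored despite its high flow count.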

Restrict Bandwidth for Violating Hosts

Once you know the IP addresses of hosts that might be spoofing, what is your next step? One possibility is to automatically restrict the bandwidth of the violating hosts until you have a chance to research the hosts. To implement this strategy, you create traffic classes that are based on the violating host lists, and then apply appropriate policies and/or partitions to these classes.

1. In Inbound, create a class with a name such as HostViolators.

2. In the Host List drop-down list for Inside, select violatingHosts (or the name you specified for the ViolatingHosts parameter).

3. Repeat step 2 for Outside.

4. Click add class to create the class.

5. Repeat the above steps to create an Outbound class named HostViolators.

6. Apply appropriate policies and/or partitions to restrict the violating hosts' bandwidth. One strategy might be:

  • Create a partition with size = 0 Kbps, burstable, and a limit of the maximum bandwidth you'd like to devote to all the violating hosts together. For example, you could limit the aggregate of all your violating hosts to 10 percent of your link size.

  • Define a dynamic subpartition giving each host the restricted amount of bandwidth you consider appropriate. For example, you might cap each host at 64 Kbps.

PacketGuide™ for PacketWise® 8.1