Community discussions

User avatar
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 54
Joined: Tue Dec 15, 2015 5:15 pm

IP spoofing

Tue Jun 04, 2019 11:11 am

Allow IP spoofing in internal network

 In our MikroTik network we installed a security appliance called Darktrace. It observes the network using promiscous mode. One of the features of it is that it is able to break TCP connections that it classifies as malicious by sending RST packets with spoofed source and destination IP. And For that it uses a separate interface.

From the perspective of hosts talking to each other it looks as if the other side initiated a reset. That effectively breaks the connection.

However in our network spoofed packets are discarded before reaching it’s destination.

We experimented with setting ip rp-filter to none but that did not change anything. Spoofed RST packets are still not reaching targets.

We are able to easily identify RST packets that are coming from Darktrace, since they have a specific string in the payload.

After containing the endpoint in such a way, that every connection should be a subject of a reset, the only RST packets that reach it are RST packets sent when the endpoint tries to access … Darktrace :) Because it’s the only moment where there is no source IP spoofing. The Darktrace effectively works in it's own name. No source IP cheating. And that is the only moment where the host is effectively blocked, seeing "reset by peer" upon connecting. All the other connections look like being blocked for a few seconds but then in the end they are allowed and working fine. 

We observed that using packet capture on the endpoint.

Long story short - how to fully enable IP spoofing on Mikrotik network? Preferrably enable it only for a specific list of IPs.
Forum Veteran
Forum Veteran
Posts: 884
Joined: Sun Oct 01, 2006 11:44 pm

Re: IP spoofing

Fri Jun 07, 2019 5:12 pm

The device running in promiscuous mode won't see all the TCP traffic flows, it will only see broadcast packets on a switched network. Only traffic directed to it will be noticed, which is as your experiment describes. You need to either re-architect your network so that all your traffic flows through the device, or use port mirroring or a similar feature to send all traffic to its switch port.

Who is online

Users browsing this forum: No registered users and 50 guests