Spoofing Attacks
This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
Spoofing attacks are a broad class of attacks in which an attacker successfully masquerades as another by falsifying data to gain an illegitimate advantage. They can result in stealing data, spreading malware or bypassing access controls.
The four types of spoofing attack covered in this module:
ARP Spoofing Attack
DNS Server Spoofing Attack
IP Address Spoofing Attack
MAC Address Spoofing Attack
In our everyday life we recognize people via one or many of their unique identifiers, such as their face.
In the TCP/IP world of the Internet, we often use IP addresses, MAC addresses and the like to pick computers out of the crowd. IP addresses are like faces because they are how networks identify computers.
Now, imagine you are attending a costume party. At the party are many people you know and many you do not know. The people you know, you usually can identify by their face, their voice, and mannerisms. However, because everyone is in costumes and is pretending to be someone else, it is difficult if not impossible to recognize them and they can easily lie about their name.
When an uninvited guest arrives at a party they are usually turned away at the door as unwelcome. But when a guest arrives in disguise at a costume party and uses someone else's image and likeness to get into the party, they are using a technique like an ARP spoof.
Address Resolution Protocol (ARP) Messages
a protocol for mapping an Internet Protocol address (IP address) to a physical machine address (MAC address) that is recognized in the local network.
ARP spoofing is a type of attack in which an attacker sends falsified Address Resolution Protocol (ARP) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network. Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address.
To detect, prevent and protect against ARP spoofing attacks:
- avoid trust relationships that rely on IP addresses for authentication
- use packet filtering to block packets with conflicting source address information
- use ARP spoofing detection software to inspect and certify data before it is transmitted and block data that appears to be spoofed
- use secure communications protocols to encrypt data prior to transmission and authenticate data when it is received
Packet Filtering
the process of passing or blocking packets at a network interface based on source and destination addresses, ports, or protocols.
Trust Relationships
allow users in one domain to access resources in another domain. Trusts work by having one domain trust the authority of the other domain to authenticate its user accounts.
ARP spoofing can enable malicious parties to intercept, modify or even stop data in transit. ARP spoofing attacks can only occur on local area networks that use the Address Resolution Protocol. In their most basic application, ARP spoofing attacks are used to steal sensitive information. Beyond this, ARP spoofing attacks are often used to facilitate other attacks such as denial-of-service (DoS) attacks, session hijacking, and man-in-the-middle attacks. ARP spoofing attacks result in ARP poisoning of the ARP tables of hosts on the local area network.
ARP Table
usually called the ARP cache, is used to maintain a correlation between each computer’s MAC address and its corresponding IP address.
Man-In-The-Middle Attacks
an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
Session Hijacking
the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system.
Denial-of-Service (DoS) Attacks
an attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services connected to the Internet.
ARP Poisoning
an attack in which a perpetrator changes the Media Access Control (MAC) address and attacks an Ethernet LAN by altering the target computer's ARP cache with forged ARP request and reply packets.
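As an added example (not from the original module) of the "ARP spoofing detection software" defense listed above, and of how poisoning shows up in an ARP table: a monitor that builds its own IP-to-MAC table from observed ARP replies and alerts when a reply conflicts with it. The replies and addresses are constructed for the example.

```python
# Added example (not part of the original module): a small ARP-poisoning
# detector of the kind the "ARP spoofing detection software" defense refers
# to. It builds its own ARP table (IP -> MAC) from the ARP replies seen on the
# LAN and alerts when a reply tries to rebind an IP that is already mapped to
# a different MAC, which is what poisoning looks like on the wire.
# The replies and addresses below are constructed, not captured traffic.
from dataclasses import dataclass, field

@dataclass
class ArpReply:
    sender_ip: str    # IP address the reply claims to own
    sender_mac: str   # MAC address the reply binds to that IP

@dataclass
class ArpMonitor:
    table: dict = field(default_factory=dict)   # our ARP cache: IP -> MAC
    alerts: list = field(default_factory=list)

    def observe(self, reply: ArpReply) -> bool:
        """Record one ARP reply; return True if it looks like poisoning."""
        known = self.table.get(reply.sender_ip)
        if known is None:
            self.table[reply.sender_ip] = reply.sender_mac   # learn first binding
            return False
        if known.lower() == reply.sender_mac.lower():
            return False                                     # consistent refresh
        # The IP is being re-linked to a new MAC. Keep the original binding
        # (do not let our cache be poisoned) and raise an alert instead.
        self.alerts.append(
            f"{reply.sender_ip}: {known} -> {reply.sender_mac} (possible ARP poisoning)"
        )
        return True

# Constructed sample: the gateway (.1) and a host (.10) announce themselves,
# then a third MAC claims the gateway's IP, the classic man-in-the-middle setup.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply("192.168.1.10", "aa:aa:aa:aa:aa:10"),
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:01"),   # benign re-announcement
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01"),   # conflicting MAC
]

def run_sample() -> ArpMonitor:
    monitor = ArpMonitor()
    for reply in SAMPLE_REPLIES:
        monitor.observe(reply)
    return monitor
```

Running `run_sample()` leaves the gateway's original binding in the table and produces exactly one alert naming the conflicting MAC.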
In our everyday life we recognize people via one or many of their unique identifiers, such as their face. For example, at a party we may seek out the host by asking for her whereabouts and then locating her face in the crowd.
Now, imagine you are attending a costume party. At the party are many people you know and many you do not know. The people you know, you usually can identify by their face, their voice, and mannerisms. However, because everyone is in costumes and is pretending to be someone else, it is difficult if not impossible to recognize them and they can easily lie about their name. You might decide to ask a trusted source like the individual checking the invite list at the door to help you find the host.
A guest at the party begins thanking the person he thinks is the host, because that person is dressed as a pirate and standing near the bar. But then the pirate takes off his mask and the guest realizes this is NOT the host of the party. The trusted source was incorrect. In the digital world the trusted source is the Domain Name System (DNS), which is responsible for associating domain names with IP addresses. Just as the person admitting guests to the party identified the wrong person as the host, in a DNS server spoofing attack (also referred to as DNS cache poisoning) a malicious party modifies the DNS server's records so that it directs a specific domain name to the incorrect IP address.
Domain Name System (DNS)
the way that internet domain names are located and translated into internet protocol (IP) addresses.
Normally, a networked computer uses a DNS server provided by an Internet service provider (ISP) or the computer user's organization. DNS servers are used to improve resolution response performance by caching previously obtained query results. To perform a cache poisoning attack, the attacker exploits flaws in the DNS software. A server should correctly validate DNS responses to ensure that they are from an authoritative source; otherwise the server might end up caching the incorrect entries locally and serve them to other users that make the same request. This attack can be used to redirect users from a website to another site of the attacker's choosing.
The real reason DNS cache poisoning is such a problem is that a resolver has no reliable way of determining whether the DNS responses it receives are legitimate or have been manipulated. Many cache poisoning attacks against DNS servers can be prevented by being less trusting of the information passed to them by other DNS servers, and ignoring any DNS records passed back which are not directly relevant to the query. The long-term solution to DNS cache poisoning is DNS Security Extensions (DNSSEC). DNSSEC allows organizations to sign their DNS records using public-key cryptography, so that your computer can tell whether a DNS record should be trusted or whether it has been poisoned and redirects to an incorrect location.
DNS Security Extensions (DNSSEC)
a suite of specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
IP Address Spoofing Attack
In the TCP/IP world of the Internet, we often use IP addresses, MAC addresses and the like to pick computers out of the crowd. The protocols (rules) by which computers operate on the Internet, specifically TCP/IP, require that each IP packet have a header which contains, among other things, the IP address of the sender of the packet, also known as the source IP address. The source IP address, for example, is like the face of the computer.
In our everyday life we recognize people we know in a crowd by identifying their face, their voice, and mannerisms. We use their unique features to identify them.
Now, imagine you are attending a masquerade ball. At the ball are many people you know and many you do not know. The people you know, you usually can identify by their face, their voice, and mannerisms. However, because everyone is in masks and is pretending to be someone else, it is difficult if not impossible to recognize them.
IP address spoofing is most effective where trust relationships exist between machines. This type of attack involves the use of a trusted IP address and can therefore be used by intruders to overcome network security measures, such as authentication based on IP addresses. IP spoofing may be used to leverage man-in-the-middle attacks or denial of service attacks against hosts on a computer network.
Figure: IP address spoofing. The attacker (real IP 1.1.1.1) sends a packet with a spoofed source address of 3.3.3.3 to the victim (IP 2.2.2.2). The Internet router forwards it unchanged (source 3.3.3.3, destination 2.2.2.2), so the victim believes it came from the trusted host (IP 3.3.3.3), and a security breach is possible. The victim's reply (source 2.2.2.2, destination 3.3.3.3) goes to the trusted host, which might become the target of a DoS attack.
Authentication
the process or action of verifying the identity of a user or process.
The source IP address normally identifies the computer the packet was sent from. But the sender's IP address in the header can be altered, so that to the recipient it appears that the packet came from another computer. In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address for the purpose of hiding the identity of the sender or impersonating another computing system. This is much like the attacker computer wearing a mask and thereby pretending to be another computer.
Deep Packet Inspection
an advanced method of examining and managing network traffic through packet filtering that locates, identifies, classifies, reroutes or blocks packets with specific data or code payloads that conventional packet filtering cannot detect.
Packet Filtering
the process of passing or blocking packets at a network interface based on source and destination addresses, ports, or protocols.
Firewalls
a part of a computer system or network that is designed to block unauthorized access while permitting outward communication.
Ingress Filtering
a technique used to ensure that incoming packets are actually from the networks from which they claim to originate.
Packet filtering is one defense against IP spoofing attacks. The gateway to a network usually performs ingress filtering, which is blocking of packets from outside the network with a source address from inside the network. Spoofing attacks which take advantage of TCP/IP suite protocols may be mitigated with the use of firewalls capable of deep packet inspection or by taking measures to verify the identity of the sender or recipient of a message.
In our everyday life we recognize people via one or many of their unique identifiers, such as their name and their face.
Now, imagine you are attending a masquerade ball. At the ball are many people you know and many you do not know. The people you know, you usually can identify by their face, their voice, and mannerisms. However, because everyone is in masks and is pretending to be someone else, it is difficult if not impossible to recognize them and they can easily lie about their name.
When an uninvited guest arrives at a party they are usually turned away at the door as unwelcome. But when a guest arrives in disguise at a masquerade ball and uses someone else's name to get into the ball, they are using a technique like a MAC spoof.
Network Interface Controller (NIC)
a computer hardware component that connects a computer to a network.
Because MAC addresses are unique and hard-coded on network interface controller (NIC) cards, when a client wants to connect a new computer, the Internet Service Provider (ISP) will detect a different MAC address and might not grant Internet access to the new device. This can be overcome by MAC spoofing: the client only needs to set the new device's MAC address to the MAC address that was previously registered with the ISP. In this case the client spoofs his or her MAC address to gain Internet access from multiple devices, but the same technique can be used by hackers to gain access to unauthorized services. Hackers who use MAC spoofing are very hard to track, because they are operating under the legitimate client's identity.
Internet Service Provider (ISP)
a company that provides subscribers with access to the Internet.
To detect, prevent and protect against DNS Server spoofing attacks:
- keep your resolver private and protected. If you operate your own resolver, its usage should be restricted to users on your network to help prevent its cache being poisoned by hackers outside your organization.
- configure it to be as secure as possible against cache poisoning. Protections built into DNS software to protect against cache poisoning include adding variability to outgoing requests, to make it harder for a hacker to get a bogus response accepted.
- manage your DNS servers securely. When it comes to your authoritative servers, you need to decide whether to host them yourself or have them hosted at a service provider or domain registrar.
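As an added example (not from the original module) tying together two of the DNS defenses described in this module, the "variability in outgoing requests" item above and the earlier advice to ignore records not directly relevant to the query: the acceptance checks a caching resolver can apply to a response. Messages are simplified Python objects rather than DNS wire format, and the names and addresses are constructed.

```python
# Added example (not part of the original module): the checks a caching
# resolver can apply before accepting a DNS response, modelling two defenses
# the module names: variability in outgoing requests (a random 16-bit
# transaction ID and random source port that the reply must echo) and
# ignoring records not relevant to the query ("bailiwick" filtering).
# Messages are simplified objects (records are (name, type, value) tuples).
import secrets
from dataclasses import dataclass, field

@dataclass
class Query:
    qname: str
    txid: int
    src_port: int

@dataclass
class Response:
    txid: int
    dst_port: int
    qname: str
    records: list = field(default_factory=list)

def make_query(qname: str) -> Query:
    # A forger who cannot see the query must guess ID and port together
    # (roughly 2^32 combinations) to get a bogus response accepted.
    return Query(qname, secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512))

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below zone (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept_response(q: Query, r: Response, server_zone: str) -> list:
    """Return the records safe to cache, or [] if the response is rejected."""
    if r.txid != q.txid or r.dst_port != q.src_port or r.qname != q.qname:
        return []   # does not match an outstanding query: discard it
    # Cache only records inside the zone this server is authoritative for;
    # unrelated "extra" records are the classic cache-poisoning vehicle.
    return [rec for rec in r.records if in_bailiwick(rec[0], server_zone)]

def demo() -> list:
    # Constructed response from the example.com. name server.
    q = make_query("www.example.com.")
    r = Response(q.txid, q.src_port, q.qname, [
        ("www.example.com.", "A", "192.0.2.10"),     # the answer asked for
        ("ns1.example.com.", "A", "192.0.2.53"),     # in bailiwick, kept
        ("www.bank.example.", "A", "203.0.113.66"),  # out of bailiwick, dropped
    ])
    return accept_response(q, r, "example.com.")
```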
To detect, prevent and protect against IP Address spoofing attacks:
- use authentication based on key exchange between the machines on your network; something like IPsec will significantly cut down on the risk of spoofing.
- use an access control list to deny private IP addresses on your downstream interface.
- implement filtering of both inbound and outbound traffic.
- configure your routers and switches, if they support such configuration, to reject packets originating from outside your local network that claim to originate from within.
- enable encryption sessions on your router so that trusted hosts that are outside your network can securely communicate with your local hosts.
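As an added example (not from the original module) of the filtering items above and of the ingress filtering described earlier: a gateway filter that checks each packet's source address against the interface it arrived on. Addresses follow the module's figure; the local prefix 2.2.2.0/24 and the sample traffic are assumptions made for the example.

```python
# Added example (not part of the original module): ingress and egress
# filtering at a network gateway, as the module describes. A packet arriving
# on the Internet-facing interface whose source claims to be inside the local
# network is dropped (ingress), so is a private or loopback source arriving
# from the Internet, and a packet leaving with a source that is not ours is
# dropped (egress). Addresses follow the module's figure (trusted host 3.3.3.3,
# victim 2.2.2.2); the local prefix 2.2.2.0/24 is an assumption for the example.
import ipaddress
from dataclasses import dataclass

LOCAL_NET = ipaddress.ip_network("2.2.2.0/24")      # assumed local prefix
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class Packet:
    src: str
    dst: str
    iface: str   # "outside" (Internet-facing) or "inside"

def filter_packet(pkt: Packet) -> tuple:
    """Return (verdict, reason) where verdict is 'accept' or 'drop'."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "outside":
        if src in LOCAL_NET:
            return ("drop", "ingress: outside packet claims an inside source")
        if any(src in net for net in PRIVATE_NETS):
            return ("drop", "ingress: private/loopback source from the Internet")
    elif pkt.iface == "inside":
        if src not in LOCAL_NET:
            return ("drop", "egress: inside host sending with a foreign source")
    return ("accept", "source address consistent with arrival interface")

# Constructed traffic. Note the first packet: the figure's attacker (1.1.1.1)
# forging source 3.3.3.3 looks identical to the genuine trusted host from the
# victim's side, so only egress filtering at the attacker's own network can
# stop it; that is why the module says to filter both inbound and outbound.
SAMPLE = [
    Packet("3.3.3.3", "2.2.2.2", "outside"),        # trusted host (or a spoof of it)
    Packet("2.2.2.9", "2.2.2.2", "outside"),        # claims to be a local host
    Packet("10.0.0.5", "2.2.2.2", "outside"),       # private source from the Internet
    Packet("2.2.2.2", "3.3.3.3", "inside"),         # legitimate outbound reply
    Packet("3.3.3.3", "203.0.113.7", "inside"),     # local host forging an outside source
]

def run_sample() -> list:
    return [filter_packet(p) for p in SAMPLE]
```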
To detect, prevent and protect against MAC Address spoofing attacks:
- use port security to limit the number of MAC addresses that can be learned on ports connected to the end stations.
- use MAC address authentication against an authentication, authorization and accounting (AAA) server, with the authenticated addresses subsequently filtered.
- use security measures to prevent ARP spoofing or IP spoofing, because in some cases they will provide additional MAC address filtering on unicast packets.
- implement IEEE 802.1X suites, which allow packet filtering rules to be installed explicitly by an AAA server based on dynamically learned information about clients, including the MAC address.
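As an added example (not from the original module) of the first item above, a model of switch port security: each access port may learn a limited number of source MAC addresses, or be given the addresses it should expect, and a frame from any other address shuts the port down. Port names and frames are constructed; no real switch is involved.

```python
# Added example (not part of the original module): a model of switch
# "port security", the first MAC-spoofing defense listed above. Each access
# port may learn at most max_macs source addresses; a frame from a further
# address is a violation and the port is shut down until an administrator
# re-enables it. A port can also carry static entries for the addresses it
# should expect, so a different source MAC is caught even when it is the only
# one seen. Port names and frames are constructed; no real switch is involved.
from dataclasses import dataclass, field

@dataclass
class Frame:
    port: str
    src_mac: str

@dataclass
class SecurePort:
    name: str
    max_macs: int = 1
    allowed: set = field(default_factory=set)    # static entries, may be empty
    learned: set = field(default_factory=set)
    shutdown: bool = False
    violations: list = field(default_factory=list)

    def ingress(self, frame: Frame) -> bool:
        """Forward (True) or drop (False) a frame arriving on this port."""
        if self.shutdown:
            return False
        mac = frame.src_mac.lower()
        if self.allowed and mac not in self.allowed:
            return self._violate(mac, "not the statically assigned address")
        if mac not in self.learned:
            if len(self.learned) >= self.max_macs:
                return self._violate(mac, "exceeds the per-port MAC limit")
            self.learned.add(mac)
        return True

    def _violate(self, mac: str, why: str) -> bool:
        self.violations.append(f"{self.name}: {mac} {why}")
        self.shutdown = True      # disable the port; an admin must clear it
        return False

def run_sample() -> tuple:
    # Port 1 carries one PC; on port 2 a second source MAC appears.
    ports = {"port1": SecurePort("port1"), "port2": SecurePort("port2")}
    frames = [Frame("port1", "00:11:22:33:44:55"), Frame("port1", "00:11:22:33:44:55"),
              Frame("port2", "00:aa:bb:cc:dd:ee"), Frame("port2", "02:de:ad:be:ef:00")]
    verdicts = [ports[f.port].ingress(f) for f in frames]
    return verdicts, ports
```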