Spoofing: Difference between revisions

No edit summary
m (corrected "firewalls", "of the communication", "between")
 
(2 intermediate revisions by one other user not shown)

Latest revision as of 19:41, 13 December 2004

The attacks that can be subsumed under the term "spoofing" are based on the forgery of identities.

Some of these attacks are presented here, but there are of course many others.

IP-Spoofing

IP spoofing relies on the forgery of the sender address in IP headers. Although a quite simple attack, it can be very effective. It defeats every security measure that uses the sender address to authenticate certain actions; for example, some firewalls allow packets with certain sender addresses to pass. Further examples of vulnerable protocols/services are the r* services. Although quite old, this attack is still important, as it is often used in conjunction with DoS attacks.

  • Defense against IP spoofing is best done by firewalls that prevent forged packets from entering the local net. Nevertheless, services and authentication should not rely on the sender address. ISPs should also drop forged packets originating from their own net; this would dramatically decrease the number of attacks driven by IP spoofing.
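The two filter positions recommended above, a site firewall and an ISP edge, as a small Python model. This is an added example, not code from the original wiki page; it uses a toy packet type instead of real sockets, and the prefixes, interface names and packets are constructed sample data.

```python
"""Ingress/egress filtering against IP spoofing (added example).

Not code from the original wiki page. It models two filter positions:
a site firewall that drops inbound packets claiming an inside source
address (and inside packets claiming an outside one), and an ISP edge
that only forwards customer packets whose source lies in the ISP's own
address space. Prefixes, interfaces and packets are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str    # source address written in the IP header (may be forged)
    dst: str    # destination address
    iface: str  # interface the packet arrived on: "external" or "internal"


# Constructed sample topology: the site owns 192.0.2.0/24; the ISP owns
# 198.51.100.0/24 and has delegated 192.0.2.0/24 to that site.
SITE_PREFIXES = [ip_network("192.0.2.0/24")]
ISP_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/24")]


def site_border_filter(pkt: Packet) -> bool:
    """Return True if the site firewall should forward the packet.

    A packet arriving from outside must not claim an inside source address:
    that is exactly the forgery that fools services which authenticate by
    sender address. The mirror rule (inside packets must carry an inside
    source) stops local hosts from emitting spoofed traffic.
    """
    src = ip_address(pkt.src)
    if src.is_loopback or src.is_unspecified or src.is_multicast:
        return False  # never a legitimate unicast source
    claims_inside = any(src in net for net in SITE_PREFIXES)
    if pkt.iface == "external" and claims_inside:
        return False  # forged: outside packet wearing an inside address
    if pkt.iface == "internal" and not claims_inside:
        return False  # forged: inside host wearing an outside address
    return True


def isp_edge_filter(pkt: Packet) -> bool:
    """Return True if the ISP should forward a packet leaving its network.

    If every provider only forwards packets sourced from its own address
    space, spoofed packets cannot leave the network they originate in.
    """
    src = ip_address(pkt.src)
    return any(src in net for net in ISP_PREFIXES)


def apply_filter(packets, rule):
    """Split packets into (forwarded, dropped) under the given rule."""
    forwarded = [p for p in packets if rule(p)]
    dropped = [p for p in packets if not rule(p)]
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed traffic: an honest outside client, a forged packet
    # pretending to come from inside, an honest inside host, and an inside
    # host forging an outside address.
    sample = [
        Packet("203.0.113.5", "192.0.2.20", "external"),
        Packet("192.0.2.10", "192.0.2.20", "external"),
        Packet("192.0.2.10", "203.0.113.5", "internal"),
        Packet("203.0.113.9", "203.0.113.5", "internal"),
    ]
    ok, bad = apply_filter(sample, site_border_filter)
    print("site firewall forwarded:", [p.src for p in ok])
    print("site firewall dropped:  ", [p.src for p in bad])
```

The filter only checks the source address against the interface it arrived on; it says nothing about whether the payload is trustworthy, which is why the text's second point (do not authenticate by sender address at all) still stands.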

ARP-Spoofing

ARP spoofing (also known as ARP poisoning) is a spoofing technique that can be performed in a local area network. To understand this approach, we'll have to look at the Address Resolution Protocol itself. Just as DNS is used to resolve an alphanumeric domain name to an IP address, ARP is used to resolve an IP address to a MAC address. MAC addresses are used by the underlying network layer; a MAC address consists of 6 bytes. To retrieve another local host's MAC address, a host broadcasts an ARP request containing the target IP address and receives an ARP reply containing the target MAC address. To speed up communication, a cache of these resolutions is kept. But ARP has a big problem: it is stateless. That means it accepts replies without a request. So anyone can send "forged" ARP replies and poison the ARP cache.

An attacker simply sends an ARP reply to the victim host, claiming to be another host the victim might want to communicate with, a gateway for example. The victim accepts this reply and puts the received address in its cache. From now on, the victim host sends its packets to the attacker, thinking it is the real target. The attacker can now analyse the data and forward it to the real target, so as not to disturb the connection and attract attention. To intercept the replies, the attacker does the same to the other side of the communication (the host the victim wants to communicate with). The attacker is then in the middle of the communication and can intercept, add, alter, append or remove information that is sent between both hosts. The ease and effectiveness of ARP poisoning make it a very dangerous and popular man-in-the-middle attack.

These forged ARP replies are not completely hidden from the victim host or from the other hosts in the local net. The traffic generated by this attack is quite characteristic and is called an arp-storm. There are multiple tools that detect these arp-storms; one of the simplest is arpwatch.

Countermeasures against ARP spoofing can be performed using static ARP entries. Entries in the cache can be marked static; such entries are never overwritten and are therefore not vulnerable to ARP spoofing. In Unix-compatible operating systems this is done with the arp -s command. Windows operating systems also know the arp -s command, with the fatal result that the created static entries are only as static as this: Windows will never again ask for a new MAC address for the specified IP address. Incoming fake ARP replies will still overwrite the entry, which will never be questioned or updated by Windows again, unless the attacker is nice enough to reset it when leaving.
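The stateless cache, the static entry, and an arpwatch-style change detector from the two paragraphs above, as one Python model. This is an added example and not code from the original wiki page: it opens no sockets, the "strict" cache mode (accept only replies to outstanding requests) is an assumption of the example and not attributed to any operating system, the static entry behaves as the text describes it for Unix (never overwritten), and all addresses are constructed.

```python
"""ARP cache poisoning and its detection, as a toy model (added example).

Not code from the original wiki page; no sockets are used. It models:
  * a stateless cache that takes any reply, so an unsolicited one poisons it;
  * an entry marked static, which is never overwritten by a reply;
  * a 'strict' cache that only accepts replies to its own requests
    (an assumption of this example, not attributed to any OS).
ArpMonitor keeps the history of IP -> MAC bindings and reports changes and
flip-flops, the signal tools like arpwatch work from. Addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    ip: str   # sender protocol address the reply claims
    mac: str  # sender hardware address the reply claims


@dataclass
class ArpCache:
    strict: bool = False                       # accept only replies we asked for
    table: dict = field(default_factory=dict)  # ip -> mac
    static: set = field(default_factory=set)   # ips whose entry is pinned
    pending: set = field(default_factory=set)  # ips with an outstanding request

    def request(self, ip: str) -> None:
        """Broadcast an ARP request (modelled as remembering that we asked)."""
        self.pending.add(ip)

    def add_static(self, ip: str, mac: str) -> None:
        """Pin a binding, as `arp -s` does on Unix."""
        self.table[ip] = mac
        self.static.add(ip)

    def receive(self, reply: ArpReply) -> bool:
        """Process a reply; return True if it changed the cache."""
        if reply.ip in self.static:
            return False  # pinned entries are never overwritten
        if self.strict and reply.ip not in self.pending:
            return False  # unsolicited reply: ignored
        self.pending.discard(reply.ip)
        changed = self.table.get(reply.ip) != reply.mac
        self.table[reply.ip] = reply.mac
        return changed

    def lookup(self, ip: str):
        return self.table.get(ip)


class ArpMonitor:
    """Passive observer of replies on a segment, in the spirit of arpwatch."""

    def __init__(self):
        self.history = defaultdict(list)  # ip -> MACs seen, in order
        self.alerts = []

    def observe(self, reply: ArpReply):
        """Record the binding; return an alert string if it changed, else None."""
        seen = self.history[reply.ip]
        if not seen:
            seen.append(reply.mac)
            return None  # first binding for this IP: learn it silently
        if seen[-1] == reply.mac:
            return None  # same binding as before
        kind = "flip-flop" if reply.mac in seen else "changed"
        alert = f"{kind}: {reply.ip} {seen[-1]} -> {reply.mac}"
        seen.append(reply.mac)
        self.alerts.append(alert)
        return alert


# Constructed addresses: the real gateway and the attacker's interface.
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = "02:00:00:00:00:01"
ATTACKER_MAC = "02:00:00:00:00:99"


def poisoning_scenario(strict: bool, pin_gateway: bool) -> str:
    """Run one forged reply against a cache configuration; return the MAC
    the victim ends up using for the gateway."""
    cache = ArpCache(strict=strict)
    if pin_gateway:
        cache.add_static(GATEWAY_IP, GATEWAY_MAC)
    else:
        cache.request(GATEWAY_IP)
        cache.receive(ArpReply(GATEWAY_IP, GATEWAY_MAC))  # legitimate reply
    cache.receive(ArpReply(GATEWAY_IP, ATTACKER_MAC))    # unsolicited forgery
    return cache.lookup(GATEWAY_IP)


if __name__ == "__main__":
    print("stateless:", poisoning_scenario(strict=False, pin_gateway=False))
    print("strict:   ", poisoning_scenario(strict=True, pin_gateway=False))
    print("static:   ", poisoning_scenario(strict=False, pin_gateway=True))
    mon = ArpMonitor()
    for r in (ArpReply(GATEWAY_IP, GATEWAY_MAC), ArpReply(GATEWAY_IP, ATTACKER_MAC)):
        print("monitor:", mon.observe(r))
```

Only the stateless cache ends up with the attacker's MAC; the monitor reports the change regardless of which cache the victim runs, which is why detection on the segment is useful even where static entries are impractical.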

DNS-Spoofing

DNS is used to resolve alphanumeric names to IP addresses. This is done in a manner very similar to ARP: a request is sent to a DNS server, and the DNS server sends a reply. The DNS database is distributed around the world; if a server can't answer a request itself, it tries to retrieve the information from other servers. The replies from these servers are cached, and this cache can be poisoned as well. If a client asks for the IP address of a specific domain name, the server looks up the entry in its poisoned cache and returns the forged IP address. The client will then likely connect to the wrong host. Modern implementations (BIND 9) are no longer vulnerable to this attack. There is nevertheless another way to perform DNS spoofing: an attacker can answer "faster" than the original server by sending a forged DNS reply (with a spoofed sender IP, of course). To be "faster", an attacker can be faster by nature (for example by being in the same local net), or he can make sure he is faster by launching a DoS attack against the DNS server. There is still a problem for the attacker, though: he must notice that the victim has sent a DNS query.
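The two resolver-side checks that the attacks described above run into, as a toy stub resolver in Python. This is an added example, not code from the original wiki page or from any real resolver: DNS messages are plain dicts rather than wire format, nothing is sent on the network, and the names, addresses and the `zone` argument (the zone the queried server is authoritative for) are constructed sample data.

```python
"""Reply validation in a toy stub resolver against DNS spoofing (added example).

Not code from the original wiki page. Messages are dicts, not wire format,
and nothing touches the network. Two checks are modelled:
  1. a reply is accepted only if it matches an outstanding query (same
     transaction id, same question), so a forgery from someone who never
     saw the query is dropped;
  2. only records inside the zone the queried server serves ("in bailiwick")
     are cached, so a reply for one domain cannot plant a forged address
     for an unrelated domain.
Names, addresses and the 'zone' argument are constructed sample data.
"""
import secrets


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class StubResolver:
    def __init__(self):
        self.pending = {}   # txid -> (qname, zone the queried server serves)
        self.cache = {}     # qname -> ip
        self.rejected = []  # (reason, offending data), kept for inspection

    def send_query(self, qname: str, zone: str) -> dict:
        """Build a query with a random 16-bit transaction id and remember it."""
        txid = secrets.randbelow(1 << 16)
        self.pending[txid] = (qname, zone)
        return {"id": txid, "question": qname}

    def receive_reply(self, reply: dict) -> bool:
        """Validate a reply; return True if at least one record was cached."""
        txid = reply["id"]
        if txid not in self.pending:
            self.rejected.append(("unsolicited or wrong id", reply))
            return False
        qname, zone = self.pending[txid]
        if reply["question"].lower() != qname.lower():
            # Leave the query outstanding: a mismatched forgery must not
            # cancel the wait for the genuine answer.
            self.rejected.append(("question mismatch", reply))
            return False
        del self.pending[txid]
        cached = 0
        for name, ip in reply["answers"]:
            if in_bailiwick(name, zone):
                self.cache[name.lower()] = ip
                cached += 1
            else:
                self.rejected.append(("out of bailiwick", (name, ip)))
        return cached > 0


def spoofing_scenario() -> dict:
    """Constructed exchange: a guessed forgery, then a genuine reply that
    also carries an out-of-zone record. Returns the resulting cache."""
    r = StubResolver()
    q = r.send_query("www.example.com", "example.com")
    # Forgery from someone who did not see the query: the id is a guess.
    forged = {"id": (q["id"] + 1) % 65536, "question": "www.example.com",
              "answers": [("www.example.com", "203.0.113.66")]}
    r.receive_reply(forged)
    # Genuine reply with an extra record the server has no authority over.
    genuine = {"id": q["id"], "question": "www.example.com",
               "answers": [("www.example.com", "192.0.2.80"),
                           ("bank.example.net", "203.0.113.66")]}
    r.receive_reply(genuine)
    return r.cache


if __name__ == "__main__":
    print(spoofing_scenario())
```

Real resolvers also randomize the UDP source port of each query, which makes the guess in check 1 far harder than a 16-bit id alone; the dict model leaves the port out. Check 2 is what stops the cache-poisoning variant the text attributes to older servers, and check 1 is what forces the "faster reply" attacker to actually observe the query.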

Web/URL-Spoofing

A web spoofing attack lures the victim (by using DNS spoofing, for example) to a forged web server. This server is nearly identical to the original server, so the victim won't notice the difference. All information entered by the user is therefore compromised. It is nevertheless a nontrivial task for the attacker to guess the right context. Let's say the attacker wants to spoof a banking website. The victim is lured to the site and enters its account information. The victim then wants to see its current account balance, and the attacker has a problem: the victim has context information (he knows his account balance to a certain degree) that the attacker does not have. An easy but quite effective approach for the attacker is to forward the information provided by the victim to the real server and forward the server's answer back to the client. The context is now correct and the victim will trust the site. But the attacker can intercept, alter, add and delete information flowing between the victim and the bank. This is a very powerful position and is called a man-in-the-middle attack, or MITM for short.