Spoofing - Revision history

Roehnsch: corrected "firewalls", "of the communication", "between"

2004-12-13T19:41:02Z

corrected "firewalls", "of the communication", "between"

← Older revision		Revision as of 19:41, 13 December 2004
Line 6:		Line 6:
	IP-Spoofing relies on the forgery of the sender-address in ip-headers. Although a quite simple attack, it can be very effective. This attack overwhelms all security defenses, which are using the sender-address to authenticate certain actions. There are for example some firewalls that allow packets with certain sender-addresses to pass.		IP-Spoofing relies on the forgery of the sender-address in ip-headers. Although a quite simple attack, it can be very effective. This attack overwhelms all security defenses, which are using the sender-address to authenticate certain actions. There are for example some firewalls that allow packets with certain sender-addresses to pass.
	Further examples for vulnerable protocols/services are the r* services. Although quite old, this attack is still important as it is often used in conjunction with DOS attacks.		Further examples for vulnerable protocols/services are the r* services. Although quite old, this attack is still important as it is often used in conjunction with DOS attacks.
	*'''Defense''' against ip-spoofing can best be done by ~~firefalls~~, that can prevent forged packets from entering the local net. Services and authentication should not rely on the sender-address nevertheless. ISP's should also drop forged packets originating from their own net. This would dramatically decrease the number of attacks driven by ip-spoofing.		*'''Defense''' against ip-spoofing can best be done by firewalls, that can prevent forged packets from entering the local net. Services and authentication should not rely on the sender-address nevertheless. ISP's should also drop forged packets originating from their own net. This would dramatically decrease the number of attacks driven by ip-spoofing.

	== ARP-Spoofing ==		== ARP-Spoofing ==
	ARP-Spoofing (also known as ARP-Poisoning) is a spoofing technique that can be performed in a local area network. To understand this approach, we'll have to look at the Address Resolution Protocol itself.		ARP-Spoofing (also known as ARP-Poisoning) is a spoofing technique that can be performed in a local area network. To understand this approach, we'll have to look at the Address Resolution Protocol itself.
	Like DNS is used to resolve an alphanumeric domain address to an ip-address, ARP is used to resolve an ip-address to a mac-address. These are used in the underlaying network architecture, a mac-address consists of 6 bytes. To retrieve some other local ~~hosts~~ MAC address a host broadcasts an ARP-Request including the target IP address and receives the ARP reply containing the target MAC address. To speed up communication, a cache for these requests is used. But ARP has a big problem: it is '''stateless'''. That means it accepts replies without request. So everyone can send "forged" ARP-Replies and '''poison''' the ARP-Cache.		Like DNS is used to resolve an alphanumeric domain address to an ip-address, ARP is used to resolve an ip-address to a mac-address. These are used in the underlaying network architecture. A mac-address consists of 6 bytes. To retrieve some other local host's MAC address a host broadcasts an ARP-Request including the target IP address and receives the ARP reply containing the target MAC address. To speed up communication, a cache for these requests is used. But ARP has a big problem: it is '''stateless'''. That means it accepts replies without request. So everyone can send "forged" ARP-Replies and '''poison''' the ARP-Cache.

	An attacker simply sends an ARP reply to the victim host, proclaiming he is another host the victim might want to communicate with, a gateway for example. The victim accepts this reply and puts the retrieved address in his cache. From now on, the victim host will send its future packets to the attacker, thinking he is the real target. The attacker can now analyse the data and forward it to the real target to not disturb the connection and attract attention. To intercept the replies, the attacker does the same to the other side ot the communication (the host the victim wants to communicate). The attacker is then in the '''middle''' of the communication and can intercept, add, alter, append or remove information that is sent ~~betwen~~ both hosts. The easiness and effectiveness of '''ARP Poisoning''' makes it a very dangerous and popular '''Man in the Middle''' attack.		An attacker simply sends an ARP reply to the victim host, proclaiming he is another host the victim might want to communicate with, a gateway for example. The victim accepts this reply and puts the retrieved address in his cache. From now on, the victim host will send its future packets to the attacker, thinking he is the real target. The attacker can now analyse the data and forward it to the real target to not disturb the connection and attract attention. To intercept the replies, the attacker does the same to the other side of the communication (the host the victim wants to communicate). The attacker is then in the '''middle''' of the communication and can intercept, add, alter, append or remove information that is sent between both hosts. The easiness and effectiveness of '''ARP Poisoning''' makes it a very dangerous and popular '''Man in the Middle''' attack.

	These forged ARP replies are not completely hidden to the victim host nor any other hosts in the local net. The traffic generated by this attack is quite typical and are called '''arp-storms'''. There are multiple tools, that ~~detects~~ these '''arp-storms''' one of the most simple ones is arpwatch.		These forged ARP replies are not completely hidden to the victim host nor any other hosts in the local net. The traffic generated by this attack is quite typical and are called '''arp-storms'''. There are multiple tools, that detect these '''arp-storms''' one of the most simple ones is arpwatch.
	Countermeasures against arp-spoofing can be performed using static arp-entries. The entries in the cache can be marked '''static''', such entries are never overwritten and are therefore prone to '''arp-spoofing'''.		Countermeasures against arp-spoofing can be performed using static arp-entries. The entries in the cache can be marked '''static''', such entries are never overwritten and are therefore prone to '''arp-spoofing'''.
	In Unix compatible operating systems this is performed by the ''arp -s'' command. Windows operating systems also know the ''arp -s'' command with the fatal result that created static entries are only as static as Windows will never again ask for a new MAC address to the specified IP address. Incoming fake ARP replies will still overwrite the entry, which will never be questioned or updated by Windows again, unless the attacker is nice enough to reset it when leaving.		In Unix compatible operating systems this is performed by the ''arp -s'' command. Windows operating systems also know the ''arp -s'' command with the fatal result that created static entries are only as static as Windows will never again ask for a new MAC address to the specified IP address. Incoming fake ARP replies will still overwrite the entry, which will never be questioned or updated by Windows again, unless the attacker is nice enough to reset it when leaving.

Kermit: /* Web/URL-Spoofing */

2004-12-06T13:27:08Z

Web/URL-Spoofing

← Older revision		Revision as of 13:27, 6 December 2004
Line 24:		Line 24:

	== Web/URL-Spoofing ==		== Web/URL-Spoofing ==
			A Web Spoofing attack lures the victim (by using DNS-Spoofing for example) to a forged Web-Server. This server is nearly identical to the orginal server, so the victim won't notice the difference. Every information that is entered by the user are therefore compromised. It is nevertheless for the attacker a nontrival task to guess the right ''context''. Lets say the attacker wants to spoof a banking-website. The victim is lured to the site and enters its account information. The victim wants to see its current account balance - the attacker has a problem now - the victim has context information (he knows his account balance to a certain degree) the attacker has not. An easy but quite effective approach for the attacker is to ''forward'' the information provided by the victim to the ''real'' server and forward the answer of the server to the client. The ''context'' is now correct and the victim will trust the site.
			But the attacker can intercept, alter, add and delete information that is flowing betwen the victim and the bank. This is a very powerful position and is called a '''Man in the Middle Attack''' or short '''MITM'''.

Kermit: /* DNS-Spoofing */

2004-12-06T12:53:59Z

DNS-Spoofing

← Older revision		Revision as of 12:53, 6 December 2004
Line 19:		Line 19:

	== DNS-Spoofing ==		== DNS-Spoofing ==
			DNS is used to resolve alphanumeric addresses to ip-addresses. This is done in a very similar manner like ARP. A Request is send to an DNS-Server, and the DNS-Server sends a reply. The DNS-Database is distributed around the world. If a server can't answer a request, it tries to ask retrieve the information from other servers. The replies from these servers are cached. These cache can be poisened as well. If a client asks for an ip-address of a specific domain-name. The server will lookup the entry in its poisened cache and return the forged ip-address.
			The client will likely connect to the wrong host. The modern implementations (bind-9) are no more vulnerable to this attack.
			There is nevertheless another possibility to perform DNS-Spoofing. An attacker can also answer "faster" than the original server and sending a forged DNS-Reply (sender ip has to been spoofed of course). To be "faster" an attacker can be "faster by nature" (like beeing in the same local net), or he can assure that he is faster by launching a DOS attack at the DNS-Server. There is nevertheless still a problem, because it is necessary for the attacker to realize that the victim has send an DNS-Query.

	== Web/URL-Spoofing ==		== Web/URL-Spoofing ==

Kermit at 11:43, 6 December 2004

2004-12-06T11:43:07Z

← Older revision		Revision as of 11:43, 6 December 2004
Line 6:		Line 6:
	IP-Spoofing relies on the forgery of the sender-address in ip-headers. Although a quite simple attack, it can be very effective. This attack overwhelms all security defenses, which are using the sender-address to authenticate certain actions. There are for example some firewalls that allow packets with certain sender-addresses to pass.		IP-Spoofing relies on the forgery of the sender-address in ip-headers. Although a quite simple attack, it can be very effective. This attack overwhelms all security defenses, which are using the sender-address to authenticate certain actions. There are for example some firewalls that allow packets with certain sender-addresses to pass.
	Further examples for vulnerable protocols/services are the r* services. Although quite old, this attack is still important as it is often used in conjunction with DOS attacks.		Further examples for vulnerable protocols/services are the r* services. Although quite old, this attack is still important as it is often used in conjunction with DOS attacks.
	*'''Defense''' against ip-spoofing can best be done by firefalls, that can prevent forged packets from entering the local net. Services and authentication should not rely on the sender-address nevertheless. ISP's should also		*'''Defense''' against ip-spoofing can best be done by firefalls, that can prevent forged packets from entering the local net. Services and authentication should not rely on the sender-address nevertheless. ISP's should also drop forged packets originating from their own net. This would dramatically decrease the number of attacks driven by ip-spoofing.
	drop forged packets originating from their own net. This would dramatically decrease the number of attacks driven by ip-spoofing.

	== ARP-Spoofing ==		== ARP-Spoofing ==
Line 18:		Line 17:
	Countermeasures against arp-spoofing can be performed using static arp-entries. The entries in the cache can be marked '''static''', such entries are never overwritten and are therefore prone to '''arp-spoofing'''.		Countermeasures against arp-spoofing can be performed using static arp-entries. The entries in the cache can be marked '''static''', such entries are never overwritten and are therefore prone to '''arp-spoofing'''.
	In Unix compatible operating systems this is performed by the ''arp -s'' command. Windows operating systems also know the ''arp -s'' command with the fatal result that created static entries are only as static as Windows will never again ask for a new MAC address to the specified IP address. Incoming fake ARP replies will still overwrite the entry, which will never be questioned or updated by Windows again, unless the attacker is nice enough to reset it when leaving.		In Unix compatible operating systems this is performed by the ''arp -s'' command. Windows operating systems also know the ''arp -s'' command with the fatal result that created static entries are only as static as Windows will never again ask for a new MAC address to the specified IP address. Incoming fake ARP replies will still overwrite the entry, which will never be questioned or updated by Windows again, unless the attacker is nice enough to reset it when leaving.
	----

	~~'''~~DNS-Spoofing~~'''~~		== DNS-Spoofing ==

		⚫	== Web/URL-Spoofing ==
	----

⚫	~~'''~~Web/URL-Spoofing~~'''~~

Kermit at 11:39, 6 December 2004

2004-12-06T11:39:56Z

← Older revision		Revision as of 11:39, 6 December 2004
Line 3:		Line 3:
	Some of these attacks are presented here, but there are of course multiple others.		Some of these attacks are presented here, but there are of course multiple others.

		⚫	== IP-Spoofing ==
	----
		⚫	IP-Spoofing relies on the forgery of the sender-address in ip-headers. Although a quite simple attack, it can be very effective. This attack overwhelms all security defenses, which are using the sender-address to authenticate certain actions. There are for example some firewalls that allow packets with certain sender-addresses to pass.
		⚫	Further examples for vulnerable protocols/services are the r* services. Although quite old, this attack is still important as it is often used in conjunction with DOS attacks.
		⚫	*'''Defense''' against ip-spoofing can best be done by firefalls, that can prevent forged packets from entering the local net. Services and authentication should not rely on the sender-address nevertheless. ISP's should also
			drop forged packets originating from their own net. This would dramatically decrease the number of attacks driven by ip-spoofing.

			== ARP-Spoofing ==
⚫	~~'''~~IP-Spoofing~~'''~~ relies on the forgery of the sender-address in ip-headers. Although a quite simple attack, it can be very effective. This attack overwhelms all security defenses, which are using the sender-address to authenticate certain actions. There are for example some firewalls that allow packets with certain sender-addresses to pass.
			ARP-Spoofing (also known as ARP-Poisoning) is a spoofing technique that can be performed in a local area network. To understand this approach, we'll have to look at the Address Resolution Protocol itself.
⚫	Further examples for vulnerable protocols/services are the r* services. Although quite old, this attack is still important as it is often in conjunction with DOS attacks.
			Like DNS is used to resolve an alphanumeric domain address to an ip-address, ARP is used to resolve an ip-address to a mac-address. These are used in the underlaying network architecture, a mac-address consists of 6 bytes. To retrieve some other local hosts MAC address a host broadcasts an ARP-Request including the target IP address and receives the ARP reply containing the target MAC address. To speed up communication, a cache for these requests is used. But ARP has a big problem: it is '''stateless'''. That means it accepts replies without request. So everyone can send "forged" ARP-Replies and '''poison''' the ARP-Cache.
⚫	*'''Defense''' against ip-spoofing can best be done by firefalls, that can prevent forged packets from entering the local net. Services and authentication should not rely on the sender-address nevertheless.

			An attacker simply sends an ARP reply to the victim host, proclaiming he is another host the victim might want to communicate with, a gateway for example. The victim accepts this reply and puts the retrieved address in his cache. From now on, the victim host will send its future packets to the attacker, thinking he is the real target. The attacker can now analyse the data and forward it to the real target to not disturb the connection and attract attention. To intercept the replies, the attacker does the same to the other side ot the communication (the host the victim wants to communicate). The attacker is then in the '''middle''' of the communication and can intercept, add, alter, append or remove information that is sent betwen both hosts. The easiness and effectiveness of '''ARP Poisoning''' makes it a very dangerous and popular '''Man in the Middle''' attack.
	----

⚫	~~'''ARP~~-Spoofing~~'''~~

			These forged ARP replies are not completely hidden to the victim host nor any other hosts in the local net. The traffic generated by this attack is quite typical and are called '''arp-storms'''. There are multiple tools, that detects these '''arp-storms''' one of the most simple ones is arpwatch.
			Countermeasures against arp-spoofing can be performed using static arp-entries. The entries in the cache can be marked '''static''', such entries are never overwritten and are therefore prone to '''arp-spoofing'''.
			In Unix compatible operating systems this is performed by the ''arp -s'' command. Windows operating systems also know the ''arp -s'' command with the fatal result that created static entries are only as static as Windows will never again ask for a new MAC address to the specified IP address. Incoming fake ARP replies will still overwrite the entry, which will never be questioned or updated by Windows again, unless the attacker is nice enough to reset it when leaving.
	----		----

217.232.42.215 at 20:42, 5 December 2004

2004-12-05T20:42:36Z

← Older revision		Revision as of 20:42, 5 December 2004
Line 6:		Line 6:

	'''IP-Spoofing''' relies on the forgery of the sender-address in ip-headers. Although a quite simple attack, it can be very effective. This attack overwhelms all security defenses, which are using the sender-address to authenticate certain actions. There are for example some firewalls that allow packets with certain sender-addresses to pass.		'''IP-Spoofing''' relies on the forgery of the sender-address in ip-headers. Although a quite simple attack, it can be very effective. This attack overwhelms all security defenses, which are using the sender-address to authenticate certain actions. There are for example some firewalls that allow packets with certain sender-addresses to pass.
	Further examples for vulnerable protocols/services are the r* services. Although quite old, is this attack still important as it is often in conjunction with DOS attacks.		Further examples for vulnerable protocols/services are the r* services. Although quite old, this attack is still important as it is often in conjunction with DOS attacks.
	*'''Defense''' against ip-spoofing can best be done by firefalls, that can prevent forged packets from entering the local net. Services and authentication should not rely on the sender-address nevertheless.		*'''Defense''' against ip-spoofing can best be done by firefalls, that can prevent forged packets from entering the local net. Services and authentication should not rely on the sender-address nevertheless.

217.232.42.215 at 20:41, 5 December 2004

2004-12-05T20:41:49Z

← Older revision		Revision as of 20:41, 5 December 2004
Line 6:		Line 6:

	'''IP-Spoofing''' relies on the forgery of the sender-address in ip-headers. Although a quite simple attack, it can be very effective. This attack overwhelms all security defenses, which are using the sender-address to authenticate certain actions. There are for example some firewalls that allow packets with certain sender-addresses to pass.		'''IP-Spoofing''' relies on the forgery of the sender-address in ip-headers. Although a quite simple attack, it can be very effective. This attack overwhelms all security defenses, which are using the sender-address to authenticate certain actions. There are for example some firewalls that allow packets with certain sender-addresses to pass.
	Further examples for vulnerable protocols/services are the r* services.		Further examples for vulnerable protocols/services are the r* services. Although quite old, is this attack still important as it is often in conjunction with DOS attacks.
	*'''Defense''' against ip-spoofing can best be done by firefalls, that can prevent forged packets from entering the local net. Services and authentication should not rely on the sender-address nevertheless.		*'''Defense''' against ip-spoofing can best be done by firefalls, that can prevent forged packets from entering the local net. Services and authentication should not rely on the sender-address nevertheless.

217.232.42.215 at 20:39, 5 December 2004

2004-12-05T20:39:33Z

New page

The attacks that can be subsumed by the the term "spoofing", are based on the forgery of identities.

Some of these attacks are presented here, but there are of course multiple others.

----

'''IP-Spoofing''' relies on the forgery of the sender-address in ip-headers. Although a quite simple attack, it can be very effective. This attack overwhelms all security defenses, which are using the sender-address to authenticate certain actions. There are for example some firewalls that allow packets with certain sender-addresses to pass.
Further examples for vulnerable protocols/services are the r* services.
*'''Defense''' against ip-spoofing can best be done by firefalls, that can prevent forged packets from entering the local net. Services and authentication should not rely on the sender-address nevertheless.

----

'''ARP-Spoofing'''

----

'''DNS-Spoofing'''

----

'''Web/URL-Spoofing'''