Spoofing

Revision as of 11:39, 6 December 2004 by Kermit (talk | contribs)

The attacks that can be subsumed under the term "spoofing" are based on the forgery of identities.

Some of these attacks are presented here, but there are of course multiple others.

IP-Spoofing

IP-Spoofing relies on forging the sender address in IP headers. Although a quite simple attack, it can be very effective: it defeats every security mechanism that uses the sender address to authenticate an action. There are, for example, firewalls that allow packets with certain sender addresses to pass. Further examples of vulnerable protocols/services are the r* services. Although quite old, this attack is still important, as it is often used in conjunction with DoS attacks.

  • Defense against IP-spoofing is best done by firewalls that prevent forged packets from entering the local net. Services and authentication should nevertheless not rely on the sender address. ISPs should also drop forged packets originating from their own net; this would dramatically decrease the number of attacks driven by IP-spoofing.
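The two filtering rules described above (the border firewall dropping packets from outside that claim an inside source, and the provider dropping packets from its own net that carry a foreign source) as an added, self-contained example; this is not code from the original page. The prefix 192.0.2.0/24 is a constructed placeholder for "our own net", and the interface names "outside"/"inside" are assumptions of the example.

```python
import ipaddress

# Hypothetical source-address filter (ingress at the site border, egress at the
# provider/customer edge). OUR_NET is a constructed placeholder for "our own net".
OUR_NET = ipaddress.ip_network("192.0.2.0/24")


def decide(iface: str, src: str) -> str:
    """Return "ACCEPT" or "DROP" for a packet with source address src seen on iface.

    iface is "outside" (arriving from the Internet) or "inside" (sent by our own hosts).
    """
    ip = ipaddress.ip_address(src)
    if iface == "outside":
        # Ingress: nothing from the Internet may claim to be one of our own hosts,
        # and loopback or link-local sources never belong on the wire at all.
        if ip in OUR_NET or ip.is_loopback or ip.is_link_local:
            return "DROP"
        return "ACCEPT"
    if iface == "inside":
        # Egress (what the text asks of ISPs): our net may only emit packets
        # bearing our own addresses, so a forged source cannot leave it.
        return "ACCEPT" if ip in OUR_NET else "DROP"
    raise ValueError(f"unknown interface {iface!r}")


def apply_filter(packets):
    """packets: iterable of (iface, src); returns a list of (iface, src, decision)."""
    return [(iface, src, decide(iface, src)) for iface, src in packets]


# Constructed sample traffic for the demo
SAMPLE = [
    ("outside", "203.0.113.7"),   # ordinary Internet source
    ("outside", "192.0.2.20"),    # claims to be an inside host: forged
    ("outside", "127.0.0.1"),     # loopback source on the wire: forged
    ("inside", "192.0.2.20"),     # our own host talking out
    ("inside", "203.0.113.7"),    # inside host using a foreign source: forged
]

if __name__ == "__main__":
    for iface, src, verdict in apply_filter(SAMPLE):
        print(f"{iface:8} {src:15} {verdict}")
```

Both directions are needed: the ingress rule protects the site's own sender-address-based decisions, while the egress rule is what stops the site from being the origin of spoofed packets aimed at someone else.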

ARP-Spoofing

ARP-Spoofing (also known as ARP-Poisoning) is a spoofing technique that can be performed in a local area network. To understand this approach, we have to look at the Address Resolution Protocol itself. Just as DNS is used to resolve an alphanumeric domain name to an IP address, ARP is used to resolve an IP address to a MAC address. MAC addresses are used by the underlying network layer; a MAC address consists of 6 bytes. To retrieve another local host's MAC address, a host broadcasts an ARP request containing the target IP address and receives an ARP reply containing the target MAC address. To speed up communication, a cache of these resolutions is kept. But ARP has a big problem: it is stateless, meaning it accepts replies for which no request was sent. So anyone can send "forged" ARP replies and poison the ARP cache.

An attacker simply sends an ARP reply to the victim host, claiming to be another host the victim might want to communicate with, the gateway for example. The victim accepts this reply and puts the received address in its cache. From then on, the victim host sends its packets to the attacker, believing it is the real target. The attacker can then analyse the data and forward it to the real target, so as not to disturb the connection and attract attention. To intercept the replies as well, the attacker does the same to the other side of the communication (the host the victim wants to communicate with). The attacker is then in the middle of the communication and can intercept, add, alter, append or remove information sent between both hosts. The ease and effectiveness of ARP poisoning make it a very dangerous and popular man-in-the-middle attack.

These forged ARP replies are not completely hidden from the victim host or from the other hosts in the local net. The traffic generated by this attack is quite characteristic and is called an ARP storm. There are multiple tools that detect such ARP storms; one of the simplest is arpwatch. A countermeasure against ARP spoofing is the use of static ARP entries: entries in the cache can be marked static, and such entries are never overwritten, which makes them immune to ARP spoofing. On Unix-compatible operating systems this is done with the arp -s command. Windows operating systems also know the arp -s command, with the fatal result that the created entries are "static" only in the sense that Windows never again asks for a new MAC address for the specified IP address. Incoming fake ARP replies will still overwrite the entry, which will never be questioned or updated by Windows again, unless the attacker is nice enough to reset it when leaving.
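The detection side of the ARP discussion above (the stateless acceptance of unsolicited replies, and the IP-to-MAC binding change that arpwatch-style tools report) as an added example; this is not code from the original page and it is not arpwatch itself. It parses the 28-byte Ethernet/IPv4 ARP body, keeps an IP-to-MAC table, and raises an alert both when a reply answers no request it has seen and when a known binding changes. The hosts, addresses and frames in run_demo are constructed sample traffic; the class and function names are assumptions of the example.

```python
import struct
from dataclasses import dataclass

# Hypothetical, self-contained ARP watcher: parses Ethernet/IPv4 ARP bodies and
# flags the two symptoms of cache poisoning described in the text.
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(body: bytes) -> ArpPacket:
    """Parse the 28-byte ARP body (the Ethernet header is assumed already stripped)."""
    if len(body) < 28:
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", body[8:28])
    return ArpPacket(opcode, _mac(smac), _ip(sip), _mac(tmac), _ip(tip))


def build_arp(opcode: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Inverse of parse_arp; used only to construct sample traffic for the demo."""
    def hw(m: str) -> bytes:
        return bytes.fromhex(m.replace(":", ""))

    def ip4(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))

    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + hw(smac) + ip4(sip) + hw(tmac) + ip4(tip)


class ArpWatcher:
    """Keeps an IP -> MAC table and reports unsolicited replies and binding changes."""

    def __init__(self) -> None:
        self.table = {}       # ip -> mac, as learned from the wire
        self.pending = set()  # (asking_ip, asked_for_ip) of requests not yet answered
        self.alerts = []

    def observe(self, pkt: ArpPacket) -> None:
        if pkt.opcode == ARP_REQUEST:
            self.pending.add((pkt.sender_ip, pkt.target_ip))
        elif pkt.opcode == ARP_REPLY:
            # A legitimate reply answers a request we saw: (requester, address asked for)
            key = (pkt.target_ip, pkt.sender_ip)
            if key in self.pending:
                self.pending.discard(key)
            else:
                # ARP is stateless, so the victim's stack accepts this anyway; we at least log it
                self.alerts.append(
                    f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac} (to {pkt.target_ip})")
        # Both opcodes carry the sender's own binding; this is what a cache learns from
        self._learn(pkt.sender_ip, pkt.sender_mac)

    def _learn(self, ip: str, mac: str) -> None:
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"changed: {ip} moved from {old} to {mac}")
        self.table[ip] = mac


def run_demo() -> list:
    """Constructed scenario: the victim resolves the gateway, then a third host overwrites the binding."""
    victim = ("192.168.1.10", "02:00:00:00:00:10")
    gateway = ("192.168.1.1", "02:00:00:00:00:01")
    rogue = ("192.168.1.66", "02:00:00:00:00:66")
    frames = [
        build_arp(ARP_REQUEST, victim[1], victim[0], "00:00:00:00:00:00", gateway[0]),  # who-has gateway?
        build_arp(ARP_REPLY, gateway[1], gateway[0], victim[1], victim[0]),             # genuine answer
        build_arp(ARP_REPLY, rogue[1], gateway[0], victim[1], victim[0]),               # forged: gateway is-at rogue MAC
    ]
    watcher = ArpWatcher()
    for frame in frames:
        watcher.observe(parse_arp(frame))
    return watcher.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The "changed" alert is the one arpwatch would mail out; the "unsolicited reply" alert is cheaper to raise but noisier in practice, because some stacks send gratuitous ARP on startup and after address changes.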


DNS-Spoofing


Web/URL-Spoofing