Spoofing Seminar


  • 8/12/2019 Spoofing Seminar


    Spoofing Introduction

    1. INTRODUCTION

    What Is Spoofing?

    Spoofing means pretending to be something you are not. In Internet terms it means pretending
    to be a different Internet address from the one you really have in order to gain something.
    Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web.

    Web Spoofing is a security attack that allows an adversary to observe and modify all web
    pages sent to the victim's machine, and observe all information entered into forms by the
    victim. Web Spoofing works on both of the major browsers and is not prevented by "secure"
    connections. The attacker can observe and modify all web pages and form submissions, even
    when the browser's "secure connection" indicator is lit. The user sees no indication that
    anything is wrong.

    Spoofing Attacks

    In a spoofing attack, the attacker creates misleading context in order to trick the victim
    into making an inappropriate security-relevant decision. A spoofing attack is like a con
    game: the attacker sets up a false but convincing world around the victim. The victim does
    something that would be appropriate if the false world were real. Unfortunately, activities
    that seem reasonable in the false world may have disastrous effects in the real world.

    Spoofing attacks are possible in the physical world as well as the electronic one.

    Security-relevant Decisions

    By "security-relevant decision," we mean any decision a person makes that might lead to
    undesirable results such as a breach of privacy or unauthorized tampering with data.
    Deciding to divulge sensitive information, for example by typing in a password or account
    number, is one example of a security-relevant decision. Choosing to accept a downloaded
    document is a security-relevant decision, since in many cases a downloaded document is
    capable of containing malicious elements that harm the person receiving the document.

    +I! aipur Page 1


    Examples of spoofing:

    man-in-the-middle

    sniffs packets on the link between the two end points, and can therefore pretend to be one
    end of the connection

    routing redirect

    redirects routing information from the original host to the hacker's host (this is another
    form of man-in-the-middle attack).

    source routing

    redirects individual packets through the hacker's host

    blind spoofing

    predicts responses from a host, allowing commands to be sent, but can't get immediate
    feedback.

    flooding

    SYN flood fills up the receive queue from random source addresses; smurf/fraggle spoofs the
    victim's address, causing everyone to respond to the victim.

    Types Of Spoofing

    IP Spoof

    E-mail Spoof

    Web Spoofing

    Non Technical Spoof


    2. Web Spoofing

    Web Spoofing

    Web spoofing is a kind of electronic con game in which the attacker creates a convincing
    but false copy of the entire World Wide Web. The false Web looks just like the real one: it
    has all the same pages and links. However, the attacker controls the false Web, so that all
    network traffic between the victim's browser and the Web goes through the attacker.

    Pretending to be a legitimate site

    Attacker creates convincing but false copy of the site

    Stealing personal information such as login ID, password, credit card, bank account, and
    much more. aka Phishing attack

    False Web looks and feels like the real one

    Attacker controls the false web by surveillance

    Modifying integrity of the data from the victims


    Example Of Web Spoofing


    Consequences--

    Surveillance: The attacker can passively watch the traffic, recording which pages the
    victim visits and the contents of those pages. When the victim fills out a form, the entered
    data is transmitted to a Web server, so the attacker can record that too, along with the
    response sent back by the server.

    Tampering: The attacker is also free to modify any of the data traveling in either direction
    between the victim and the Web. The attacker can modify form data submitted by the victim.
    For example, if the victim is ordering a product on-line, the attacker can change the
    product number, the quantity, or the ship-to address.

    Spoofing the Whole Web

    You may think it is difficult for the attacker to spoof the entire World Wide Web, but it is
    not. The attacker need not store the entire contents of the Web. The whole Web is available
    on-line; the attacker's server can just fetch a page from the real Web when it needs to
    provide a copy of the page on the false Web.

    How the Attack Works

    The key to this attack is for the attacker's Web server to sit between the victim and the
    rest of the Web. This kind of arrangement is called a "man in the middle attack" in the
    security literature.

    Figure 1: An example Web transaction during a Web spoofing attack.

    The victim requests a Web page. The following steps occur:

    The victim's browser requests the page from the attacker's server

    The attacker's server requests the page from the real server

    The real server provides the page to the attacker's server

    The attacker's server rewrites the page

    The attacker's server provides the rewritten version to the victim.

    "Secure" connections don't help

    One distressing property of this attack is that it works even when the victim requests a
    page via a "secure" connection. If the victim does a "secure" Web access (a Web access using
    the Secure Sockets Layer) in a false Web, everything will appear normal: the page will be
    delivered, and the secure connection indicator (usually an image of a lock or key) will be
    turned on. The connection really is secure, but it is a secure connection to the attacker's
    server rather than to the site the victim intended to reach.

    Starting the Attack

    To start an attack, the attacker must somehow lure the victim into the attacker's false Web.
    There are several ways to do this. An attacker could put a link to a false Web onto a
    popular Web page. If the victim is using Web-enabled email, the attacker could email the
    victim a pointer to a false Web, or even the contents of a page in a false Web. Finally, the
    attacker could trick a Web search engine into indexing part of a false Web.

    Completing the Illusion

    The attack as described thus far is fairly effective, but it is not perfect. There is still
    some remaining context that can give the victim clues that the attack is going on. However,
    it is possible for the attacker to eliminate virtually all of the remaining clues of the
    attack's existence.

    Such evidence is not too hard to eliminate because browsers are very customizable. The
    ability of a Web page to control browser behavior is often desirable, but when the page is
    hostile it can be dangerous.

    The Status Line

    The status line is a single line of text at the bottom of the browser window that displays
    various messages, typically about the status of pending Web transfers.

    The Location Line

    The browser's location line displays the U


    that evidence of that location will almost certainly be available after an attack is
    detected. Unfortunately, this will not help much in practice because attackers will break
    into the machine of some innocent person and launch the attack there. Stolen machines will
    be used in these attacks for the same reason most bank robbers make their getaways in stolen
    cars.


    3. IP Spoofing

    What is IP Spoofing

    An IP (Internet Protocol) address is the address that reveals the identity of your Internet
    service provider and your personal Internet connection. The address can be viewed during
    Internet browsing and in all of your correspondences that you send.

    IP spoofing hides your IP address by creating IP packets that contain bogus IP addresses in
    an effort to impersonate other connections and hide your identity when you send information.
    IP spoofing is a common method that is used by spammers and scammers to mislead others on
    the origin of the information they send.

    IP spoofing is the creation of IP packets with a forged source address. Its purpose is to
    conceal the identity of the sender or to impersonate another computing system.

    Some upper layer protocols provide their own defense against IP spoofing. For example, TCP
    uses sequence numbers negotiated with the remote machine to ensure that the arriving packets
    are part of an established connection. Since the attacker normally can't see any reply
    packets, he has to guess the sequence number in order to hijack the connection.

    How IP Spoofing Works

    The Internet Protocol or IP is used for sending and receiving data over the Internet and
    computers that are connected to a network. Each packet of information that is sent is
    identified by the IP address which reveals the source of the information.

    When IP spoofing is used the information that is revealed on the source of the data is not
    the real source of the information. Instead the source contains a bogus IP address that
    makes the information packet look like it was sent by the person with that IP address. If
    you try to respond to the information, it will be sent to a bogus IP address unless the
    hacker decides to redirect the information to a real IP address.

    Why IP Spoofing is Used

    IP spoofing is used to commit criminal activity online and to breach network security.
    Hackers use IP spoofing so they do not get caught spamming and to perpetrate denial of
    service attacks. These are attacks that involve massive amounts of information being sent to
    computers over a network in an effort to crash the entire network. The hacker does not get
    caught because the origin of the messages cannot be determined due to the bogus IP address.

    IP spoofing is also used by hackers to breach network security measures by using a bogus IP
    address that mirrors one of the addresses on the network. This eliminates the need for the
    hacker to provide a user name and password to log onto the network.

    Brief History of IP Spoofing

    The concept of IP spoofing was initially discussed in academic circles in the 1980's. In
    the April 1989 article entitled "Security Problems in the TCP/IP Protocol Suite", author
    S. M. Bellovin of AT&T Bell Labs was among the first to identify IP spoofing as a real risk
    to computer networks. Bellovin describes how


    misdirected, meaning you cannot create a normal network connection. However, IP spoofing is
    an integral part of many network attacks that do not need to see responses (blind spoofing).

    Example of IP spoofing--


    Applications of IP spoofing

    Many other attacks rely on IP spoofing mechanism to launch an attack, for example SMU


    There are a few variations on the types of attacks that successfully employ IP spoofing.
    Although some are relatively dated, others are very pertinent to current security concerns.

    Non-Blind Spoofing

    This type of attack takes place when the attacker is on the same subnet as the victim. The
    sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of
    calculating them accurately. The biggest threat of spoofing in this instance would be
    session hijacking. This is accomplished by corrupting the data stream of an established
    connection, then re-establishing it based on correct sequence and acknowledgement numbers
    with the attack machine. Using this technique, an attacker could effectively bypass any
    authentication measures taken place to build the connection.

    Blind Spoofing

    This is a more sophisticated attack, because the sequence and acknowledgement numbers are
    unreachable. In order to circumvent this, several packets are sent to the target machine in
    order to sample sequence numbers. While not the case today, machines in the past used basic
    techniques for generating sequence numbers. It was relatively easy to discover the exact
    formula by studying packets and TCP sessions. Today, most OSs implement random sequence
    number generation, making it difficult to predict them accurately. If, however, the sequence
    number was compromised, data could be sent to the target. Several years ago, many machines
    used host-based authentication services (i.e.


    IP spoofing is almost always used in what is currently one of the most difficult attacks to
    defend against: denial of service attacks, or DoS. Since crackers are concerned only with
    consuming bandwidth and resources, they need not worry about properly completing handshakes
    and transactions.


    ADVANTAGES

    Multiple Servers :

    Sometimes you want to change where packets heading into your network will go. Frequently
    this is because you have only one IP address, but you want people to be able to get into the
    boxes behind the one with the 'real' IP address.

    Transparent Proxying :

    Sometimes you want to pretend that each packet which passes through your Linux box is
    destined for a program on the Linux box itself. This is used to make transparent proxies: a
    proxy is a program which stands between your network and the outside world, shuffling
    communication between the two. The transparent part is because your network won't even know
    it's talking to a proxy, unless of course, the proxy doesn't work.

    DISADVANTAGES

    Blind to Replies

    A drawback to IP source address spoofing is that reply packets will go back to the spoofed
    IP address rather than to the attacker. This is fine for many types of attack packet.
    However, in the scanning attack, as we will see next, the attacker may need to see replies.
    In such cases, the attacker cannot use IP address spoofing.

    Serial attack platforms :

    However, the attacker can still maintain anonymity by taking over a chain of attack hosts.
    The attacker attacks the target victim using a point host, the last host in the attack
    chain. Even if authorities learn the point host's identity, they might not be able to track
    the attack through the chain of attack hosts all the way back to the attacker's base host.


    Prevention --

    1. Use authentication based on key exchange between the machines on your network; something
       like IPsec will significantly cut down on the risk of spoofing.

    2. Use an access control list to deny private IP addresses on your downstream interface.

    3. Implement filtering of both inbound and outbound traffic.

    4. Configure your routers and switches, if they support such configuration, to reject
       packets originating from outside your local network that claim to originate from within.

    5. Enable encryption sessions on your router so that trusted hosts that are outside your
       network can securely communicate with your local hosts.
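Prevention items 2 to 4 amount to source-address checks at the network border. The Python sketch below is an added example, not part of the original seminar; the interface names, the internal prefix 198.51.100.0/24 and the sample packets are assumptions made for illustration.

```python
import ipaddress

# Assumed for this example: the site's own prefix behind the border router.
# Documentation ranges (TEST-NET) stand in for real addresses throughout.
INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Sources that can never be legitimate on packets arriving from the Internet.
NEVER_FROM_OUTSIDE = [(ipaddress.ip_network(n), why) for n, why in (
    ("10.0.0.0/8", "private"), ("172.16.0.0/12", "private"),
    ("192.168.0.0/16", "private"), ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"), ("224.0.0.0/4", "multicast"),
)]

def filter_packet(arrival_iface, src):
    """Return (action, reason) for a packet with source `src` seen on an interface."""
    addr = ipaddress.ip_address(src)
    is_internal = any(addr in net for net in INTERNAL_NETS)
    if arrival_iface == "external":            # inbound (ingress) filtering
        if is_internal:                        # item 4: outside claims to be inside
            return "deny", "outside packet claims an internal source"
        for net, why in NEVER_FROM_OUTSIDE:    # item 2: private and similar ranges
            if addr in net:
                return "deny", f"{why} source address from outside"
        return "permit", "plausible external source"
    if arrival_iface == "internal":            # outbound (egress) filtering, item 3
        if is_internal:
            return "permit", "source is inside our prefix"
        return "deny", "internal host is sending with a source we do not own"
    raise ValueError(f"unknown interface: {arrival_iface}")

# Constructed sample traffic: (arrival interface, claimed source address)
SAMPLE = [
    ("external", "203.0.113.9"),    # ordinary Internet host
    ("external", "198.51.100.7"),   # spoofed: pretends to be one of ours
    ("external", "192.168.1.20"),   # private range arriving from outside
    ("external", "10.1.2.3"),       # private range arriving from outside
    ("internal", "198.51.100.7"),   # our host, honest source
    ("internal", "203.0.113.9"),    # our host forging someone else's address
]

def decisions(packets=SAMPLE):
    """Actions only, in order, for a list of (interface, source) pairs."""
    return [filter_packet(iface, src)[0] for iface, src in packets]

if __name__ == "__main__":
    for iface, src in SAMPLE:
        action, reason = filter_packet(iface, src)
        print(f"{iface:8} {src:15} {action:6} {reason}")
```

The outbound branch is what keeps a compromised internal machine from being used as the source of spoofed traffic against others.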


    4. E Mail Spoofing

    Definition :

    E-mail spoofing is the forgery of an e-mail header so that the message appears to have
    originated from someone or somewhere other than the actual source.

    Email spoofing is the creation of email messages with a forged sender address, something
    which is simple to do because the core protocols do no authentication. Spam and phishing
    emails typically use such spoofing to mislead the recipient about the origin of the message.

    A number of measures to address spoofing are available including: SPF, Sender ID, DKIM, and
    DMARC,

    60% of consumer mailboxes worldwide use DMA

    From: Joe Q Doe <joeqdoe@example.com> - the address visible to the recipient; but again, by
    default no checks are done that the sending system is authorized to send on behalf of that
    address.

    Reply-to: Jane
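Because nothing in the core protocols ties the visible From: address to the sending system, a receiver has to compare it against the other sender fields and against the SPF, DKIM and DMARC verdicts its own mail server recorded. The Python triage below is an added example, not from the original seminar; the authserv name mx.example.net and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: name of our own receiving MTA

def domain_of(value):
    """Lower-cased domain of the address in a header value, '' if absent."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_verdicts(msg):
    """spf/dkim/dmarc results, read only from headers our own MTA added."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can insert this header too, so ignore foreign ones
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def spoof_indicators(raw):
    """Return the reasons to distrust the visible From: address (empty if none)."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:  # strict match: subdomains are flagged as well
            findings.append(f"{header} domain {dom} != From domain {from_dom}")
    verdicts = auth_verdicts(msg)
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method, "missing")
        if result != "pass":
            findings.append(f"{method}={result}")
    return findings

# Constructed sample messages; only the headers matter for this check.
LEGIT = (
    "Return-Path: <joeqdoe@example.com>\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "From: Joe Q Doe <joeqdoe@example.com>\n"
    "Subject: Minutes\n\nSee attached.\n"
)
FORGED = (
    "Return-Path: <bounce@mailer.example.org>\n"
    "Authentication-Results: mx.example.net; spf=pass"
    " smtp.mailfrom=mailer.example.org; dkim=none; dmarc=fail header.from=example.com\n"
    "From: Joe Q Doe <joeqdoe@example.com>\n"
    "Reply-To: <billing@example.org>\n"
    "Subject: Invoice\n\nPlease pay.\n"
)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("forged", FORGED)):
        print(name, spoof_indicators(raw))
```

In the forged sample SPF passes, because SPF only vouches for the envelope domain; the mismatch with the From: domain and the DMARC failure are what expose the forgery.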


    Example of Email spoofing--

    Prevention ---

    Don't click links in emails; instead always copy and paste, or even better manually type
    the U


    5. Non Technical Spoofing

    These non-computer based techniques are commonly referred to as social engineering. This
    can be as simple as the attacker calling someone on the phone saying that he is a certain
    person.

    Example Of non technical spoofing--

    Why does Non-Technical Spoof Work?--

    The main reason is that it exploits attributes of human behavior: trust is good and people
    love to talk. Most people assume that if someone is nice and pleasant, he must be honest. If
    an attacker can sound sincere and listen, you would be amazed at what people will tell him.


    6. Laws And Punishment

    Cyber crimes can involve criminal activities that are traditional in nature, such as theft,
    fraud, forgery, defamation and mischief, all of which are subject to the Indian Penal Code.
    The abuse of computers has also given birth to a gamut of new age crimes that are addressed
    by the Information Technology Act, 2000.

    We can categorize Cyber crimes in two ways--

    The Computer as a Target :- using a computer to attack other computers.

    e.g. Hacking, Virus/Worm attacks, DOS attack etc.

    The computer as a weapon :- using a computer to commit real world crimes.

    e.g. Cyber Terrorism, IPR violations, Credit card frauds, EFT frauds, Pornography etc.

    Cyber Crime is regulated by Cyber Laws or Internet Laws.

    Law And Punishment For Spoofing--

    Under the Information Technology (Amendment) Act, 2008, Section 66-D, and Section 417, 419 &
    465 of the Indian Penal Code, 1860 are also applicable. Spoofing offence is cognizable,
    bailable, compoundable with permission of the court before which the prosecution of such
    offence is pending and triable by any magistrate.
