The term "spoofing" is generally regarded as slang, but refers to the act of fooling -- that is, presenting a false truth in a credible way. There are several different types of spoofing that occur, but most relevant to networking is the IP spoof. Most types of spoofing have a common theme: a nefarious user transmits packets with an IP address, indicating that the packets are originating from another trusted machine.
The first step in spoofing is determining the IP address of a host the intended target trusts. After that, the attacker can change the headers of packets to make it seem like the transmissions are originating from the trusted machine.
What sorts of attacks are launched through IP spoofing? To name a few:
- Blind spoofing:
In this type of attack, a cracker outside the perimeter of the local
network transmits multiple packets to his intended target to receive a
series of sequence numbers, which are generally used to assemble packets
in the order in which they were intended -- Packet 1 is to be read
first, then Packet 2, 3 and so on. The cracker is blind to how
transmissions take place on this network, so he needs to coax the
machine into responding to his own requests so he can analyze the
sequence numbers.
By taking advantage of knowing the sequence number, the cracker can falsify his identity by injecting data into the stream of packets without having to have authenticated himself when the connection was first established. (Generally, current operating systems employ random sequence number generation, so it's more difficult for crackers to predict the correct sequence number.)
- Nonblind spoofing:
In this type of attack, the cracker resides on the same subnet as his
intended target, so by sniffing the wire for existing transmissions, he
can understand an entire sequence/acknowledge cycle between his target
and other hosts (hence the cracker isn't "blind" to the sequence
numbers). Once the sequence is known, the attacker can hijack
sessions that have already been built by disguising himself as another
machine, bypassing any sort of authentication that was previously
conducted on that connection.
- Denial-of-service attack:
To keep a large-scale attack on a machine or group of machines from
being detected, spoofing is often used by the malefactors responsible
for the event to disguise the source of the attacks and make it
difficult to shut it off. Spoofing takes on a whole new level of
severity when multiple hosts are sending constant streams of packet to
the DoS target. In that case, all the transmissions are generally
spoofed, making it very difficult to track down the sources of the
storm.
- Man-in-the-middle attack:
Imagine two hosts participating in normal transmissions between each
other. In a man-in-the-middle attack, a malicious machine intercepts the
packets sent between these machines, alters the packets and then sends
them on to the intended destination, with the originating and receiving
machines unaware their communications have been tampered with; this is
where the spoofing element enters the equation. Typically, this type
of attack is used to get targets to reveal secure information and
continue such transmissions for a period of time, all the while unaware
that the machine in the middle of the transmission is eavesdropping the
whole time.
Spoofing, while mostly negative, has some more or less legitimate applications. Satellite Internet access is one. Packets going to orbit and coming back have a relatively long latency, and there are a lot of protocols in common use that don't take well to this delay.
Satellite providers may spoof these protocols, including IP, so that each end of a packet flow receives acknowledgment packets without much delay.
Also, since VPN applications are particularly prone to problems with latency, special software from these providers generally performs more "accepted" spoofing.
But the bad kind of spoofing can be controlled. There are five things, among others, that you can do to help prevent IP spoofing and its related attacks from affecting your network:
- Use authentication based on key exchange between
the machines on your network; something like IPsec will significantly
cut down on the risk of spoofing.
- Use an access control list to deny private IP addresses on your downstream interface.
- Implement filtering of both inbound and outbound traffic.
- Configure
your routers and switches if they support such configuration, to reject
packets originating from outside your local network that claim to
originate from within.
- Enable encryption sessions on your router so that trusted hosts that are outside your network can securely communicate with your local hosts.
0 comments:
Post a Comment