8/12/2019 Spoofing Seminar
1/21
Spoofing Introduction
1. INTRODUCTION
What Is Spoofing?
Spoofing means pretending to be something you are not. In Internet terms it means
pretending to be a different Internet address from the one you really have in order to gain
something. Web spoofing allows an attacker to create a "shadow copy" of the entire World
Wide Web.
Web Spoofing is a security attack that allows an adversary to observe and modify all web
pages sent to the victim's machine, and observe all information entered into forms by the
victim. Web Spoofing works on both of the major browsers and is not prevented by
"secure" connections. The attacker can observe and modify all web pages and form
submissions, even when the browser's "secure connection" indicator is lit. The user sees no
indication that anything is wrong.
Spoofing Attacks
In a spoofing attack, the attacker creates misleading context in order to trick the victim into
making an inappropriate security-relevant decision. A spoofing attack is like a con game:
the attacker sets up a false but convincing world around the victim. The victim does
something that would be appropriate if the false world were real. Unfortunately, activities
that seem reasonable in the false world may have disastrous effects in the real world.
Spoofing attacks are possible in the physical world as well as the electronic one.
Security-relevant Decisions
By "security-relevant decision," we mean any decision a person makes that might lead to
undesirable results such as a breach of privacy or unauthorized tampering with data.
Deciding to divulge sensitive information, for example by typing in a password or account
number, is one example of a security-relevant decision. Choosing to accept a downloaded
document is a security-relevant decision, since in many cases a downloaded document is
capable of containing malicious elements that harm the person receiving the document.
+I! aipur Page 1
Examples of spoofing:
man-in-the-middle
packet sniffs on link between the two end points, and can therefore pretend to be one end
of the connection
routing redirect
redirects routing information from the original host to the hacker's host (this is another
form of man-in-the-middle attack).
source routing
redirects individual packets by the hacker's host
blind spoofing
predicts responses from a host, allowing commands to be sent, but can't get immediate
feedback.
flooding
SYN flood fills up receive queue from random source addresses; smurf/fraggle spoofs
victim's address, causing everyone to respond to the victim.
Types Of Spoofing
IP Spoof
E-mail Spoof
Web Spoofing
Non Technical Spoof
2. Web Spoofing
Web Spoofing
Web spoofing is a kind of electronic con game in which the attacker creates a convincing
but false copy of the entire World Wide Web. The false Web looks just like the real one: it
has all the same pages and links. However, the attacker controls the false Web, so that all
network traffic between the victim's browser and the Web goes through the attacker.
Pretending to be a legitimate site
Attacker creates convincing but false copy of the site
Stealing personal information such as login ID, password, credit card, bank account, and much more, aka Phishing attack
False Web looks and feels like the real one
Attacker controls the false web by surveillance
Modifying integrity of the data from the victims
Example Of Web Spoofing
Consequences--
Surveillance: The attacker can passively watch the traffic, recording which pages the
victim visits and the contents of those pages. When the victim fills out a form, the entered
data is transmitted to a Web server, so the attacker can record that too, along with the
response sent back by the server.
Tampering: The attacker is also free to modify any of the data traveling in either direction
between the victim and the Web. The attacker can modify form data submitted by the
victim. For example, if the victim is ordering a product on-line, the attacker can change the
product number, the quantity, or the ship-to address.
Spoofing the Whole Web
You may think it is difficult for the attacker to spoof the entire World Wide Web, but it is
not. The attacker need not store the entire contents of the Web. The whole Web is available
on-line; the attacker's server can just fetch a page from the real Web when it needs to
provide a copy of the page on the false Web.
How the Attack Works
The key to this attack is for the attacker's Web server to sit between the victim and the rest
of the Web. This kind of arrangement is called a "man in the middle attack" in the security
literature.
Figure 1: An example Web transaction during a Web spoofing attack.
The victim requests a Web page. The following steps occur:
1. The victim's browser requests the page from the attacker's server
2. The attacker's server requests the page from the real server
3. The real server provides the page to the attacker's server
4. The attacker's server rewrites the page
5. The attacker's server provides the rewritten version to the victim.
"Secure" connections don't help
One distressing property of this attack is that it works even when the victim requests a page
via a "secure" connection. If the victim does a "secure" Web access (a Web access using
the Secure Sockets Layer) in a false Web, everything will appear normal: the page will be
delivered, and the secure connection indicator (usually an image of a lock or key) will be
turned on.
Starting the Attack
To start an attack, the attacker must somehow lure the victim into the attacker's false Web.
There are several ways to do this. An attacker could put a link to a false Web onto a
popular Web page. If the victim is using Web-enabled email, the attacker could email the
victim a pointer to a false Web, or even the contents of a page in a false Web. Finally, the
attacker could trick a Web search engine into indexing part of a false Web.
Completing the Illusion
The attack as described thus far is fairly effective, but it is not perfect. There is still some
remaining context that can give the victim clues that the attack is going on. However, it is
possible for the attacker to eliminate virtually all of the remaining clues of the attack's
existence.
Such evidence is not too hard to eliminate because browsers are very customizable. The
ability of a Web page to control browser behavior is often desirable, but when the page is
hostile it can be dangerous.
The Status Line
The status line is a single line of text at the bottom of the browser window that displays
various messages, typically about the status of pending Web transfers.
The Location Line
The browser's location line displays the URL
that evidence of that location will almost certainly be available after an attack is detected.
Unfortunately, this will not help much in practice because attackers will break into the
machine of some innocent person and launch the attack there. Stolen machines will be used
in these attacks for the same reason most bank robbers make their getaways in stolen cars.
3. IP Spoofing
What is IP Spoofing
An IP (Internet Protocol) address is the address that reveals the identity of your
Internet service provider and your personal Internet connection. The address can
be viewed during Internet browsing and in all of your correspondences that you
send.
IP spoofing hides your IP address by creating IP packets that contain bogus IP
addresses in an effort to impersonate other connections and hide your identity
when you send information. IP spoofing is a common method that is used by
spammers and scammers to mislead others on the origin of the information they
send.
IP spoofing is the creation of IP packets with a forged source address. Its purpose is to
conceal the identity of the sender or to impersonate another computing system.
Some upper layer protocols provide their own defense against IP spoofing.
For example, TCP uses sequence numbers negotiated with the remote machine to
ensure that the arriving packets are part of an established connection. Since the
attacker normally can't see any reply packets, he has to guess the sequence number
in order to hijack the connection.
How IP Spoofing Works
The Internet Protocol or IP is used for sending and receiving data over the Internet and
computers that are connected to a network. Each packet of information that is sent is
identified by the IP address which reveals the source of the information.
When IP spoofing is used the information that is revealed on the source of the data is not the
real source of the information. Instead the source contains a bogus IP address that makes the
information packet look like it was sent by the person with that IP address. If you try to
respond to the information, it will be sent to a bogus IP address unless the hacker decides to
redirect the information to a real IP address.
Why IP Spoofing is Used
IP spoofing is used to commit criminal activity online and to breach network security.
Hackers use IP spoofing so they do not get caught spamming and to perpetrate denial of
service attacks. These are attacks that involve massive amounts of information being sent to
computers over a network in an effort to crash the entire network. The hacker does not get
caught because the origin of the messages cannot be determined due to the bogus IP
address.
IP spoofing is also used by hackers to breach network security measures by using a bogus
IP address that mirrors one of the addresses on the network. This eliminates the need for the
hacker to provide a user name and password to log onto the network.
Brief History of IP Spoofing
The concept of IP spoofing was initially discussed in academic circles in the 1980's.
In the April 1989 article entitled "Security Problems in the TCP/IP Protocol Suite", author S.
M Bellovin of AT&T Bell labs was among the first to identify IP spoofing as a real risk to
computer networks. Bellovin describes how
misdirected, meaning you cannot create a normal network connection. However, IP
spoofing is an integral part of many network attacks that do not need to see responses (blind
spoofing).
Example of IP spoofing--
Applications of IP spoofing
Many other attacks rely on the IP spoofing mechanism to launch an attack, for example
SMURF
There are a few variations on the types of attacks that successfully employ IP spoofing.
Although some are relatively dated, others are very pertinent to current security concerns.
Non-Blind Spoofing
This type of attack takes place when the attacker is on the same subnet as the victim. The
sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty
of calculating them accurately. The biggest threat of spoofing in this instance would be
session hijacking. This is accomplished by corrupting the data stream of an established
connection, then re-establishing it based on correct sequence and acknowledgement
numbers with the attack machine. Using this technique, an attacker could effectively bypass
any authentication measures taken place to build the connection.
Blind Spoofing
This is a more sophisticated attack, because the sequence and acknowledgement numbers
are unreachable. In order to circumvent this, several packets are sent to the target machine
in order to sample sequence numbers. While not the case today, machines in the past used
basic techniques for generating sequence numbers. It was relatively easy to discover the
exact formula by studying packets and TCP sessions. Today, most OSs implement random
sequence number generation, making it difficult to predict them accurately. If, however, the
sequence number was compromised, data could be sent to the target. Several years ago,
many machines used host-based authentication services (i.e.
IP spoofing is almost always used in what is currently one of the most difficult attacks to
defend against: denial of service attacks, or DoS. Since crackers are concerned only with
consuming bandwidth and resources, they need not worry about properly completing
handshakes and transactions.
ADVANTAGES
Multiple Servers:
Sometimes you want to change where packets heading into your network will go.
Frequently this is because you have only one IP address, but you want people to be able
to get into the boxes behind the one with the 'real' IP address.
Transparent Proxying:
Sometimes you want to pretend that each packet which passes through your Linux box is
destined for a program on the Linux box itself. This is used to make transparent proxies:
a proxy is a program which stands between your network and the outside world,
shuffling communication between the two. The transparent part is because your network
won't even know it's talking to a proxy, unless of course, the proxy doesn't work.
DISADVANTAGES
Blind to Replies
A drawback to IP source address spoofing is that reply packets will go back to the
spoofed IP address rather than to the attacker. This is fine for many types of attack packet.
However, in the scanning attack, as we will see next, the attacker may need to see replies.
In such cases, the attacker cannot use IP address spoofing.
Serial attack platforms:
However, the attacker can still maintain anonymity by taking over a chain of attack
hosts. The attacker attacks the target victim using a point host, the last host in the attack
chain. Even if authorities learn the point host's identity, they might not be able to track
the attack through the chain of attack hosts all the way back to the attacker's base host.
Prevention --
1. Use authentication based on key exchange between the machines on your
network; something like IPsec will significantly cut down on the risk of spoofing.
2. Use an access control list to deny private IP addresses on your downstream
interface.
3. Implement filtering of both inbound and outbound traffic.
4. Configure your routers and switches, if they support such configuration, to reject
packets originating from outside your local network that claim to originate from
within.
5. Enable encryption sessions on your router so that trusted hosts that are outside
your network can securely communicate with your local hosts.
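The filtering rules in the prevention list above can be written as one decision function. This is an added example, not part of the original seminar text; the local prefix, the interface names "outside" and "inside", and the sample addresses are assumptions constructed for the illustration.

```python
import ipaddress

# Assumption for this sketch: the local network is a single prefix
# (an RFC 5737 documentation range, constructed for the example).
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")

# Private and reserved ranges that should never appear as a source
# address on the interface facing the outside world.
PRIVATE_OR_RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def check_source(interface, src):
    """Return (verdict, reason) for a packet seen on 'outside' or 'inside'."""
    addr = ipaddress.ip_address(src)
    if interface == "outside":
        # Reject packets from outside that claim to originate from within.
        if addr in LOCAL_NET:
            return "drop", "outside packet claims a local source"
        # Access-control-list rule: deny private (and reserved) sources.
        if any(addr in net for net in PRIVATE_OR_RESERVED):
            return "drop", "private or reserved source address"
        return "accept", "plausible external source"
    if interface == "inside":
        # Outbound filtering: only let out sources that belong to us,
        # so local hosts cannot emit spoofed packets either.
        if addr not in LOCAL_NET:
            return "drop", "outbound packet with a source we do not own"
        return "accept", "source belongs to the local network"
    raise ValueError(f"unknown interface: {interface!r}")


# Constructed sample traffic: (interface, source address).
SAMPLES = [
    ("outside", "198.51.100.9"),
    ("outside", "203.0.113.7"),
    ("outside", "10.1.2.3"),
    ("inside", "203.0.113.20"),
    ("inside", "198.51.100.9"),
]


def run_samples():
    """Apply the filter to every constructed sample packet."""
    return [(i, s) + check_source(i, s) for i, s in SAMPLES]


if __name__ == "__main__":
    for interface, src, verdict, reason in run_samples():
        print(f"{interface:8} {src:15} {verdict:6} {reason}")
```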
4. E-Mail Spoofing
Definition:
E-mail spoofing is the forgery of an e-mail header so that the message appears to
have originated from someone or somewhere other than the actual source.
Email spoofing is the creation of email messages with a forged sender address -
something which is simple to do because the core protocols do
no authentication. Spam and phishing emails typically use such spoofing to mislead
the recipient about the origin of the message.
A number of measures to address spoofing are available including: SPF, Sender
ID, DKIM, and DMARC.
60% of consumer mailboxes worldwide use DMARC
From: Joe Q Doe <joeqdoe@example.com> - the address visible to the recipient;
but again, by default no checks are done that the sending system is authorized to
send on behalf of that address.
Reply-to: Jane
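Because the visible From address is not checked by default, a receiving side has to compare it against the other headers and the recorded SPF, DKIM and DMARC results. The following is an added example, not part of the original seminar text; the message, its addresses other than the From line, and the mail server names are constructed, and exact domain matching is a simplification assumed for the sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; only the From line comes from the text above.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: Joe Q Doe <joeqdoe@example.com>
Reply-To: Support <support@example.net>
Subject: constructed sample

body
"""


def domain_of(header_value):
    """Extract the lower-cased domain from an address header ('' if absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def review_headers(raw):
    """Return a list of findings suggesting the From address may be forged."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []

    # The envelope sender and the reply address should belong to the
    # domain shown to the recipient (exact match: a simplification).
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")

    # Results recorded by the receiving server for each mechanism.
    auth = msg.get("Authentication-Results", "")
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            findings.append(f"{mech} result is {results.get(mech, 'missing')}")
    return findings


if __name__ == "__main__":
    for finding in review_headers(SAMPLE):
        print(finding)
```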
Example of Email spoofing--
Prevention ---
Don't click links in emails; instead always copy and paste, or even better manually
type the URL
5. Non Technical Spoofing
These non-computer based techniques are commonly referred to as social
engineering. This can be as simple as the attacker calling someone on the phone
saying that he is a certain person.
Example Of non technical spoofing--
Why Does Non-Technical Spoof Work?--
The main reason is that it exploits attributes of human behavior: trust is good and people
love to talk. Most people assume that if someone is nice and pleasant, he must be honest. If
an attacker can sound sincere and listen, you would be amazed at what people will tell him
6. Laws And Punishment
Cyber crimes can involve criminal activities that are traditional in nature, such as theft,
fraud, forgery, defamation and mischief, all of which are subject to the Indian Penal Code.
The abuse of computers has also given birth to a gamut of new age crimes that are
addressed by the Information Technology Act, 2000.
We can categorize Cyber crimes in two ways--
The Computer as a Target: using a computer to attack other computers.
e.g. Hacking, Virus/Worm attacks, DOS attack etc.
The computer as a weapon: using a computer to commit real world crimes.
e.g. Cyber Terrorism, IPR violations, Credit card frauds, EFT frauds, Pornography etc.
Cyber Crime regulated by Cyber Laws or Internet Laws.
Law And Punishment For Spoofing--
Under Information Technology (Amendment) Act, 2008, Section 66-D and Section 417,
419 & 465 of Indian Penal Code, 1860 also applicable. Spoofing offence is cognizable,
bailable, compoundable with permission of the court before which the prosecution of such
offence is pending and triable by any magistrate.