11.07.2024

What is IP spoofing? (IP SPOOFING). Defining Flamer Spoofing and the Scandalous Microsoft Certificate Spoofing

Spoofing is a type of network attack in which an attacker impersonates another party. The fraudster seeks to deceive the network or a specific user into trusting the source of the information.

The source of a spoofing attack misleads the user about the authenticity of the sender. Having established a trust relationship, the attacker influences the victim's behavior, for example to gain access to personal information.

How it works

The process of spoofing involves falsifying the source address in order to convince the remote system that it is receiving packets from a source other than the real one.

Classifications of spoofing attacks

Depending on the network protocol to which the attack vector is directed, several types of spoofing are distinguished: IP, DNS, ARP, MAC and GPS spoofing.

IP spoofing

It is the substitution of the source IP address in packets sent to the attacked server. The sent packet carries an address that the recipient trusts. As a result, the victim accepts the data the hacker wants it to receive.

This mechanism is usually used against the TCP and UDP protocols. You can reduce the likelihood of such an attack with network filters, which will not pass packets from known malicious interfaces. IP spoofing can be completely eliminated by comparing the sender's MAC and IP addresses.

This type of spoofing can also be useful: for example, to load-test a resource, hundreds of virtual users with false IP addresses are created.

DNS spoofing

The DNS spoofing mechanism is similar to the previous one, but the substitution occurs at the DNS protocol level.

ARP spoofing

ARP spoofing is the interception of traffic made possible by a weakness of the ARP protocol. Because requests and responses are not authenticated, ARP allows outgoing traffic to be redirected to the attacker's machine. As a result, the hacker obtains secret information (logins, passwords, credit card numbers, etc.). The popularity of this method is due to the large number of free spoofing programs that carry out the attack.

MAC spoofing

During MAC spoofing, a false or hidden MAC address is presented on the network to the router's input. It is used both to distribute malware and for peaceful purposes, for example to test server performance.

GPS spoofing

The purpose of GPS spoofing is to deceive a GPS receiver by transmitting a signal that is an order of magnitude stronger than the one transmitted by the satellite itself. The main area of application is the disorientation of military vehicles.

Depending on the method of implementation, the following types of spoofing are distinguished.

Non-blind spoofing

Possible if the attacker is on the same subnet as the victim. In that case the attacker can see all the necessary sequence and acknowledgment numbers. The session is hijacked by corrupting the data stream of the current connection and then re-establishing it using the existing sequence and acknowledgment numbers. This approach allows any authentication to be bypassed.

Blind spoofing

Being on a different subnet, the attacker has no access to the sequence and acknowledgment numbers. He disrupts the normal numbering order by sending several packets in succession to the victim's server; as a result, the disrupted numbers are sent to the target server. The required data is then planted in a new account on the victim, giving the hacker the access he needs.

Man-in-the-middle attack

An attacker intercepts communications between two friendly servers. By controlling the intercepted flow, the attacker can do anything with the information: delete it, modify it, or redirect it.

Areas of use

Spoofing attacks are used for the following purposes:

  • Referrer spoofing. A number of closed resources (paid sites, pornographic pages) grant access only to certain users. Entitlement to these pages is determined from the HTTP Referer header. During a spoofing attack this header can be changed, opening access to the hidden material.
  • Poisoning file-sharing pages. Copyright holders resort to this attack to corrupt copies of their content on file-hosting services and so prevent downloads from those sources.
  • Caller ID spoofing. The mechanism of this attack forms the basis of technologies that falsify the identifier of an outgoing call. As a result, the deceived subscriber sees false names and numbers. Telephone scammers often resort to this kind of deception, using fake IDs when making calls. Under these conditions Caller ID information is losing its former value, and legal control of telephone calls becomes significantly more difficult.
  • Voicemail spoofing. The technique allows the number of a voicemail call to be passed off as something other than the real one. It is usually used for unscrupulous purposes.
  • Email spoofing. Forging the sender information of email is popular among numerous spammers and causes the problem of bounced messages.
  • Denial of service (DoS). Implemented by flooding the victim's server with a huge number of packets in a short period of time. As a result, the target server cannot cope with the load, resulting in a denial of service.

How to fight spoofing

The main measures that minimize the possibility of such attacks are router filtering, encryption and authentication. Taking these precautions can significantly reduce the likelihood of spoofing and provide protection against it.

IP spoofing occurs when a hacker, inside or outside a corporation, impersonates an authorized user. This can be done in two ways: the hacker can use either an IP address that is within the range of authorized IP addresses, or an authorized external address that is allowed access to certain network resources. IP spoofing attacks are often the starting point for other attacks. A classic example is a DoS attack, which starts from someone else's address, hiding the hacker's true identity.

Typically, IP spoofing is limited to inserting false information or malicious commands into the normal flow of data between a client and server application or over a communication channel between peer devices. For two-way communication, the hacker must change all the routing tables to direct traffic to the false IP address. Some hackers, however, don't even try to get a response from the applications: if the main goal is to get an important file from the system, the application's responses don't matter.

If a hacker manages to change the routing tables and direct traffic to a false IP address, he will receive all packets and will be able to respond to them as if he were an authorized user.

The threat of spoofing can be mitigated (but not eliminated) by using the following measures.

  • Access control. The easiest way to prevent IP spoofing is to configure access control properly. To reduce the effectiveness of IP spoofing, configure access control to reject any traffic arriving from an external network with a source address that should be located inside your network. This helps against IP spoofing only when internal addresses alone are authorized; if some external network addresses are also authorized, this method becomes ineffective.
  • RFC 2827 filtering. You can stop users on your network from spoofing other people's networks (and become a good online citizen). To do this, reject any outgoing traffic whose source address is not one of your organization's IP addresses. This type of filtering, known as RFC 2827, can also be performed by your Internet Service Provider (ISP). As a result, all traffic that does not have a source address expected on a particular interface is rejected. For example, if the ISP provides a connection to the network 15.1.1.0/24, it can configure the filter on that interface so that only traffic with a source address in 15.1.1.0/24 is allowed into the ISP router. Note that until all providers implement this type of filtering, its effectiveness will be much lower than it could be. Additionally, the further away you are from the devices being filtered, the more difficult it is to filter accurately. For example, RFC 2827 filtering at the access router level has to pass all traffic from the main network address (10.0.0.0/8), while at the distribution level (in this architecture) traffic can be restricted more precisely (to 10.1.5.0/24).
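The three filtering rules just described (reject external traffic claiming an internal source, reject outgoing traffic not sourced from your own prefixes, and the ISP's per-interface check) as one small decision function. This is an added example, not code from the original article; it reuses the prefixes the text mentions (10.0.0.0/8, 10.1.5.0/24, 15.1.1.0/24), and the interface name and sample addresses are constructed.

```python
"""Source-address sanity checks in the spirit of RFC 2827 / BCP 38 (added example)."""
from ipaddress import ip_address, ip_network


class AntiSpoofFilter:
    """Decide whether a packet's source address is plausible for where it appeared.

    own_prefixes:       the address space the organisation legitimately sources traffic from
    interface_prefixes: ISP-style map of interface name -> prefixes routed to that interface
    """

    def __init__(self, own_prefixes, interface_prefixes=None):
        self.own = [ip_network(p) for p in own_prefixes]
        self.per_iface = {
            name: [ip_network(p) for p in nets]
            for name, nets in (interface_prefixes or {}).items()
        }

    @staticmethod
    def _in_any(addr, nets):
        return any(addr in net for net in nets)

    def ingress(self, src):
        """Traffic arriving from outside: drop if it claims one of our own addresses."""
        return "drop" if self._in_any(ip_address(src), self.own) else "accept"

    def egress(self, src):
        """Traffic leaving our network: drop anything not sourced from our own prefixes."""
        return "accept" if self._in_any(ip_address(src), self.own) else "drop"

    def on_interface(self, iface, src):
        """ISP-side check: only prefixes routed to an interface may appear as sources on it."""
        expected = self.per_iface.get(iface)
        if expected is None:
            return "accept"  # no expectation configured for this interface, so not filtered
        return "accept" if self._in_any(ip_address(src), expected) else "drop"


def filter_packets(flt, packets):
    """Run constructed packets through the filter; each packet is (direction_or_iface, src)."""
    decisions = []
    for where, src in packets:
        if where == "ingress":
            decisions.append(flt.ingress(src))
        elif where == "egress":
            decisions.append(flt.egress(src))
        else:
            decisions.append(flt.on_interface(where, src))
    return decisions


if __name__ == "__main__":
    # Enterprise edge: the whole 10.0.0.0/8 is ours (coarse, access-router-level filtering).
    edge = AntiSpoofFilter(["10.0.0.0/8"])
    # Distribution layer: only 10.1.5.0/24 sits behind this router, so it can filter more precisely.
    distribution = AntiSpoofFilter(["10.1.5.0/24"])
    # ISP router: the (constructed) customer interface is only expected to source 15.1.1.0/24.
    isp = AntiSpoofFilter([], {"customer-15": ["15.1.1.0/24"]})

    sample = [("ingress", "10.1.5.9"), ("ingress", "198.51.100.1"),
              ("egress", "10.1.5.9"), ("egress", "192.0.2.44")]
    print("edge:", filter_packets(edge, sample))              # drop, accept, accept, drop
    print("distribution:", filter_packets(distribution, [("egress", "10.1.6.1")]))  # drop
    print("isp:", filter_packets(isp, [("customer-15", "15.1.1.77"), ("customer-15", "15.2.0.1")]))
```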

The most effective method of combating IP spoofing is the same as in the case of packet sniffing: make the attack completely ineffective. IP spoofing can only work if authentication is based on IP addresses. Therefore, introducing additional authentication methods makes such attacks useless. The best type of additional authentication is cryptographic. If this is not possible, two-factor authentication using one-time passwords can give good results.

Description

For an attacker, the basic principle of the attack is to forge his own IP packets, changing, among other things, the source IP address. An IP spoofing attack is often called “blind spoofing”, because responses to the spoofed packets cannot reach the cracker's machine: the source address has been changed. However, there are still two methods of obtaining the answers:

  1. Source routing: the IP protocol has a source routing feature that allows the route for the response packets to be specified. This route is a set of IP addresses of the routers through which the packet must travel. It is enough for the cracker to supply a route that passes through a router under his control. Nowadays, most TCP/IP stack implementations discard source-routed packets;
  2. Re-routing: if a router uses RIP, its tables can be changed by sending it RIP packets with new routing information. In this way the cracker directs the packets to a router under his control.

How the attack is used

  1. the client sends a TCP packet with the SYN flag set, and also selects ISNc (the client's Initial Sequence Number, carried in the Sequence Number field).
  2. the server increments ISNc by one and sends it back (in the Acknowledgment Number field) along with its own ISNs (the server's Initial Sequence Number) and the SYN+ACK flags.
  3. the client responds with an ACK packet containing ISNs incremented by one.

Using IP spoofing, the cracker will not be able to see ISNs, since he will not receive the server's response. He needs ISNs in the third step, when he has to increment it by 1 and send it back. To establish a connection on behalf of someone else's IP, the attacker must guess ISNs. In older operating systems (OS) it was very easy to guess the ISN: it increased by one with each connection. Modern OSs use a mechanism that prevents ISN guessing. Modern services use a username and password for authentication and transmit data in encrypted form.

SYN flood

A type of DoS attack. The attacker sends SYN requests to the remote server with a spoofed sender address. The SYN+ACK response is sent to a non-existent address, so half-open connections accumulate in the connection queue, awaiting confirmation from the client. After a certain timeout these connections are dropped. The attack relies on the operating system's limited resources for half-open connections, a vulnerability described in 1996 by the CERT group: the queue for such connections was very short (for example, Solaris allowed no more than eight), and the connection timeout was quite long (3 minutes according to RFC 1122).
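The half-open queue is the resource the flood exhausts; SYN cookies (D. J. Bernstein's scheme, a mitigation the article does not mention) remove it by encoding the handshake state in the server's ISN and keeping nothing until the final ACK arrives. This is an added example, not code from the article; the secret, the MSS table, the one-minute counter granularity and the addresses are its own assumptions.

```python
"""SYN cookies: a stateless reply to the half-open-queue problem (added example)."""
import hashlib
import hmac
import struct

SECRET = b"constructed-server-secret"   # in practice random and periodically rotated
MSS_TABLE = [536, 1220, 1440, 1460]     # MSS values the 3-bit index can encode (assumption)


def _mac(src_ip, src_port, dst_ip, dst_port, minute, secret):
    """24-bit keyed hash of the 4-tuple and the (5-bit) time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{minute & 0x1F}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0xFFFFFF


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss, minute, secret=SECRET):
    """Server ISN for the SYN+ACK: 5 bits minute | 3 bits MSS index | 24 bits MAC.

    Nothing is stored per SYN, so a flood of spoofed SYNs cannot fill any queue.
    """
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(src_ip, src_port, dst_ip, dst_port, minute, secret)
    return ((minute & 0x1F) << 27) | (mss_idx << 24) | mac


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now_minute, secret=SECRET):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None if the
    cookie is forged or stale. A spoofed SYN never leads here: the SYN+ACK carrying the
    cookie went to the forged address, and no queue slot was waiting for the reply."""
    cookie = (ack_number - 1) & 0xFFFFFFFF          # the client acknowledges our ISN + 1
    age = (now_minute - (cookie >> 27)) & 0x1F
    if age > 1:                                     # older than about two minutes: reject
        return None
    minute = (now_minute - age) & 0x1F
    expected = _mac(src_ip, src_port, dst_ip, dst_port, minute, secret)
    got = struct.pack(">I", cookie & 0xFFFFFF)
    if not hmac.compare_digest(got, struct.pack(">I", expected)):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    server = ("198.51.100.10", 80)
    # Constructed burst of SYNs with forged sources: the server answers each with a cookie
    # and remembers none of them, so the "no more than eight" backlog cannot be exhausted.
    for i in range(1000):
        make_syn_cookie(f"203.0.113.{i % 254 + 1}", 40000 + i, *server, 1460, 5)
    # A real client completes the handshake within the validity window.
    isn = make_syn_cookie("192.0.2.10", 51000, *server, 1460, 5)
    print("MSS for legitimate client:", check_syn_cookie("192.0.2.10", 51000, *server, isn + 1, 5))
```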

DNS amplification

Another type of DoS attack. The attacking computer sends requests to a DNS server, giving the IP address of the attacked computer as the sender address. The DNS server's response is several tens of times larger than the request, which increases the likelihood of a successful DoS attack.

TCP hijacking

The only identifiers by which an end host can distinguish TCP peers and TCP connections are the Sequence Number and Acknowledgment Number fields. Knowing these fields and substituting the IP address of one of the peers for the packet's source address, the attacker can insert arbitrary data that will lead to a disconnection, an error condition, or the execution of some function for the attacker's benefit. The victim may not even notice these manipulations.

IP Address Based Authentication

This type of attack is most effective where there is a trust relationship between machines. For example, on some corporate networks internal systems trust each other, and users can log in without a username or password provided the user's machine is on the same local network. By spoofing a connection from a trusted machine, an attacker can gain access to the target machine without authentication. A famous example of a successful attack is

Cherkasov Denis Yurievich, student
Ivanov Vadim Vadimovich, student
Department of Computer and Information Security, Institute of Cybernetics, Moscow Institute of Radio Engineering, Electronics and Automation, Federal State Budget Educational Institution of Higher Education "Moscow Technological University", Moscow

IP spoofing

Criminals have long used tactics to disguise their identity, from hiding behind aliases to blocking caller ID. It is not surprising that criminals who carry out their nefarious activities on networks and computers use such methods too. IP spoofing is one of the most common forms of online camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or network by “spoofing” the IP address of a trusted computer, so that the malicious message appears to come from it. In this article we'll look at the concepts of IP spoofing: why it's possible, how it works, what it's used for, and how to protect against it.

History

The concept of IP spoofing was originally discussed in academic circles in the 1980s. At the time this was a theoretical debate, until Robert Morris, whose son wrote the first computer worm, discovered a security weakness in the TCP protocol. Stephen Bellovin took an in-depth look at the security vulnerabilities in the TCP/IP protocol suite. Kevin Mitnick's infamous attack on Tsutomu Shimomura's machine used IP spoofing techniques and TCP sequence number prediction. Although the popularity of such attacks has decreased, spoofing is still actively used.

Technical discussion

To fully understand how these attacks are carried out, it is necessary to study the structure of the TCP/IP protocol suite.

Internet Protocol - IP Address

Internet Protocol (IP) is a network protocol operating at Layer 3 (network) of the OSI model. It is connectionless, meaning there is no transaction state information used to route packets across the network. Additionally, there is no method to ensure that a packet is correctly delivered to its destination.

Examining the IP packet header, we see that the first 12 bytes (the top 3 header rows) contain various information about the packet. The next 8 bytes (the next 2 rows) contain the source and destination IP addresses. Using one of several tools, an attacker can easily change these addresses, in particular the "source address" field. It is important to note that, because of the structure of IP, each datagram is sent independently of all others.

Transmission Control Protocol - TCP

IP can be thought of as a routing wrapper for Layer 4 (transport), which contains the Transmission Control Protocol (TCP). Unlike IP, TCP is connection oriented. This means that participants in a TCP session must first establish a connection using a three-way handshake (SYN, SYN/ACK, ACK) and then keep each other updated through sequence and acknowledgment numbers. This “conversation” ensures reliable data transmission: the sender receives confirmation from the recipient after each packet exchange.


The TCP header is very different from the IP header. We are interested in the first 12 bytes of a TCP packet, which contain port and sequence information. Like an IP datagram, TCP packets can be manipulated with software. The source and destination ports typically depend on the network application being used (for example, HTTP on port 80). To understand spoofing, it is important to pay attention to the sequence and acknowledgment numbers. The data in these fields ensures that packets are delivered reliably by determining whether a packet needs to be resent. The sequence number is the number of the first byte of the current packet within the data stream. The acknowledgment number, in turn, contains the value of the next sequence number expected in the stream. This relationship confirms that the correct packets have been received. In this respect the protocol is completely different from IP: the state of the transaction is carefully tracked.

TCP/IP Design Implications

Now that we have an overview of the TCP/IP formats, let's look at the implications. Obviously, it is very easy to mask the source address by manipulating the IP header. This technique is used for obvious reasons and appears in several of the attacks described below. Another TCP-specific consequence is sequence number prediction, which can lead to session hijacking. This method builds on IP spoofing, because a session, albeit a false one, is created.

Spoofing attacks

There are several attack variants that successfully use IP spoofing. While some of them are relatively old, others are very relevant to current security issues.

Non-blind spoofing

This type of attack occurs when the attacker is on the same subnet as the victim. The sequence and acknowledgment numbers can be sniffed, eliminating the potential complexity of calculating them. Session hijacking is achieved by corrupting the data stream of an established connection and then reconstructing it from the attacking machine using the correct sequence and acknowledgment numbers. Using this technique, an attacker can effectively bypass any authentication measures taken when the connection was constructed.

Blind spoofing

This is a more complex attack because the sequence and acknowledgment numbers are not available. Several packets are sent to the target machine in order to sample its sequence numbers. Today most operating systems generate random sequence numbers, which makes them difficult to predict accurately. However, if the sequence number has been compromised, data may be sent to the target device. A few years ago many machines used host-based authentication services; a well-crafted attack could blindly insert the required data into the system (a new user account), giving full access to an attacker pretending to be a trusted host.

"Man In The Middle" Attack

Also known as a man-in-the-middle (MITM) attack. In these attacks a hostile party intercepts communications between two friendly parties. The malicious host then controls the flow of communication and can remove or modify information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, the attacker can trick the victim into revealing confidential information by “spoofing” the identity of the original sender, who is supposedly trusted by the recipient.

Denial of service attack

IP spoofing is used in one of the attacks that are hardest to defend against: denial of service, or DoS. Since the hackers only care about consuming bandwidth and resources, they don't have to worry about completing transactions correctly. Rather, they want to flood the victim with as many packets as possible in a short period of time. When the attack involves multiple compromised hosts all sending the spoofed traffic, it is almost impossible to block it quickly.

Misconceptions About IP Spoofing

While some of the attacks described above are a bit outdated, such as session hijacking against host-based authentication services, IP spoofing is still common in network scanning as well as in denial of service floods. However, this method does not provide anonymous Internet access, which is a common misconception among those unfamiliar with the practice. Any spoofing beyond simple floods is relatively advanced and is used in very specific cases such as evasion and connection hijacking.

Anti-spoofing

There are several precautions you can take to limit the risks of IP spoofing on your network, such as router filtering, encryption, and authentication. Implementing encryption and authentication will reduce the likelihood of spoofing. Understanding how and why spoofing attacks are used, combined with a few simple prevention techniques, can help protect your network from these malicious cloning and hacking methods.

Substitution of a false source address. It is used to hide the attacker's true address, to direct the response packet to a desired address, and for other purposes.

The transport-layer (Layer 4) protocol TCP has a built-in mechanism that hinders spoofing: the sequence number and acknowledgment number. The UDP protocol has no such mechanism, so applications built on it are more vulnerable to spoofing. A guaranteed method of protection against IP address spoofing is to match the sender's MAC address (Ethernet frame) against its IP address (IP protocol header).

IP spoofing is the substitution of the sender's address, one of the fields of the IP header, with a different value. The difficulty is that the machine that receives a header with such an address will send its response to that address, not to the cracker's. In the case of a TCP connection, a response from the recipient is required in order to establish the connection. When establishing a TCP connection, the so-called ISN (Initial Sequence Number) is important. When a connection is set up between two machines, the client's initial sequence number, designated ISNc, is transmitted, and so is the server's, referred to as ISNs. Let's look at how the connection is set up:

  1. the client sends a TCP packet with the SYN flag set, and it also selects ISNc.
  2. the server increments ISNc by one and sends it back along with its ISNs.
  3. the client responds with an ACK packet containing ISNs incremented by one.

When the cracker tries to establish a TCP connection with a spoofed IP address, the server sends computer A (the spoofed host) a SYN-ACK packet containing its ISN. Since computer A did not send a SYN packet to the server, it will respond with an RST packet to terminate the unknown connection. The hacker therefore has to wait until computer A is turned off or rebooted. The cracker also cannot see the ISN sent from one machine to the other, and he needs this ISN in the third step, when he has to increment it by 1 and send it back. So the attacker must guess the ISN. In old operating systems (OS) it was very easy to guess the ISN: it increased by one with each connection. Modern OSs use a mechanism that prevents ISN guessing. Modern services use a username and password for authentication and transmit data in encrypted form, so nowadays there is little room for IP spoofing.
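The ISN-guessing point made here, and earlier under “How the attack is used”, as an added example that is not part of either article. It contrasts the old counter behaviour with an RFC 6528-style generator (ISN = clock + keyed hash of the connection 4-tuple); both generators, the self-check function, the 4-tuple serialisation and the documentation addresses are this example's own assumptions.

```python
"""Why a counter ISN is guessable and a keyed-hash ISN (RFC 6528 style) is not (added example)."""
import hashlib
import os
import struct


class LegacyIsnGenerator:
    """The old behaviour the text describes: each new connection gets the previous ISN + 1."""

    def __init__(self, start=0):
        self._next = start

    def isn(self, client_ip, client_port, server_ip, server_port, clock_4us):
        value = self._next & 0xFFFFFFFF
        self._next += 1
        return value


class Rfc6528IsnGenerator:
    """ISN = M + F(4-tuple, secret): a 4 microsecond clock plus a keyed hash of the 4-tuple.

    Connections from different peers get unrelated ISNs, so the ISN the server handed to
    the observer's own connection says nothing about the ISN it will pick for another host.
    """

    def __init__(self, secret=None):
        self._secret = secret if secret is not None else os.urandom(16)

    def isn(self, client_ip, client_port, server_ip, server_port, clock_4us):
        four_tuple = f"{client_ip}:{client_port}>{server_ip}:{server_port}".encode()
        digest = hashlib.md5(four_tuple + self._secret).digest()  # MD5 as in RFC 6528
        f = struct.unpack(">I", digest[:4])[0]
        return (clock_4us + f) & 0xFFFFFFFF


def isn_is_predictable(generator, clock_4us=0):
    """Self-check of a stack's ISN policy: make one legitimate connection, read the ISN the
    server gave it, and see whether the next connection from a different host gets ISN + 1
    (exactly the property the text says old operating systems had)."""
    observed = generator.isn("198.51.100.7", 40000, "203.0.113.10", 23, clock_4us)
    guess = (observed + 1) & 0xFFFFFFFF
    actual = generator.isn("192.0.2.5", 40001, "203.0.113.10", 23, clock_4us + 1)
    return guess == actual


if __name__ == "__main__":
    print("legacy counter predictable:", isn_is_predictable(LegacyIsnGenerator(start=1000)))  # True
    print("RFC 6528 style predictable:", isn_is_predictable(Rfc6528IsnGenerator()))           # False
```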


Wikimedia Foundation. 2010.
