Chapter 4 - Spoofing


CIS 450 – Network Security
Chapter 4 - Spoofing
- Definition – To fool. In networking, the term is used to describe a variety of ways in which hardware and software can be fooled.
- Types
  - IP Spoofing – An attacker uses the IP address of another computer to acquire information or gain access
  - Email Spoofing – Involves spoofing the From address of an email
  - Web Spoofing
  - Non-technical Spoofing – Concentrates on compromising the human element of a company (social engineering)
IP Spoofing
- Flying blind or a one-way attack – Packets are sent to a victim but the attacker does not receive any packets back
- Basic address change
  - The most basic form is to go into the network configuration and change the IP address
  - All packets going out have the IP address the attacker wants to spoof
  - Low tech, since all replies go back to the address the attacker is spoofing
  - Is effective for DoS attacks
IP Spoofing
- Basic address change – Protection Against
  - You can protect your machines from being used to launch a spoofing attack, but there is little you can do to prevent an attacker from spoofing your address
  - Limit who has access to and can make changes to configuration information on a machine
  - Ingress Filtering: Apply built-in spoofing filters on routers – do not allow any packet entering your network from the outside to have a source address from your internal network
  - Egress Filtering: Prevents someone from using a company's computers to launch an attack. The router examines every packet leaving the network to make sure that the source address is an address from your local network.
  - Software packages: arpwatch (http://www.securityfocus.com/tools/142)
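The two router rules above, ingress and egress filtering, written out as an added example (not code from the course slides): the internal prefix and the sample packets are constructed, and the filter decides purely on the direction of the packet and whether its source address belongs to the internal network.

```python
import ipaddress

# Assumed address space of the organisation's internal network (constructed).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_internal(addr):
    """True if addr falls inside one of the organisation's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(direction, src, dst):
    """Return ("ACCEPT", reason) or ("DROP", reason) for one packet.

    direction is "in" for a packet arriving on the outside interface and
    "out" for a packet leaving through it.
    """
    if direction == "in" and is_internal(src):
        # Ingress rule: a packet from outside claiming an inside source
        # address is spoofed by definition.
        return "DROP", "ingress: internal source address arriving from outside"
    if direction == "out" and not is_internal(src):
        # Egress rule: our hosts may only emit our own addresses, so a
        # foreign source means a local machine is being used to spoof.
        return "DROP", "egress: non-local source address leaving the network"
    return "ACCEPT", "source address consistent with direction"


# Constructed sample traffic: (direction, source, destination)
SAMPLE_PACKETS = [
    ("in", "198.51.100.7", "192.0.2.10"),    # normal inbound
    ("in", "192.0.2.10", "192.0.2.20"),      # spoofed inbound
    ("out", "192.0.2.10", "198.51.100.7"),   # normal outbound
    ("out", "203.0.113.5", "198.51.100.7"),  # spoofed outbound
]


def audit(packets=SAMPLE_PACKETS):
    """Apply the filter to each packet and return the verdicts in order."""
    return [filter_packet(d, s, t)[0] for d, s, t in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, audit()):
        print(pkt, "->", verdict)
```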
Source Routing
- Lets you specify the path a packet will take through the Internet
- Loose source routing (LSR) – Sender specifies a list of IP addresses the traffic or packet must go through (it can go through other addresses as well). Not interested in the exact path as long as it goes through the listed addresses.
- Strict source routing (SSR) – Sender specifies the exact path that the packet must take. If the exact path cannot be taken, the packet is dropped and an ICMP message is returned to the sender.
Source Routing
- Protection Against
  - Best way is to disable source routing at your routers
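To make the two slides above concrete, here is an added example (not from the course) that parses the IPv4 options area of a packet for the loose (LSRR, option type 131) and strict (SSRR, option type 137) source-route options and applies the recommended policy of dropping any packet that carries one. The option bytes are constructed with a small helper for the demo.

```python
import ipaddress

LSRR, SSRR = 131, 137               # IPv4 option types: loose / strict source route
END_OF_OPTIONS, NO_OPERATION = 0, 1

def parse_source_routes(options):
    """Return (kind, hop_list, pointer) for every source-route option in
    the raw IPv4 options bytes; other options are skipped by their length."""
    routes, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == END_OF_OPTIONS:
            break
        if kind == NO_OPERATION:        # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        if kind in (LSRR, SSRR):
            if length < 3:
                raise ValueError("source-route option too short")
            pointer = options[i + 2]    # offset of the next hop to use; starts at 4
            route = options[i + 3:i + length]
            if len(route) % 4:
                raise ValueError("hop list not 4-byte aligned")
            hops = [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route), 4)]
            routes.append(("loose" if kind == LSRR else "strict", hops, pointer))
        i += length
    return routes

def should_drop(options):
    """Router policy from the slide: reject any packet carrying a source route."""
    return bool(parse_source_routes(options))

def build_option(kind, hops):
    """Construct an option for the demo: type, length, pointer=4, hop list."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([kind, 3 + len(body), 4]) + body

# Constructed sample: a NOP byte followed by a strict route through two hops.
SAMPLE_OPTIONS = bytes([NO_OPERATION]) + build_option(SSRR, ["192.0.2.1", "198.51.100.9"])

if __name__ == "__main__":
    print(parse_source_routes(SAMPLE_OPTIONS), "drop:", should_drop(SAMPLE_OPTIONS))
```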
Exploitation of a Trust Relationship on UNIX Machines
- A trust relationship is set up so the user does not have to log on to all systems they have access to
- User only has to authenticate on initial log on
- Attacker spoofs the address of the machine that has the trust. Attacker is flying blind.
- Protection against
  - Don't use trust relationships
  - If used, limit who has them
  - If used, limit to internal use, not via the Internet
Email Spoofing
- Done for:
  - Hiding the attacker's identity (can use an anonymous remailer)
  - Impersonating someone or getting someone else in trouble
  - As a form of social engineering
Email Spoofing
- Similar email addresses
  - Attacker registers an email address with a user name that looks similar to the person they want to spoof
  - In the Alias field the attacker puts the name of the impersonated person
  - Sends an email message from the spoofed address
- Protection against Similar email addresses
  - Users have to be educated
  - Configure mail clients so that they always show the full email address and not the alias
  - Set up email so that it can be accessed remotely and via the Internet
  - Make a policy of no external email addresses for work-related activities
  - Public key encryption
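An added example (not from the course slides) of the "show the full address, not the alias" protection: it splits a From header into the display name the client would normally show and the real address behind it, then flags the case where the name matches a known colleague but the address does not. The internal domain, the staff directory and the headers are all constructed.

```python
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.test"                           # assumed organisation domain
DIRECTORY = {"alice smith": "alice.smith@example.test"}    # constructed staff directory


def check_from(header_value):
    """Return (alias, real_address, verdict) for one From header value.

    The alias is what a mail client shows by default; the real address is
    what the slide says clients should be configured to display instead.
    """
    alias, addr = parseaddr(header_value)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    known = DIRECTORY.get(alias.strip().lower())
    if known and addr != known:
        verdict = "SUSPECT: alias matches %s but address differs" % known
    elif domain != INTERNAL_DOMAIN:
        verdict = "EXTERNAL: sender is outside %s" % INTERNAL_DOMAIN
    else:
        verdict = "OK"
    return alias, addr, verdict


# Constructed headers: genuine, similar user name on a free mail provider,
# look-alike domain, and an ordinary outside contact.
SAMPLE_HEADERS = [
    '"Alice Smith" <alice.smith@example.test>',
    '"Alice Smith" <alice.smith@freemail.test>',
    '"Alice Smith" <alice.smith@examp1e.test>',
    'Bob Jones <bob@partner.test>',
]


def triage(headers=SAMPLE_HEADERS):
    """Return just the verdict label (OK / SUSPECT / EXTERNAL) for each header."""
    return [check_from(h)[2].split(":")[0] for h in headers]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(check_from(h))
```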

Email Spoofing
- Modifying a mail client
  - In some mail clients the attacker can specify what he wants to appear in the From line
- Protection against Modifying a mail client
  - Have a policy against it and enforce it
  - Logging is performed on all systems
  - Look at the full email header
Email Spoofing
- Telnet to Port 25
  - Port 25 is used for the Simple Mail Transfer Protocol (SMTP)
  - Attacker finds out the IP address of a mail server or runs a port scan against several systems to see which ones have port 25 open
  - Opens a telnet session to port 25 on that machine
  - Message is sent with a spoofed From address
Email Spoofing
- Protection Against Telneting to Port 25
  - If port 25 is not being used, shut it down
  - Have all the latest patches installed on the mail server and make sure all spoofing and relay filters are properly configured
- Mail relaying
  - Attacker tries to use a mail server to send mail to someone else on a different domain, or relays his mail off another server
- Protection against Mail relaying
  - Validate that the recipient's domain is the same domain as the mail server
  - Validate that the sender's domain is valid
  - Validate for any remote connection to the mail server that the To and From addresses are from the same domain as the mail server
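An added example (not from the course slides) of a relay policy built from the checks listed above, in the form mail servers usually apply them: a remote client may only deliver mail to the server's own domain, a client on the local network may send anywhere but only with a local sender address, and the sender's domain must be well-formed. The server domain, the internal network and the sessions are constructed.

```python
import ipaddress
import re

LOCAL_DOMAIN = "example.test"                        # assumed domain this server serves
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")     # assumed internal network
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")  # syntactically valid domain


def domain_of(address):
    """Lower-cased domain part of an address such as user@host.test."""
    return address.rpartition("@")[2].lower()


def relay_decision(client_ip, mail_from, rcpt_to):
    """Return an SMTP-style reply for one MAIL FROM / RCPT TO pair."""
    sender_dom, rcpt_dom = domain_of(mail_from), domain_of(rcpt_to)
    if not DOMAIN_RE.match(sender_dom):
        return "550 sender domain is not valid"
    remote = ipaddress.ip_address(client_ip) not in LOCAL_NET
    if remote and rcpt_dom != LOCAL_DOMAIN:
        # A remote client may only hand us mail for our own users; anything
        # else would make this server an open relay.
        return "550 relaying denied for remote client"
    if not remote and sender_dom != LOCAL_DOMAIN:
        # Local hosts may send anywhere, but only as themselves.
        return "550 local client must use a %s sender address" % LOCAL_DOMAIN
    return "250 OK"


# Constructed sessions: (client IP, MAIL FROM, RCPT TO)
SAMPLE_SESSIONS = [
    ("203.0.113.5", "pat@other.test", "bob@example.test"),     # inbound mail: fine
    ("203.0.113.5", "pat@other.test", "carol@third.test"),     # relay attempt: denied
    ("192.0.2.10", "alice@example.test", "carol@third.test"),  # outbound from inside: fine
    ("192.0.2.10", "alice@evil.test", "carol@third.test"),     # inside host spoofing sender
    ("203.0.113.5", "pat@bad", "bob@example.test"),            # malformed sender domain
]


def audit(sessions=SAMPLE_SESSIONS):
    """Return the three-digit reply code for each session."""
    return [relay_decision(*s)[:3] for s in sessions]


if __name__ == "__main__":
    for s, code in zip(SAMPLE_SESSIONS, audit()):
        print(s, "->", code)
```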

Web Spoofing
- Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web. ("Web Spoofing: An Internet Con Game", Felten, Balfanz, Dean, and Wallach, Technical Report 540-96, Department of Computer Science, Princeton University, revised February 1997, http://www.cs.princeton.edu/sip/pub/spoofing.html)
Web Spoofing
- Basic Web Spoofing
  - Domain is set up with a similar name
  - After collecting information, sends a cookie to the user that will forward the user to the real site the next time the user comes back
- Protection against Basic Web Spoofing
  - Sites should use a server-side certificate
  - Configure web browsers to always display the URL
Web Spoofing
- Man-in-the-Middle Attacks
  - Attacker has to position himself so that all traffic coming from and going to the victim goes through him
  - Requires that all information coming in and out of your organization pass through a single router
  - Attack can be passive or active
- Protection against Man-in-the-Middle Attacks
  - Encryption
  - Strong perimeter security
Web Spoofing
- URL Rewriting
  - An attacker redirects web traffic to another site that is controlled by the attacker
  - The attacker has to rewrite all of the links on a web page
- Protection against URL Rewriting
  - Browsers should always be configured to display the destination URL, and users should be trained to look at it
  - Examine the HTML source code
Web Spoofing
- Tracking State – the ability of a site to track the state of the connection and what a user does over time
- Cookies
  - Pieces of information that the server passes to the browser and the browser stores for the server
  - Passed back to the server by the browser when the user reconnects
  - Persistent cookie – stored on the hard drive in a text file format. An attacker that has local access can easily access the cookie
  - Non-persistent cookie – stored in memory and goes away when the machine is turned off or rebooted
- Protection against Cookies
  - Client side – Good physical security (log off when not in use, password-protected screen savers)
  - Server side – Make your session ID as long and random as possible
Web Spoofing
- URL session tracking
  - If the attacker can guess the session ID, he can take over the user's identity and their active session
- Protection against URL session tracking
  - Make your session ID as long and random as possible
  - Defensive measures have to be done on the Web server side
Web Spoofing
- Hidden form elements – information on a form that the browser keeps but does not display to the user
- Protection against hidden form elements
  - Have hard-to-guess session IDs that are as random as possible
- Recommendations
  - At least a 15-character session ID composed of randomized uppercase, lowercase, numbers, and special characters
  - Expiration times should be set depending on the type of application
  - Set the expiration time as soon as the user logs off
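The session-ID advice from the cookie, URL-session-tracking and hidden-form-element slides comes together in this added example (not from the course): IDs of at least 15 characters drawn from all four character classes using the operating system's secure random source, an idle timeout the application chooses, and immediate expiry on logout. The store and timeout values are constructed for the demo.

```python
import secrets
import string
import time

SPECIAL = "!#$%&*+-=?@^_~"
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIAL)
ALPHABET = "".join(CLASSES)


def new_session_id(length=24):
    """Return a random ID of at least 15 characters drawn from all four classes."""
    if length < 15:
        raise ValueError("recommendation is at least 15 characters")
    while True:                                   # retry until every class appears
        sid = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in sid) for cls in CLASSES):
            return sid


class SessionStore:
    """Server-side session table with an idle timeout and immediate logout."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout          # seconds, chosen per application type
        self.sessions = {}                        # sid -> (user, expires_at)

    def login(self, user, now=None):
        now = time.time() if now is None else now
        sid = new_session_id()
        self.sessions[sid] = (user, now + self.idle_timeout)
        return sid

    def lookup(self, sid, now=None):
        """Return the user owning a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self.sessions[sid]                # expired IDs are purged, never revived
            return None
        self.sessions[sid] = (user, now + self.idle_timeout)   # activity extends the window
        return user

    def logout(self, sid):
        """Expire the session the moment the user logs off."""
        self.sessions.pop(sid, None)
```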
Web Spoofing
- General Web Spoofing Protection
  - Disable JavaScript, ActiveX, or any other scripting languages that execute locally or in your browser
  - Make sure you validate your application and that you are properly tracking users
  - Make sure users cannot customize their browser to display important information
  - Education is important
  - Session IDs should be long and random
Non-Technical Spoofing
- Social Engineering – Tries to convince someone that they are someone else
- Reverse Social Engineering – The attacker gets the user to call him for help
- Non-Technical Spoofing Protection
  - Educate your users
  - Post messages on computers
  - Training
  - Proper policies
  - Have authentication when calling the help desk
  - Limit public information
  - Run periodic checks against help desk and users