CIS 450 - PowerPoint PPT Presentation
Slides: 22. Provided by: members7.

Transcript and Presenter's Notes

1
CIS 450 Network Security
  • Chapter 4 - Spoofing

2
  • Definition: To fool. In networking, the term is
    used to describe a variety of ways in which
    hardware and software can be fooled.
  • Types:
    • IP Spoofing: An attacker uses the IP address of
      another computer to acquire information or gain
      access.
    • Email Spoofing: Involves spoofing the From
      address of an email.
    • Web Spoofing
    • Non-technical Spoofing: Concentrates on
      compromising the human element of a company
      (social engineering).

3
IP Spoofing
  • Flying blind, or a one-way attack: Packets are
    sent to a victim, but the attacker does not
    receive any packets back.
  • Basic address change
    • The most basic form is to go into the network
      configuration and change the IP address.
    • All packets going out have the IP address the
      attacker wants to spoof.
    • Low tech, since all replies go back to the
      address the attacker is spoofing.
    • Is effective for DoS attacks.

4
IP Spoofing
  • Basic address change: Protection against
    • You can protect your machines from being used to
      launch a spoofing attack, but there is little you
      can do to prevent an attacker from spoofing your
      address.
    • Limit who has access to, and can make changes to,
      the configuration information on a machine.
    • Ingress Filtering: Apply the built-in spoofing
      filters on routers; do not allow any packet that
      enters your network from the outside to have a
      source address from your internal network.
    • Egress Filtering: Prevents someone from using a
      company's computers to launch an attack. The router
      examines every packet leaving the network to make sure
      that the source address is an address from your
      local network.
    • Software packages: arpwatch
      (http://www.securityfocus.com/tools/142)
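As an added illustration of the ingress and egress rules above (not part of the slides), the following Python models a router applying both checks to constructed packets; the internal prefixes, the Packet class and the traffic sample are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the address space behind this router (an assumption;
# the slide names no network). Any list of prefixes works here.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]

@dataclass
class Packet:
    src: str
    dst: str
    direction: str   # "in": arriving from the Internet, "out": leaving our network

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def filter_packet(pkt: Packet) -> tuple:
    """Apply the two rules from the slide and return (verdict, reason).

    Ingress: a packet arriving from outside may not carry one of our own
    source addresses (an outsider is spoofing one of our hosts).
    Egress: a packet leaving may only carry one of our own source
    addresses (one of our hosts is spoofing somebody else's).
    """
    src_internal = is_internal(pkt.src)
    if pkt.direction == "in" and src_internal:
        return "drop", "ingress: external packet claims an internal source"
    if pkt.direction == "out" and not src_internal:
        return "drop", "egress: outbound packet with a non-local source"
    return "accept", "source address is consistent with direction"

def audit(packets):
    """Run the filter over a batch and return the dropped packets with reasons."""
    dropped = []
    for pkt in packets:
        verdict, reason = filter_packet(pkt)
        if verdict == "drop":
            dropped.append((pkt, reason))
    return dropped

if __name__ == "__main__":
    # Constructed traffic sample: two legitimate flows and two spoofed ones.
    sample = [Packet("203.0.113.9", "192.0.2.10", "in"),    # normal inbound
              Packet("192.0.2.10", "203.0.113.9", "out"),   # normal outbound
              Packet("192.0.2.77", "192.0.2.10", "in"),     # outsider posing as our host
              Packet("10.9.9.9", "203.0.113.9", "out")]     # insider posing as another net
    for pkt, reason in audit(sample):
        print(f"DROP {pkt.src} -> {pkt.dst} ({pkt.direction}): {reason}")
```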

5
Source Routing
  • Lets you specify the path a packet will take
    through the Internet.
  • Loose source routing (LSR): The sender specifies a
    list of IP addresses the traffic or packet must
    go through (it can go through other addresses as
    well). The sender is not interested in the exact
    path as long as it goes through the listed addresses.
  • Strict source routing (SSR): The sender specifies
    the exact path that the packet must take. If the
    exact path cannot be taken, the packet is dropped
    and an ICMP message is returned to the sender.

6
Source Routing
  • Protection against
    • The best way is to disable source routing at your
      routers.

7
Exploitation of a Trust Relationship on UNIX Machines
  • A trust relationship is set up so a user does not
    have to log on to all the systems they have access to.
  • The user only has to authenticate on the initial log on.
  • The attacker spoofs the address of a machine that has
    the trust. The attacker is flying blind.
  • Protection against
    • Don't use trust relationships.
    • If used, limit who has them.
    • If used, limit them to internal use, not via the
      Internet.

8
Email Spoofing
  • Done to:
    • Hide the attacker's identity (can use an anonymous
      remailer)
    • Impersonate someone or get someone else in trouble
    • Serve as a form of social engineering

9
Email Spoofing
  • Similar email addresses
    • The attacker registers an email address with a user
      name that looks similar to that of the person they
      want to spoof.
    • In the alias field the attacker puts the name of
      the impersonated person.
    • Sends an email message from the spoofed address.
  • Protection against similar email addresses
    • Users have to be educated.
    • Configure mail clients so that they always show
      the full email address and not the alias.
    • Set up email so that it can be accessed remotely
      and via the Internet.
    • Make a policy of no external email addresses for
      work-related activities.
    • Public key encryption.

10
Email Spoofing
  • Modifying a mail client
    • In some mail clients the attacker can specify what he
      wants to appear in the From line.
  • Protection against modifying a mail client
    • Have a policy against it and enforce it.
    • Logging is performed on all systems.
    • Look at the full email header.
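An added example (not from the slides) of the check a mail client or gateway could run for both tricks on slides 9 and 10: it flags an alias that names a known person but carries a different address, an address within two edits of a real one, and a From line that disagrees with the envelope Return-Path, which is what "look at the full header" catches. The DIRECTORY and the sample header are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of people an attacker might impersonate (an assumption).
DIRECTORY = {
    "Eric Cole": "eric.cole@example.com",
    "Pat Jones": "pat.jones@example.com",
}

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike addresses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_from(raw_message: str) -> list:
    """Return warnings for a message whose From line looks like impersonation."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    warnings = []
    # Alias field names a known person, but the address is not theirs.
    known = DIRECTORY.get(display)
    if known and known.lower() != addr:
        warnings.append(f"alias '{display}' does not match directory address {known}")
    # Address is a near miss of a directory address (similar-address trick).
    for name, real in DIRECTORY.items():
        if addr != real.lower() and edit_distance(addr, real.lower()) <= 2:
            warnings.append(f"'{addr}' is a look-alike of {real} ({name})")
    # Envelope sender disagrees with the From line (modified mail client).
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    if envelope and envelope.lower() != addr:
        warnings.append(f"Return-Path {envelope.lower()} differs from From {addr}")
    return warnings

if __name__ == "__main__":
    # Constructed sample header, not a real message.
    SAMPLE = ("Return-Path: <mailbox42@freemail.example>\n"
              'From: "Eric Cole" <eric.co1e@example.com>\n'
              "To: pat.jones@example.com\nSubject: urgent\n\nPlease wire the funds.\n")
    for warning in check_from(SAMPLE):
        print("WARNING:", warning)
```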

11
Email Spoofing
  • Telnet to Port 25
    • Port 25 is used for the Simple Mail Transfer Protocol
      (SMTP).
    • The attacker finds out the IP address of a mail
      server, or runs a port scan against several
      systems to see which ones have port 25 open.
    • Opens a telnet session to port 25 on that machine.
    • A message is sent with a spoofed From address.

12
Email Spoofing
  • Protection against telneting to Port 25
    • If it is not being used, shut it down.
    • Have all the latest patches installed on the mail
      server and make sure all spoofing and relay
      filters are properly configured.
  • Mail relaying
    • The attacker tries to use a mail server to send mail
      to someone else on a different domain, or relays
      his mail off another server.
  • Protection against mail relaying
    • Validate that the recipient's domain is the same
      domain as the mail server's.
    • Validate that the sender's domain is valid.
    • Validate, for any remote connection to the
      mail server, that the To and From addresses are
      from the same domain as the mail server.
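Added example, not the slides' own material: a minimal relay-policy check that applies the three validations above to the SMTP envelope. LOCAL_DOMAINS and the sample session are constructed; the third rule sits behind a strict flag because it also refuses inbound mail from outside senders, so it fits an internal-only relay rather than a public mail exchanger.

```python
from email.utils import parseaddr

# Constructed: the domains this mail server is authoritative for (an assumption).
LOCAL_DOMAINS = {"example.com"}

def domain_of(address: str):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    _, addr = parseaddr(address)
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower()

def relay_decision(mail_from: str, rcpt_to: str, client_is_local: bool, strict=False):
    """Decide on one MAIL FROM / RCPT TO pair; returns (accepted, SMTP reply).

    client_is_local: the connection originates inside our network.
    strict: also require a remote client's From address to be in our domain.
    """
    sender, recipient = domain_of(mail_from), domain_of(rcpt_to)
    if sender is None:
        return False, "501 sender domain is not valid"
    if recipient is None:
        return False, "501 recipient address is not valid"
    if client_is_local:
        return True, "250 OK (local client may send anywhere)"
    if recipient not in LOCAL_DOMAINS:
        return False, "554 relaying denied: recipient domain is not ours"
    if strict and sender not in LOCAL_DOMAINS:
        return False, "554 remote client must use a local From address"
    return True, "250 OK (recipient is local)"

def process_envelope(lines, client_is_local: bool, strict=False):
    """Walk the MAIL FROM / RCPT TO commands of a session; one decision per RCPT."""
    mail_from, results = None, []
    for line in lines:
        verb, _, value = line.partition(":")
        if verb.strip().upper() == "MAIL FROM":
            mail_from = value.strip()
        elif verb.strip().upper() == "RCPT TO" and mail_from is not None:
            results.append(relay_decision(mail_from, value.strip(), client_is_local, strict))
    return results

if __name__ == "__main__":
    # Constructed session: an outside host trying to relay through us.
    session = ["MAIL FROM:<someone@attacker.example>",
               "RCPT TO:<victim@other-domain.example>",   # relay attempt, refused
               "RCPT TO:<pat.jones@example.com>"]         # local delivery, accepted
    for accepted, reply in process_envelope(session, client_is_local=False):
        print(reply)
```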

13
Web Spoofing
  • "Web spoofing allows an attacker to create a
    'shadow copy' of the entire World Wide Web.
    Accesses to the shadow Web are funneled through
    the attacker's machine, allowing the attacker to
    monitor all of the victim's activities including
    any passwords or account numbers the victim
    enters. The attacker can also cause false or
    misleading data to be sent to Web servers in the
    victim's name, or to the victim in the name of
    any Web server. In short, the attacker observes
    and controls everything the victim does on the
    Web." (Web Spoofing: An Internet Con Game. Felten,
    Balfanz, Dean, and Wallach, Technical Report
    540-96, Department of Computer Science, Princeton
    University, revised February 1997,
    http://www.cs.princeton.edu/sip/pub/spoofing.html)

14
Web Spoofing
  • Basic Web Spoofing
    • A domain is set up with a similar name.
    • After collecting information, the attacker sends a
      cookie to the user that will forward the user to the
      real site the next time the user comes back.
  • Protection against basic Web spoofing
    • Sites should use server-side certificates.
    • Configure web browsers to always display the URL.

15
Web Spoofing
  • Man-in-the-Middle Attacks
    • The attacker has to position himself so that all
      traffic coming from and going to the victim passes
      through him.
    • Requires that all information coming in and out
      of your organization pass through a single router.
    • The attack can be passive or active.
  • Protection against man-in-the-middle attacks
    • Encryption
    • Strong perimeter security

16
Web Spoofing
  • URL Rewriting
    • An attacker redirects web traffic to another
      site that is controlled by the attacker.
    • The attacker has to rewrite all of the links on a
      web page.
  • Protection against URL rewriting
    • Browsers should always be configured to display
      the destination URL, and users should be trained
      to look at it.
    • Examine the HTML source code.

17
Web Spoofing
  • Tracking State: the ability of a site to track
    the state of the connection and what a user does
    over time.
  • Cookies
    • Pieces of information that the server passes to
      the browser and the browser stores for the server.
    • Passed back to the server by the browser when the
      user reconnects.
    • Persistent cookie: stored on the hard drive in a
      text file format. An attacker that has local
      access can easily access the cookie.
    • Non-persistent cookie: stored in memory and goes
      away when the machine is turned off or rebooted.
  • Protection against cookies
    • Client side: Good physical security (log off when
      not in use, password-protected screen savers).
    • Server side: Make your session ID as long and
      random as possible.

18
Web Spoofing
  • URL session tracking
    • If the attacker can guess the session ID, he can take
      over the user's identity and take over their active
      session.
  • Protection against URL session tracking
    • Make your session ID as long and random as
      possible.
    • Defensive measures have to be done on the Web server
      side.

19
Web Spoofing
  • Hidden form elements: information on a form that
    the browser keeps but does not display to the
    user.
  • Protection against hidden form elements
    • Have hard-to-guess session IDs that are as random
      as possible.
  • Recommendations
    • At least a 15-character session ID that is
      composed of uppercase, lowercase, numbers, and
      special characters that are randomized.
    • Expiration times should be set depending on the type
      of application.
    • Set the expiration time as soon as the user logs off.
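Added example (not from the slides) that puts the recommendations on slides 17 to 19 into working form: a checker for the 15-character, four-character-class rule, a generator that draws IDs from the OS CSPRNG, and a server-side store that idles sessions out and expires them on logoff. The special-character set and the timeout value are assumptions.

```python
import secrets
import string

SPECIALS = "!#$%&*+-=?@^_~"          # assumed special-character set
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + SPECIALS
MIN_LENGTH = 15                      # the slide's minimum length

def check_session_id(sid: str) -> list:
    """Return the recommendations that sid violates (an empty list means OK)."""
    problems = []
    if len(sid) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {"uppercase": str.isupper, "lowercase": str.islower,
               "digit": str.isdigit, "special": lambda c: c in SPECIALS}
    for name, test in classes.items():
        if not any(test(c) for c in sid):
            problems.append(f"no {name} characters")
    return problems

def generate_session_id(length: int = 32) -> str:
    """Draw from the OS CSPRNG (never random.choice); redraw the rare miss."""
    while True:
        sid = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_session_id(sid):
            return sid

class SessionStore:
    """Server-side sessions with an idle timeout and immediate expiry on logoff."""
    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self._sessions = {}          # sid -> (user, last_seen)

    def create(self, user: str, now: float) -> str:
        sid = generate_session_id()
        self._sessions[sid] = (user, now)
        return sid

    def lookup(self, sid: str, now: float):
        # Returns the session's user, or None if the ID is unknown or has idled out.
        user, last_seen = self._sessions.get(sid, (None, 0.0))
        if user is None or now - last_seen > self.idle_timeout:
            self._sessions.pop(sid, None)   # unknown or idle too long: forget it
            return None
        self._sessions[sid] = (user, now)   # refresh the idle timer
        return user

    def logoff(self, sid: str) -> None:
        self._sessions.pop(sid, None)       # expire as soon as the user logs off
```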

20
Web Spoofing
  • General Web Spoofing Protection
    • Disable JavaScript, ActiveX, or any other
      scripting languages that execute locally or in
      your browser.
    • Make sure you validate your application and that
      you are properly tracking users.
    • Make sure users cannot customize their browser to
      display important information.
    • Education is important.
    • Session IDs should be long and random.

21
Non-Technical Spoofing
  • Social Engineering: Tries to convince someone
    that they are someone else.
  • Reverse Social Engineering: The attacker gets
    the user to call him for help.
  • Non-Technical Spoofing Protection
    • Educate your users
    • Post messages on computers
    • Training
    • Proper policies
    • Have authentication when calling the help desk
    • Limit public information
    • Run periodic checks against the help desk and users