2.3.3 Spoofing Attacks

A spoof is the hiding of one’s identity. This is similar to the old criminal trick of gaining access to a victim by obtaining a truck and outfitting it to look like it belongs to the gas company, or a delivery firm. Under this guise, the vehicle can park without raising suspicion, and the driver can roam at will, because they look authentic. Once inside the perimeter, the “workers” suddenly assume their true identity as assailants and commence an attack, usually devastating.

E-mail is especially subject to spoofing, as anybody who has suffered from too much spam in an inbox can attest. A spoofer can assign a bogus source address so that replies to the sender are useless.

The basic method behind spoofing attacks is to create packets that appear to come from somewhere else. The technique of relaying attacks across multiple hosts is common and time-tested. Scanning ranges of IP addresses to identify vulnerable home and business users is just as common. Hackers regularly launch programs that scan for vulnerable systems. When one is found, these programs burrow into the target server to attempt to attain root-level access. Such software is called a rootkit.

Such attacks are technically satisfying to the hacker, but they carry some risk of detection. It is far safer to launch such attacks from slaved computers that have already been compromised, or failing that, to create attack packets with modified return addresses. This keeps the attack from being detected and the attacker from being traced. In a way, it is like stealing a set of license plates so that someone else gets the ticket if you are caught by a photo radar.

As mentioned, the goal of such attacks is generally to get root-level access so that the target computer can be damaged or compromised to do the attacker’s dirty work.

Spoofing Defense

It is common to spoof with an address from a host in the victim’s internal network. This way it looks as if the attacker is within the victim’s premises. Much valuable time can be wasted launching an internal investigation when an Internet chase is actually what is warranted. More importantly, the address is valid as far as the network’s switches and routers are concerned, and the packet may pass more easily through the victim network.

A firewall or address filter can unravel a spoofing attack. The firewall will likely be set to reject packets from external addresses it does not know. Further, any packet that comes from outside the local network but has an internal source address must be fraudulent. Similarly, if an internal machine is compromised and starts issuing packets with outside source addresses, those packets are certainly suspect.

A more important spoof, and one that may be more devastating to a network, is to attack the routers that control which way traffic flows through the network. Routers constantly send and receive updates to the routing tables that guide them in forwarding packets. If a network problem were to occur, the network is self-healing to an extent, in that the network routers would sense the missing devices and hosts, delete them from the routing tables, and possibly determine new routes to network destinations.

If an attacker were to spoof these routers in such a way as to convince them that significant portions of the network traffic had to be sent by new routes, it could cause havoc. Anti-spoofing filters prevent external users from sending forged packets that act as if they come from your internal network. Many security controls use a packet's source IP address to allow or deny access. By sending spoofed packets that look as if they originated on your internal network, attackers can manipulate or bypass these security controls.
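The two anti-spoofing rules described above (an outside packet carrying an inside source address, and an inside host emitting an outside source address) as a small filter, added here as an example and not taken from the original text; the internal prefixes and the sample packets are constructed values.

```python
import ipaddress
from typing import List, Tuple

# Address space that belongs to the protected network (constructed example values).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def anti_spoof_verdict(iface: str, src: str) -> Tuple[str, str]:
    """Decide whether a packet's source address is consistent with the interface it arrived on.

    iface is "external" (packet arriving from the Internet) or "internal"
    (packet originating on the local network). Returns (verdict, reason).
    """
    try:
        src_internal = is_internal(src)
    except ValueError:
        # A source field that is not even a valid address is dropped outright.
        return "DROP", "unparseable source address"
    if iface == "external" and src_internal:
        # Ingress rule: an outside packet claiming an inside address must be forged.
        return "DROP", "internal source address on external interface"
    if iface == "internal" and not src_internal:
        # Egress rule: an inside host should never emit a foreign source address;
        # this usually means the host is compromised and spoofing outward.
        return "DROP", "external source address on internal interface"
    return "ACCEPT", "source address consistent with interface"


def filter_packets(packets) -> List[Tuple[str, str, str, str]]:
    """Run the verdict over (iface, src, dst) tuples; return the dropped ones with reasons."""
    dropped = []
    for iface, src, dst in packets:
        verdict, reason = anti_spoof_verdict(iface, src)
        if verdict == "DROP":
            dropped.append((iface, src, dst, reason))
    return dropped


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = [
    ("external", "203.0.113.5", "10.0.0.20"),       # ordinary inbound traffic
    ("external", "10.0.0.7", "10.0.0.20"),          # forged: claims an inside address
    ("internal", "192.168.1.15", "198.51.100.9"),   # ordinary outbound traffic
    ("internal", "198.51.100.77", "203.0.113.5"),   # compromised host spoofing outward
]

if __name__ == "__main__":
    for pkt in filter_packets(SAMPLE_PACKETS):
        print("DROP", pkt)
```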