system identity spoofing

7/17/2019 System Identity Spoofing http://slidepdf.com/reader/full/system-identity-spoofing 1/11 Network Security System Identity Spoofing  Alexander Meynard Dethan Junior Mahendra Raldhy Dhe Vega Rifaldi Noviansyah

Upload: alejandro-de-la-vega

Post on 07-Jan-2016


Network Security

System Identity Spoofing

 Alexander Meynard Dethan

Junior Mahendra

Raldhy Dhe Vega

Rifaldi Noviansyah


System Identity Spoofing

In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. Put another way, spoofing is when attackers authenticate one machine to another by forging packets from a trusted host.

Many of the protocols in the TCP/IP suite (Internet Protocol) do not provide mechanisms for authenticating the source or destination of a message. They are thus vulnerable to spoofing attacks when extra precautions are not taken by applications to verify the identity of the sending or receiving host. Spoofing attacks which take advantage of TCP/IP suite protocols may be mitigated with the use of firewalls capable of deep packet inspection or by taking measures to verify the identity of the sender or recipient of a message.

Below are examples of how a system can be spoofed:

• IP address spoofing
• DNS spoofing
• ARP spoofing
• Caller ID spoofing
• E-mail address spoofing
• GPS spoofing


1. IP address spoofing

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.

The basic protocol for sending data over the Internet network and many other computer networks is the Internet Protocol ("IP"). The header of each IP packet contains, among other things, the numerical source and destination address of the packet. The source address is normally the address that the packet was sent from. By forging the header so it contains a different address, an attacker can make it appear that the packet was sent by a different machine. The machine that receives spoofed packets will send a response back to the forged source address, which means that this technique is mainly used when the attacker does not care about the response or the attacker has some way of guessing the response.

In certain cases, it might be possible for the attacker to see or redirect the response to his own machine. The most usual case is when the attacker is spoofing an address on the same LAN or WAN.

IP spoofing can be used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines. For example, it is common on some corporate networks to have internal systems trust each other, so that users can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authentication.

How to prevent IP address spoofing

• Configure the local area network to reject packets from the Net that claim to originate from a local address. This is done at the router / firewall level.
• Closely monitor the network.
• Eliminate all host-based authentication.
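The first rule above, sketched as an added example (not part of the original slides): the source address is read from the raw IPv4 header and checked against the interface the packet arrived on. The prefix 10.20.0.0/16 and the interface names "wan" and "lan" are assumptions, and the check in the outbound direction goes one step beyond what the slides list.

```python
import ipaddress
import struct

LAN = ipaddress.ip_network("10.20.0.0/16")  # assumed local prefix

def parse_ipv4(header: bytes):
    """Return (source, destination) from a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    # Source and destination addresses sit at bytes 12..19 of the header.
    src, dst = struct.unpack("!4s4s", header[12:20])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst)

def verdict(iface: str, header: bytes) -> str:
    """Decide at the router/firewall whether the claimed source is plausible."""
    src, _dst = parse_ipv4(header)
    if iface == "wan" and src in LAN:
        return "drop: outside packet claims a local source"
    if iface == "lan" and src not in LAN:
        return "drop: local packet carries a non-local source"
    return "accept"

def build_header(src: str, dst: str) -> bytes:
    """Construct a minimal 20-byte IPv4 header as sample input (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def run_sample():
    # Constructed packets: (arrival interface, claimed source, destination).
    cases = [("wan", "10.20.1.5", "10.20.0.1"),
             ("wan", "198.51.100.7", "10.20.0.1"),
             ("lan", "10.20.1.5", "198.51.100.7"),
             ("lan", "203.0.113.9", "198.51.100.7")]
    return [verdict(iface, build_header(s, d)) for iface, s, d in cases]

if __name__ == "__main__":
    for line in run_sample():
        print(line)
```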

2. DNS spoofing

DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) name server's cache database, causing the name server to return an incorrect IP address, diverting traffic to another computer (often the attacker's).

A domain name system server translates a human readable domain name (such as example.com) into a numerical IP address that is used to route communications between nodes. Normally if the server doesn't know a requested translation it will ask another server, and the process continues recursively. To increase performance, a server will typically remember (cache) these translations for a certain amount of time, so that, if it receives another request for the same translation, it can reply without having to ask the other server again.

When a DNS server has received a false translation and caches it for performance optimization, it is considered poisoned, and it supplies the false data to clients. If a DNS server is poisoned, it may return an incorrect IP address, diverting traffic to another computer (often an attacker's).

Cache poisoning attack

Normally, a networked computer uses a DNS server provided by the computer user's organization or an Internet service provider (ISP). DNS servers are generally deployed in an organization's network to improve resolution response performance by caching previously obtained query results. Poisoning attacks on a single DNS server can affect the users serviced directly by the compromised server or indirectly by its downstream server(s) if applicable.

To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they are from an authoritative source (for example by using DNSSEC) the server will end up caching the incorrect entries locally and serve them to other users that make the same request.

This technique can be used to direct users of a website to another site of the attacker's choosing. For example, an attacker spoofs the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls. He then creates files on the server he controls with names matching those on the target server. These files could contain malicious content, such as a computer worm or a computer virus. A user whose computer has referenced the poisoned DNS server could be tricked into accepting content coming from a non-authentic server and unknowingly download malicious content.

Example application:

As an example, suppose the user requests the IP address of mail.yahoo.com, which is supposed to be XX.XX.XX.XX. But the attacker would respond to the DNS query before the actual response arrives with a spoofed address of YY.YY.YY.YY. The user's system will make a connection request to YY.YY.YY.YY, thinking that mail.yahoo.com is located at that IP address. So effectively, the user is routed to a completely different site from the one which the user originally intended to visit.

Normal DNS communication occurs when the system requests the IP of a particular website and the DNS server responds back with the actual IP address of that website. The system then connects to the website through the IP address it received as a response. With DNS spoofing, the attacker intercepts the DNS request and sends out a response that doesn't contain the actual IP address, but a spoofed IP address.

How to prevent DNS spoofing:

• Deploy IDS/IPS: intrusion detection systems and intrusion prevention systems are capable of handling DNS spoofing attacks, so they need to be deployed inside the network as well as on the perimeter of the network.
• DNSSEC: DNSSEC is a very secure technology that can be used to allow only digitally signed DNS records to be published on DNS servers. Through DNSSEC, we can also prevent DNS servers from getting infected themselves.
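One check an IDS can apply to the race described in the example application, as an added sketch that is not part of the original slides: flag a query that receives two different answers, and flag responses that match no outstanding query. The `Event` record format, the names and the addresses are constructed for illustration.

```python
from collections import namedtuple

# Constructed record format: one entry per DNS message seen by the monitor.
Event = namedtuple("Event", "kind txid qname answers")

def find_anomalies(events):
    """Return alerts for conflicting or unsolicited DNS responses."""
    pending = {}   # (txid, qname) -> first answer set, or None while unanswered
    alerts = []
    for ev in events:
        key = (ev.txid, ev.qname.lower())
        answers = frozenset(ev.answers)
        if ev.kind == "query":
            pending[key] = None
        elif key not in pending:
            # Nobody asked this question with this transaction ID.
            alerts.append(("unsolicited", ev.qname, tuple(sorted(answers))))
        elif pending[key] is None:
            pending[key] = answers          # first response is what gets used
        elif pending[key] != answers:
            # A second, different answer: one of the two is forged, and the
            # monitor alone cannot tell which, so the name needs re-checking.
            alerts.append(("conflict", ev.qname,
                           tuple(sorted(pending[key])), tuple(sorted(answers))))
    return alerts

def run_sample():
    # Constructed traffic: the forged reply wins the race, the real one follows.
    events = [
        Event("query", 0x1A2B, "mail.example.com", ()),
        Event("response", 0x1A2B, "mail.example.com", ("203.0.113.66",)),
        Event("response", 0x1A2B, "mail.example.com", ("192.0.2.25",)),
        Event("response", 0x9999, "www.example.com", ("203.0.113.66",)),
    ]
    return find_anomalies(events)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```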

3. ARP spoofing

Address Resolution Protocol is a telecommunication protocol used for resolution of network layer addresses into link layer addresses. ARP is used to convert an IP address to a physical address such as an Ethernet address.

ARP spoofing is a technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.

ARP spoofing may allow an attacker to intercept data frames on a LAN, modify the traffic, or stop the traffic altogether.

The attack can only be used on networks that make use of the Address Resolution Protocol (ARP), and is limited to local network segments.

The Address Resolution Protocol (ARP) is a widely used protocol for resolving network layer addresses into link layer addresses.

When an Internet Protocol (IP) datagram is sent from one host to another on a local area network, the destination IP address must be converted into a MAC address for transmission via the data link layer.[3] When another host's IP address is known, and its MAC address is needed, a broadcast packet is sent out on the local network. This packet is known as an ARP request. The destination machine with the IP in the ARP request then responds with an ARP reply, which contains the MAC address for that IP.

ARP is a stateless protocol. Network hosts will automatically cache any ARP replies they receive, regardless of whether or not they requested them. Even ARP entries which have not yet expired will be overwritten when a new ARP reply packet is received. There is no method in the ARP protocol by which a host can authenticate the peer from which the packet originated. This behavior is the vulnerability which allows ARP spoofing to occur.

The basic principle behind ARP spoofing is to exploit the above mentioned vulnerabilities in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.

Generally, the goal of the attack is to associate the attacker's MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's MAC instead. The attacker could then choose to:

1. Inspect the packets, and forward the traffic to the actual default gateway (interception).
2. Modify the data before forwarding it (man-in-the-middle attack).
3. Launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.

How to prevent ARP spoofing:

Static ARP entries

IP-to-MAC mappings in the local ARP cache can be statically defined, and then hosts can be directed to ignore all ARP reply packets. While static entries provide perfect security against spoofing if the operating system handles them correctly, they result in quadratic maintenance efforts as IP-MAC mappings of all machines in the network have to be distributed to all other machines.

ARP spoofing detection software

Software that detects ARP spoofing generally relies on some form of certification or cross-checking of ARP responses. Uncertified ARP responses are then blocked. These techniques may be integrated with the DHCP server so that both dynamic and static IP addresses are certified. This capability may be implemented in individual hosts or may be integrated into Ethernet switches or other network equipment. The existence of multiple IP addresses associated with a single MAC address may indicate an ARP spoof attack, although there are legitimate uses of such a configuration. In a more passive approach a device listens for ARP replies on a network, and sends a notification via email when an ARP entry changes.
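The passive approach described above, as an added example that is not part of the original slides: ARP reply payloads are parsed and the monitor reports a changed IP-to-MAC binding and a MAC address holding several IPs. The MAC and IP values are constructed sample data, and returning alert tuples stands in for the e-mail notification.

```python
import struct
from collections import defaultdict

ARP_REPLY = 2

def parse_arp(payload: bytes):
    """Parse a 28-byte Ethernet/IPv4 ARP payload into (op, sender MAC, sender IP)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sender_mac, sender_ip = struct.unpack("!6s4s", payload[8:18])
    return op, sender_mac.hex(":"), ".".join(str(b) for b in sender_ip)

class ArpWatch:
    """Passive monitor: remembers IP-to-MAC bindings seen in ARP replies."""
    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, payload: bytes):
        op, mac, ip = parse_arp(payload)
        alerts = []
        if op != ARP_REPLY:
            return alerts
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(("binding-changed", ip, old, mac))
            self.mac_to_ips[old].discard(ip)
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            # Can be legitimate (router, multi-homed host); flagged for review.
            alerts.append(("multiple-ips", mac, sorted(self.mac_to_ips[mac])))
        return alerts

def build_reply(mac, ip, target_mac, target_ip):
    """Construct a sample ARP reply payload (test data, not captured traffic)."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    to_ip = lambda a: bytes(int(x) for x in a.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
            + to_mac(mac) + to_ip(ip) + to_mac(target_mac) + to_ip(target_ip))

def run_sample():
    watch, gw, host = ArpWatch(), "02:00:00:00:00:01", "02:00:00:00:00:0a"
    alerts = watch.observe(build_reply(gw, "192.0.2.1", host, "192.0.2.10"))
    alerts += watch.observe(build_reply(host, "192.0.2.10", gw, "192.0.2.1"))
    # Constructed spoofed reply: the host's MAC now claims the gateway's IP.
    alerts += watch.observe(build_reply(host, "192.0.2.1", gw, "192.0.2.1"))
    return alerts
```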

4. Caller ID spoofing

Public telephone networks often provide Caller ID information, which includes the caller's name and number, with each call. However, some technologies (especially in Voice over IP (VoIP) networks) allow callers to forge Caller ID information and present false names and numbers. Gateways between networks that allow such spoofing and other public networks then forward that false information. Since spoofed calls can originate from other countries, the laws in the receiver's country may not apply to the caller. This limits laws' effectiveness against the use of spoofed Caller ID information to further a scam.

5. E-mail address spoofing

The sender information shown in e-mails (the "From" field) can be spoofed easily. This technique is commonly used by spammers to hide the origin of their e-mails and leads to problems such as misdirected bounces (i.e. e-mail spam backscatter).

E-mail address spoofing is done in quite the same way as writing a forged return address using snail mail. As long as the letter fits the protocol (i.e. stamp, postal code), the SMTP protocol will send the message. It can be done using a mail server with telnet.

6. GPS spoofing

A GPS spoofing attack attempts to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals, or by rebroadcasting genuine signals captured elsewhere or at a different time. These spoofed signals may be modified in such a way as to cause the receiver to estimate its position to be somewhere other than where it actually is, or to be located where it is but at a different time, as determined by the attacker.

Eavesdropping

Eavesdropping is when someone listens in on a conversation without being recognized as a party to it by either side. For instance, programs such as Carnivore and NarusInsight have been used by the FBI and NSA to eavesdrop on the systems of internet service providers. Even machines that operate as a closed system (i.e., with no contact to the outside world) can be eavesdropped upon via monitoring the faint electro-magnetic transmissions generated by the hardware such as TEMPEST.

The attack could be done using tools called network sniffers. These tools collect packets on the network and, depending on the quality of the tool, analyze the collected data like protocol decoders or stream reassembling.

Depending on the network context, for the sniffing to be effective, some conditions must be met:

• LAN environment with hubs

This is the ideal case because the hub is a network repeater that duplicates every network frame received to all ports, so the attack is very simple to implement because no other condition must be met.

• LAN environment with switches

To be effective for eavesdropping, a preliminary condition must be met. Because a switch by default only transmits a frame to the port, a mechanism that will duplicate or will redirect the network packets to an evil system is necessary. For example, to duplicate traffic from one port to another port, a special configuration on the switch is necessary. To redirect the traffic from one port to another, there must be a preliminary exploitation like the ARP spoof attack. In this attack, the evil system acts like a router between the victim's communication, making it possible to sniff the exchanged packets.

• WAN environment

In this case, to make a network sniff it's necessary that the evil system becomes a router between the client server communications. One way to implement this exploit is with a DNS spoof attack to the client system.

Network eavesdropping is a passive attack which is very difficult to discover. It could be identified by the effect of the preliminary condition or, in some cases, by inducing the evil system to respond to a fake request directed to the evil system IP but with the MAC address of a different system.

Theft

Any malicious action to the physical computer and network infrastructure.

How to prevent theft:

• Guards
• Locks
• CCTV
• Security Access cards
• Motion detectors
• Alarm Systems
• PC Physical controls