system identity spoofing
7/17/2019 System Identity Spoofing
http://slidepdf.com/reader/full/system-identity-spoofing 1/11
Network Security
System Identity Spoofing
Alexander Meynard Dethan
Junior Mahendra
Raldhy Dhe Vega
Rifaldi Noviansyah
System Identity Spoofing
In the context of network security, a spoofing attack is a situation
in which one person or program successfully masquerades as another by
falsifying data and thereby gaining an illegitimate advantage. Put
another way, spoofing is when attackers authenticate one machine
to another by forging packets from a trusted host.
Many of the protocols in the TCP/IP suite (Internet Protocol) do not
provide mechanisms for authenticating the source or destination of a
message. They are thus vulnerable to spoofing attacks when extra
precautions are not taken by applications to verify the identity of the
sending or receiving host. Spoofing attacks which take advantage of
TCP/IP suite protocols may be mitigated with the use of firewalls capable
of deep packet inspection or by taking measures to verify the identity of
the sender or recipient of a message.
Below are examples of how one can spoof the system:
• IP address spoofing
• DNS spoofing
• ARP spoofing
• Caller ID spoofing
• E-mail address spoofing
• GPS spoofing
1. IP address spoofing
In computer networking, IP address spoofing or IP spoofing is
the creation of Internet Protocol (IP) packets with a forged source IP
address, with the purpose of concealing the identity of the sender or
impersonating another computing system.
The basic protocol for sending data over the Internet network and
many other computer networks is the Internet Protocol ("IP"). The
header of each IP packet contains, among other things, the numerical
source and destination address of the packet. The source address is
normally the address that the packet was sent from. By forging the
header so it contains a different address, an attacker can make it appear
that the packet was sent by a different machine. The machine that
receives spoofed packets will send a response back to the
forged source address, which means that this technique is mainly used
when the attacker does not care about the response or the attacker has
some way of guessing the response.
In certain cases, it might be possible for the attacker to see or
redirect the response to his own machine. The most usual case is when
the attacker is spoofing an address on the same LAN or WAN.
IP spoofing can be used by network intruders to defeat network
security measures, such as authentication based on IP addresses. This
method of attack on a remote system can be extremely difficult, as it
involves modifying thousands of packets at a time. This type of attack is
most effective where trust relationships exist between machines. For
example, it is common on some corporate networks to have internal
systems trust each other, so that users can log in without a username or
password provided they are connecting from another machine on the
internal network (and so must already be logged in). By spoofing a
connection from a trusted machine, an attacker may be able to access
the target machine without an authentication.
How to prevent IP address spoofing
• Configuring the Local Area Network to reject packets from the Net that
claim to originate from a local address. This is done at the router /
firewall level
• Closely monitoring the network
• Eliminate all host-based authentication
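
The router / firewall rule from the first bullet, sketched in Python as an added example that is not part of the original slides: it reads the source address out of a raw IPv4 header and drops packets that arrive on the outside interface while claiming a local source. The internal prefixes, the interface labels and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

# Assumption: prefixes used inside the example LAN (constructed values).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

def parse_ipv4_addresses(header: bytes):
    """Return (source, destination) addresses from a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("an IPv4 header is at least 20 bytes")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    # Source address is bytes 12-15, destination is bytes 16-19.
    src, dst = struct.unpack("!4s4s", header[12:20])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst)

def ingress_verdict(interface: str, header: bytes) -> str:
    """Drop packets from outside that claim to come from a local address."""
    src, _dst = parse_ipv4_addresses(header)
    claims_local = any(src in net for net in INTERNAL_NETS)
    if interface == "external" and claims_local:
        return "drop"
    return "accept"

def build_header(src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header for the sample (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

# Constructed sample traffic: (ingress interface, claimed source, destination).
SAMPLE = [
    ("external", "10.0.0.5", "10.0.0.9"),      # outside packet claiming a LAN source
    ("external", "198.51.100.7", "10.0.0.9"),  # ordinary inbound packet
    ("internal", "10.0.0.5", "203.0.113.4"),   # genuine LAN host going out
]

def run_sample():
    """Verdict for each constructed packet, in order."""
    return [ingress_verdict(i, build_header(s, d)) for i, s, d in SAMPLE]

if __name__ == "__main__":
    for (iface, src, dst), verdict in zip(SAMPLE, run_sample()):
        print(f"{iface:8} {src:>14} -> {dst:<12} {verdict}")
```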
2. DNS spoofing
DNS spoofing (or DNS cache poisoning) is a computer
hacking attack, whereby data is introduced into a Domain Name
System (DNS) name server's cache database, causing the name server
to return an incorrect IP address, diverting traffic to another computer
(often the attacker's).
A domain name system server translates a human readable domain
name (such as example.com) into a numerical IP address that is used
to route communications between nodes. Normally if the server doesn't
know a requested translation it will ask another server, and the process
continues recursively. To increase performance, a server will typically
remember (cache) these translations for a certain amount of time, so
that, if it receives another request for the same translation, it can reply
without having to ask the other server again.
When a DNS server has received a false translation and caches it for
performance optimization, it is considered poisoned, and it supplies the
false data to clients. If a DNS server is poisoned, it may return an
incorrect IP address, diverting traffic to another computer (often an
attacker's).
Cache poisoning attack
Normally, a networked computer uses a DNS server provided by
the computer user's organization or an Internet service provider (ISP).
DNS servers are generally deployed in an organization's network to
improve resolution response performance by caching previously
obtained query results. Poisoning attacks on a single DNS server can
affect the users serviced directly by the compromised server or indirectly
by its downstream server(s) if applicable.
To perform a cache poisoning attack, the attacker exploits a flaw in
the DNS software. If the server does not correctly validate DNS
responses to ensure that they are from an authoritative source (for
example by using DNSSEC) the server will end up caching the incorrect
entries locally and serve them to other users that make the same
request.
This technique can be used to direct users of a website to another
site of the attacker's choosing. For example, an attacker spoofs the IP
address DNS entries for a target website on a given DNS server,
replacing them with the IP address of a server he controls. He then
creates files on the server he controls with names matching those on the
target server. These files could contain malicious content, such as
a computer worm or a computer virus. A user whose computer has
referenced the poisoned DNS server could be tricked into accepting
content coming from a non-authentic server and unknowingly download
malicious content.
Example application:
As an example, suppose the user requests the IP address of
mail.yahoo.com, which is supposed to be XX.XX.XX.XX. But the
attacker would respond to the DNS query before the actual response
arrives with a spoofed address of YY.YY.YY.YY. The user's system will
make a connection request to YY.YY.YY.YY, thinking that
mail.yahoo.com is located at that IP address. So effectively, the user is
routed to a completely different site from the one the user originally
intended to visit.
Normal DNS communication occurs when the system requests the
IP of a particular website and the DNS server responds back with the
actual IP address of that website. The system then connects to the
website through the IP address it received as a response. With DNS
spoofing, the attacker intercepts the DNS request and sends out a
response that doesn't contain the actual IP address, but a spoofed IP
address.
How to prevent DNS spoofing:
• Deploy IDS/IPS: intrusion detection systems and intrusion
prevention systems are capable of handling DNS spoofing attacks, so
they need to be deployed inside the network as well as on the perimeter
of the network.
• DNSSEC: DNSSEC is a very secure technology that can be used
to allow only digitally signed DNS records to be published on DNS
servers. Through DNSSEC, we can also prevent DNS servers from
getting infected themselves.
3. ARP spoofing
Address Resolution Protocol is a telecommunication protocol
used for resolution of network layer addresses into link layer addresses.
ARP is used to convert an IP address to a physical address such
as an Ethernet address.
ARP spoofing is a technique whereby an attacker sends fake
("spoofed") Address Resolution Protocol (ARP) messages onto a Local
Area Network. Generally, the aim is to associate the attacker's MAC
address with the IP address of another host (such as the default
gateway), causing any traffic meant for that IP address to be sent to the
attacker instead.
ARP spoofing may allow an attacker to intercept data frames on a
LAN, modify the traffic, or stop the traffic altogether.
The attack can only be used on networks that make use of
the Address Resolution Protocol (ARP), and is limited to local network
segments.
The Address Resolution Protocol (ARP) is a widely
used protocol for resolving network layer addresses into link
layer addresses.
When an Internet Protocol (IP) datagram is sent from one host to
another on a local area network, the destination IP address must be
converted into a MAC address for transmission via the data link layer. [3]
When another host's IP address is known, and its MAC address is
needed, a broadcast packet is sent out on the local network. This packet
is known as an ARP request. The destination machine with the IP in the
ARP request then responds with an ARP reply, which contains the MAC
address for that IP.
ARP is a stateless protocol. Network hosts will
automatically cache any ARP replies they receive, regardless of whether
or not they requested them. Even ARP entries which have not yet
expired will be overwritten when a new ARP reply packet is received.
There is no method in the ARP protocol by which a host
can authenticate the peer from which the packet originated. This
behavior is the vulnerability which allows ARP spoofing to occur.
The basic principle behind ARP spoofing is to exploit the above
mentioned vulnerabilities in the ARP protocol by sending spoofed ARP
messages onto the LAN. ARP spoofing attacks can be run from a
compromised host on the LAN, or from an attacker's machine that is
connected directly to the target LAN.
Generally, the goal of the attack is to associate the attacker's MAC
address with the IP address of a target host, so that any traffic meant for
the target host will be sent to the attacker's MAC instead. The attacker
could then choose to:
1. Inspect the packets, and forward the traffic to the actual default
gateway (interception)
2. Modify the data before forwarding it (man-in-the-middle attack).
3. Launch a denial-of-service attack by causing some or all of the
packets on the network to be dropped
How to prevent ARP spoofing:
Static ARP entries
IP-to-MAC mappings in the local ARP cache can be statically
defined, and then hosts can be directed to ignore all ARP reply
packets. While static entries provide perfect security against spoofing if
the operating system handles them correctly, they result in quadratic
maintenance efforts as IP-MAC mappings of all machines in the network
have to be distributed to all other machines.
ARP spoofing detection software
Software that detects ARP spoofing generally relies on some form of
certification or cross-checking of ARP responses. Uncertified ARP
responses are then blocked. These techniques may be integrated with
the DHCP server so that both dynamic and static IP addresses are
certified. This capability may be implemented in individual hosts or may
be integrated into Ethernet switches or other network equipment. The
existence of multiple IP addresses associated with a single MAC
address may indicate an ARP spoof attack, although there are legitimate
uses of such a configuration. In a more passive approach a device
listens for ARP replies on a network, and sends a notification
via email when an ARP entry changes.
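
The two defences above (static entries and passive cross-checking of ARP replies), combined in one added Python example that is not part of the original slides: it walks a list of observed ARP replies and reports a changed IP-to-MAC binding, a MAC that claims several IPs, and any reply that contradicts a static entry. The helper name `watch_arp`, the alert labels, the addresses and the observed replies are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies: (time, sender IP, sender MAC).
OBSERVED = [
    (1, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # default gateway
    (2, "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # workstation
    (3, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # refresh, nothing changed
    (4, "192.168.1.1", "aa:aa:aa:aa:aa:66"),   # gateway IP claimed by a new MAC
    (5, "192.168.1.20", "aa:aa:aa:aa:aa:66"),  # same MAC claims a second IP
]

def watch_arp(replies, static_bindings=None):
    """Return alerts as (time, kind, ip, mac) for suspicious ARP replies."""
    static_bindings = dict(static_bindings or {})
    ip_to_mac = dict(static_bindings)
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static_bindings and mac != static_bindings[ip]:
            # Static entry: report the reply and ignore it.
            alerts.append((ts, "static-violation", ip, mac))
            continue
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            # A plain ARP cache would silently overwrite the entry here.
            alerts.append((ts, "binding-changed", ip, mac))
            mac_to_ips[known].discard(ip)
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            # Possible spoofing, though some legitimate setups look like this.
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts

if __name__ == "__main__":
    for alert in watch_arp(OBSERVED):
        print(alert)
```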
4. Caller ID spoofing
Public telephone networks often provide Caller ID information,
which includes the caller's name and number, with each call. However,
some technologies (especially in Voice over IP (VoIP) networks) allow
callers to forge Caller ID information and present false names and
numbers. Gateways between networks that allow such spoofing and
other public networks then forward that false information. Since spoofed
calls can originate from other countries, the laws in the receiver's country
may not apply to the caller. This limits laws' effectiveness against the
use of spoofed Caller ID information to further a scam.
5. E-mail address spoofing
The sender information shown in e-mails (the "From" field) can be
spoofed easily. This technique is commonly used by spammers to hide
the origin of their e-mails and leads to problems such as
misdirected bounces (i.e. e-mail spam backscatter).
E-mail address spoofing is done in quite the same way as writing a
forged return address using snail mail. As long as the letter fits the
protocol, (i.e. stamp, postal code) the SMTP protocol will send the
message. It can be done using a mail server with telnet.
6. GPS spoofing
A GPS spoofing attack attempts to deceive a GPS receiver by
broadcasting counterfeit GPS signals, structured to resemble a set of
normal GPS signals, or by rebroadcasting genuine signals captured
elsewhere or at a different time. These spoofed signals may be modified
in such a way as to cause the receiver to estimate its position to be
somewhere other than where it actually is, or to be located where it is
but at a different time, as determined by the attacker.
Eavesdropping
Eavesdropping is when someone listens in on a conversation in which
neither side recognizes them as a participant. For instance,
programs such as Carnivore and NarusInsight have been used by
the FBI and NSA to eavesdrop on the systems of internet service
providers. Even machines that operate as a closed system (i.e., with no
contact to the outside world) can be eavesdropped upon via monitoring
the faint electro-magnetic transmissions generated by the hardware
such as TEMPEST.
The attack could be done using tools called network sniffers. These tools
collect packets on the network and, depending on the quality of the tool,
analyze the collected data like protocol decoders or stream
reassembling.
Depending on the network context, for the sniffing to be effective,
some conditions must be met:
- LAN environment with hubs
This is the ideal case because the hub is a network repeater that
duplicates every network frame received to all ports, so the attack is very
simple to implement because no other condition must be met.
- LAN environment with switches
To be effective for eavesdropping, a preliminary condition must be met.
Because a switch by default only transmits a frame to the port, a
mechanism that will duplicate or will redirect the network packets to an
evil system is necessary. For example, to duplicate traffic from one port
to another port, a special configuration on the switch is necessary. To
redirect the traffic from one port to another, there must be a preliminary
exploitation like the ARP spoof attack. In this attack, the evil system acts
like a router between the victim's communication, making it possible to
sniff the exchanged packets.
- WAN environment
In this case, to make a network sniff it's necessary that the evil system
becomes a router between the client server communications. One way
to implement this exploit is with a DNS spoof attack to the client system.
Network eavesdropping is a passive attack which is very difficult to
discover. It could be identified by the effect of the preliminary condition
or, in some cases, by inducing the evil system to respond to a fake request
directed to the evil system IP but with the MAC address of a different
system.
Theft
Any malicious action to the physical computer and network
infrastructure.
How to prevent theft:
• Guards