One of the most essential skills an attacker requires to be able to launch a successful attack is spoofing. Spoofing is using a false source address in an attempt to hide the actual identity of the attacker and possibly blame the attack on the false source. Spoofing is primarily associated with forging the source address in headers of IP packets, but it is a threat in basically any system that uses some form of addressing. Without the ability to spoof a source address, many of the common attacks would be impossible, less effective, or hard to accomplish without being caught. Apart from IP spoofing, the following are also commonly used in today’s popular attacks.
ARP spoofing refers to forging a MAC address in ARP messages. The Address Resolution Protocol (ARP) is a protocol from the TCP/IP suite that is used to discover the MAC address of a destination IP address. An attacker can send false ARP information that contains the MAC address of the attacker’s computer mapped to the IP of a legitimate server. When a client connects to the server’s IP address, it will actually connect to the attacker’s computer. Spoofing MAC addresses allows for several other malicious actions on modern networks. For example, a DHCP server or wireless access point can be configured to service only clients manually listed by an administrator. The administrator would list only the MAC addresses of internal clients. After sniffing the network for a legitimate MAC address, an attacker could spoof the MAC address and impersonate an internal client.
Networks that use DNS can be vulnerable to the same techniques applied higher in the OSI model. Sending unsolicited DNS replies containing false information regarding hostname to IP address mappings is also considered a form of spoofing. Even though the client hasn’t requested the information, it may store the information in its local cache. The next time the user tries to contact a server or web site whose hostname is listed in the cache, the client will use the IP address from the DNS cache instead of requesting it from a DNS server. This type of attack allows an attacker to fool a user into unknowingly connecting to the attacker’s system. A similar malicious action can be performed by malware that writes entries to the local HOSTS file. Common targets on today’s spam-polluted Internet are banking and major online auction sites, where a user is asked to update sensitive information such as credit card details. While the user thinks she is entering the information at the real site, she would actually be giving the information to a spoofed copy of the website.
Because IP spoofing is such an essential part of many attacks, it is equally important to implement countermeasures where possible. The first line of defense against remote spoofing attacks is usually a router or other device that can filter traffic based on source and destination IP address. For example, a company’s network connected to the Internet should not receive any packets from the Internet that have a source IP address that is part of the private address ranges defined in RFC 1918. If all ISPs configured the proper ingress and egress filters on their routers, the problem of IP spoofing would no longer exist. Routers know which networks and IP ranges are connected to them directly and farther down the line. Ingress filters ensure that only packets with a valid source address from the originating network are allowed to pass. Egress filters ensure that packets with a source address of the internal network cannot originate from a remote location. This prevents attackers from using a legitimate internal address when spoofing packets from outside the local network. Usually these addresses belong to the private address range as mentioned earlier, unless implemented at ISPs. Another way to mitigate spoofing attacks is to authenticate traffic, for example by using IPsec.
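The source-address checks described above can be written as a small decision function. This is an added example, not code from the original article; the site prefix 203.0.113.0/24, the function names and the sample packets are assumptions made for illustration.

```python
import ipaddress

# Private address ranges defined in RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the site's public prefix (203.0.113.0/24 is a documentation range).
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def in_any(addr, nets):
    """True if addr falls inside at least one of the given networks."""
    return any(addr in net for net in nets)


def check_source(direction, src):
    """Return (action, reason) for a packet crossing the border router.

    direction is "inbound" (Internet to site) or "outbound" (site to Internet).
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "malformed source address")
    if addr.version != 4:
        return ("drop", "non-IPv4 source is outside this example")
    if direction == "inbound":
        if in_any(addr, RFC1918):
            return ("drop", "RFC 1918 source arriving from the Internet")
        if in_any(addr, SITE_PREFIXES):
            return ("drop", "internal source arriving from outside")
        return ("accept", "source plausible for an external host")
    if direction == "outbound":
        if in_any(addr, SITE_PREFIXES):
            return ("accept", "source belongs to the originating network")
        return ("drop", "source not assigned to the originating network")
    raise ValueError("direction must be 'inbound' or 'outbound'")


# Constructed sample packets: (direction, source address).
SAMPLES = [
    ("inbound", "10.1.2.3"), ("inbound", "172.31.255.1"),
    ("inbound", "172.32.0.1"), ("inbound", "203.0.113.7"),
    ("outbound", "203.0.113.7"), ("outbound", "198.51.100.20"),
    ("outbound", "192.168.1.10"),
]

if __name__ == "__main__":
    for direction, src in SAMPLES:
        action, reason = check_source(direction, src)
        print(f"{direction:8} {src:15} {action:6} {reason}")
```

The 172.31.255.1 and 172.32.0.1 samples sit on either side of the 172.16.0.0/12 boundary, which is the range most often mistyped in hand-written filter rules.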