CertiGuide to Security+ - Problem #2: An Attacker Can Pretend to Be From A Trusted Host

WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Like what you see? Get it in one document for easy printing!

Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Test yourself better with 300 extra Security+ questions!

Get It Here!

Custom Search

CertiGuide to Security+
9 Chapter 1:  General Security Concepts (Domain 1.0; 30%)
      9 1.4  Attacks
           9 1.4.3  Spoofing

Problem #1: Spoofing Can Worsen a DoS Attack

Types of Spoofing

Problem #2: An Attacker Can Pretend to Be From A Trusted Host

In addition to obscuring the attacker’s identity during a DDoS, IP address spoofing can also be used to circumvent trusted host configurations. Kevin Mitnick publicized this as a technique he used to break into a bank’s transaction system. To see how this can happen, we’ll look at an example.

To set the scene… A company has 2 systems to control its online automated purchasing service. System 1, let’s call it Freedom, controls the stock and picking system. System 2, let’s call it Spirit, controls the banking credit and debit system. Whenever an order or goods return request is placed, an application on Freedom reduces or increases the stock count as appropriate, and sends a purchase/refund request to Spirit. Spirit then connects to the bank and completes the transaction.

Because both Freedom and Spirit sit in the company’s backend network, the inexperienced system administrator believes that it would be safe to configure them with a trusted host system only. In other words, he configured Spirit so that it would only ever accept connections from Freedom, because that’s the only host that should ever talk to it. Both systems are, however, completely secured and up to date with patches etc.

So if the systems are secure, how can an attacker use this configuration to their advantage? The answer lies in IP spoofing. While the attacker can’t actually break into either Freedom or Spirit, he can control Spirit’s behavior by manually creating packets with Freedom’s IP address as the source. If the attacker crafts a packet containing data to make a transaction of £1million into a bank account, then sets the source IP address to Freedom’s IP address, when Spirit receives this packet it will check the source IP, see that it matches Freedom’s IP, process it as normal and the fake transaction will go through.

While this is a slightly wild example, the theory is valid. Because the IP stack itself does not provide any measures for verifying the source IP address, systems that do not employ other measures are vulnerable to this type of spoofing attack.

Problem #1: Spoofing Can Worsen a DoS Attack

Types of Spoofing

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!

Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.