Types of Spoofing

It should be noted that spoofing is broken down into two categories, normal spoofing and blind spoofing, denoting the type of control an attacker has.

Normal spoofing, which is a combination of IP spoofing and packet sniffing (see 2.5.4.1), is easier to control. Because the attacker is faking the source IP address of the packets he is sending, the responses from the target machine will be directed to that source IP address, and not to the attacker's true IP address. This means that for the attacker to see the responses of the machine he is sending these spoofed packets to, he must sniff the network and use a packet capture and decoding tool to read them. Taking the Freedom/Spirit example again, when the attacker sends spoofed packets to Spirit with Freedom's IP address as the source, Spirit will send its replies back to Freedom. To read these replies, the attacker must sniff the network and decode the packets as they are sent. To do this, the attacker must be able to place a network card that is on the same network segment as the hosts into promiscuous mode. However, tools such as Antisniff [74] are able to detect this.

Blind spoofing removes the requirement for sniffing the network, and operates on a best-guess principle. The attacker sends spoofed packets to the target as before, but instead of sniffing the network and reading the replies, he just guesses at what the replies will be, in the hope that when he has completed his attack, the system will have performed the actions he requested. The advantage here is that packets can be sent from any network that has a route to the target, and there is no requirement for sniffing the reply packets on the target network. It does of course make the attack harder to perform, because if it fails the attacker has no way of diagnosing what went wrong.

At this point you should note that there are legitimate uses for changing a packet's source IP address. The most obvious one is NAT, or Network Address Translation, where a device, such as a router, deliberately and legitimately rewrites packet headers. See 3.3.3 for more information.

Unfortunately, the problems spoofing presents do not end here, as we'll see in future sections.

__________________
74. http://www.securitysoftware.com/antisniff/download.html
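
The promiscuous-mode requirement described above gives defenders something to look for. Antisniff detects sniffing hosts remotely; the following added example (not part of the original guide) is a different, local check for a Linux host you administer, reading the interface flags exposed under /sys/class/net and testing the promiscuous bit. The function names and the sample flag values are constructed for illustration.

```python
"""Local check for network interfaces in promiscuous mode (Linux sysfs)."""
import os

IFF_UP = 0x1         # interface is administratively up
IFF_PROMISC = 0x100  # interface accepts every frame seen on the segment

# Constructed sample: interface name -> contents of /sys/class/net/<name>/flags
SAMPLE_FLAGS = {
    "lo": "0x9\n",        # UP | LOOPBACK
    "eth0": "0x1003\n",   # UP | BROADCAST | MULTICAST
    "eth1": "0x1103\n",   # same as eth0, plus PROMISC
    "eth2": "0x1102\n",   # PROMISC set, but interface is down
    "bad0": "garbage\n",  # value that cannot be parsed
}

def read_sysfs_flags(root="/sys/class/net"):
    """Read the raw flags file of every interface under root (Linux only)."""
    flags = {}
    for name in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                flags[name] = fh.read()
        except OSError:
            continue  # entry is not an interface directory
    return flags

def promiscuous_interfaces(flags_by_iface):
    """Return (promiscuous, unparsed); promiscuous maps name -> is_up."""
    promiscuous, unparsed = {}, []
    for name, raw in flags_by_iface.items():
        try:
            value = int(raw.strip(), 16)
        except ValueError:
            unparsed.append(name)  # report it rather than skip silently
            continue
        if value & IFF_PROMISC:
            promiscuous[name] = bool(value & IFF_UP)
    return promiscuous, unparsed

if __name__ == "__main__":
    # Use the live system when sysfs is present, else the constructed sample.
    live = os.path.isdir("/sys/class/net")
    source = read_sysfs_flags() if live else SAMPLE_FLAGS
    found, unparsed = promiscuous_interfaces(source)
    for name, is_up in found.items():
        print(f"{name}: promiscuous ({'up' if is_up else 'down'})")
    for name in unparsed:
        print(f"{name}: could not parse flags")
```

A promiscuous interface is not proof of an attacker: bridges, virtualization hosts and authorized packet captures set the same flag, so compare any hit against what is expected to run on that host.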
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com Version 1.0 - Version Date: November 15, 2004 Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved. Not responsible for any loss resulting from the use of this site.