Network Security Fundamentals [Electronic resources] نسخه متنی

Spoofing Techniques

The TCP/IP section of this chapter focused solely on IP spoofing. Let's now take a step back and look at spoofing within a larger context. In general, spoofing methods are used by crackers to compromise computer systems. Many people mistakenly think that spoofing is an actual attack. In reality, spoofing is just one step in a process whereby an attacker tries to exploit the relationship between two hosts. Two spoofing techniques are discussed with some guidelines on spoofing prevention.

Address Resolution Protocol Spoofing

The Address Resolution Protocol (ARP) provides a mechanism to resolve, or map, a known IP address to a MAC sublayer address. In Figure 2-9, two hosts are attempting to start a conversation across a multiaccess medium such as Ethernet.

Host A wants to initiate the conversation with Host B but requires both the IP address and the MAC address. During the conversation setup, Host A is aware only of Hosts B's IP address, 132.12.25.2. To determine a destination MAC address for a datagram, the ARP cache table locally in Host A is checked first. If the MAC address is not in the table, Host A sends an ARP request, which is a broadcast on the wire looking for a destination station Host B with IP address 132.12.25.2. Every host on the network receives this broadcast. Host B hears the message, finds out the message is destined for it, and replies with an ARP reply containing its MAC address and IP address.

There is no real authentication; the verification between two hosts is based only on the hardware address, which is a weak part of the ARP process. Using ARP spoofing, the cracker can exploit this hardware address authentication mechanism by spoofing the hardware address of Host B. Basically, the attacker can convince any host or network device on the local network that the cracker's workstation is the host to be trusted. This is a common method used in a switched environment.

Domain Name Service Spoofing

Domain Name Service (DNS) is used for network clients who need an IP address of a remote system based on their names. The host sends a request to a DNS server including the remote system's name, and the DNS server responds with the corresponding IP address. DNS spoofing is the method whereby the hacker convinces the target machine that the system it wants to connect to is the machine of the cracker. The cracker modifies some records so that name entries of hosts correspond to the attacker's IP address. There have been instances in which the complete DNS server was compromised by an attack.

Countermeasures

ARP spoofing can be prevented with the implementation of static ARP tables in all the hosts and routers of your network. Alternatively, you can implement an ARP server that responds to ARP requests on behalf of the target host. To counter DNS spoofing, the reverse lookup detects these attacks. The reverse lookup is a mechanism to verify the IP address against a name. The IP address and name files are usually kept on different servers to make compromise much more difficult. This chapter has touched so far on only two spoofing and antispoofing examples, but more prevention and protection methods (access filters, intrusion detection systems, and auditing tools) are discussed in the next chapters.