SecurityFocal
Attackers and Cybercriminals widely abuse some inherent weaknesses in the communication protocols by using Spoofing. Spoofing is a type of cyber attack in which someone masquerades as a legitimate entity in the attempt to use a computer, device, or network to trick other computer networks. We will understand what is IP Spoofing and how to stay protected in this post.
Spoofing allows hackers to impersonate as another device to obscure the attack source. Cybercriminals leverage spoofing to attack computers to compromise them, turn them into zombies, launch Denial-of-Service (DoS), DDoS attacks, or mine them for sensitive data.
What are the different types of Spoofing?
We can broadly categorize Spoofing in following categories:
1. IP Spoofing
IP Spoofing is when an attacker disguises IP addresses to acquire access as a trusted system used to launch a DDoS attack or infiltrate the communication. Since IP Spoofing works at the network layer, there are no visible signs of any tampering.
Once the Spoofing is successful, the attacker can then take malicious actions such as launching a DDoS attack, infecting the target computer with malware, stealing sensitive data, or even crashing the target server.
There is also some legitimate usage of IP Spoofing for traffic redirection and transparent proxying of a request.
2. ARP Spoofing
ARP spoofing is a Man in the Middle attack using which hackers can connect to an IP address via a spoofed address resolution protocol (ARP) message. ARP spoofing occurs at the data link layer.
3. DNS Server Spoofing
In DNS Server spoofing, an attacker modifies a DNS server to point a domain name to a different IP address with the intent of spreading a virus. This form of attack exploits DNS vulnerabilities diverting internet traffic away from legitimate servers towards malicious servers.
4. Email Spoofing
Email Spoofing is when an attacker uses an email to trick a recipient into believing it has come from a known or trusted source. Attackers widely use Email Spoofing for Phishing or Spear Phishing attacks.
5. Website Spoofing
Website Spoofing is when an attacker creates a website to mimic an existing trusted site known and trusted by the user. The attacker can then use these sites to steal login credentials and other personal information from users.
6. Caller ID Spoofing
Caller ID Spoofing is when attackers make it look like their malicious phone calls come from a trusted source or location. Using social engineering, attackers can then trick their victims over the phone to provide sensitive information like account details, passwords, OTP, social security numbers, etc.
IP spoofing is indeed the most abused type of Spoofing and relatively easy to achieve.
The History of IP Spoofing
Internet Protocol (IP) packets are the backbone of the Internet. Spoofing is almost as old as the Internet itself though people weren’t aware of the problem initially. In the 1980s, researchers became aware that hackers could alter the data within the IP header. To spread awareness regarding this, they wrote articles explaining the working of Spoofing and its dangers.
Things changed in 1994 when a well-known security expert named Tsutomu Shimomura endured a devastating IP spoofing attack on Christmas Day. The attack was known as the “Computer Crime of the Year”. This incident received a lot of publicity, making many people aware of the damage of Spoofing. IP spoofing prevention stems came into existence post-1994.
Types of IP Spoofing Attacks
IP Spoofing can be divided into following four basic types:
1. Blind Spoofing
Blind Spoofing is an attack where the attacker is not on the same subnet as the destination. In this type of Spoofing, the attacker transmits multiple packets to the intended target to receive a series of numbers required to assemble the packets.
In this type of Spoofing, the hacker does not have visibility of how the transmissions work in this network. The machine should be coaxed into responding to the hacker’s requests so that the attacker can analyze the sequence numbers. Once the attacker has the sequence number, the attacker can use them to forge his identity by injecting data into the packets’ stream without authenticating himself when the connection was initially established.
2. Non-Blind Spoofing
In a Non-Blind Spoofing attack, the attacker resides on the same subnet as his intended target and is aware of the sequence of the packets. This is also the reason this Spoofing is called Non-Blind Spoofing.
3. Denial-of-Services (DOS) attack
When attackers launch a DoS or DDoS attack, they use IP spoofing to mask the exact machines from where the requests are coming. This is the key reason that DDoS attacks are potent since it is difficult to identify the senders and block them.
4. Man-in-the-Middle Attack
When two systems communicate with one another, the attacker intercepts the packets sent by them and alters the packets. The sending and receiving devices are unaware that their communication has been tampered with. Attacker, using IP spoofing modifies the packets and sends them to the recipient computer without the original sender or receiver knowing that the attacker has altered the packets.
An attacker becomes the “man in the middle,” intercepting sensitive communications to commit crimes like identity theft and other frauds. Attackers use this type of attack to reveal secure information of targets and continue such transmissions for an extended time.
Man in the middle attack methodology is also used by proxy servers in transparent proxying the request.
A proxy server is a device that acts as an intermediary or broker between the end-user and the Internet. It not only helps add security by hiding the actual source ip address or end user, but also typically adds a number of additional functionalities like Web traffic Filtering, SSL decryption, DLP, Gateway Anti Malware etc.
Proxy servers work at the application layer of OSI Model. Some of the leading proxy servers are Zscaler (Cloud Proxy), Forcepoint (earlier known as Websense), Bluecoat (from Broadcom). They are a vital component of modern security architecture.
Real life example of IP spoofing
One of the most significant DDoS attacks on record targeted GitHub, the leading online code management service used by millions of developers. The attack reached 1.3 Tbps by sending packets at the whopping rate of 126.9 million per second.
This attack was a Memcached DDoS attack; the attackers leveraged the amplification effect of a popular database caching system named Memcached. By flooding the Memcached servers with spoofed requests, the attackers could amplify their attack by a magnitude of about 50,000x.
Fortunately, GitHub was using a DDoS protection service, which kicked in within 10 minutes of the start of this attack. The attack lasted for around 20 minutes.
How Does IP Spoofing Work?
Computer networks communicate by exchanging data packets to ensure transmission continuity. Each data packet contains multiple headers used for routing. Transmitting IP packets is a primary way of communication between networked computers and is the basis of the modern Internet. IP packet consists of header and body. The header of the packet contains essential routing information, including the source IP address.
Similar to physical addresses, IP addresses are used as identifiers to help systems determine whether or not information comes from a trusted source. Although the primary function of IP addresses is to transmit data, they are also used to identify traffic sources to a server.
When you transmit data over the Internet, the data is broken into multiple packets transmitted independently and reassembled at the end. Every packet has an IP header that consists of the source IP address (sender) and the destination IP address (receiver).
IP spoofing happens when a hacker tampers an IP packet to modify their IP source address. This Spoofing can easily go unnoticed since the switch happens before a hacker interacts within a controlled network. IP spoofing provides a shield allowing hackers to appear as though they are someone else. Once a hacker successfully spoofs an IP address, they get access to systems and intercept communications intended for someone else.
Let us consider an example: an attacker accesses the Internet from a computer with the IP address “192.168.0.20”. If an IP spoofing attack occurs, this address is hidden, and the attacker sends the packets with a different spoofed IP address, “192.168.0.30”.
When an IP spoofing attack occurs, the source specified by IP address as the sender of the packet is not actual but a fake IP address used to access the website. Now the server grants access to the attacker, which can lead to various security threats. Since the Spoofing occurs at the network level, there are no external signs of tampering.
You can think of IP Spoofing as an attacker sending a package to someone with the wrong return address. If the package recipient wants to stop receiving the packages, blocking the bogus source address will not help, since it’s a fake address and can change again. If the receiver chooses to respond to the return address, their response package will not reach the actual sender. Thus, IP spoofing makes it challenging for law enforcement and cybersecurity teams to track down the attacker.
IP spoofing provides anonymity by concealing source identities which are advantageous for Cybercriminals for the following reasons:
- Spoofed IP addresses enable attackers to conceal their identities from law enforcement and their victims
- The victims aren’t always aware that they are compromised, so they don’t send out alerts
- Since spoofed IP addresses look like they’re from trusted sources, the packets can successfully bypass the firewalls and other checks that might otherwise blacklist them as a malicious source.
How to prevent IP spoofing?
According to studies, cyberattacks cost organizations an average of $200,000 per incident. Since IP spoofing is one of the most uncomplicated attacks to launch, it becomes essential to take measures to prevent your network.
Here are steps that organizations can take to help protect your devices, data, network, and connections from IP spoofing.
1. Configure Anti-Spoofing in Edge level devices
Most network edge devices such as firewalls, routers, etc., support built-in anti-spoofing mechanisms. Make sure to enable the configuration and block spoofed traffic from the Internet. This is achieved by blocking the use of private addresses on the external interface of the Edge device.
You should also block any traffic originating inside the enterprise network but having an external address as the source IP address (egress filtering). Egress filtering will prevent attackers from abusing your network for spoofing against other external networks.
2. Use a Network Monitoring tool
Use a network monitoring tool to monitor internal networks for suspicious activity. Several good network monitoring tools are available, including Solarwinds and Datadog.
3. Use VPN to provide network access
You can rely on secure access technologies like IPSEC to significantly reduce the risk of IP Spoofing. Negotiating an IPSec connection requires mutual authentication, which is an effective way to validate the identity of the source behind the IP address.
All subsequent IPSEC communications are cryptographically sound, and there’s no way you can carry on those communications unless you successfully completed the mutual authentication. An attacker can spoof the IP, however, they can not convince the other party to trust his IP unless they have somehow compromised the credentials.
4. Use IPV6 Addressing scheme
Implementing IPV6 instead of IPV4 in websites can reduce the likelihood of IP Spoofing. IPv6 incorporates a set of mandatory security protocols including IPsec and other mechanisms to prevent IP address spoofing. These are strong and efficient anti-spoofing measures.
However, IPv6 networks have not yet completely replaced IPv4 since they support IPv4 via tunneling, transition, and translation so IP spoofing is still possible.
5. Enable IP packet encryption
Encryption provides a means to safeguard network data that travels from one router to another across unsecured networks. Enable IP packet encryption on your router so that trusted hosts outside your network can securely communicate with your local hosts. Please refer to this link from Cisco to configure packet encryption.
IP spoofing is a tool used by cybercriminals to impersonate legitimate networks or devices to disrupt the network by launching DDoS or Man-In-The-Middle attacks to steal sensitive data. IP Address Spoofing is a challenge since it exploits inherent weaknesses in the very design of the protocol suites.
Understanding how and why one would use a spoofing attack can significantly increase your chances of successfully defending an attack. Although IP spoofing is hard to detect, various solutions can help organizations prevent spoofed packets from infiltrating their systems.
You can effectively use the combination of proper Edge device configuration, consistent network monitoring, and robust authentication method as weapons to defend against IP spoofing.
One comment
Pingback: What is ARP Spoofing/Poisoning & tips for security | SecurityFocal