What’s Spoofing and how to defend against it?



Introduction: What’s Spoofing?

Spoofing is a type of attack in which a person or program attempts to gain unauthorized access to a user’s system or information by bypassing access controls, in order to steal data or spread malware, by successfully masquerading as that user.

In general, the term spoof refers to a scam or deception that imitates another person, software program, hardware device or computer with the intention of gaining access to some information. The main purpose is to bypass security measures and trick the user into releasing sensitive information, in order to gain access to the user’s computer system or bank account, or to steal personal information such as passwords and credentials of any kind.

The most commonly known kinds of spoofing are:

  • IP Spoofing
  • Email Spoofing
  • DNS Spoofing
  • ARP Spoofing
  • GPS Spoofing
  • Website Spoofing
  • MAC Spoofing

How does Spoofing work?

Spoofing is a type of tech scam that can fool you into believing that the source of some information is trustworthy, even when it’s not. For example, hackers can spoof email by sending you masked messages that appear to come from someone you trust, so that you hand over your sensitive data. They can also use IP or DNS spoofing to trick your network and lead you to fraudulent sites that might infect your computer with malware.

TCP/IP Spoofing

IP address spoofing refers to connection hijacking through a fake IP (Internet Protocol) address, for the purpose of hiding the identity of the sender or impersonating another computing system.

This kind of spoof attack involves masking a computer’s IP address so that it looks authentic. During the masking process, the attacker sends a malicious message carrying a forged source IP address that looks trustworthy. The forgery is done in the IP header: because TCP/IP exposes the header fields to anyone who can read the packet, a spoofer can find the information needed to craft a convincing header.

(Figure: IP Spoofing)

IP address spoofing is most frequently used in denial-of-service attacks, where the objective is to flood the target with an overwhelming volume of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed IP addresses are more difficult to filter since each spoofed packet appears to come from a different address, and they hide the true source of the attack.
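The standard network-side defence against the flooding scenario above is ingress/egress filtering (BCP 38): a border device drops packets whose source address cannot legitimately arrive on the interface that received them. The following is an added example written for this article, not code from the original; the interface names, the prefixes assigned to them and the sample packets are constructed assumptions.

```python
# Added example (not from the original article): a minimal BCP 38 style
# anti-spoofing filter. It drops packets that arrive on an interface with a
# source address that cannot legitimately come from that interface, plus
# packets with "martian" sources that must never appear on the public net.
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology (assumption): each internal interface and the prefixes
# that may legitimately originate traffic behind it. Any other interface name
# is treated as the untrusted uplink.
INTERFACE_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],
    "dmz0": [ipaddress.ip_network("198.51.100.0/24")],
}

# Source prefixes that are never valid on a public uplink (unspecified,
# RFC 1918, loopback, link-local, multicast). A real deployment extends this.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def classify_packet(ingress_if: str, src: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet with source `src` seen on `ingress_if`.

    Rules, in order:
      1. martian source addresses are dropped everywhere;
      2. on an internal interface the source must belong to that interface's
         prefixes (egress filtering: our own hosts cannot spoof outside prefixes);
      3. on the uplink the source must NOT belong to any internal prefix
         (ingress filtering: the outside cannot impersonate our hosts).
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in MARTIANS):
        return "drop", "martian source"
    if ingress_if in INTERFACE_PREFIXES:
        if any(addr in net for net in INTERFACE_PREFIXES[ingress_if]):
            return "accept", "source within interface prefix"
        return "drop", f"source not assigned to {ingress_if}"
    for ifname, nets in INTERFACE_PREFIXES.items():
        if any(addr in net for net in nets):
            return "drop", f"internal prefix of {ifname} arriving from outside"
    return "accept", "external source on uplink"


def filter_batch(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply classify_packet to (interface, src) pairs; returns (if, src, verdict)."""
    return [(i, s, classify_packet(i, s)[0]) for i, s in packets]


if __name__ == "__main__":
    # Constructed sample traffic: ordinary packets mixed with spoofed ones.
    sample = [
        ("lan0", "192.0.2.10"),       # legitimate LAN host
        ("lan0", "203.0.113.5"),      # LAN host spoofing an outside address
        ("wan0", "192.0.2.10"),       # outside packet claiming to be our LAN host
        ("wan0", "203.0.113.5"),      # ordinary inbound packet
        ("wan0", "10.1.1.1"),         # martian source on the uplink
    ]
    for iface, src, verdict in filter_batch(sample):
        print(f"{iface:5} {src:15} -> {verdict}")
```

The same two rules are what an ISP applies at its customer edge: egress filtering stops a compromised host inside the network from sourcing spoofed flood traffic, and ingress filtering stops outside traffic from impersonating internal addresses. Filtering cannot be done by the victim alone, which is why the practice has to be deployed close to the origin of the packets.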

DNS Spoofing

DNS spoofing, also known as DNS cache poisoning, is a type of attack that involves impersonating DNS server responses in order to introduce false information.

A spoofer guesses that a DNS client or server has sent a DNS query and is waiting for a DNS response, and sends a forged response in its place. If the spoofing attack succeeds, a fake DNS response is inserted into the DNS server’s cache (DNS cache poisoning). Since the poisoned DNS server cannot verify whether the DNS data is authentic, it will reply to later queries from its cache using the fake information.

(Figure: DNS Spoofing)

Example 1: Redirect the target domain’s name server

This DNS cache poisoning example involves redirecting the name server of the spoofer’s domain to the name server of the target domain, then assigning that name server an IP address specified by the spoofer.

DNS server’s request:

subdomain.spooferdomain.<cctld/tld>. IN A

Spoofer’s response:

Answer:
(no response)

Authority section:
spooferdomain.<cctld/tld>. 3600 IN NS ns.targetdomain.<cctld/tld>.

Additional section:
ns.targetdomain.<cctld/tld>. IN A x.x.x.x

A vulnerable server would cache the additional A-record (IP address) for ns.targetdomain.<cctld/tld>, allowing the attacker to resolve queries to the entire targetdomain.<cctld/tld> domain.

Example 2: Redirect the NS record to another target domain

The second DNS cache poisoning example involves redirecting the nameserver of another domain unrelated to the original request to an IP address specified by the spoofer.

DNS server’s request:

subdomain.spooferdomain.<cctld/tld>. IN A

Spoofer’s response:

Answer:
(no response)

Authority section:
targetdomain.<cctld/tld>. 3600 IN NS ns.spooferdomain.<cctld/tld>.

Additional section:
ns.spooferdomain.<cctld/tld>. IN A x.x.x.x

A vulnerable server would cache the unrelated authority information for targetdomain.<cctld/tld>'s NS-record, allowing the spoofer to resolve queries to the entire targetdomain.<cctld/tld> domain.
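Both Example 1 and Example 2 are defeated by the same resolver-side check, the bailiwick rule: a resolver that asked spooferdomain’s name server accepts only records whose owner name lies inside spooferdomain’s zone, and it uses an additional-section A record (glue) only when that record belongs to an NS record it has already accepted. The following is an added example written for this article, not code from the original; the record format is simplified to (owner, type, rdata) triples, ".example" stands in for <cctld/tld>, and 192.0.2.1 stands in for x.x.x.x.

```python
# Added example (not from the article): the bailiwick rule that modern
# resolvers apply to the two poisoning responses above. Only records whose
# owner name lies inside the zone the resolver was querying are accepted,
# and glue (A records in the additional section) is used only when it
# belongs to an accepted NS record. Record formats are simplified.
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name, rrtype, rdata)


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` equals `zone` or is a subdomain of it (FQDN comparison)."""
    owner = owner.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone: str, authority: List[Record],
                    additional: List[Record]) -> Dict[str, list]:
    """Decide which authority/additional records may enter the cache.

    zone: the zone whose name server the resolver asked (its bailiwick).
    Returns accepted 'authority' and 'additional' records plus 'rejected'.
    """
    result: Dict[str, list] = {"authority": [], "additional": [], "rejected": []}
    ns_targets = set()
    for owner, rrtype, rdata in authority:
        if rrtype == "NS" and in_bailiwick(owner, zone):
            result["authority"].append((owner, rrtype, rdata))
            ns_targets.add(rdata.lower())
        else:
            result["rejected"].append((owner, rrtype, rdata))
    for owner, rrtype, rdata in additional:
        # glue must be in-bailiwick AND referenced by an accepted NS record
        if rrtype == "A" and in_bailiwick(owner, zone) and owner.lower() in ns_targets:
            result["additional"].append((owner, rrtype, rdata))
        else:
            result["rejected"].append((owner, rrtype, rdata))
    return result


# The two responses from the article, with constructed placeholder values:
# ".example" for <cctld/tld> and 192.0.2.1 for x.x.x.x.
ZONE = "spooferdomain.example."
EXAMPLE_1 = dict(
    authority=[("spooferdomain.example.", "NS", "ns.targetdomain.example.")],
    additional=[("ns.targetdomain.example.", "A", "192.0.2.1")],
)
EXAMPLE_2 = dict(
    authority=[("targetdomain.example.", "NS", "ns.spooferdomain.example.")],
    additional=[("ns.spooferdomain.example.", "A", "192.0.2.1")],
)

if __name__ == "__main__":
    for name, resp in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        r = filter_response(ZONE, resp["authority"], resp["additional"])
        print(name, "cached:", r["authority"] + r["additional"])
        print(name, "rejected:", r["rejected"])
```

In Example 1 the NS record for spooferdomain is legitimately in bailiwick and is kept, but the glue for ns.targetdomain is outside it and is discarded, so the resolver will look up that name server’s address itself. In Example 2 the authority record for targetdomain is out of bailiwick and is discarded outright, and the glue, although its owner name is in bailiwick, is dropped because no accepted NS record refers to it. Source-port and transaction-ID randomisation and DNSSEC validation are the complementary defences against forged responses that do not rely on out-of-bailiwick records.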

Email Spoofing (phishing)

Email spoofing, or phishing, is the forgery of an email header (a falsified “From:”) so that the message appears to have originated from someone or somewhere other than the actual source. When you hear someone say “phishing” or “spam”, you’ll immediately know that it’s email spoofing. This is usually done by spammers, and through phishing emails, for advertising purposes.

Email spoofing can also have malicious motives, such as spreading viruses or attempting to gain personal data. It is possible because the core email protocol, SMTP (Simple Mail Transfer Protocol), has no built-in authentication mechanism. The main goal of email spoofing is to get recipients to open, and ideally to respond to, the spoofed email.

Be aware and keep your eyes open: any email that asks for your credentials, passwords or any other personal information could be a trick.

Since SMTP lacks authentication, several systems and frameworks have been built on top of it to authenticate senders and reduce spam and phishing emails, for example:

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication, Reporting & Conformance)
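SPF and DKIM each authenticate a domain, but neither on its own checks the “From:” header the user actually sees; DMARC ties the two together by requiring that whichever mechanism passed is aligned with the From: domain, and by publishing what the receiver should do when that fails. The following is an added example written for this article, not code from the original or from any mail software; SPF and DKIM results are passed in as already-computed values, the organizational-domain lookup is simplified to the last two labels (real implementations use the Public Suffix List), and all domains and the DMARC record are constructed.

```python
# Added example (not from the article): how a receiving mail server combines
# SPF, DKIM and a DMARC record into a pass/fail decision. Authentication
# results are supplied as plain values; the organizational-domain lookup is
# simplified to "last two labels" (assumption; real code uses the Public
# Suffix List).
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: keep the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(from_domain: str, dmarc_record: str,
                   spf_result: str, spf_domain: Optional[str],
                   dkim_result: str, dkim_domain: Optional[str]) -> Dict[str, str]:
    """Return {'result': 'pass'|'fail', 'disposition': ...} for one message.

    DMARC passes if EITHER SPF or DKIM both passed AND is aligned with the
    RFC5322.From domain; on failure the record's p= tag gives the disposition.
    spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= tag
    of the signature that verified.
    """
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none"}
    return {"result": "fail", "disposition": tags["p"]}


if __name__ == "__main__":
    # Constructed case: the From: header claims example.com, but the message
    # was relayed by an unrelated host (SPF passes for THAT host's domain) and
    # carries no valid DKIM signature. SPF passing is not enough: it is not
    # aligned with the visible From: domain, so DMARC fails and p=reject applies.
    verdict = dmarc_evaluate("example.com", "v=DMARC1; p=reject; aspf=r; adkim=s",
                             spf_result="pass", spf_domain="mail.attacker.example",
                             dkim_result="none", dkim_domain=None)
    print(verdict)
```

The constructed case is the one that matters for spoofing: a message can pass SPF for the domain the sending server really uses while still forging the From: header, and only the alignment step catches that. Note also the effect of the adkim and aspf tags: a strict setting rejects a signature from a subdomain such as mail.example.com for a From: of example.com, which is correct for some organisations and a source of false failures for others, so the usual rollout is p=none with reports first, then quarantine, then reject.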

ARP Spoofing

ARP spoofing is a type of attack in which an attacker sends falsified ARP (Address Resolution Protocol) messages over a local area network. This causes network traffic to be redirected to the attacker.

The main goal of an ARP spoofing attack is to associate the attacker’s MAC (Media Access Control) address with the IP address of a target host, so that any traffic meant for the target host is sent to the attacker’s host instead. Any information intended for that IP address is therefore transmitted to the attacker.

The basic principle behind ARP spoofing is to exploit the lack of authentication in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker’s machine that is connected directly to the target LAN.

There are three types of ARP spoofing attacks:

  • Man-in-the-Middle (MitM) attacks: the attacker relays and can modify the traffic passing through.
  • Denial-of-Service (DoS) attacks: a fake MAC address is attached to the user’s default gateway, so traffic never reaches it.
  • Session hijacking: gives attackers the ability to steal session IDs, granting access to private systems and data.

There are also useful, non-malicious uses of ARP spoofing (to implement redundancy of network services, to debug IP traffic between two hosts, etc.).
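Because ARP has no authentication, the practical defence on an ordinary LAN is detection: a host or IDS records which MAC answered for each IP and alerts when an address it already knows suddenly answers with a different MAC, with the default gateway treated as the most sensitive entry. The following is an added example written for this article, not code from the original or from any detection tool; the ARP replies are constructed tuples rather than live captures, and the addresses are documentation-range placeholders.

```python
# Added example (not from the article): a passive ARP-spoofing detector of the
# kind a host or IDS can run. It watches ARP replies and raises an alert when
# an IP address it has already seen starts answering with a different MAC, or
# when one MAC claims several IP addresses (the gateway-impersonation pattern).
# Replies are constructed (IP, MAC) tuples, not live captures.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ArpReply = Tuple[str, str]  # (sender IP, sender MAC) as seen in an ARP reply


class ArpWatcher:
    def __init__(self, protected: Set[str] = frozenset()):
        self.ip_to_mac: Dict[str, str] = {}          # last MAC seen for each IP
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
        self.protected = set(protected)              # e.g. the default gateway's IP
        self.alerts: List[str] = []

    def observe(self, reply: ArpReply) -> List[str]:
        """Record one ARP reply and return any alerts it triggered."""
        ip, mac = reply[0], reply[1].lower()
        new_alerts: List[str] = []
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            level = "CRITICAL" if ip in self.protected else "WARNING"
            new_alerts.append(f"{level}: {ip} changed from {known} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            new_alerts.append(f"WARNING: {mac} claims {sorted(self.mac_to_ips[mac])}")
        self.alerts.extend(new_alerts)
        return new_alerts


def run_detector(replies: List[ArpReply], gateway_ip: str) -> List[str]:
    """Feed a sequence of replies through a watcher and return all alerts."""
    watcher = ArpWatcher(protected={gateway_ip})
    for reply in replies:
        watcher.observe(reply)
    return watcher.alerts


# Constructed sample: the real gateway (192.0.2.1) answers first, then a host
# with MAC 00:00:5e:00:53:99 starts answering for both the gateway and a peer.
SAMPLE: List[ArpReply] = [
    ("192.0.2.1",  "00:00:5e:00:53:01"),   # gateway, legitimate
    ("192.0.2.20", "00:00:5e:00:53:20"),   # peer, legitimate
    ("192.0.2.1",  "00:00:5e:00:53:99"),   # gateway IP now answered by another MAC
    ("192.0.2.20", "00:00:5e:00:53:99"),   # same MAC also claims the peer
]

if __name__ == "__main__":
    for line in run_detector(SAMPLE, "192.0.2.1"):
        print(line)
```

The second rule (one MAC answering for several IPs) also fires on legitimate multi-homed hosts and on routers doing proxy ARP, so in practice it is tuned with an allow-list. Where the switch supports it, Dynamic ARP Inspection with DHCP snooping, or simply static ARP entries for the gateway on critical hosts, prevents the poisoning rather than merely detecting it.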

Spoofing Prevention & Protection

These recommendations refer to all types of spoofing attacks listed above:

  • First of all, be extremely cautious whenever you receive a message asking for personal information, passwords or credentials, and make sure you download files only from trusted sources.
  • Double-check the sender address of any suspicious email, set up firewalls to block forged IP addresses and suspicious requests, and keep antivirus software installed and up to date.
  • Whenever you can, use cryptographic network protocols (HTTP Secure (HTTPS), Transport Layer Security (TLS), Secure Shell (SSH)).
  • Install spoof detection software to inspect, validate and block any data that appears to be spoofed.
  • Use packet filtering to inspect packets that are transmitted across your network, and avoid “trust relationships” between hosts.

There is no single solution that defeats spoofing attacks. But with these prevention methods and some cyber security awareness, you can certainly reduce them, and in many cases block them completely.