Spoofing


Spoofing

by Katherine Knickerbocker


Abstract

Webster's Dictionary describes, "spoof" as a hoax or deception. Spoofing as it applies to computers is exactly that. There are many different types of spoofing attacks, but the goal is the same for them all: to carry out some sort of attack under the name, address or identity of someone else to hide one's own identity.

This paper will focus on e-mail and IP address spoofing. Some common techniques used, and ways to detect spoofing will also be discussed. Methods for safeguarding against spoofing will be examined.


IP Address Spoofing

PTCP/IP (Transmission Control Protocol/Internet Protocol) is a standard format for transmitting data in packets from one computer to another. It is used on the Internet and various other networks. The two parts of TCP/IP are TCP, which deals with construction of data packets, and IP, which routes them from machine to machine (1).

TCP/IP spoofing is the creation of TCP/IP packets using someone else's IP address. Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address. The destination machine only uses that address when it responds back to the source. IP spoofing cannot be used to hide your IP address while surfing the Internet, chatting on-line, or sending e-mail as it causes the responses to be misdirected, thus you will be unable to create a normal network connection (2).

But for attacks that don't require a response, IP spoofing can be used. Some examples are:

1. man-in-the-middle - The attacker positions forces between two communicating parties and both intercepts and relays information between the parties so that each believes they are talking directly to the other when, in fact, both are communicating through the attacker (3).

2. routing redirect - Redirects routing information from the original host to the hacker's host (form of man-in-the-middle) (2)

3. source routing - redirects individual packets by hackers host (2)

4. blind spoofing - Predicts responses from a host, allowing commands to be sent, but cannot get immediate feedback (2).

5. flooding - SYN flood fills up receive queue from random source addresses; smurf/fraggle spoofs victims' address, causing everyone to respond to the victim (2).

Some other attacks include Land, Teardrop, NewTear, TearDrop2, Bonk, Boink, Ping of Death, and snork. The purposes of these attacks can include Denial of Service, slowing down the system, crashing the system, or redirecting to a hostile website, but the sources of these attacks are likely to be spoofed.


E-Mail Spoofing

E-mail spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another source (4). The reasons for email spoofing can range from trying to gain sensitive information (such as passwords or credit card numbers) to sending inflammatory or explicit messages to someone using someone else's email address. Within companies, it can result in loss of consumer confidence, betrayal of client confidentiality and theft of data damaging a firm's image. In one such case, a spoof email originating from global law firm Herbert Smith's Hong Kong office falsely said one of its cleaning personnel had been murdered. The message appeared to come from senior management and caused widespread bad publicity (5).

There are many different ways of spoofing email. By using the built in mail facilities in a Web browser, an attacker can type in any return address and nothing in the browser's design, the Internet connection or the mail server will complain about it (6). Also, most email software allows users to edit their return addresses. A more technically difficult way of spoofing email is to make the message look as though it came from a third party's server by telnetting to an open SMTP (Simple Mail Transfer Protocol) port and using it to inject the email into the information stream (6). Telnetting is a command that lets you use your computer as a terminal on another computer through a network: widely used on the Internet. Normally, the telnet program provides a direct path so that the remote computer communicates directly with the terminal you are actually using (1).

Email spoofing is used quite frequently in social engineering attacks. Social engineering or perception management is a way for an attacker to trick a legitimate computer user into providing useful information that helps the attacker gain unauthorized access to their computer system (7). It is also used in identity fraud or theft cases as well as in corporate or industrial espionage. The attacker usually poses as someone to be trusted so that the victim will feel at ease sharing information. The information sought is usually sensitive or private and can include passwords, usernames, account numbers, etc, that will then be used in some other attack.


Detection

Sometimes it is not possible to detect where a forged email has come from, but there are some things a computer user can look for and do to try and figure out where the mail originated:

1. Check the header of the email message as it often contains a complete history of the "hops" the message has taken to reach its destination. Information in the headers such as the "received:" and "message-ID" information, in conjunction with mail delivery logs should help to determine how the email reached the system (4).

2. Try and look up the true name of the IP address. Wendy Grossman (1998) suggests performing a reverse DNS (domain name server) lookup on the IP number. If the Message ID ends in an IP address instead of a domain name, this should be looked up too. There are several websites available to look up this type of information, but Grossman suggests http://cello.cs.uniuc.edu/cgi-bin/slamm/ip2name (6)

3. Compare with other people - since specialized information is sometimes needed to trace an email, comparing information with other people can help get to the bottom of a spoof. For example (6): One message that apparently came from Netcom was queried in a discussion group because the Authenticated sender was listed in the header as <user>@popd.netcruiser. A Netcom user, however, knew that the Netcruiser is the name of Netcom's front-end software package.


Safeguarding

PCERT Coordination Center suggests that the most effective way to safeguard against spoofed email is to use cryptographic signatures such as PGP (pretty good privacy). This will ensure that the message has not been altered in transit and that it is from whom it appears to be from. Other suggestions from CERT are as follows:

- Configure mail delivery daemon to prevent someone from directly connecting to your SMTP port to send spoofed email to other sites.

- Use a single port of entry for email to your site.

- In the office setting, educate users about the site's policies and procedures in order to prevent them from being "social engineered" into disclosing sensitive information, and have them report any such activities.

Packet filtering is another safeguard that can be used, but ZDInc (2001) reports that it may not be enough because it does not prevent spoofing from outside the firewall. They suggest advanced packet switching, which prevents spoofing by using a technique called dynamic packet filtering (DPF). With DPF, all access requests have their IP addresses pinged before data proceeds through a firewall. The ping process, which sends a test data packet to another site and waits for a response, ensures that spoofed packets return anomalous results. The firewall can then stop the transaction (9). Two examples of this are "Firebox" (WatchGuard Technologies) and "Firewall Server" (Secure Computing Corporation).

Another firewall suggestion is to select one that includes application-layer gateway (ALG). ALG's check packets at the application level of the network stack (10). Another benefit of ALG's is that when they write audit records they do so by gathering information on exactly what commands were given during a break-in attempt. This can indicate what the attacker was after (10). Two drawbacks to ALG's are that they are typically slower than packet filters and they can only regulate applications that use specific protocols. For example "…any ALG deals with HTTP, SMTP, and PoP (Post Office Protocol). That's fine, if those are the only protocols you use. If your users run applications that need access to new or unsupported protocols, you're out of luck with an ALG". (10).


Summary, Conclusions, and Further Work

PIn some cases you can contact the ISP (Internet Service Provider) and complain if you're receiving harassing, spoofed emails. In most cases the ISP can handle it from there, but in some cases they cannot. Cynthia Armistead received many, many hostile spoofed emails from a stalker and her ISP could not or would not take action against the harassing party (8).

When all else fails, there are online areas that will assist the user in resolving a "spoof" issue. news.admin.net-abuse.email and news.admin.netabuse.misc are two examples of newsgroups that can help with deciphering the more difficult headers. They also know which services are regular offenders and how to handle them. Other organizations such as the Cyberangels and WHOA (Working to halt online abuse) can assist with this issue as well.

It is important for the user to at the very least be aware of spoofing and have some knowledge on how to detect it. Because this type of attack can lead to other, more serious attacks such as attacks on the computer system or network and even fraud and identity theft, users should also have safeguards in place, and know who to contact should spoofing become apparent.


References

(1) Downing, D., Covington, M., and Covington, M. M. (2000). "Dictionary of Computer and Internet Terms". (7th Ed.). Publisher: Barron's Educational Series, Inc.

(2) ICE Corporation (1998-2001). "Spoofing" [Online] Available: www.advice.networkice.com/advice/intrusions/2000001/default.htm

(3) Cohen, F. (1999). Attacks database. [Online], Available: http://all.net/CID/Attack/Attack74.html

(4) CERT/CC. (1999). "Spoofed/Forged Email". [Online], Available: www.cert.org/tech_tips/email_spoofing.html

(5) ZDNet. (2001). "Spoof emails pose a threat". [Online], Available: www.news.zdnet.co.uk/story/0,,s2085397,00.html

(6) Grossman, W. (1998). "How to Detect Forged Email". [Online], Available:

(7) "Social Engineering" [Online], Available: www.smdc.army.mil/securityguide/v1comput/social.htm

(8) Arimistead, C. (2001). [Online], Available: www.technomom.com/harassed/

(9) ZDNet. (2001). "Choose the Best Security Bricks for a Firewall - Spoof This!" [Online], Available: www.zdnet.com/devhead/stories/articles/0,4413,1600789,00.html

(10) ZDNet. (2001). "Choose the Best Security Bricks for a Firewall - ALG Basics". [Online], Available: www.zdnet.com/devhead/stories/articles/0,4413.1600790,00.html