
Spoofing

Basics

• In spoofing (fooling, deceiving), an attacker impersonates someone else.
• This allows him/her to exploit the access privileges of the spoofed.

Basics

Types of spoofing:
• IP spoofing: Attacker uses IP address of another computer to acquire information or gain access
• Email spoofing: Attacker sends email but makes it appear to come from someone else
• Web spoofing: Attacker tricks web browser into communicating with a different web server than the user intended.

IP Spoofing

• IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the header.
• Routers use the destination IP address to forward packets, but ignore the source IP address.
• The source IP address is used only by the destination machine, when it responds back to the source.
• When an attacker spoofs someone's IP address, the victim's reply goes back to that address.
• Since the attacker does not receive packets back, this is called a one-way attack or blind spoofing.
• To see the return packets, the attacker must intercept them.

Misconception (IP spoofing)

• A common misconception is that via spoofing you can surf the net, chat on line, send/receive email while hiding your identity.
• This is not possible since the replies do not go to you.

Basic types of IP spoofing attacks

• Basic address change
• Use of source routing to intercept packets
• Exploitation of trust relationships on UNIX machines
• Session Hijacking (covered in a separate lecture)

Basic address change (IP spoofing)

• In Windows go to: control panel + Network + TCP/IP + IP screens, and simply change the IP address to the one you want to spoof and reboot.
• In UNIX use ifconfig.
• All replies go to the spoofed address. Since TCP requires a 3-way handshake, no session could be established. But a UDP attack could work.

Source Routing (IP spoofing)

• One way for an attacker to see return traffic from a spoofing attack is for him to insert himself in the path the traffic would normally take.
• Internet routing is normally dynamic; there is no guarantee that the same route between 2 IPs is always taken.
• Source routing can be used to guarantee that a packet follows a set path.

Types of source routing:

1. Loose source routing (LSR): The sender specifies a list of some IP addresses that a packet must go through (it might go through more).
2. Strict source routing (SSR): The sender specifies the exact path a packet must take (if it is not possible the packet is dropped).

• Source routing is supported for diagnosis purposes and to make sure your traffic does not go through a competitor's network.
• Only 8 hops can be specified in an IP packet header. (Many Internet routes require more hops than this.) That's why SSR is not practical.
• If the sender specifies source routing to the destination, the destination machine automatically uses source routing to get back to the sender.

Source Routing (IP spoofing)

• An attacker sends a packet to the destination with a spoofed address but specifies LSR and puts his IP address in the list.
• The best way to protect against source routing spoofing is to simply disable source routing at your routers.
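Added example (not from the slides): a small parser for the IPv4 options field that recognises the loose (LSRR, type 131) and strict (SSRR, type 137) source-route options described above, plus the router policy the slide recommends, namely dropping any packet that carries either option. The option type codes and layout are from RFC 791; the test packets are constructed in `build_packet` (no payload, checksum left at zero) and use documentation addresses.

```python
import ipaddress
import struct

# IPv4 option type codes from RFC 791: end-of-list, no-op, loose and strict
# source-and-record-route.
IPOPT_EOOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137


def parse_options(packet: bytes) -> list:
    """Return [(type, payload)] for every multi-byte option in an IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes; options start at byte 20
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, out, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def source_route(packet: bytes):
    """Return ('LSRR'|'SSRR', [hop addresses]) if the packet is source routed, else None."""
    for kind, payload in parse_options(packet):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            # payload[0] is the route pointer; 4-byte addresses follow it
            hops = [str(ipaddress.IPv4Address(payload[k:k + 4]))
                    for k in range(1, len(payload) - 3, 4)]
            return ("LSRR" if kind == IPOPT_LSRR else "SSRR", hops)
    return None


def router_drops(packet: bytes) -> bool:
    """The slide's countermeasure: a router with source routing disabled drops such packets."""
    return source_route(packet) is not None


def build_packet(src: str, dst: str, route=None, strict=False) -> bytes:
    """Constructed IPv4 header (no payload, checksum left zero) for exercising the parser."""
    opts = b""
    if route:
        body = b"".join(ipaddress.IPv4Address(h).packed for h in route)
        kind = IPOPT_SSRR if strict else IPOPT_LSRR
        opts = bytes([kind, 3 + len(body), 4]) + body   # type, length, pointer, addresses
        opts += b"\x00" * (-len(opts) % 4)              # pad to a 32-bit boundary with EOOL
    ihl = (20 + len(opts)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts), 0, 0,
                      64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + opts


if __name__ == "__main__":
    pkt = build_packet("192.0.2.1", "192.0.2.2", route=["203.0.113.9"])
    print(source_route(pkt), "drop" if router_drops(pkt) else "permit")
```

On a real router the same decision is made by the platform's "no ip source-route" style setting; the parser shows what that setting is looking at.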

Trust relationships on UNIX (IP spoofing)

• On UNIX a user can use rlogin or rsh to access a machine A without providing a password if he is on B and B is trusted by A.
• Trust relationships in UNIX are based on IP addresses… which could be spoofed.

Spoofed host disabling (see diagrams)

• The attacker must first disable the spoofed host and ensure that no network traffic gets to it. Otherwise, it will receive a SYN/ACK sent by the victim, and since it (the spoofed) did not initiate the TCP 3-way handshake it will send back a RST message which will foil the attack.
• The primary method for disabling a host is by SYN flooding: the attacker overwhelms the spoofed machine with SYN messages, filling up its queue. Any subsequent messages (including the SYN/ACK from the victim) will be dropped.

Establishing a TCP Connection

Connection establishment

• 3-way handshake algorithm between A (client) and B (server)

   A (client)                                                          B (server)
   Send SYN        ----- SYN, SeqNum = SN of A ------------------->    Receive SYN
   Receive         <---- SYN + ACK, SeqNum = SN of B, -------------    Send SYN + ACK
   SYN + ACK             AckNum = SN of A + 1
   Send ACK        ----- ACK, AckNum = SN of B + 1 --------------->    Receive ACK

Network messages in the spoofing scenario (diagram): Site A is the attacker plus the spoofed host, Site B is the victim. The attacker sends the SYN, the SYN + ACK goes to the spoofed host, and the attacker sends the final ACK.

Predicting Sequence Numbers

• Just prior to starting an attack, the attacker connects to a TCP port on the victim and completes a three-way handshake.
• This process is repeated several times to allow him to predict how the victim increments the sequence numbers.

Predicting Sequence Numbers

• After initiating a spoofing attack, the attacker waits for the victim's SYN/ACK to reach the trusted host, which cannot respond (it was SYN flooded).

Predicting Sequence Numbers

• The attacker then sends an ACK to the victim with the predicted sequence number plus one.
• If the attacker's calculations are correct, the target will accept the ACK.
• The victim server has been compromised.
• Most attackers will then install a backdoor to make it easier to get into the system in the future.

Perform sequence number prediction

• Nmap (-O) lets you know what OS you are dealing with and ranks its TCP sequence number prediction:
  – Easy with NT prior to Service Pack 4
  – Difficult with Linux
• The following are the sequence numbers when connecting 5 consecutive times from an NT to a Linux machine:

Perform sequence number prediction

  seconds since noon                Linux        NT           PrevSeqNum + 1000*(time-prevTime)
  (04:54:35.20972) 17675.20972      321765071    2887495515   -
  17680.19562                       332010905    2887500502   2887500502
  17686.79997                       338617656    2887507109   2887507109
  17692.00139                       339459049    2887512311   2887512311
  17696.80527                       334021331    2887517117   2887517117

Summary of steps in IP spoofing

• Selecting a victim
• The trust relationships are reviewed to identify a host (the spoofed) that has a "trust" relationship with the victim.
• The trusted host is then disabled (via SYN flooding) and the target's TCP sequence numbers are analyzed.
• The trusted host is then impersonated, the sequence numbers forged (after being calculated).
• A connection attempt is made to a service that only requires IP-based authentication (no user id or password).
• If a successful connection is made, the attacker executes a simple command to leave a backdoor.
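Added example (not from the slides): the table above, run through the slide's own model "PrevSeqNum + 1000*(time-prevTime)" to measure how predictable each host's initial sequence numbers are, in the spirit of the Nmap rating quoted earlier. The five samples are copied from the table; the "easy"/"difficult" tolerance of 16 is an assumption chosen for this example, not Nmap's algorithm. The last function applies the random-ISN countermeasure from the next slide to the same time stamps so the two outcomes can be compared.

```python
import secrets

# Copied from the slide's table: (seconds since noon, Linux ISN, NT ISN) for five consecutive connects.
SAMPLES = [
    (17675.20972, 321765071, 2887495515),
    (17680.19562, 332010905, 2887500502),
    (17686.79997, 338617656, 2887507109),
    (17692.00139, 339459049, 2887512311),
    (17696.80527, 334021331, 2887517117),
]
LINUX, NT = 0, 1   # column selectors for the ISN values in SAMPLES


def predict(prev_isn, prev_t, t, rate=1000.0):
    """The slide's model: the ISN advances by `rate` units per second of wall-clock time."""
    return prev_isn + rate * (t - prev_t)


def prediction_errors(samples, col):
    """Absolute error when each ISN is predicted from the previous sample."""
    errs = []
    for (prev_t, *prev), (t, *cur) in zip(samples, samples[1:]):
        errs.append(abs(cur[col] - predict(prev[col], prev_t, t)))
    return errs


def rate_predictability(samples, col, tolerance=16):
    """Crude rating: 'easy' if every prediction lands within `tolerance` of the real ISN."""
    return "easy" if max(prediction_errors(samples, col)) <= tolerance else "difficult"


def random_isn_samples(times):
    """The countermeasure: draw the ISN from a cryptographic RNG instead of a clock."""
    return [(t, secrets.randbelow(2 ** 32)) for t in times]


if __name__ == "__main__":
    for name, col in (("Linux", LINUX), ("NT", NT)):
        print(name, [round(e, 1) for e in prediction_errors(SAMPLES, col)],
              rate_predictability(SAMPLES, col))
    rnd = random_isn_samples([s[0] for s in SAMPLES])
    print("random ISN", rate_predictability(rnd, 0))
```

With this data NT's predictions are all within about 3 of the observed value, while Linux is off by hundreds of thousands to millions, which is the gap the slide describes.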

Countermeasures to IP Spoofing

• Don't rely on IP-based authentication.
• Use router filters to prevent packets from entering your network if they have a source address from inside it. Prevents an outside attacker from exploiting the trust of an inside machine.
• Use router filters to prevent packets from leaving your network if they have a source address from outside it. Prevents someone from using an inside machine to launch an attack against another site.
• Use random initial sequence numbers. Prevents SN prediction.

Email Spoofing

With email spoofing, someone receives email that appears to have originated from one source when it actually was sent from another source.

Purposes of email spoofing:
– Hiding sender's identity
– Impersonating someone
– Implicating someone
– Trick someone into making a damaging statement or releasing sensitive information

Note that anonymous email can be sent using an anonymous remailer (spam vehicles).
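Added example (not from the slides): the two router-filter rules above expressed as a decision function and run over a few constructed flow records. The inside prefixes, interface names and sample flows are assumptions for this example (RFC 5737 documentation ranges); the rules themselves are exactly the slide's: drop inbound packets claiming an inside source, drop outbound packets claiming an outside source.

```python
import ipaddress

# Address space the border router owns; constructed for this example.
INSIDE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]


def is_inside(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INSIDE_PREFIXES)


def border_decision(iface: str, src: str) -> str:
    """Apply the slide's two rules. iface is 'outside' (Internet side) or 'inside' (LAN side)."""
    if iface == "outside" and is_inside(src):
        return "drop:ingress-spoof"   # arrived from the Internet but claims an inside source
    if iface == "inside" and not is_inside(src):
        return "drop:egress-spoof"    # leaving our network with a source address we do not own
    return "permit"


# Constructed flow records: (ingress interface, source, destination).
SAMPLE_FLOWS = [
    ("outside", "203.0.113.7", "192.0.2.10"),   # ordinary inbound traffic
    ("outside", "192.0.2.5",   "192.0.2.10"),   # inside source arriving from outside
    ("inside",  "192.0.2.5",   "203.0.113.7"),  # ordinary outbound traffic
    ("inside",  "10.9.9.9",    "203.0.113.7"),  # forged source leaving our network
]


def audit(flows):
    """Return each flow with the filter's verdict appended."""
    return [(iface, src, dst, border_decision(iface, src)) for iface, src, dst in flows]


if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(*row)
```

The second rule is the one that protects other sites from you; the first protects your own trust relationships, which is why both directions are listed on the slide.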

3 basic ways to perform (email spoofing)

• Aliasing
• Modify mail client
• Telnet to port 25

Aliasing

One simple form of email spoofing is to create a valid email account (on yahoo or hotmail) and put someone else's name in the alias field.

Example:
From: Bill Clinton
Sent: Friday, March 22, 2002 4:57 PM
To: Laura Bush
Subject: Romantic dinner?

Mail clients must be configured to show the full email address and not just the alias:
From: Bill Clinton [mailto: bubba@aol.com]
Sent: Friday, March 22, 2002 4:57 PM
To: Laura Bush
Subject: Romantic dinner?

Modifying a Mail Client

• When email is sent by a user, the From: address is not validated.
• An attacker can use a mail client to specify whatever From: address he wants (Eudora, Outlook).
• When the receiver replies, the reply goes to the From: address and not to the person spoofing it.
• Email messages should be logged by mail servers, to permit the actual sender of a message to be determined during an audit.
• Examination of the full email header will often reveal the actual sender and the machines where the email was originated.

A full email header may look like (skip):

Return-Path: forged_address@fake.com
Received: from wooftech.net ([207.102.129.200])
  by mail0.mailsender.net (5.1.036) id 395BB63B0012CA18
  for alice@email.net; Thu, 6 Jul 2000 16:43:46 -0700
→ Received: from localhost ([172.153.252.183]) by popper3.vphos.net ;
  Thu, 06 Jul 2000 16:44:53 -0700
X-Originating-IP: [172.153.252.183]
From: forged_address@fake.com
To: alice@email.net
Date: Thu, 06 Jul 2000 17:43:57 -0600
Subject: Anonymous email
Message-ID: <96292709501@popper3.vphos.net>
X-UIDL: d88aeacb3ad5b77467f87f8facaf9ce0

Assuming the example is not forged, the header implies popper3.vphos.net was the first email server. This means the sender probably uses the service provider vphos.net.

Email Clues (skip)

Return-Path: forged_address@fake.com
Received: from wooftech.net ([207.102.129.200])
  by mail0.mailsender.net (5.1.036) id 395BB63B0012CA18
  for alice@email.net; Thu, 6 Jul 2000 16:43:46 -0700
Received: from localhost ([172.153.252.183]) by popper3.vphos.net ;
  Thu, 06 Jul 2000 16:44:53 -0700
→ X-Originating-IP: [172.153.252.183]
From: forged_address@fake.com
To: alice@email.net
Date: Thu, 06 Jul 2000 17:43:57 -0600
Subject: Anonymous email
Message-ID: <96292709501@popper3.vphos.net>
X-UIDL: d88aeacb3ad5b77467f87f8facaf9ce0

Sometimes emails contain an "originating-IP" header. This header gives the unique address of the computer the sender was sitting in front of when the email was sent, making it even easier to trace the email.

If a remailer is used, the headers can identify the name and address of the sending remailer but not where the email originated.

Telnet to Port 25

• Mail is sent across the Internet using SMTP (Simple Mail Transfer Protocol) servers listening on port 25.
• An attacker can telnet to port 25 of a mail server pretending to be another mail server:

telnet ip-address 25

Once connected, the spoofer types:
helo
mail from:spoofed-email-address
rcpt to: target-email-address
data
the message you want to send, followed by a period
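Added example (not from the slides): the header analysis the two header slides walk through, done in code. It takes the slide's sample header (embedded here as constructed input, folded as it would be on the wire), walks the Received: chain from the earliest hop upward, pulls out the X-Originating-IP, and reports whether the From: domain matches the first mail server's domain, which is the clue the slide draws from popper3.vphos.net versus fake.com. Only the standard library is used; the regular expression assumes the common "from HOST ([IP]) by HOST" form of Received: lines.

```python
import email
import re

# The slide's sample header, embedded as constructed test input (body omitted).
SAMPLE_HEADER = """Return-Path: forged_address@fake.com
Received: from wooftech.net ([207.102.129.200])
 by mail0.mailsender.net (5.1.036) id 395BB63B0012CA18
 for alice@email.net; Thu, 6 Jul 2000 16:43:46 -0700
Received: from localhost ([172.153.252.183]) by popper3.vphos.net ;
 Thu, 06 Jul 2000 16:44:53 -0700
X-Originating-IP: [172.153.252.183]
From: forged_address@fake.com
To: alice@email.net
Date: Thu, 06 Jul 2000 17:43:57 -0600
Subject: Anonymous email
Message-ID: <96292709501@popper3.vphos.net>
X-UIDL: d88aeacb3ad5b77467f87f8facaf9ce0

(body omitted)
"""

# Matches the usual "from <host> ([<ip>]) by <host>" shape of a Received: line; \s+ spans folds.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)\s+by\s+([\w.-]+)", re.I)


def trace_origin(raw: str) -> dict:
    """Reconstruct the relay chain (earliest hop first) and the sender clues from a raw message."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its own Received: line, so the last one in the header is the earliest hop.
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    x_orig = (msg.get("X-Originating-IP") or "").strip("[] ")
    first_server = hops[0]["by"] if hops else None
    from_domain = (msg.get("From") or "").rsplit("@", 1)[-1].strip("> ").lower()
    return {
        "hops": hops,
        "first_server": first_server,
        "originating_ip": x_orig or (hops[0]["ip"] if hops else None),
        "from_domain": from_domain,
        # The slide's clue: a From: domain that is not the first server's domain.
        "from_matches_first_server": bool(first_server) and first_server.lower().endswith(from_domain),
    }


if __name__ == "__main__":
    for k, v in trace_origin(SAMPLE_HEADER).items():
        print(k, v)
```

Remember the slide's caveat: any of these lines can be forged by a hop you do not control; only the Received: line added by your own server is trustworthy, which is why the chain is read from that end.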

Telnet to Port 25 (skip)

• In mail relaying, an attacker uses a mail server to send mail to someone in a different domain.
• The most basic form of mail spoofing protection is to check that the recipient's domain is the same as the mail server's.
• Newer SMTP servers also check for any remote connection that the To: and From: addresses are from the server's domain.

Telnet to Port 25 (skip)

• To bypass the previous restrictions: An attacker can run his own mail server.
• But the server's address will be in the email header so this scheme is easier to trace back.

Web Spoofing

• Web spoofing is tricking someone into visiting a web site other than the one they intend to and mimicking the intended site.
• In this way, an attacker may obtain confidential information.
• They can also provide false or misleading information.
• They can even create a 'shadow copy' of the whole web to the victim.

Web Spoofing

One way to lure people to a malicious site is to give it a URL that is similar to that of a legitimate site, e.g.,
www.paypai.com
wwwFirstNationalBank.com

Another way is for the attacker to provide HTML with a mislabeled link to another page, e.g., in an email. Example:
<a HREF="http://www.badhack.org"> American Red Cross</a>

>From: "james odion" <jamesodion@msn.com>
>Reply-To: box_nic@yahoo.com
>Subject: Your Assistance
>Date: Mon, 22 Aug 2005 23:33:01 +0000
>
>Your Assistance
>10 NKRUMA WAY,
>MONROVIA, Liberia.
>
>My name is James Odion. I was the director of special duties to president
>Charles Taylor in Liberia. We the former members of government are no
>longer in Liberia. We are currently in exile outside our country.
>
>I am requesting your co-operation for immediate acceptance of my
>US$12,000,000.00 {Twelve Million United States Dollars Only}.
>
>This amount is my compensation from unofficial payments made to our
>government by foreign buyers of our major export, diamonds, which were
>under my supervision. As the former Director of Special Duties, President
>Charles Taylor compensated me with these funds during our last days in
>Liberia before we handed over power to the interim government few years
>back.
>
>All that has to do with the US$12M are decent, morally sound, and legal.
>But the money is in United States Dollars, which attracts undue attention
>especially when it is connected with someone in and around government. I
>therefore request that you receive and keep the funds on my behalf until I
>am able to take back control of it in a short period of time. Please reply
>me urgently so you can receive the amount into your bank account. Once the
>money is in your account, feel free to keep 20% of it for your personal
>use as compensation for your efforts, while the balance will be kept for me
>until I can take control of it.
>
>We shall sign a formal partnership agreement and I can also make available
>my detailed profile and photographs to assure you of my honesty and good
>faith. Send me the following information:
>
>1. Your direct telephone and fax numbers.
>
>2. Bank account details where you want the money transferred into.
>
>I need to call you and speak with you on phone and also fax you the
>relevant documents before the funds will be transferred into your bank
>account.
>Please reply to my alternate email address as soon as possible:
>flonoch@yahoo.co.uk
>
>Yours faithfully,
>James Odion
>

A recent incident

• Attackers registered a domain named www.citi.com (as opposed to citibank.com).
• Sent emails to the bank's customers asking them to connect to the new web site (by simply clicking on the link below) and reregistering by entering their account information (including password).

7/31/2004
Taking down the Citibank scam.

Today, ironically only a few days after slashdot posted a link to the email fraud IQ test, I received a message from Citibank.
This would be all fine and good, except I don't have an account at Citibank, never have, and probably never will. I immediately suspected a scam.
So, I did a little hacking and discovered that 'validation link' really pointed to not a URL, but an IP address. To be precise, the link pointed to
http://61.144.211.22/Verify/
Hmmm. Very odd.
But wait! There's more. Let's take a look at the email header.
From: Citi Identity Theft Solutions admin419 @citi.com
Subject: Urgent Message From Citibank
That looks ok so far, but when I expanded the header…
Citi Solutions admin419 @citi.com
Subject: Urgent Message From Citibank
Reply-To: Citi Identity Theft Solutions admin419 @citi.com
To: apex1 (at) bellsouth.net
Citibank mass routing an email through a bellsouth account? This definitely ain't Citibank, folks.
But just to be sure, let's do a whois lookup on that IP address (61.144.211.22) to see who is really behind it all.
This is the info I got back.

Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 61.0.0.0 - 61.255.255.255
CIDR: 61.0.0.0/8
NetName: APNIC3
NetHandle: NET-61-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: TINNIE.ARIN.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 1997-04-25
Updated: 2004-03-30
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net
# ARIN WHOIS database, last updated 2004-07-30 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Interesting. Why is "Citibank" emailing me from Asia? At this point, we can conclude that this is a total scam and stop here. But before I wrap it up, I've got to fix it.

Man-in-the-middle attack in which links are rewritten dynamically:

1. The victim requests a URL from their browser.
2. The attacker gets the real page requested from the World Wide Web.
3. The real server provides the page to the attacker's server.
4. The attacker then rewrites the page.
5. The attacker then provides the rewritten version to the victim.

Web spoofing

• On the compromised HTML, the attacker must ensure that the URLs are modified. For example, if the attacker's server is "www.attacker.com", a link such as http://www.mybank.com should become http://www.attacker.com/http://www.mybank.com
• If the victim follows a link on the new page, the page will again be fetched from the attacker's server.
• A user can try to avoid being spoofed by checking their browser's status/location line before clicking on a link. (Note that some browsers truncate the left side of the URL.)
• JavaScript can be used to rewrite the status and location lines.

Web spoofing countermeasures:

• Examine the browser location/status line carefully.
• Examine links in HTML source code.
• Disable "active" content (Java, JavaScript, ActiveX) in the browser.
• Ensure that your browser starts on a "secure page" (a local HTML page).
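Added example (not from the slides): "examine links in HTML source code" done mechanically. The checker pulls every anchor out of a page and flags the three patterns the web spoofing slides describe: a URL nested inside another URL's path (the http://www.attacker.com/http://www.mybank.com rewrite), a lookalike domain (www.paypai.com, the glued wwwFirstNationalBank.com), and a link whose visible text names a brand that its href does not point to (the American Red Cross example). The brand list, the edit-distance threshold of one, and the sample HTML are assumptions constructed for the example; the slide's own example links are reused as input.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands whose real registrable domains we know; constructed list for this example.
KNOWN_BRANDS = ("paypal.com", "mybank.com", "redcross.org")

# Constructed page containing the slide's example links plus one legitimate link.
SAMPLE_HTML = """
<a HREF="http://www.badhack.org"> American Red Cross</a>
<a href="http://www.paypai.com/login">PayPal</a>
<a href="http://wwwFirstNationalBank.com/">Bank</a>
<a href="http://www.attacker.com/http://www.mybank.com">My Bank</a>
<a href="https://www.paypal.com/">PayPal</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalikes (paypai vs paypal)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host name (good enough for the .com/.org brands used here)."""
    return ".".join(host.lower().split(".")[-2:])


def check_link(href: str, text: str) -> list:
    """Return the list of spoofing indicators found for one link."""
    findings = []
    p = urlparse(href)
    host = (p.hostname or "").lower()
    if re.search(r"https?:/", p.path):            # a whole URL tucked into the path
        findings.append("url-in-path")
    if host.startswith("www") and not host.startswith("www."):
        findings.append("glued-www")               # wwwFirstNationalBank.com
    reg = registrable(host)
    if reg not in KNOWN_BRANDS:
        for brand in KNOWN_BRANDS:
            if edit_distance(reg, brand) == 1:
                findings.append(f"lookalike:{brand}")
    squeezed = re.sub(r"[^a-z0-9]", "", text.lower())
    for brand in KNOWN_BRANDS:
        if brand.split(".")[0] in squeezed and reg != brand:
            findings.append(f"mislabeled:{brand}")  # text names a brand the href does not point to
    return findings


def scan_html(html: str) -> dict:
    """Map each href in the page to its list of indicators (empty list = nothing suspicious)."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, findings in scan_html(SAMPLE_HTML).items():
        print(href, findings or "ok")
```

The "url-in-path" rule is the one that catches the man-in-the-middle rewrite: once every link on a page has been routed through the attacker's host, the real site's URL survives only as part of the path.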
