A spoofed device can be used to circumvent a number of security controls. In this video, you’ll learn about ARP poisoning, MAC spoofing and IP spoofing.
<< Previous Video: DNS Poisoning Next: Wireless Deauthentication >>
Spoofing is a technique used extensively in attacks. It is when one device pretends to be something it’s not. And very often, it pretends to be someone else who is real. This might be someone pretending to be a fake web server, or pretending to take the place of an existing web server, pretending to be a fake DNS server– there’s so many different ways you can implement spoofing.
One type of spoofing I recognize from my email inbox is email address spoofing. That’s when I’ll receive a piece of email that appears to be from someone I recognize, but in reality, that email was sent from someone completely different. But they’ve spoofed the email address to make it appear as if it came from somebody that I trust.
I’m seeing a lot more caller ID spoofing these days. This is obviously done over the telephone. You see an incoming call and it appears that that call is coming from a phone number that’s in your local area. But in reality, it’s probably a solicitation that’s coming from someone well outside your geography.
Another type of spoofing is often done on man-in-the-middle attacks. ARP spoofing is a very good example of this where a device can sit in the middle of a conversation between two devices. One very common type of spoofing is Media Access Control address spoofing, or MAC spoofing.
That’s because every device has a burned-in hardware address that comes from the factory. That means that most devices have a MAC address that’s unique to that device. Although this address is burned into the device at the factory, most drivers allow you to change the MAC address of your device if you’d like to.
The spoofing on this MAC address may be something completely legitimate. For example, your Internet Service Provider may be expecting a certain MAC address to be connecting to their network. And there might be certain applications you are using that are expecting to communicate to a device that has a particular MAC address.
But the spoofing of the MAC address may not be legitimate. It may be a device that trying to circumvent an existing access control list or trying to get through a filter that’s on a wireless network. One of the challenges you have as a security administrator is that it’s very difficult to know when a device is using a spoofed MAC address or when it’s the original built-in address.
IP address spoofing is very similar to MAC address spoofing, except with IP address spoofing, you’re taking the IP address of another device or you’re pretending to be a device that isn’t even on your network. This may be something completely legitimate. Maybe you’re using multiple spoofed IP addresses to perform load balancing or to perform testing of that load.
But sometimes a spoofed IP address is done for malicious reasons. It may be performed during the ARP poisoning, or you often see spoofed IP addresses used for things like DNS amplification for a distributed denial of service attacks. Since only a certain range of IP addresses should be associated with a particular IP subnet, it’s a lot easier to detect a spoofed IP address than it is to detect a spoofed MAC address.
So it can be very easy to configure rules and a firewall to help prevent unwanted traffic or traffic that might be spoofed with a fake IP address.