Spoofing – N10-008 CompTIA Network+ : 4.2

Spoofing allows an attacker to appear as a legitimate network user. In this video, you’ll learn about IP spoofing, MAC spoofing, and how to identify and stop these attack types.

If there’s a device on your network that is pretending to be a completely different device, we refer to that as spoofing. For example, if an attacker creates a fake server which has a similar look and feel to the original but it’s under the control of the attacker, that is spoofing. You may notice some spoofing that’s happening on your own system.

If you look through your Spam folder, you’ll probably see email addresses that say they’re from a particular person, but in reality, those email addresses are spoofed. You might also see spoofing on your mobile phone. You might have an incoming call and you’ll notice that call is in your local area, but when you answer the call it’s from an organization that is outside of your area or maybe in a different country.

That caller spoofed a local phone number so that you would be more comfortable answering that call. We have also demonstrated how spoofing can be used to create an on-path attack, where the attacker sits in the middle of a conversation and uses spoofing as the method to create that path. In a previous video, we talked about ARP poisoning, and the attacker uses IP spoofing to accomplish this poisoning.

With a normal ARP communication, a device that’s looking for another will send out a broadcast with the IP address that it’s looking for, hoping to get a MAC address in return. The device receiving that broadcast will send back a response that says, you found the right IP address and here is the MAC address of my device. That information is then saved by the original workstation into an ARP cache so that it knows exactly where to send this traffic for all subsequent communication.

An attacker can take advantage of ARP spoofing by sending that ARP response again, but instead of sending it with the attacker’s IP address, the attacker sends it by spoofing the IP address of the router. You’ll notice that, although the router’s IP address is spoofed, the MAC address that is being sent matches the MAC address of the attacker’s workstation. The device receiving that spoofed response doesn’t realize that it’s been spoofed; it just assumes that the MAC address has changed for that IP address, removes the original information in the cache, and replaces it with the spoofed entry.
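As an added illustration of the poisoning just described (this is not code from the video), the Python snippet below replays a few constructed ARP replies through a tiny cache monitor. Without protection, the cache ends up pointing the router’s IP at the attacker’s MAC, exactly as the victim workstation does above; pinning the gateway’s real MAC both reports the spoofed reply and refuses to overwrite the entry. All IP and MAC values are constructed.

```python
# Added example: a minimal ARP-cache monitor that detects the poisoning
# described in the text. Not part of the original video.
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # IP the reply claims to answer for
    sender_mac: str  # MAC that would be written into the ARP cache
    ts: float        # capture time in seconds (constructed)

# Constructed sample traffic: the real router (00:11:22:33:44:55) answers
# first; later a hypothetical attacker (aa:bb:cc:dd:ee:ff) sends a reply
# for the router's IP that carries the attacker's own MAC.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:55", 1.0),
    ArpReply("192.168.1.50", "00:11:22:33:44:66", 1.5),
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:ff", 2.0),   # spoofed reply
    ArpReply("192.168.1.50", "00:11:22:33:44:66", 2.5),  # benign repeat
]

def watch_arp(replies, pinned=None):
    """Process ARP replies in order and return (alerts, cache).

    `pinned` maps IPs that must never change (e.g. the default gateway)
    to their known-good MAC; a reply that contradicts a pinned entry is
    reported and dropped. Unpinned IPs are learned on first sight, and
    any later change of MAC is reported (but, like a real host, applied).
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    cache = {}
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        if r.sender_ip in pinned and mac != pinned[r.sender_ip]:
            alerts.append(f"{r.ts}: {r.sender_ip} claimed by {mac}, "
                          f"pinned to {pinned[r.sender_ip]}")
            continue  # never let a spoofed reply overwrite a pinned entry
        old = cache.get(r.sender_ip)
        if old is not None and old != mac:
            alerts.append(f"{r.ts}: {r.sender_ip} changed {old} -> {mac}")
        cache[r.sender_ip] = mac
    return alerts, cache

if __name__ == "__main__":
    for line in watch_arp(SAMPLE_REPLIES)[0]:
        print(line)
```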

Any time you see a device using the IP address of a third-party device, that is IP address spoofing. This is a device that’s trying to pretend to be someone that it isn’t. These situations could be legitimate. For example, load balancers use spoofed IP addresses to present a single IP address, when in reality there are different IP addresses behind it providing that service. But in the case of an attacker, this IP addressing may not be legitimate. They may be performing ARP poisoning like the example we just saw, or they may be doing DNS amplification or performing a distributed denial of service using that spoofed IP address.

You can often configure firewall rules or access control lists to look for situations where IP address spoofing might be occurring and block that traffic from entering or leaving your network. Not only can attackers change or modify the IP address so that they can spoof another device, they might also change their MAC address and perform MAC spoofing. This is the media access control address. Sometimes you’ll hear this referred to as the burned-in address.

It’s the address that is associated with the ROM that’s on your network interface card. And although it’s burned into the ROM of that device, many of the drivers for the network interface card allow you to modify that address to be anything you’d like. As with IP address spoofing, MAC spoofing could be legitimate or not legitimate. A legitimate use may be that an internet provider is expecting a certain MAC address from your device, so you have to modify your MAC address to work properly on the internet provider’s network.

There might also be applications that are looking for a particular MAC address as part of a security control, so you may have to modify your MAC address so that the application will work properly. But attackers also know that MAC addresses are often used for access control lists, and if they can modify their MAC address, they may be able to circumvent the existing security.

So on your network, you might have firewalls or other security devices using MAC-based access control lists, or you might have wireless devices that are allowing or disallowing communication through the network based on the MAC address of the sending device. These MAC filters make it very difficult to know whether the information that’s being sent is from the legitimate device or from a device that’s being spoofed. There’s no way to tell, just based on the MAC address, whether this is a MAC address that’s burned in or one that someone has modified.

Since this type of spoofing is only useful on a local subnet, part of the security to prevent this from occurring is limiting the scope or access of devices onto your local network.