Spoofing – CompTIA A+ 220-1002 – 2.5

A spoofing attack allows an attacker to avoid detection through impersonation. In this video, you’ll learn how IP spoofing and MAC spoofing can be used to circumvent existing security technologies.

<< Previous Video: Brute Force Attacks Next: Non-compliant Systems >>

The term spoofing is used to describe when you pretend to be something you aren’t. You could pretend to be a web server that’s not really the right server. Maybe you’re pretending to be a DNS server instead of one that’s legitimate. You can also perform spoofing of email addresses. You may have seen in your spam folder that email addresses that appear to come from someone you know are really addresses that are coming directly from the spammer.

Even the numbers that show up on your phone with caller ID can be spoofed. So you may think that you’re getting a call from something you recognize. But in fact, it’s someone who has spoofed that phone number. And it’s very common to find spoofing used in attacks like a man in the middle attack.

MAC spoofing is when someone changes the MAC address of a network interface card to appear as some other device on the network. Every network interface card has a burned-in address. This is the Media Access Control address of that network interface card. But many network drivers allow you to change this address to anything you would like. And this is how someone is able to manipulate the driver to appear as someone else on the network.

Being able to modify this MAC address has completely legitimate uses. There are some internet service providers that are expecting a certain MAC address to come from you. Or certain applications may be looking to use a particular MAC address as part of the app.

But when somebody is using this for spoofing, it’s often for uses that are not legitimate. You could be trying to circumvent an access control list that is looking for a particular MAC address or trying to avoid a filter that may be in a wireless access point. Someone spoofing the MAC address of a network interface card is very difficult to detect. By simply looking at the MAC address, how do you know if this particular frame is coming from the original device or one that’s been spoofed?

Another common type of spoofing is an IP address spoofing. This is when someone takes the IP address of a legitimate device and uses this IP address to appear as if the data is coming from that legitimate device. Some uses of IP spoofing are completely legitimate. If you’re performing load balancing, for example, it’s common for the load balancer to share an IP address across multiple devices. If you’re performing load testing, you may be also using IP spoofing.

But it may be that someone’s using this IP spoofing for nefarious reasons. If someone’s trying to perform a man in the middle attack, they may be performing ARP poisoning, which uses a spoofed IP address. Or someone may be performing a DNS amplification, which is a Distributed Denial of Service Attack. And they may be using spoofed IP addresses to hide the original source of this traffic.

Unlike MAC addresses, IP address spoofing can sometimes be identified. That’s because we know where certain IP addresses might happen to be on our network. And if we see inbound traffic from an IP address that’s not coming from the location where that address happens to be, we may suspect that it’s performing IP spoofing.