Types of Spoofing
It should be noted that spoofing is broken down into two categories normal spoofing, and blind spoofing, denoting the type of control an attacker has. Normal spoofing, which is a combination of IP spoofing and packet sniffing (see 22.214.171.124), is easier to control. Because the attacker is faking the source IP address of the packets he is sending, the responses from the target machine will obviously be directed to that source IP address, and not the attackers true IP address.
This means that for the attacker to see the responses of the machine he is sending these spoofed packets to, he must sniff the network and use a packet capture & decoding tool to read the responses of the machine. Taking the Freedom/Spirit example again, when the attacker sends spoofed packets to Spirit with Freedoms IP address as the source, Spirit will send its replies back to Freedom.
To read these replies, the attacker must sniff the network and decode the packets as they are sent. To do this, the attacker must be able to place a network card on the same network segment as the hosts into promiscuous mode. However, tools such as Antisniff 74 are able to detect this.
Blind spoofing removes the requirement for sniffing the network, and operates on a best guess principle. The attacker sends spoofed packets to the target as before, but instead of sniffing the network and reading the replies, he just guesses at what the replies will be in hope that when he has completed his attack, the system will have performed the actions he requested. The advantage here is that packets can be sent from any network that has a route to the target and there is no requirement for sniffing the reply packets on the target network. It does of course make the attack harder to perform because if it fails the attacker has no way of diagnosing what went wrong.
At this point you should note that there are legitimate uses for changing a packets source IP address. The most obvious one is NAT, or Network Address Translation, where a device, such as a router, deliberately and legitimately rewrites packet headers. See 3.3.3 for more information.
Unfortunately, the problems spoofing presents do not end here, as well see in future sections.
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.