Types of Spoofing

Spoofing is broken down into two categories, normal spoofing and “blind” spoofing, which denote the type of control an attacker has. Normal spoofing, which is a combination of IP spoofing and packet sniffing (see 2.5.4.1), is easier to control. Because the attacker is faking the source IP address of the packets he is sending, the responses from the target machine will be directed to that source IP address, and not to the attacker’s “true” IP address.

This means that for the attacker to see the responses of the machine he is sending these spoofed packets to, he must sniff the network and use a packet capture & decoding tool to read the responses of the machine. Taking the Freedom/Spirit example again, when the attacker sends spoofed packets to Spirit with Freedom’s IP address as the source, Spirit will send its replies back to Freedom.

To read these replies, the attacker must sniff the network and decode the packets as they are sent. To do this, the attacker must be able to place a network card that sits on the same network segment as the hosts into promiscuous mode. However, tools such as Antisniff [74] are able to detect this.

Blind spoofing removes the requirement for sniffing the network, and operates on a “best guess” principle. The attacker sends spoofed packets to the target as before, but instead of sniffing the network and reading the replies, he just guesses at what the replies will be, in the hope that when he has completed his attack, the system will have performed the actions he requested. The advantage here is that packets can be sent from any network that has a route to the target, and there is no requirement for sniffing the reply packets on the target network. It does of course make the attack harder to perform, because if it fails, the attacker has no way of diagnosing what went wrong.

At this point you should note that there are legitimate uses for changing a packet’s source IP address. The most obvious one is NAT, or Network Address Translation, where a device, such as a router, deliberately and legitimately rewrites packet headers. See 3.3.3 for more information.

Unfortunately, the problems spoofing presents do not end here, as we’ll see in future sections.


 __________________

74. http://www.securitysoftware.com/antisniff/download.html


CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.