- ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network.
- This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network.
- Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address.
- ARP spoofing can enable malicious parties to intercept, modify or even stop data in-transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol.
ARP Spoofing attack:
- The effects of ARP spoofing attacks can have serious implications for enterprises.
In their most basic application, ARP spoofing attacks are used to steal sensitive information. Beyond this, ARP spoofing attacks are often used to facilitate other attacks such as:
DoS attacks often leverage ARP spoofing to link multiple IP addresses with a single target’s MAC address. As a result, traffic that is intended for many different IP addresses will be redirected to the target’s MAC address, overloading the target with traffic.
Session hijacking attacks can use ARP spoofing to steal session IDs, granting attackers access to private systems and data.
MITM attacks can rely on ARP spoofing to intercept and modify traffic between victims.
ARP Spoofing Detection, Prevention and Protection The following methods are recommended measures for detecting, preventing and protecting against ARP spoofing attacks:
- Packet filters inspect packets as they are transmitted across a network.
- Packet filters are useful in ARP spoofing prevention because they are capable of filtering out and blocking packets with conflicting source address information (packets from outside the network that show source addresses from inside the network and vice-versa).
Avoid trust relationships:
- Organizations should develop protocols that rely on trust relationships as little as possible.
- Trust relationships rely only on IP addresses for authentication, making it significantly easier for attackers to run ARP spoofing attacks when they are in place.
Use ARP spoofing detection software:
- There are many programs available that help organizations detect ARP spoofing attacks.
- These programs work by inspecting and certifying data before it is transmitted and blocking data that appears to be spoofed.
Use cryptographic network protocols:
- Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communications protocols bolster ARP spoofing attack prevention by encrypting data prior to transmission and authenticating data when it is received.
Port Scanning is one of the most popular techniques attackers use to discover services that they can exploit to break into systems.
All systems that are connected to a LAN or the Internet via a modem run services that listen to well-known and not so well-known ports.
By port scanning, the attacker can find the following information about the targeted systems: what services are running, what users own those services, whether anonymous logins are supported, and whether certain network services require authentication.
- Port scanning is accomplished by sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can be probed for further weaknesses.
- Port scanners are important to network security technicians because they can reveal possible security vulnerabilities on the targeted system.
Port Scan Techniques
Address Resolution Protocol (ARP)
- ARP scans discover active devices on the local network segment by sending a series of ARP broadcasts and incrementing the value for the target IP address field in each broadcast packet.
- This type of scan will have every IP device on the network respond with its own IP address in response. This scan will effectively map out an entire network.
- The Vanilla TCP connect scan is the most basic scanning technique.
- The scan uses the connect system call of an operating system on a target system to open a connection to every port that is open.
- The scan is extremely noisy and easily detectable. The targeted system logs will show connection requests and error messages for the services that accepted the connections.
- The TCP SYN (Half Open) scans are called half open because the attacking system doesn’t close the open connections.
- The attacking scanner will send a SYN packet to the target and wait for a response. If the port is open, the target will send a SYN|ACK.
- If the port is closed, the target will send an RST.
- This type of scan is difficult to detect. The target system is in charge of closing the open connections and the target, most likely, will not have the proper logging set up to detect this type of scan.
- The TCP FIN scan has the ability to pass undetected through most firewalls, packet filters, and scan detection programs.
- The attacking system sends FIN packets to the targeted system. The closed ports will respond with an RST. The open ports will ignore the packets. The attacking system will take note of which ports it received an RST on and report on the ports that did not respond with an RST.
TCP syn flood attack
TCP SYN flood is a type of Distributed Denial of Service (DDoS) attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.
Essentially, with SYN flood DDoS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network saturation.
- When a client and server establish a normal TCP “three-way handshake,” the exchange looks like this:
- Client requests connection by sending SYN (synchronize) message to the server.
- Server acknowledges by sending SYN-ACK (synchronize-acknowledge) message back to the client.
- Client responds with an ACK (acknowledge) message, and the connection is established.
- In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted server, often using a fake IP address.
- The server, unaware of the attack, receives multiple, apparently legitimate requests to establish communication. It responds to each attempt with a SYN-ACK packet from each open port.
- The malicious client either does not send the expected ACK, or—if the IP address is spoofed—never receives the SYN-ACK in the first place. Either way, the server under attack will wait for acknowledgement of its SYN-ACK packet for some time.
- During this time, the server cannot close down the connection by sending an RST packet, and the connection stays open.
- Before the connection can time out, another SYN packet will arrive. This leaves an increasingly large number of connections half-open – and indeed SYN Food attacks are also referred to as “half-open” attacks.
- Eventually, as the server’s connection overflow tables fill, service to legitimate clients will be denied, and the server may even malfunction or crash.
A normal connection between a user (Alice) and a server. The three-way handshake is correctly performed.
SYN Flood. The attacker sends several packets but does not send the "ACK" back to the server. The connections are hence half-opened and consuming server resources. Alice, a legitimate user, tries to connect but the server refuses to open a connection resulting in a denial of service
- IP address spoofing is one of the most frequently used spoofing attack methods. In an IP address spoofing attack, an attacker sends IP packets from a false (or “spoofed”) source address in order to disguise itself.
- Denial-of-service attacks often use IP spoofing to overload networks and devices with packets that appear to be from legitimate source IP addresses.
- IP spoofing is the action of masking a computer IP address so that it looks like it is authentic.
- During this masking process, the fake IP address sends what appears to be a malevolent message coupled with an IP address that appears to be authentic and trusted.
- In IP spoofing, IP headers are masked through a form of Transmission Control Protocol (TCP) in which spoofers discover and then manipulate vital information contained in the IP header such as IP address and source and destination information.
Types of Spoofing attacks
- This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately.
- The biggest threat of spoofing in this instance would be session hijacking. This is accomplished by corrupting the data stream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine.
- Using this technique, an attacker could effectively bypass any authentication measures taken place to build the connection.
- This is a more sophisticated attack, because the sequence and acknowledgement numbers are unreachable.
- In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers. While not the case today, machines in the past used basic techniques for generating sequence numbers.
- It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most OSs implement random sequence number generation, making it difficult to predict them accurately.
- If, however, the sequence number was compromised, data could be sent to the target. Several years ago, many machines used host-based authentication services (i.e. Rlogin). A properly crafted attack could add the requisite data to a system (i.e. a new user account), blindly, enabling full access for the attacker who was impersonating a trusted host.
Man in the Middle Attack
- Both types of spoofing are forms of a common security violation known as a man in the middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties.
- The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient.
- In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.
Denial of Service Attack
- IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against – denial of service attacks, or DoS.
- Since crackers are concerned only with consuming bandwidth and resources, they need not worry about properly completing handshakes and transactions.
- Rather, they wish to flood the victim with as many packets as possible in a short amount of time. In order to prolong the effectiveness of the attack, they spoof source IP addresses to make tracing and stopping the DoS as difficult as possible.
- When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block traffic.