
Spoofing Attack: Surafiel Habib Asefa

Spoofing Attack

By: Surafiel Habib Asefa

1 02/15/2021
Outlines

❖ Introduction
❖ Types of Spoofing Attack
  ➢ ARP Spoofing Attack
  ➢ IP Spoofing Attack
  ➢ Web Spoofing Attack
  ➢ Email Spoofing Attack
  ➢ GPS Spoofing Attack

Introduction

❖ A spoofing attack occurs when an attacker (a person or a malicious program) successfully acts as another authorized person or program by falsifying data, to gain an illegitimate advantage.
❖ Security-relevant decisions and context are the two parts of the definition of spoofing that help to appreciate the range and severity of possible spoofing attacks.
❖ In a spoofing attack, the attacker creates a misleading context in order to trick the victim into making an inappropriate security-relevant decision.

Cont’d

❖ A security-relevant decision is any decision that a person makes and that might lead to undesirable results, such as a breach of privacy or unauthorized alteration of data.
❖ Deciding to reveal sensitive private or confidential information, for example by typing a password or credit card number, is a security-relevant decision.
❖ Choosing to accept a downloaded document is a security-relevant decision, since in many cases a downloaded document is capable of containing malicious elements that harm the person receiving the document.

Cont’d

❖ Context refers to the impression conveyed by the appearance of an object.
  ▪ The names of files can convey context.
  ▪ People often deduce what is in a file from its name.
  ▪ Is “manual.doc” the text of a user manual? It might be another kind of document, or it might not be a document at all.
  ▪ URLs are another example: is MICR0S0FT.COM the address of the Microsoft software company? The round symbols in MICR0S0FT here are the digit zero (0), not the letter O.

Types of Spoofing Attack

❖ Spoofing attacks of all types are typically used to attack networks, spread malware, and access confidential information and data.
❖ There are different types of spoofing attacks:
  ➢ ARP Spoofing Attack
  ➢ IP Spoofing Attack
  ➢ Web Spoofing Attack
  ➢ Email Spoofing Attack
  ➢ GPS Spoofing Attack

ARP Spoofing Attack

❖ ARP stands for Address Resolution Protocol.
❖ ARP is a protocol used to translate IP addresses into Media Access Control (MAC) addresses so that data can be transmitted properly.
  ✓ In short, ARP is a protocol that maps an IP address to a physical machine address.
❖ ARP spoofing attacks can only occur on Local Area Networks that use the Address Resolution Protocol.
❖ An ARP spoofing attack occurs when a malicious party sends spoofed (falsified) ARP messages across a Local Area Network (LAN).
❖ An ARP spoofing attack results in the attacker’s MAC address being linked with the IP address of a legitimate computer or server on the LAN.

Cont’d

❖ Once the attacker’s MAC address is linked to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address.
❖ Malicious parties commonly use ARP spoofing to steal information, modify data in transit, or stop traffic on a LAN.
❖ ARP spoofing attacks can also be used to facilitate other types of attacks, including denial-of-service, session hijacking and man-in-the-middle attacks.
❖ Denial-of-service attack: can occur through ARP spoofing because traffic that is intended for many different IP addresses is redirected to the target’s MAC address, overloading the target with traffic.

Cont’d

❖ Session hijacking: the exploitation of a valid temporary and interactive information interchange between two or more communicating devices, or between a computer and a user (e.g. a login session), to gain unauthorized access to information or services in a computer system.
❖ Session hijacking can use ARP spoofing to steal session IDs, granting attackers access to private systems and data.
  ✓ A session ID is a unique number that a Web server assigns to a specific user for the duration of that user’s visit (session).
❖ Man-in-the-middle attacks: can rely on ARP spoofing to intercept and modify traffic between victims.

ARP Spoofing Prevention and Detection Methods

❖ The following methods are recommended measures for preventing and detecting ARP spoofing attacks:
➢ Packet filtering:
  ✓ Controls network access by analyzing incoming and outgoing packets and letting them pass or halting them based on the IP addresses of the source and destination.
  ✓ Is one of the techniques for implementing security firewalls.
  ✓ Is useful in ARP spoofing prevention because packet filters are capable of filtering out and blocking packets with conflicting source address information.

Cont’d

➢ Avoid trust relationships:
  ✓ Trust relationships rely only on IP addresses for authentication.
  ✓ This makes it significantly easier for attackers to run ARP spoofing attacks when they are in place.
➢ Use cryptographic network protocols:
  ✓ Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communications protocols support ARP spoofing attack prevention by encrypting data before transmission and authenticating data when it is received.

Cont’d

➢ Use ARP spoofing detection software:
  ✓ There are many programs available that help to detect ARP spoofing attacks, e.g. XArp.
  ✓ These programs work by inspecting and certifying data before it is transmitted and blocking data that appears to be spoofed.

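One way a detection tool can spot the "conflicting source address information" mentioned above is to remember which MAC address each IP address has claimed and to flag any later ARP message that contradicts it. The following Python sketch is an added example, not code from the slides or from XArp; the MAC addresses, the gateway address 192.168.0.1 and all function names are assumptions, and the ARP messages are constructed in memory as sample input.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # ARP body for IPv4 over Ethernet (28 bytes)

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def sample_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Pack a constructed ARP reply used only as sample input (never sent)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))

def parse_arp(payload):
    """Return (sender_mac, sender_ip) claimed by a raw ARP body."""
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return sha.hex(":"), socket.inet_ntoa(spa)

def detect_conflicts(payloads, pinned=None):
    """Flag messages whose IP-to-MAC claim contradicts an earlier or pinned one."""
    table = dict(pinned or {})              # ip -> mac learned so far
    alerts = []
    for index, payload in enumerate(payloads, 1):
        mac, ip = parse_arp(payload)
        known = table.setdefault(ip, mac)   # first sighting is learned
        if known != mac:
            # A DHCP reassignment can also cause this, so treat it as a
            # lead to investigate rather than proof of an attack.
            alerts.append({"msg": index, "ip": ip,
                           "expected": known, "claimed": mac})
    return alerts

# Constructed capture: host .5 hears two honest replies, then a reply in
# which an unknown MAC claims the gateway's IP address.
HOST = "aa:aa:aa:aa:aa:05"
SAMPLE = [
    sample_arp_reply("00:11:22:33:44:55", "192.168.0.1", HOST, "192.168.0.5"),
    sample_arp_reply("aa:aa:aa:aa:aa:06", "192.168.0.6", HOST, "192.168.0.5"),
    sample_arp_reply("de:ad:be:ef:00:01", "192.168.0.1", HOST, "192.168.0.5"),
]
ALERTS = detect_conflicts(SAMPLE)
```

Passing known-good bindings through `pinned` (for example the gateway's real MAC) makes the very first forged reply detectable instead of being learned as truth.
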
Internet Protocol (IP) Spoofing

❖ Internet Protocol (IP): a set of rules that dictate how data should be delivered over the public network (Internet).
❖ IP spoofing was discovered as a security weakness in the IP protocol, which carries the source IP address, and the TCP protocol, which contains port and sequencing information.
❖ IP routing is a step-by-step process.
❖ A TCP/IP network packet contains several pieces of information, including the data it is carrying, source and destination IP addresses, and other constraints required for quality of service and packet handling.
❖ Every IP packet is routed separately.
❖ The route of an IP packet is decided by all the routers the packet goes through.

Cont’d

❖ IP spoofing is the creation of IP packets with a false source IP address in order to gain unauthorized access to other computers (servers).
❖ IP address spoofing is possible because routers only need to inspect the destination IP address in the packet to make routing decisions.
❖ The source IP address is not required by routers, and an invalid source IP address will not affect the delivery of packets.
❖ The source IP address is only used by the destination machine when it responds back to the source.

How does IP Spoofing work?

❖ A user accesses the Internet from a local computer which has the IP address “192.168.0.5”.
❖ When an IP spoofing attack occurs, this address is hidden and the user sends packets carrying the spoofed IP address “192.168.0.6”, which is an authorized IP address.
❖ These IP addresses (192.168.0.5 and 192.168.0.6) are used to identify each computer in the network.
❖ In Internet communication, data is transferred in the form of packets.
❖ The client sends web requests in the form of data packets to the server, and the web server sends back the responses in the form of data packets.

Cont’d

❖ When a client sends a packet to the server, the packet carries the IP address of the computer it is coming from.
❖ When an IP spoofing attack occurs, the source IP address that identifies the sender of the packet is not the actual one, but a fake IP address which is permitted to access the website.
❖ This makes the server handle the request packet as if it were coming from the permitted user.
❖ Thus the server grants access to the attacker, which can cause various security threats.
❖ This is how IP spoofing works.

Types of attacks implemented through IP spoofing

❖ The following attacks can be caused by IP spoofing:
  ➢ Blind spoofing attack
  ➢ Non-blind spoofing attack
  ➢ Denial-of-service attack
  ➢ Man-in-the-middle attack

Cont’d

❖ Blind spoofing
  ▪ The attacker is not aware of all network conditions.
  ▪ The sequence and acknowledgement numbers from the victim are unreachable.
  ▪ Sequence numbers are generally used to assemble packets in the order in which they are intended to be read,
  ▪ i.e., packet 1 is read first, then packet 2, and then packet 3.
  ▪ The attacker sends several packets to the victim machine in order to receive sequence numbers.
  ▪ The attacker can inject data into the stream of packets without having authenticated himself when the connection was first established.

Cont’d

❖ Non-blind spoofing
  ▪ In this type of attack, the attacker and victim reside on the same subnet.
  ▪ The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately.
  ▪ The biggest threat of spoofing in this instance is session hijacking.
  ▪ Session hijacking is accomplished by corrupting the data stream of an established connection,
  ▪ then re-establishing it, based on the correct sequence and acknowledgement numbers, with the attack machine.
  ▪ Using this technique, an attacker could effectively bypass any authentication measures that took place to build the connection.

Cont’d

❖ Denial-of-service (DoS) attack
  ▪ Attackers are concerned only with consuming bandwidth and resources.
  ▪ Multiple compromised hosts may participate in the attack, all sending spoofed traffic.
  ▪ They wish to flood the victim with as many packets as possible in a short amount of time.
  ▪ They spoof source IP addresses to make tracing and stopping the DoS as difficult as possible.
  ▪ When a DoS attack is launched, IP spoofing is used so that the exact machines the requests are coming from cannot be identified.
  ▪ This makes the DoS attack more powerful, because it is difficult to identify the senders and block them.

Cont’d

❖ Man-in-the-middle attack
  ▪ When two legitimate parties are communicating with each other, the attacker intercepts the packets sent by the systems.
  ▪ The attacker’s host then controls the flow of communication.
  ▪ It can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient.
  ▪ An attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.

How to Prevent IP Spoofing?

1. Filtering at the router:
➢ Ingress filtering: a form of packet filtering.
  ▪ Examines all inbound packets and then permits or denies entry to the network based on information in the packet header.
  ▪ Establishes an access control list that contains the permitted source IP addresses.
  ▪ The access control list may also be used to block prohibited source addresses.
➢ Egress filtering: “egress” means “outgoing”; an egress router.
  ▪ Is a process in which outbound data is monitored or restricted, usually by means of a firewall that blocks packets that fail to meet certain security requirements.
  ▪ The main purpose of egress filtering is to ensure that unwanted or destructive traffic (such as malware, unauthorized e-mail messages, or requests to Web sites) does not leave a particular network.

Cont’d

2. Encryption and authentication
❖ Implementing encryption and authentication will reduce spoofing threats.
❖ Both of these features are included in IPv6, which will eliminate current spoofing threats.
❖ If you allow outside connections from trusted hosts, enable encrypted sessions at the router.
❖ Eliminate all host-based authentication measures, which are sometimes common for machines on the same subnet.

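The router filtering step from "How to Prevent IP Spoofing?" can be expressed as a small decision function over the packet header. This Python sketch is an added example, not part of the original slides; it assumes the site uses the 192.168.0.0/24 network from the slides' example, and the blocked-source entry and outside addresses are placeholders from documentation ranges.

```python
import ipaddress

# Assumed addressing plan, taken from the slides' 192.168.0.x example.
SITE_NETS = [ipaddress.ip_network("192.168.0.0/24")]
# Source ranges that must never appear on packets arriving from outside.
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
# Hypothetical access control list of explicitly prohibited sources.
BLOCKED_SOURCES = [ipaddress.ip_network("198.51.100.66/32")]

def in_any(addr, nets):
    return any(addr in net for net in nets)

def filter_packet(direction, src, dst):
    """Return (verdict, reason) for a packet header crossing the border router."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "ingress":
        if in_any(src_ip, SITE_NETS):
            return ("deny", "outside packet claims an inside source address")
        if in_any(src_ip, RESERVED_NETS):
            return ("deny", "reserved or private source address")
        if in_any(src_ip, BLOCKED_SOURCES):
            return ("deny", "source is on the blocked list")
        if not in_any(dst_ip, SITE_NETS):
            return ("deny", "destination is not inside this network")
        return ("permit", "inbound header is consistent")
    if direction == "egress":
        if not in_any(src_ip, SITE_NETS):
            return ("deny", "outbound packet carries a source that is not ours")
        return ("permit", "outbound source belongs to this network")
    raise ValueError("direction must be 'ingress' or 'egress'")

# Constructed headers: (direction, source, destination).
SAMPLE = [
    ("ingress", "192.168.0.6", "192.168.0.5"),    # spoofed inside address
    ("ingress", "203.0.113.9", "192.168.0.5"),    # ordinary outside client
    ("egress", "192.168.0.5", "203.0.113.9"),     # ordinary inside client
    ("egress", "203.0.113.77", "203.0.113.9"),    # inside host forging a source
]
VERDICTS = [filter_packet(*packet)[0] for packet in SAMPLE]
```
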
Web Spoofing Attack

✓ Pretending to be a legitimate site.
✓ The attacker creates a convincing but false copy of the site.
✓ The false Web looks and feels like the real one.
✓ The attacker controls the false Web by surveillance.
✓ Modifying the integrity of the data from the victims.
✓ Stealing personal information such as login ID, password, credit card, bank account, and much more.

Types of Web Spoofing

➢ DNS server spoofing attack:
  ✓ One of the most complex types of attack.
  ✓ Alters a domain name to point to a different IP address.
  ✓ Redirects to a different server hosting a spoofed site.
  ✓ The DNS translation points to a different server, which is typically infected with malware and can be used to help spread viruses and worms.

Cont’d


➢ URL spoofing attack:
  ✓ Is the process of creating a fake or forged URL which impersonates a legitimate and secure website.
  ✓ The spoofed URL or website address looks exactly like the original and safe URL.
  ✓ The attacker not only creates a fake and forged URL, but also builds a website that looks exactly like the original website.
  ✓ Forged URLs are also posted on other websites that are not harmful themselves but contain spoofed and forged links that eventually lead the user to a dangerous website.
  ✓ The website asks you to enter your username, password, credit card number, or whatever information the attacker wants to extract using that spoofed URL.
  ✓ Example: AMAZ0N.COM (instead of the letter O an attacker may use the digit 0).

How to detect a spoofed Webpage

➢ URL
  ✓ The URL is the easiest way to detect the attack!
  ✓ Triple-check the spelling of the URL.
  ✓ Look for small differences such as a hyphen (-) or an underscore (e.g. ethiosport.com vs. ethio-sport.com).
➢ Mouse-over message: this can be spoofed too.
➢ Beware of pages that use server scripting such as PHP; these tools make it easy to obtain your information.
➢ Beware of JavaScript as well.
➢ Beware of longer-than-average load times.

Signs for Web spoofing Victim

❖ If an unexpected error occurs, such as being unable to log in with a correct user ID and password.
❖ If you have to click submit buttons repeatedly.
❖ If you have to enter your password repeatedly.
❖ If there is any redirection to other webpages.

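The URL checks from the "URL spoofing attack" and "How to detect a spoofed Webpage" slides (digit-for-letter swaps such as MICR0S0FT.COM and AMAZ0N.COM, and inserted hyphens such as ethio-sport.com) can be automated by comparing a link's host name against the sites a user actually trusts. This Python sketch is an added example, not part of the original slides; the allowlist, the character map and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist of sites the user really deals with (constructed sample).
TRUSTED = ["amazon.com", "ethiosport.com", "microsoft.com"]
# Characters commonly swapped in or inserted to imitate a name.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "-": None, "_": None})

def skeleton(host):
    """Collapse look-alike characters so visually similar names compare equal."""
    return host.translate(CONFUSABLE)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Classify a URL's host as 'trusted', 'lookalike' or 'unknown'."""
    # urlsplit only finds a host after "//"; hostname is returned lower-cased.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    host = host.rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in TRUSTED:
        return ("trusted", host)
    for good in TRUSTED:
        if skeleton(host) == skeleton(good) or edit_distance(host, good) == 1:
            return ("lookalike", good)
    return ("unknown", None)

# Constructed inputs using the spellings quoted on the slides.
SAMPLE = ["MICR0S0FT.COM", "http://AMAZ0N.COM/signin",
          "https://ethio-sport.com", "https://www.amazon.com/"]
RESULTS = [check_url(u) for u in SAMPLE]
```
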
How Web Spoofing Works?
Explain Demo….

Email Spoofing Attack

❖ Email spoofing is the act of altering the header of an email so that the email appears to be sent from someone other than the actual source.
❖ In e-mail, the header is the part of a message that describes the originator, the addressee and other recipients, message priority level, and so forth.
❖ Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source.

Cont’d

❖ Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication channels.
❖ The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including the extraction of login credentials or account information from victims.

Cont’d

❖ Email spam, also known as junk email, is unwanted bulk messages sent through email.
❖ Recipients of spam often have had their email addresses obtained by spambots.
  ▪ A spambot is a program designed to collect, or harvest, e-mail addresses from the Internet in order to build mailing lists for sending unsolicited e-mail (spam).
❖ Spammers use spambots to create email distribution lists.
  ▪ An email distribution list is a group of email recipients that is addressed as a single recipient.
❖ A spammer typically sends an email to millions of email addresses.

Recognize spoofed email

❖ Check the content of the email:
  ➢ Is the content weird in some way, or really unexpected from the sender?
  ➢ Does it contain a form?
  ➢ Does it request that you confirm or update login or any other kind of information?
❖ Check the header of the email.

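"Check the header of the email" can be made concrete: compare the domain shown in From with the Return-Path and Reply-To domains, and read the verdicts the receiving mail server recorded in the Authentication-Results header. This Python sketch is an added example, not part of the original slides; both messages are constructed and every address and domain in them is a placeholder.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def check_headers(raw_message):
    """Return findings that suggest the visible From address is spoofed."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    findings = []
    # The envelope sender and reply address normally share the From domain;
    # bulk mail services are a legitimate exception, so this is a heuristic.
    for header in ("Return-Path", "Reply-To"):
        domain = domain_of(msg[header])
        if domain and domain != from_domain:
            findings.append(f"{header} domain {domain} differs from "
                            f"From domain {from_domain}")
    # Verdicts recorded by the receiving mail server (RFC 8601 header).
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        if f"{mechanism}=fail" in results or f"{mechanism}=softfail" in results:
            findings.append(f"{mechanism.upper()} check did not pass")
    return findings

# Constructed messages; every address and domain below is a placeholder.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=bank.example.com
From: "Bank Support" <support@bank.example.com>
Reply-To: <helpdesk@mailer.example.net>
To: <user@example.org>
Subject: Please confirm your login

Confirm your account details.
"""
GENUINE = """\
Return-Path: <support@bank.example.com>
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
From: "Bank Support" <support@bank.example.com>
To: <user@example.org>
Subject: Your monthly statement

Your statement is ready.
"""
```
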
Spoofed Email: Demo

GPS Spoofing

Attempts to deceive a GPS receiver by broadcasting incorrect GPS signals.

Or by rebroadcasting genuine signals captured elsewhere or at a different time.

These spoofed signals may be modified in such a way as to cause the receiver to estimate its
position to be somewhere other than where it actually is.

One common form of a GPS spoofing attack, commonly termed a carry-off attack, begins by
broadcasting signals synchronized with the genuine signals observed by the target receiver.

The power of the counterfeit signals is then gradually increased and drawn away from the genuine
signals.

Thank You!
Any question?
