Before you start
Objectives: Familiarize yourself with different types of authentication attacks and general ways to prevent them.
Prerequisites: no requirements.
Key terms: attacks, network, spoofing, attacker, authentication, packet, client, legitimate, private
What is Spoofing
There are several types of spoofing attack. The first is packet spoofing, in which the source and/or destination address of a packet is altered before it is transmitted over the network. One reason to do this is to hide the true source of an attack; another is to bypass security mechanisms that trust a packet simply because of where it claims to come from.
Besides packet spoofing there is site spoofing. A site spoofing attack redirects traffic from a legitimate site to a false one. The false site looks very similar to the legitimate site, so visitors may submit and reveal confidential or sensitive data, such as their credentials, to it. Spam e-mail messages are a common way of luring users to spoofed sites, which is why the address of a site (and its certificate) should be checked before anything sensitive is entered.
There is also identity spoofing, in which someone takes over the identity of another, legitimate user. Identity spoofing can be performed by masquerading or by impersonation. Masquerading means using someone else's logon credentials to log on to the system; since it needs no interception of live traffic, it is considered a passive type of attack. Impersonation means capturing some type of authentication traffic and then using it to gain access to the session of an existing user. Impersonation is an active type of attack, since the attacker first has to capture the traffic in order to replay it.
There are some things we can do to cope with packet, site or identity spoofing. The first measure is address filtering. With address filters we can prevent spoofed packets from the outside network from entering our private network. This is typically implemented on the router or firewall that separates the private network from the public one: one interface is connected to our private network and the other to the public network. The private network is trusted, the public network is not. If a packet arrives on the interface connected to the public network and claims to come from an address inside the private network, we can be sure that the packet is spoofed, and packets of that kind must not be allowed into the private network. The same idea applied in the other direction (egress filtering) drops packets leaving our network with a source address that is not ours, so that a compromised host inside cannot be used to spoof somebody else's network.
To control spoofing we can also use certificates, which provide proof of identity. We can also use protocols such as IPsec that authenticate and encrypt traffic. Every packet then carries an integrity check that only the holder of the key can produce, so an attacker cannot forge or alter a packet just by changing its addresses: a forged packet fails verification and is discarded.
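The following is an added example of the address-filter logic described above, written for this page rather than taken from it; the address plan (10.0.0.0/8 and 192.168.0.0/16 as the private network), the interface names "wan" and "lan" and the sample packets are all constructed. It applies ingress filtering on the public interface and egress filtering on the private one and reports the reason for every drop:

```python
"""Ingress/egress address filtering, as a border router or firewall would apply it.
Added example; the networks, interface names and packets are constructed."""
import ipaddress
from dataclasses import dataclass

# Assumed address plan: everything in these ranges belongs to the private network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Source addresses that are never valid on a packet arriving from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]

PUBLIC_IF = "wan"    # interface facing the untrusted network
PRIVATE_IF = "lan"   # interface facing the trusted network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str


def in_any(addr, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Return ("accept", "") or ("drop", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)

    if pkt.iface == PUBLIC_IF:
        # Ingress filtering: nothing from the Internet may claim an internal source.
        if in_any(src, INTERNAL_NETS):
            return "drop", "spoofed internal source address on public interface"
        if in_any(src, BOGON_NETS):
            return "drop", "unroutable (bogon) source address"
        return "accept", ""

    if pkt.iface == PRIVATE_IF:
        # Egress filtering: our hosts may only send with our own addresses,
        # so a compromised machine inside cannot spoof someone else's network.
        if not in_any(src, INTERNAL_NETS):
            return "drop", "outbound packet with foreign source address"
        return "accept", ""

    return "drop", f"unknown interface {pkt.iface!r}"


def run_filter(packets) -> list[tuple[Packet, str, str]]:
    """Apply filter_packet to a batch and return (packet, verdict, reason) per packet."""
    return [(p, *filter_packet(p)) for p in packets]


# Constructed sample traffic.
SAMPLE = [
    Packet("wan", "203.0.113.7", "192.168.1.10"),    # normal inbound
    Packet("wan", "192.168.1.20", "192.168.1.10"),   # spoofed: internal source from outside
    Packet("wan", "127.0.0.1", "192.168.1.10"),      # bogon source
    Packet("lan", "192.168.1.10", "198.51.100.5"),   # normal outbound
    Packet("lan", "8.8.8.8", "198.51.100.5"),        # our host spoofing a foreign address
]

if __name__ == "__main__":
    for pkt, verdict, reason in run_filter(SAMPLE):
        print(f"{pkt.iface:>3} {pkt.src:>15} -> {pkt.dst:<15} {verdict:6} {reason}")
```

On a Linux border router the first rule corresponds to something like `iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP` on the public-facing interface (plus a matching rule for each internal range); the egress rule is the mirror image on the inside interface.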
Man-in-the-Middle Attack
In this type of attack the communication between two legitimate parties is intercepted by a third party. The attacker tries to insert himself into the stream of data that flows between the client computer and the server. He typically does this by impersonating the server and getting the user to connect to the attacker's system instead of the real server. This type of attack is often used to steal credit card numbers, user credentials and other sensitive information. The whole process has several steps. The man in the middle (the attacker) first has to persuade the client to authenticate to him. The attacker then uses that authentication information to authenticate to the server and communicate with it directly. The client believes it is talking directly to the server, but it is actually talking to the attacker, who in turn talks to the server. This allows the attacker to read, change, or drop packets that pass between the client and the server.
One common example of a man-in-the-middle attack is a rogue wireless access point. Typically we have a private network with an access point that provides wireless access for its users. A rogue access point may be a second access point set up in the same general area and configured with the same SSID as the valid one (this variant is often called an evil twin). When a client in the area browses the available wireless networks, it may connect to the rogue access point instead of the valid one, and everything it sends then passes through the attacker. More generally, a rogue access point is any wireless access point connected to our network without our knowledge. It may have been planted by an attacker who gained physical access long enough to plug it in and get it working; the attacker can then connect to our wired network from outside the building and try to reach other devices on the LAN. It might also have been installed by a user who simply wanted wireless access. It is called a rogue access point because it is unauthorized, and even when an internal user set it up it is a problem: the wireless signal reaches well outside our building, where attackers can connect to it and attempt further attacks on our network.
To prevent man-in-the-middle attacks we should always use an authentication method that is secure and reliable. This usually involves certificates and mutual authentication. With mutual authentication the client authenticates to the server and the server authenticates to the client. This defeats the man in the middle because the client verifies the identity of the server: when the attacker tries to insert himself into the communication stream, he cannot authenticate as the server, and the server in turn rejects him as a client. The protection only holds if the client really validates the server's certificate (correct name, trusted issuer, not expired or revoked); if validation is disabled or users click through certificate warnings, the attack still works. Another protection is to encrypt all traffic between the two devices using IPsec or TLS (formerly SSL). Encrypted traffic can still be captured as it travels between the two devices, but the attacker cannot read it, and because it is also integrity-protected any modification is detected and rejected.
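The following added example (written for this page, not taken from it) shows mutual authentication in the simplest form that still makes the point: a challenge-response handshake over a pre-shared key, with the session key derived from the same exchange. The key, nonces and messages are constructed. A rogue server that does not hold the key cannot answer the client's challenge, and an attacker who merely relays the genuine handshake does not learn the session key, so any packet he alters on the way fails verification:

```python
"""Mutual challenge-response authentication with a session key bound to it.
Added example (not from the page); key material and messages are constructed."""
import hashlib
import hmac
import secrets

# Assumed: shared only by the legitimate client and the legitimate server.
PSK = b"constructed pre-shared key"


class AuthenticationError(Exception):
    pass


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be re-split."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


# --- handshake messages -----------------------------------------------------
def client_hello() -> bytes:
    """Client -> server: a fresh nonce, the challenge the server must answer."""
    return secrets.token_bytes(16)


def server_hello(server_key: bytes, client_nonce: bytes) -> tuple[bytes, bytes]:
    """Server -> client: its own nonce plus proof it knows the key, bound to both nonces."""
    server_nonce = secrets.token_bytes(16)
    proof = mac(server_key, b"server-auth", client_nonce, server_nonce)
    return server_nonce, proof


def client_finish(client_key, client_nonce, server_nonce, server_proof):
    """Client verifies the server first; only then does it prove itself."""
    expected = mac(client_key, b"server-auth", client_nonce, server_nonce)
    if not hmac.compare_digest(server_proof, expected):
        raise AuthenticationError("server could not prove knowledge of the key")
    client_proof = mac(client_key, b"client-auth", client_nonce, server_nonce)
    session_key = mac(client_key, b"session-key", client_nonce, server_nonce)
    return client_proof, session_key


def server_finish(server_key, client_nonce, server_nonce, client_proof) -> bytes:
    """Server verifies the client's proof and derives the same session key."""
    expected = mac(server_key, b"client-auth", client_nonce, server_nonce)
    if not hmac.compare_digest(client_proof, expected):
        raise AuthenticationError("client could not prove knowledge of the key")
    return mac(server_key, b"session-key", client_nonce, server_nonce)


# --- application data protected with the derived session key ----------------
def seal(session_key: bytes, payload: bytes) -> tuple[bytes, bytes]:
    return payload, mac(session_key, b"data", payload)


def verify(session_key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag, mac(session_key, b"data", payload))


def handshake(client_key: bytes, server_key: bytes) -> bool:
    """True when both sides accept each other and agree on a session key."""
    nc = client_hello()
    ns, sproof = server_hello(server_key, nc)
    try:
        cproof, ck = client_finish(client_key, nc, ns, sproof)
        sk = server_finish(server_key, nc, ns, cproof)
    except AuthenticationError:
        return False
    return ck == sk


def relay_and_tamper(payload: bytes, tampered: bytes) -> bool:
    """Attacker relays the genuine handshake unchanged, then alters the data.
    Returns whether the server accepts the altered message."""
    nc = client_hello()
    ns, sproof = server_hello(PSK, nc)           # attacker forwards these as-is
    cproof, ck = client_finish(PSK, nc, ns, sproof)
    sk = server_finish(PSK, nc, ns, cproof)      # handshake succeeds end to end
    _, tag = seal(ck, payload)                   # client sends payload + tag
    return verify(sk, tampered, tag)             # attacker swapped the payload
```

Only integrity is shown here; a real protocol (TLS, IKE/IPsec) also encrypts with keys derived from the authenticated exchange, which is what makes the captured traffic unreadable as well as unmodifiable. The order inside `client_finish` matters: the client must verify the server's proof before sending anything derived from its own secret.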
Replay Attack
In a replay attack the attacker captures valid traffic, typically an authentication exchange, and later re-sends it to the server in the hope of being granted the same access without ever knowing the credentials. To prevent replay attacks we use timestamps and sequence numbers. A timestamp ensures that a packet is only accepted within a specific time window; outside that window it is rejected. Sequencing gives every packet its own sequence number; a packet whose number has already been seen, or that arrives out of order, is rejected by the server. Both values must be covered by the packet's integrity check (a MAC or signature), otherwise the attacker simply updates them before replaying.
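An added example of a receiver that applies both checks (written for this page; the key, clock values and messages are constructed). The MAC is verified first, so that an attacker cannot feed bogus sequence numbers into the receiver's state; the timestamp bounds how long a captured message stays usable at all, and the per-sender sequence number stops a second copy inside that window:

```python
"""Replay protection with a timestamp window and per-sender sequence numbers.
Added example (not the page's code); key, clock values and messages are constructed."""
import hashlib
import hmac
import json

KEY = b"constructed shared key"   # in practice a per-client or per-session key


def make_message(key: bytes, sender: str, seq: int, ts: int, payload: str) -> tuple[bytes, bytes]:
    """Sender side: serialize the fields and compute the MAC over all of them."""
    body = json.dumps({"sender": sender, "seq": seq, "ts": ts, "payload": payload},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body, tag


class ReplayGuard:
    """Receiver side. Accepts each (sender, seq) at most once, inside a time window."""

    def __init__(self, key: bytes, max_skew: int = 30):
        self.key = key
        self.max_skew = max_skew        # seconds of clock drift tolerated
        self.last_seq: dict[str, int] = {}

    def verify(self, body: bytes, tag: bytes, now: int) -> tuple[bool, str]:
        # 1. Integrity first: nothing below may be trusted until the MAC checks out,
        #    otherwise an attacker could poison the sequence state without the key.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad MAC"
        fields = json.loads(body)
        # 2. Timestamp: a captured message is useless once the window has passed.
        if abs(now - fields["ts"]) > self.max_skew:
            return False, "stale timestamp"
        # 3. Sequence: inside the window each number may be used exactly once
        #    and must increase, so a captured copy cannot be re-sent.
        last = self.last_seq.get(fields["sender"], 0)
        if fields["seq"] <= last:
            return False, "sequence number already used or out of order"
        self.last_seq[fields["sender"]] = fields["seq"]
        return True, "accepted"


def demo() -> list[str]:
    """Run one legitimate message and three replay attempts; return the verdicts."""
    guard = ReplayGuard(KEY)
    t0 = 1_700_000_000                     # constructed clock value
    results = []
    body, tag = make_message(KEY, "client-a", 1, t0, "login alice")
    results.append(guard.verify(body, tag, now=t0 + 2)[1])     # accepted
    results.append(guard.verify(body, tag, now=t0 + 5)[1])     # replayed copy
    body2, tag2 = make_message(KEY, "client-a", 2, t0, "transfer")
    results.append(guard.verify(body2, tag2, now=t0 + 90)[1])  # captured, sent too late
    # Attacker edits the sequence number of a captured message without the key.
    forged = body.replace(b'"seq": 1', b'"seq": 3')
    results.append(guard.verify(forged, tag, now=t0 + 3)[1])   # bad MAC
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The timestamp window is what keeps `last_seq` small and lets the receiver forget old senders or survive a restart without reopening a replay window; without it, the sequence table would have to be kept forever.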
Session Hijacking
In this type of attack the attacker takes over an open, active session from the legitimate client, who is then dropped from the session. It is in effect a form of man-in-the-middle attack. To prevent it we use encrypted protocols, certificates, mutual authentication and sequence numbers, so that the attacker can neither read the session nor inject packets into it, and cannot predict the values needed to continue it in the client's place.