A SearchSecurity.com reader recently asked our threats expert Nick Lewis: Can you describe what a "spoofing attack" is, and if there is any way organizations can protect themselves from this new threat?
Nick Lewis: There are several different kinds of spoofing attacks, in which an attacker tries to forge the source of an IP packet, email message or website to deceive the victim into accepting or receiving malicious data. Historically, mainstream IP spoofing has been around since the 1990s. Another type of spoofing is email forgery, which entails a hacker falsifying different fields of an email. Website spoofing is where an attacker makes a website that looks legitimate to get a victim to enter their credit card number or other types of personal information.
To defend against IP spoofing attacks, follow the tried and true CERT advice from 1995: "The best method of preventing the IP spoofing problem is to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network. In addition, you should filter outgoing packets that have a source address different from your internal network in order to prevent a source IP spoofing attack originating from your site."
You may also want to check with your ISP to ensure they have protections in place. If an attacker is able to send spoofed IP packets, they could attempt a denial-of-service or attack external hosts to make the attack look like it is coming from a different network, which makes stopping the attack more difficult.
To defend against email spoofing/forgery, you can use antispam software, train your users to look at the headers of email to identify suspicious information or sign your email so the receiver knows you sent it. CERT also has prudent advice on email spoofing.
To defend against website spoofing, make sure you access a website via SSL/TLS. Non-SSL/TLS websites provide a multitude of spoofing opportunities for hackers, so if you're looking to avoid that fate, ensure that the website is SSL/TLS.
There are threats when using SSL/TLS, though, as well. A man-in-the-middle attack can occur, which is a type of spoofing attack where DNS and the SSL/TLS connection or routes are poisoned and send you to a malicious site. To defend against these types of attacks, make sure you are running the most up-to-date software with patches for man-in-the-middle vulnerabilities and use trusted networks where network-level protections are in place.
About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large Public Midwest University responsible for the risk management program and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.
This was first published in August 2010
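The CERT input and output filter rules quoted in the answer above, modelled as an added Python example (not part of the original article and not CERT's or the author's code). The prefixes in INTERNAL_NETS and the sample packets are constructed from documentation address ranges, and the IPv6 prefix extends the rule beyond the 1995 advice.

```python
import ipaddress

# Assumption: the site's own address space (constructed, documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("203.0.113.0/24", "2001:db8:10::/48")]


def is_internal(addr):
    """True if addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage input
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)


def filter_decision(direction, src):
    """Apply the CERT rule at the external interface.

    direction: "in"  = packet arriving from the Internet
               "out" = packet leaving the site
    Returns (verdict, reason) where verdict is "pass" or "drop".
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    try:
        internal = is_internal(src)
    except ValueError:
        return ("drop", "unparseable source address")
    if direction == "in":
        # Input filter: nothing from outside may claim to be one of our hosts.
        if internal:
            return ("drop", "input filter: internal source arriving from outside")
        return ("pass", "external source on inbound packet")
    # Output filter: nothing may leave with a source we do not own.
    if not internal:
        return ("drop", "output filter: source is not one of our prefixes")
    return ("pass", "internal source on outbound packet")


# Constructed sample packets: (direction, source address).
SAMPLE = [("in", "198.51.100.7"), ("in", "203.0.113.25"),
          ("out", "203.0.113.25"), ("out", "192.0.2.99"),
          ("in", "2001:db8:10::5"), ("out", "2001:db8:ffff::1")]


def run(sample=SAMPLE):
    """Return (direction, source, verdict, reason) for each sample packet."""
    return [(d, s) + filter_decision(d, s) for d, s in sample]


if __name__ == "__main__":
    for d, s, verdict, reason in run():
        print(f"{d:>3} {s:<18} {verdict:<4} {reason}")
```

Dropped outbound packets are worth logging as well as blocking, since a foreign source address leaving the site points at a misconfigured or compromised internal host.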