Web Spoofing

ivenms
Administrator
*******


Posts: 2,177
Group: Administrators
Joined: Sep 2006
Status: Offline
Reputation: 14
Points: 4389 (Donate)
Post: #1

Web Spoofing


INTRODUCTION

This paper describes an Internet security attack that could endanger the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today's systems, endangering users of the most common Web browsers, including Netscape Navigator and Microsoft Internet Explorer.

HISTORY

The concept of IP spoofing was initially discussed in academic circles in the 1980s. It was primarily theoretical until Robert Morris, whose son wrote the first Internet Worm, discovered a security weakness in the TCP protocol known as sequence prediction. Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu Shimomura's machine, employed the IP spoofing and TCP sequence prediction techniques. While the popularity of such cracks has decreased due to the demise of the services they exploited, spoofing can still be used and needs to be addressed by all security administrators.

WHAT IS SPOOFING?


Spoofing means pretending to be something you are not. In Internet terms it means pretending to be a different Internet address from the one you really have in order to gain something. That might be information like credit card numbers, passwords, personal information or the ability to carry out actions using someone else's identity.

An IP spoofing attack involves forging one's source address. It is the act of using one machine to impersonate another. Most of the applications and tools on the web rely on source IP address authentication. Many developers have used host-based access controls to secure their networks. The source IP address is a unique identifier but not a reliable one. It can easily be spoofed.

Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.

The various types of spoofing techniques that we discuss include TCP Flooding, DNS Server Spoofing Attempts, web site names, email ids and link redirection.


WEB SPOOFING


INTRODUCTION

Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.

SPOOFING ATTACKS

In a spoofing attack, the attacker creates misleading context in order to trick the victim into making an inappropriate security-relevant decision. A spoofing attack is like a con game: the attacker sets up a false but convincing world around the victim. The victim does something that would be appropriate if the false world were real. Unfortunately, activities that seem reasonable in the false world may have disastrous effects in the real world.

Spoofing attacks are possible in the physical world as well as the electronic one. For example, there have been several incidents in which criminals set up bogus automated-teller machines, typically in the public areas of shopping malls. The machines would accept ATM cards and ask the person to enter their PIN code. Once the machine had the victim's PIN, it could either eat the card or "malfunction" and return the card. In either case, the criminals had enough information to copy the victim's card and use the duplicate. In these attacks, people were fooled by the context they saw: the location of the machines, their size and weight, the way they were decorated, and the appearance of their electronic displays.

People using computer systems often make security-relevant decisions based on contextual cues they see. For example, you might decide to type in your bank account number because you believe you are visiting your bank's Web page. This belief might arise because the page has a familiar look, because the bank's URL appears in the browser's location line, or for some other reason.



WEB SPOOFING

Web spoofing is a kind of electronic con game in which the attacker creates a convincing but false copy of the entire World Wide Web. The false Web looks just like the real one: it has all the same pages and links. However, the attacker controls the false Web, so that all network traffic between the victim's browser and the Web goes through the attacker.

Consequences:

Since the attacker can observe or modify any data going from the victim to Web servers, as well as controlling all return traffic from Web servers to the victim, the attacker has many possibilities. These include surveillance and tampering.

Surveillance:

The attacker can passively watch the traffic, recording which pages the victim visits and the contents of those pages. When the victim fills out a form, the entered data is transmitted to a Web server, so the attacker can record that too, along with the response sent back by the server. Since most on-line commerce is done via forms, this means the attacker can observe any account numbers or passwords the victim enters.

The attacker can carry out surveillance even if the victim has a "secure" connection (usually via Secure Sockets Layer) to the server, that is, even if the victim's browser shows the secure-connection icon (usually an image of a lock or a key).

Tampering:

The attacker is also free to modify any of the data traveling in either direction between the victim and the Web. The attacker can modify form data submitted by the victim. For example, if the victim is ordering a product on-line, the attacker can change the product number, the quantity, or the ship-to address.

The attacker can also modify the data returned by a Web server, for example by inserting misleading or offensive material in order to trick the victim or to cause antagonism between the victim and the server.


Spoofing the Whole Web

You may think it is difficult for the attacker to spoof the entire World Wide Web, but it is not. The attacker need not store the entire contents of the Web. The whole Web is available on-line; the attacker's server can just fetch a page from the real Web when it needs to provide a copy of the page on the false Web.

How the Attack Works:

The key to this attack is for the attacker's Web server to sit between the victim and the rest of the Web. This kind of arrangement is called a "man in the middle attack" in the security literature.

URL Rewriting:

The attacker's first trick is to rewrite all of the URLs on some Web page so that they point to the attacker's server rather than to some real server. Assuming the attacker's server is on the machine http://www.webmasters-forums.com, the attacker rewrites a URL by adding http://www.webmasters-forums.com to the front of the URL. For example, http://home.netscape.com becomes http://www.webmasters-forums.com/http://...cape.com.

The victim's browser requests the page from http://www.webmasters-forums.com, since the URL starts with http://www.webmasters-forums.com. The remainder of the URL tells the attacker's server where on the Web to go to get the real document.
Once the attacker's server has fetched the real document needed to satisfy the request, the attacker rewrites all of the URLs in the document into the same special form by splicing http://www.webmasters-forums.com/ onto the front. Then the attacker's server provides the rewritten page to the victim's browser.

Since all of the URLs in the rewritten page now point to http://www.attacker.org, if the victim follows a link on the new page, the page will again be fetched through the attacker's server. The victim remains trapped in the attacker's false Web, and can follow links forever without leaving it.


   
   


Forms:

If the victim fills out a form on a page in a false Web, the result appears to be handled properly. Spoofing of forms works naturally because forms are integrated closely into the basic Web protocols: form submissions are encoded in URLs and the replies are ordinary HTML. Since any URL can be spoofed, forms can also be spoofed.

When the victim submits a form, the submitted data goes to the attacker's server. The attacker's server can observe and even modify the submitted data, doing whatever malicious editing desired, before passing it on to the real server. The attacker's server can also modify the data returned in response to the form submission.


"Secure" connections don't help:

One distressing property of this attack is that it works even when the victim requests a page via a "secure" connection. If the victim does a "secure" Web access (a Web access using the Secure Sockets Layer) in a false Web, everything will appear normal: the page will be delivered, and the secure connection indicator (usually an image of a lock or key) will be turned on.

What is SSL?

SSL stands for Secure Sockets Layer. This protocol, designed by Netscape Communications Corp., is used to send encrypted HTTP (Web) transactions.

Seeing "https" in the URL box on your browser means SSL is being used to encrypt data as it travels from your browser to the server. This helps protect sensitive information (social security and credit card numbers, bank account balances, and other personal information) as it is sent.

The victim's browser says it has a secure connection because it does have one. Unfortunately the secure connection is to http://www.attacker.org and not to the place the victim thinks it is. The victim's browser thinks everything is fine: it was told to access a URL at http://www.attacker.org so it made a secure connection to http://www.attacker.org. The secure-connection indicator only gives the victim a false sense of security.


Starting the Attack:

To start an attack, the attacker must somehow lure the victim into the attacker's false Web. There are several ways to do this.

1) An attacker could put a link to a false Web onto a popular Web page.
2) If the victim is using Web-enabled email, the attacker could email the victim a pointer to a false Web, or even the contents of a page in a false Web.
3) Finally, the attacker could trick a Web search engine into indexing part of a false Web.


An example from real life:

As web surfers and users we must always be wary of the content of the web pages we surf, look for clues to spoofing, and report immediately to the providers. NEVER click on a link provided to you in an e-mail from someone you don't know or trust.

This is a very easy way to get you to that Hacker Intercept site! As an example, let's say you get the following e-mail from someone claiming to know you.

Hi Johnny,
I found this new book on gardening on Amazon and I thought you would enjoy it. Check it out...
Square Foot Gardening Mel Bartholome
Love,
Mom
Close inspection of the link above provides the following:
http://www.amazone.com/exec/obidos/searc...99-0468854

The link points to amazone.com instead of amazon.com. Everything else in the link is genuine. So before buying this great new book recommended by Mom, you'll be stopping by and visiting the folks at amazone.com and giving them your credit card number, expiration date, name, address and phone.


COMPLETING THE ILLUSION

The attack as described thus far is fairly effective, but it is not perfect. There is still some remaining context that can give the victim clues that the attack is going on. However, it is possible for the attacker to eliminate virtually all of the remaining clues of the attack's existence.

Such evidence is not too hard to eliminate because browsers are very customizable. The ability of a Web page to control browser behavior is often desirable, but when the page is hostile it can be dangerous.

Another artifact of this kind of attack is that the pages returned by the hacker intercept are stored in the user's browser cache, and, based on the additional actions taken by the user, the spoofed pages may live on long after the session is terminated.


The Status Line

The status line is a single line of text at the bottom of the browser window that displays various messages, typically about the status of pending Web transfers.

The attack as described so far leaves two kinds of evidence on the status line. First, when the mouse is held over a Web link, the status line displays the URL the link points to. Thus, the victim might notice that a URL has been rewritten. Second, when a page is being fetched, the status line briefly displays the name of the server being contacted. Thus, the victim might notice that http://www.attacker.org is displayed when some other name was expected.

The attacker can cover up both of these cues by adding a JavaScript program to every rewritten page. Since JavaScript programs can write to the status line, and since it is possible to bind JavaScript actions to the relevant events, the attacker can arrange things so that the status line participates in the con game, always showing the victim what would have been on the status line in the real Web. Thus the spoofed context becomes even more convincing.


The Location Line


The browser's location line displays the URL of the page currently being shown. The victim can also type a URL into the location line, sending the browser to that URL. The attack as described so far causes a rewritten URL to appear in the location line, giving the victim a possible indication that an attack is in progress.

This clue can be hidden using JavaScript. A JavaScript program can hide the real location line and replace it by a fake location line which looks right and is in the expected place. The fake location line can show the URL the victim expects to see. The fake location line can also accept keyboard input, allowing the victim to type in URLs normally. Typed-in URLs can be rewritten by the JavaScript program before being accessed.

   

Viewing the Document Source

There is one clue that the attacker cannot eliminate, but it is very unlikely to be noticed.

By using the browser's "view source" feature, the victim can look at the HTML source for the currently displayed page. By looking for rewritten URLs in the HTML source, the victim can spot the attack. Unfortunately, HTML source is hard for novice users to read, and very few Web surfers bother to look at the HTML source for documents they are visiting, so this provides very little protection.

A related clue is available if the victim chooses the browser's "view document information" menu item. This will display information including the document's real URL, possibly allowing the victim to notice the attack. As above, this option is almost never used so it is very unlikely that it will provide much protection.


Bookmarks

There are several ways the victim might accidentally leave the attacker's false Web during the attack. Accessing a bookmark or jumping to a URL by using the browser's "Open location" menu item might lead the victim back into the real Web. The victim might then reenter the false Web by clicking the "Back" button. We can imagine that the victim might wander in and out of one or more false Webs. Of course, bookmarks can also work against the victim, since it is possible to bookmark a page in a false Web. Jumping to such a bookmark would lead the victim into a false Web again.


WEB SPOOFING DEMONSTRATION


Code:
The HTML Source Code
<HTML>
    <HEAD>
        <TITLE>Web Spoofing Demonstration</TITLE>
    </HEAD>

<!-- init(), openWin() and openRealWin() are called below; the script that defines them is not included in this post. -->
<BODY onload="init()">
    <HR>
    <H2>Spoofing</H2>
<P>In both the cases below, if you mouse-over the link below, you'll see "http://basement.dartmouth.edu" in the status line at the bottom of your screen.</P>
<P>If you click on it, and you're not susceptible, then you'll actually go there.</P>
<P>If you click on it, and you are susceptible, then we'll pop open a new window for you.</P>

<!-- First link: the onclick handler's return value decides whether the browser follows the href. -->
<P><A onclick="return openWin();" href="http://basement.dartmouth.edu/">Click here to see a spoof, if you're configured correctly.</A></P>
<!-- Second link: the handler opens the real site and cancels the default navigation. -->
<P><A onclick="openRealWin(); return false;" href="http://basement.dartmouth.edu/">Click here to see the real basement site</A></P>

    <HR>

</BODY>
</HTML>


TRACING THE ATTACKER

Some people have suggested that this attack can be deterred by finding and punishing the attacker. It is true that the attacker's server must reveal its location in order to carry out the attack, and that evidence of that location will almost certainly be available after an attack is detected.

Unfortunately, this will not help much in practice because attackers will break into the machine of some innocent person and launch the attack there. Stolen machines will be used in these attacks.


CONCLUSION

When the world has started calling this era the era of the Internet, a World Wide Web that connects every nook and corner of the globe, we should never be left behind because of some pestering security problems.

Spoofing of the Web and IP has over the years proved to be annoying as well as dangerous. In this tense scenario it is mandatory that we stick to the various solutions so far available and at the same time spend our sincere efforts in devising better plans to solve this menace. Indeed, techniques like Packet Filtering and Cryptographic techniques help to some extent, but their efficiency is limited. We still rely on manual security checks of the status line, location line etc. which indeed are quite ineffective and practical.

The whole problem basically exists in that most of the web applications and tools rely on source IP address authentication. Alternatives are to be derived, and a better, safer Internet should solve the problem of Spoofing.


15-11-2006 06:38 PM
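The two cues the post above describes, a rewritten URL visible in the page source and a near-miss host name such as amazone.com, can be checked mechanically. The following is an added example, not part of the original post; the allow-list, the function names, the placeholder base URL and the sample HTML are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): flag links in HTML source that
// show either cue. A flag is a prompt for review, not proof of an attack:
// legitimate redirectors and archives also carry a URL inside a URL.
const TRUSTED_HOSTS = ["www.amazon.com", "home.netscape.com"]; // assumed allow-list

// Levenshtein distance between two host names (single-row dynamic programming).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = up;
    }
  }
  return row[b.length];
}

// Return the cues found in one href. Relative links resolve against `base`
// (a hypothetical placeholder for the URL of the page being audited).
function classifyLink(href, trusted = TRUSTED_HOSTS, base = "http://page.invalid/") {
  let url;
  try { url = new URL(href, base); } catch { return []; } // malformed: nothing to compare
  const findings = [];
  let tail = url.pathname + url.search;
  try { tail = decodeURIComponent(tail); } catch { /* keep raw form if badly encoded */ }
  // Cue 1: a second absolute URL carried after the host (the prefix-rewritten form).
  if (/https?:\/\//i.test(tail)) findings.push("embedded-url");
  // Cue 2: host is not on the allow-list but is within two edits of an entry.
  const host = url.hostname.toLowerCase();
  if (!trusted.includes(host) && trusted.some((t) => editDistance(host, t) <= 2)) {
    findings.push("lookalike-host");
  }
  return findings;
}

// Pull every href out of the markup and keep the ones with at least one cue.
function auditHtml(html, trusted = TRUSTED_HOSTS) {
  const report = [];
  for (const m of html.matchAll(/href\s*=\s*["']?([^"'\s>]+)/gi)) {
    const findings = classifyLink(m[1], trusted);
    if (findings.length) report.push({ href: m[1], findings });
  }
  return report;
}

// Constructed sample page: hosts are the ones named in the post, paths are made up.
const SAMPLE_HTML = `
<a href="http://www.amazon.com/constructed/book">genuine</a>
<a href="http://www.amazone.com/constructed/book">one letter off</a>
<a href="http://www.attacker.org/http://home.netscape.com">rewritten</a>
<a href="http://www.attacker.org/http%3A%2F%2Fhome.netscape.com">rewritten, encoded</a>`;

console.log(auditHtml(SAMPLE_HTML));
```

The edit-distance threshold of two is a tuning choice: raising it catches more look-alikes at the cost of flagging unrelated short host names.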
!aaytr
Newbie


Posts: 1
Group: Registered
Joined: Apr 2008
Status: Offline
Reputation: 0
Points: 1 (Donate)
Post: #2

RE: Web Spoofing


too long but useful, thanks for sharing.


software review and download
29-04-2008 03:42 PM
ivenms
Administrator
*******


Posts: 2,177
Group: Administrators
Joined: Sep 2006
Status: Offline
Reputation: 14
Points: 4389 (Donate)
Post: #3

RE: Web Spoofing


!aaytr Wrote:
too long but useful, thanks for sharing.


Welcome. This topic is from one of my seminars. Web spoofing really fools many web users, mainly with PayPal accounts. But most online users are aware of this attack. Still, careless people get attacked by this technique.


29-04-2008 11:26 PM
Current time: 22-11-2008, 04:37 AM