New Horizons Toronto - Mississauga are computer training centers located in Toronto and Mississauga, ON. This computer training facility in the Greater Toronto Area (GTA) of Ontario provides computer classes and computer certifications like Microsoft and Cisco certification classes and courses to the Toronto, North York, Richmond Hill, and Markham areas.


Protect your network from spoofers to prevent forgery and phishing

Types of spoofing, Protecting users from spoofed email, websites & IP addresses

August 25th, 2006

 

Attackers use techniques such as spoofing (forging) domain names, email addresses, or IP addresses to disguise who they are so you can't track them down and hold them responsible for damage caused by their attacks.  You can reduce the chances of this happening by learning to detect spoofing attempts and using authentication mechanisms to prevent spoofing.

The solutions are both social and technological, but the first step is to recognize the extent of the problem and how attackers exploit commonly used protocols to gain access to systems through spoofing and hijacking techniques.

Types of spoofing

In the physical world, a spoof refers to a deception, often carried out as a joke. Online spoofing is usually a more serious matter, and more closely resembles the crimes of forgery and identity theft.

Internet spoofing involves using various methods to falsify identifying information, such as one's email address, domain name, or IP address, or creating websites that appear to belong to companies or persons who have nothing to do with them.

Spoofing attacks can be broken into three main categories:

  • Email spoofs
  • Web spoofs
  • IP spoofs

Each works a little differently, but they have one thing in common: the spoofer is pretending to be someone or something he's not.

Email Spoofing

Email spoofers make it appear that a message came from someone other than the actual sender. Email spoofers are often spammers, but others who use spoofing include stalkers, flamers, and anyone else who wants to hide his identity when sending mail. Email spoofing is a form of forgery, akin to signing someone else's name on a printed letter.

The simplest form of email spoofing is done by changing the "from" field in the sender's email client. Instead of your name, you can enter anything you want there, so that when the recipient gets the message, it shows as being from "The President of the United States," "John Doe," or whatever you typed into the configuration field. More sophisticated forms of email spoofing involve changing the message headers.

Spoofers can also send their messages through open relays (SMTP servers that are configured to allow third parties who aren't local users to send mail through them) to disguise the origin of the messages.

Note: In many jurisdictions, sending email with forged headers is against the law, especially if the mail is commercial advertising.

It's easy to spoof email because the Simple Mail Transfer Protocol (SMTP) on which internet mail is based wasn't designed with security in mind, and doesn't contain a mechanism for verifying the identity of senders.

Web spoofing

Web spoofers set up sites on their own web servers that appear to be other legitimate sites on different servers. For example, a spoofer might create a site that pretends to be the site of the U.S. Department of Defense or that of Microsoft. Spoofers do this by:

  • Attacking the DNS servers that map domain names to IP addresses, to point a domain name that's registered to someone else to the spoofer's imitation site

  • Using CGI, JavaScript, or other code to trick your web browser into going to the imitation site

  • Disguising the real URL of a link by using IP addresses instead of names, or taking advantage of the way web browsers interpret certain characters in URLs, such as Internationalized Domain Name (IDN) characters that look like conventional Roman characters

Web spoofers often set up their fake sites for the purpose of phishing (tricking users into entering personal information, such as credit card or bank account numbers, which they will then use for identity theft).

Note: One type of web spoofing attack is called "whole web" spoofing because the attacker places his web server between the victim and the rest of the web and fetches pages from the real web when the victim requests a page through the attacker's rewritten URLs. Read more about it here: http://bau2.uibk.ac.at/matic/spoofing.htm

IP address spoofing

IP spoofers make it appear that packets came from a trusted computer's IP address instead of their own. This is done by manipulating the headers on the data packet that indicate the source (sender's) address.

IP spoofing is often used to launch attacks, such as denial of service (DoS) attacks. IP spoofing can get around security mechanisms that require authentication based on IP addresses. For example, the packet is modified so it appears to have come from a computer on the local network when it really came from the internet.

Protecting users from email spoofers

You can protect your users from spoofers by:

  • Learning to read internet headers to detect spoofing
  • Using authentication mechanisms to verify sender identity
  • Protecting email servers to prevent relays

How to detect email spoofing

You can often detect that a message is spoofed by examining the full header. The headers show the entire path that the message has taken from sender to recipient.

Many email client programs don't show the full headers by default, but there's usually a way to view them. For example, with Microsoft Outlook 2003, you have to open the message (not just view it in the preview pane) and click View | Options. There, you'll see the internet headers, as shown above. You'll have to scroll down to view the entire set of headers, which is quite lengthy, or copy and paste it.

 

By examining the headers, you can see that in a legitimate message, the sender's address is the same in the last "received from" field, the "from" field, and the "return path" field.
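The comparison described above can be automated. The following is an added example, not part of the original article: it parses a message's headers and reports where the "From" domain, the "Return-Path" domain, and the host named in the last "Received: from" header disagree. The two sample messages and all host names in them are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(value):
    """Lower-cased domain of the address in a From or Return-Path value."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_headers(raw):
    """Compare From, Return-Path and the last Received header; return findings."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    rpath_dom = domain_of(msg["Return-Path"])
    received = msg.get_all("Received") or []
    # The last Received header in the list is the first hop, nearest the sender.
    hop = re.match(r"\s*from\s+(\S+)", received[-1], re.I) if received else None
    origin = hop.group(1).lower().rstrip(".") if hop else ""
    findings = []
    if not from_dom or from_dom != rpath_dom:
        findings.append(f"From domain {from_dom!r} != Return-Path domain {rpath_dom!r}")
    if not from_dom or not (origin == from_dom or origin.endswith("." + from_dom)):
        findings.append(f"first hop {origin!r} is not under From domain {from_dom!r}")
    return findings

# Constructed sample messages (not real mail); hosts use reserved test names.
LEGIT = """\
Return-Path: <alice@example.com>
Received: from mx.recipient.test by mailstore.recipient.test; Fri, 25 Aug 2006 10:00:02 -0400
Received: from mail.example.com ([198.51.100.7]) by mx.recipient.test; Fri, 25 Aug 2006 10:00:01 -0400
From: Alice <alice@example.com>
Subject: Quarterly report

Hello
"""
SPOOFED = """\
Return-Path: <bounce@bulk-sender.test>
Received: from mx.recipient.test by mailstore.recipient.test; Fri, 25 Aug 2006 11:30:05 -0400
Received: from dialup-host.isp.test ([203.0.113.99]) by mx.recipient.test; Fri, 25 Aug 2006 11:30:04 -0400
From: "Example Bank" <support@bank.example>
Subject: Verify your account

Hello
"""

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPOOFED", SPOOFED)):
        print(name, check_headers(raw) or "headers are consistent")
```

A mismatch is a reason to look closer rather than proof of forgery, since mailing lists and third-party sending services legitimately produce differing domains.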

 

Use authentication mechanisms

The best way to avoid becoming a victim of email spoofers is to use one of several methods for authenticating the identity of email senders. Try the following:

Protect email servers

You can prevent your organization's email servers from being used by spammers and others who want to disguise their identities by disabling SMTP relaying by persons outside the organization.

 

If you use Microsoft Exchange 2003 or above, open relaying is disabled by default. If you use Exchange 5.5, relaying is enabled by default. To disable it, you must apply Service Pack 1 or later. For more information on how to configure Exchange 5.5, see http://support.microsoft.com/?kbid=836500

 

Protecting users from spoofed websites

Here are some things you can do to protect users from web spoofs:

  • Make sure users use a browser that displays the URL in the location line.

  • Teach users how to view a website's properties sheet to determine its URL. 

  • Disable JavaScript, Java, and ActiveX to prevent spoofers from hiding indications of the spoofed address.

  • Teach users not to accept a site as legitimate just because it is secure (uses SSL and displays the "locked" icon). Attackers can get SSL certificates for their sites, too.

Protecting users from IP spoofing

Packet filtering, performed by firewalls and routers, can protect against IP address spoofing. You can configure your gateway to block any packets that come from outside the local network with a source IP address on the local subnet.
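The filtering rule above, written out as decision logic in an added example that is not part of the original article. It goes one step beyond the text by also applying the mirror-image check to outbound traffic (dropping packets that leave the network with a non-local source). The local prefixes, the interface labels "external" and "internal", and the packet records are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed local prefixes (private and documentation ranges, for illustration).
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("192.168.10.0/24", "2001:db8:10::/64")]

def filter_packet(arrived_on, src):
    """Return (action, reason) for a packet seen at the gateway.

    arrived_on is 'external' or 'internal', hypothetical labels for the
    interface the packet came in on; src is its source address as text.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "unparseable source address")
    # Membership is False when the address family differs from the prefix's.
    is_local = any(addr in net for net in LOCAL_NETS)
    if arrived_on == "external" and is_local:
        return ("drop", "local source address arrived from outside")
    if arrived_on == "internal" and not is_local:
        return ("drop", "non-local source address leaving the network")
    return ("accept", "source matches the side it arrived on")

# Constructed packet records: (interface, source address).
SAMPLE = [
    ("external", "203.0.113.50"),    # ordinary internet host
    ("external", "192.168.10.25"),   # claims to be a local machine
    ("internal", "192.168.10.25"),   # genuine local machine
    ("internal", "198.51.100.9"),    # local host forging an outside address
    ("external", "2001:db8:10::1"),  # same check for IPv6
    ("external", "not-an-ip"),       # malformed record
]

def run(sample):
    """Return the list of actions taken for each packet record."""
    return [filter_packet(iface, src)[0] for iface, src in sample]

if __name__ == "__main__":
    for (iface, src) in SAMPLE:
        print(f"{iface:9} {src:16} -> {filter_packet(iface, src)}")
```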

Another defense against IP spoofing is to use cryptographic authentication instead of authentication based on IP addresses.

 

IPsec virtual private networking (VPN) can protect against IP spoofing because the IP headers as well as the data are encrypted in the tunnel, and when the packet is decrypted, a checksum is performed. This will detect if the source address has been modified, and the packet will be dropped.


