APPLICATION SECURITY
Knowledge Base
Search Our Knowledge Base
Spoofing Attack: IP, DNS & ARP
Having a well-developed security posture is essential to any business. Organizations should not assume the security of their customers' data and instead must take proactive steps to ensure it throughout the development process. Veracode provides powerful cloud-based tools, including static and dynamic security analysis, to detect vulnerabilities and security flaws before attackers can take advantage of them.
One common threat to be wary of is spoofing, where an attacker fakes an IP address or other identifier to gain access to sensitive data and otherwise secure systems. According to a 2018 report by the Center for Applied Internet Data Analysis (CAIDA), there are close to 30,000 spoofing attacks per day.
What Is a Spoofing Attack?
Spoofing is when an attacker impersonates an authorized device or user to steal data, spread malware, or bypass access control systems.
There are many different types of spoofing, with three of the most common being:
- IP address spoofing - Attacker sends packets over the network from a false IP address
- ARP spoofing - Attacker links their MAC address to an authorized IP address already on the network
- DNS spoofing - Attacker initiates a threat such as cache poisoning to reroute traffic intended for a specific domain name traffic to a different IP address
Read on to learn more about these three spoofing attacks and how to mitigate or prevent them. You can also download our free State of Software Security v11 report to learn more about software security.
IP Address Spoofing Attacks
An IP (Internet Protocol) address is a unique number used to identify a specific computer on a network. In IP address spoofing, attackers manipulate the IP header so that the packet appears to be coming from a legitimate source. This tricks the target machine into accepting malicious code or giving attackers access to sensitive data.
IP address spoofing can be used to carry out a denial-of-service attack. In this attack, attackers flood the network with more data than it can handle by sending hundreds or thousands of IP packets from multiple spoofed IP addresses. Alternatively, a specific machine's address can be spoofed to send many packets to other machines on the same network. Because machines automatically send responses when they receive an IP packet, this results in the spoofed machine being knocked offline.
Another way attackers use IP spoofing is to bypass authentication that relies upon a device’s IP address. Systems designed to assume a specific list of IP addresses is trustworthy can be tricked into accepting connections from untrusted machines that spoof a trusted machine’s IP address.
ARP Spoofing Attacks/ARP Cache Poisoning
ARP (Address Resolution Protocol) is used to identify legitimate machines on a network by resolving IP addresses to a specific MAC (Media Access Control) address. In ARP spoofing, an attacker sends ARP packets to the network, which appear to be from these legitimate devices. Because other machines on the network will think the attacker is legitimate, they will gladly send data back, which the attacker can use for other, more sophisticated attacks.
Successful ARP spoofing can be used to carry out:
- Denial-of-service attacks, where networks or machines are flooded with bogus data and taken offline
- Session hijacking, in which attackers exploit in-progress authentication by legitimate users to gain unauthorized access to data and devices
- Man-in-the-middle attacks, where attackers impersonate multiple devices to steal data intended for legitimate devices
DNS Spoofing Attacks
In DNS spoofing, an attacker provides false information to the DNS (Domain Name System) facility used by a given system, usually by inserting incorrect information into the local DNS cache. When an application needs to access a network resource by hostname, the system looks up the correct IP address associated with that name by using a DNS query to a DNS server that’s configured for the network. To reduce load on that server, most systems cache the responses to DNS queries for a time – so if an attacker is able to alter the contents of that cache, they can trick applications into accessing an IP different from those registered in the DNS system for a given hostname.
DNS server spoofing is often used to route web traffic to a server under the attacker's control and deliver computer viruses, and other malware onto users' machines, or to trick the user into supplying sensitive information.
How to Prevent and Mitigate Spoofing Attacks
Spoofing attacks can have disastrous consequences, but there are ways to reduce their likelihood and prevent them altogether.
Employ Packet Filtering with Deep Packet Inspection
Packet filtering analyzes IP packets and blocks those with conflicting source information. Because malicious packets will come from outside the network despite what their headers say, this is a good way to eliminate spoofed IP packets. Because attackers have developed techniques for evading simple packet filters, most packet-filter systems offer a DPI (Deep Packet Inspection) feature. DPI allows you to define rules based on both the header and the content of network packets, allowing you to filter out many kinds of IP spoofing attacks.
Authenticate users and systems
If devices on a network use only IP addresses for authentication, IP spoofing can bypass the authentication control. Connections between devices should be authenticated by the individual users or applications, or by using authenticity systems such as mutual certificate auth, IPSec, and domain authentication.
Use Spoofing Detection Software
Several programs help detect spoofing attacks, especially ARP spoofing. Consider a tool like NetCut, Arp Monitor, or arpwatch for ARP spoofing defense. These and other tools can inspect and certify legitimate data before it is received by a target machine can significantly lower the success of spoofing attacks.
Use Encrypted and Authenticated Protocols
Security experts have developed several secure communications protocols, including Transport Layer Security (TLS) (used by HTTPS and FTPS), Internet Protocol Security (IPSec), and Secure Shell (SSH). When used properly, these protocols authenticate the application or device to which you’re connecting, and encrypt data in transit, reducing the likelihood of a successful spoofing attack.
Learn More About Application Security with Veracode
Spoofing is just one way attackers can access confidential data and install malicious programs on a networked device. Download our free eBook, What Developers Don't Know About Security (But Should), to learn more about application security, or schedule a demo of Veracode's cloud-based application security solutions.