Spoofing is the term hackers use to describe the act of faking information sent to a computer. This is a broad definition of spoofing, but there are many subtle variations of this attack. However, the purpose is generally the same: to disguise the location from which the attack originates.
Session hijacking takes the act of spoofing one step further. It involves the faking of one's identity in order to take over a connection that is already established. Because spoofing is required in order to successfully hijack a connection, we will discuss the two hacking techniques together.
The most common spoofing attack is called an IP spoof . This type of attack takes advantage of the Internet Protocol, which is part of TCP/IP. TCP/IP requires a return address on data packets to keep a connection open and to maintain a level of reliability when transmitting information. However, if this return address is faked, the sender is fairly safe from being traced.
An Example of Spoofing
Spoofing has two main uses. The first use is an untraceable denial-of-service attack. By intimately understanding the internal workings of TCP/IP, a hacker can abuse the software used in Internet communication and bring a network to its knees. Flooding a network with packets that have a fake return address not only will slow the flooded network, but will also affect the computer that owns the forged return address. This is like sending out a thousand pieces of insulting mail to your boss while using the return address of your annoying neighbor (not recommended).
This type of spoofing attack is very common on the Internet. One of the most common uses for spoofing is spam . Spam is unsolicited , bulk advertising email that plagues us all. Although spam is illegal in some states, and very rude in all the others, spammers are getting away with it. The reason they can do this is because the origin of the spammer remains hidden. Spammers use a spoofing technique to disguise the source of the email. They can do this by using email servers that allow anyone to connect and send mail. This is known as open relay . Many of these servers are misconfigured; however, some servers are available for just this purpose. By sending the email through the server, the email is tagged with the wrong return address, which makes it difficult to track down and prosecute the responsible parties.
Another common abuse of spoofing is in a denial-of-service (DoS) attack. This type of attack is very similar to the child's game of "knock and hide." A computer virtually knocks on another computer's door and then hides. Using amplification, the target computer can be kept so busy answering false knocks that a real knock will go unanswered.
Although spoofing can protect a hacker from being traced, there are yet more sinister uses for this technique, such as session hijacking. This type of attack can be understood through the illustration of a letter exchange between two friends on the opposite sides of the world. Let's call these people Sally and Joe, and let's call our attacker Mr. Mean.
Assuming the letter exchange was previously in place before the attacker noticed it, both Sally and Joe would know each other's address and have it stored away in their address book. The attacker knows this, and realizes that in order to capture and control the conversation, he must gain control of the addresses.
The first step to session hijacking is to discover the original addresses of both parties. In this case, it is a simple matter ”Mr. Mean can look up both Sally and Joe's address in the phone book. The same applies in the digital world. An attacker would have to know both IP addresses and MAC addresses in order to attack. However, coming by this knowledge is often a simple matter, as it is typically public knowledge. Just as Mr. Mean would use a phone book to look up the addresses of his victims, a hacker would use the WHOIS service to look up the addresses of the computers online. This database is nothing more than a listing of all domain names with their corresponding IP addresses.
The next step would be to convince both Sally and Joe that the other had moved. This would be a relatively simple matter for Mr. Mean. All he would have to do is pick up some standard change of address forms from a card shop and mail them to both Sally and Joe. On the form, he would simply tell each party that their new address was 123 Lane Street. This would result in both Sally and Joe updating their address books with the new, fake address. Because of the formality of the form, neither Sally nor Joe would suspect anything. However, in reality, they would now be sending all messages directly to Mr. Mean's house.
Likewise, a hacker can perform such trickery . Using something known as an ARP request, the attacker would send his targets the same message telling them that the new IP address (tied to MAC address) is now located at XXX.XXX.XXX.XXX . This would result in each computer updating its ARP tables (address book) with the new address, which would cause all data to be passed to the attacker's computer.
At this point, Mr. Mean has all the mail messages arriving at his doorstep. He can now read, change, or even throw away any messages sent by Sally or Joe. This is the power of session hijacking. A computer can do the same thing. After the ARP addresses have been changed, the attacker's computer would receive all data being passed between the targets. The hacker can capture, adjust, and delete data just like Mr. Mean.
If Mr. Mean wants to stop monitoring the connection, he can simply ignore all the messages. However, this might lead Sally or Joe to discover that their messages have been compromised. The smartest thing Mr. Mean can do is send out another moving notice to both Sally and Joe informing each other of the correct address. Again, Sally and Joe would update their address books and continue as if nothing happened . The same would apply for a hacker. Although she could just turn off her computer and leave the area, this would result in a loss of communication, and could tip someone off that the connection was not secure. If this is not an acceptable risk for a hacker, she can simply forge ARP packets and correct the ARP table for the victim's computers.
There are many uses for these types of spoofing techniques. For example, secure links between a home computer and a Web store can be hijacked, chat connections can be hijacked, and even updates and downloads for popular programs can be spoofed. In other words, that virus update you just downloaded might not be what you think it is ”instead of getting an update to your virus scanner, you could instead be installing a deadly computer virus.