Spoofing is the act of faking the source address and port of an outgoing packet. It is used to make other systems believe that the packet was sent by another host. There are multiple reasons to spoof (most of them are not legitimate):
- To create a Denial of Service (DoS for short) against the target without people being able to trace it back to you easily.
- To fool logging systems into thinking that someone else did something (such as trying to brute-force passwords).
- To fool host-based protections, such as a firewall. This is what Kevin Mitnick used.
There are many kinds of spoofing techniques. The most common one is IP spoofing, since IP is the protocol the internet is based on. Spoofing IP packets is quite easy: all you need to do is change the source address and the source port in the packet you want to spoof. However, since IP is just a protocol whose only purpose is to get a packet from one place to another, it is NEVER used by itself. For this reason, modifying the header of the protocol carried in the payload of the IP packet might also be necessary.
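Changing the source address is trivial precisely because nothing in the IP header authenticates it, so the practical defence is to ask whether a claimed source is plausible for the link the packet arrived on (ingress/egress filtering in the style of BCP 38). The following Python is an added example, not code from the original article: the interface-to-prefix table, the `Packet` record and the sample traffic are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed topology for this example: the source prefixes legitimately
# found behind each internal interface. "wan0" is the upstream link.
INTERNAL_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],
    "dmz0": [ipaddress.ip_network("198.51.100.0/24")],
}
UPSTREAM_IFACE = "wan0"


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str    # source address claimed in the IP header
    dst: str    # destination address


def _in_any(addr: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(addr in net for net in nets)


def check_source(pkt: Packet) -> str:
    """Return 'pass', or the reason the claimed source is implausible for the
    interface it arrived on.  Nothing here authenticates the source; it only
    rejects addresses that cannot legitimately appear on that link."""
    src = ipaddress.ip_address(pkt.src)
    # Addresses never valid as a unicast source on the wire, on any interface.
    if src.is_unspecified or src.is_loopback or src.is_multicast:
        return "drop: illegal source address"
    if pkt.iface == UPSTREAM_IFACE:
        # Ingress rule: a packet from outside must not claim one of our own
        # addresses, which is what a spoofer impersonating our hosts does.
        all_internal = [n for nets in INTERNAL_PREFIXES.values() for n in nets]
        if _in_any(src, all_internal):
            return "drop: external packet claims internal source"
        return "pass"
    if pkt.iface in INTERNAL_PREFIXES:
        # Egress rule: a host behind lan0 may only use lan0's prefixes, so a
        # spoofed packet from one of our own machines never leaves the site.
        if not _in_any(src, INTERNAL_PREFIXES[pkt.iface]):
            return "drop: source not assigned to this interface"
        return "pass"
    return "drop: unknown interface"


# Constructed sample traffic: one legitimate packet per direction plus three
# that the filter should refuse.
SAMPLE_PACKETS = [
    Packet("lan0", "192.0.2.10", "203.0.113.5"),    # normal outbound
    Packet("wan0", "203.0.113.9", "192.0.2.10"),    # normal inbound
    Packet("lan0", "198.51.100.7", "203.0.113.5"),  # inside host using a DMZ address
    Packet("wan0", "192.0.2.10", "192.0.2.20"),     # outside packet claiming an inside source
    Packet("wan0", "127.0.0.1", "192.0.2.10"),      # loopback source on the wire
]


def filter_packets(packets: List[Packet]) -> List[str]:
    """Apply check_source to every packet and return the verdicts in order."""
    return [check_source(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS)):
        print(f"{pkt.iface:5} {pkt.src:>14} -> {pkt.dst:<14} {verdict}")
```

The two rules are deliberately asymmetric: the upstream rule protects our hosts from packets pretending to be them, while the per-interface rule stops our own hosts from being used as a spoofing source, which is what keeps the DoS and log-pollution cases described above from originating inside the site.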
TCP is the most widely used protocol on top of IP, as it carries things like HTTP, FTP, IMAP, POP3 and SMTP. Its goal is to make sure that the data is successfully received by the target host, even on a line with heavy packet loss. For this reason, it has mechanisms that let the sending host know when a packet has been received by the target and, if it hasn't, send it again. This is done with two fields in each packet: the ACK (acknowledgement) number and the SEQ (sequence) number. These two values are generated randomly at the beginning of the connection and updated afterwards in each packet sent. For these reasons, spoofing TCP connections is quite difficult. However, there are clever techniques that enable people to spoof TCP connections.
- The first technique is called non-blind spoofing. It consists in using a host located between the target and a host that cannot reply to packets (it can be down, nonexistent or even DoSed). Since the host being used sits between those two, it can read the packets sent from the target to the downed host. Because of that, the attacker can send packets with the downed host's address as source, still read the 'answers' from the target, and therefore send further packets to the target with valid ACK and SEQ values. This type of TCP spoofing is not too hard to perform, but assumes that you have access to a router.
- The other method, blind spoofing, is a lot more difficult to perform, but does not require the attacker to have access to routers or gateways. It relies on the fact that some operating systems do not generate ACK and SEQ numbers randomly enough when the connection is made. For example, some old operating systems use a constant value for their ISN (Initial Sequence Number). Others, such as Windows 95, 98 and NT, have an ISN which depends on time: for example, ISN1 = X, ISN2 = X + AMOUNT_OF_TIME_PASSED_SINCE_LAST_REQUEST. This can be easily predicted. Other, more recent systems are also vulnerable to this kind of attack: the algorithm they use to generate random ISNs might not be good enough, producing numbers that can be predicted with a little work. The only problem with this technique is that it does not allow the attacker to read the responses from the target, making it suitable only for batch jobs, such as an SMTP session.
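The weakness blind spoofing depends on, a predictable ISN, is something you can audit on your own stack: record the ISN from the SYN-ACK of several connection attempts together with the time of each attempt, then look at the first-order differences. The Python below is an added example, not code from the original article; the three sample series (a constant ISN, an ISN that grows with elapsed time in the shape the paragraph gives, and one with no linear pattern) are constructed, and the 5% tolerance is an assumption.

```python
from typing import List, Tuple

MOD = 1 << 32  # sequence numbers are 32-bit, so differences wrap around

# A sample is (time_ms, isn): when the connection attempt was made and the
# initial sequence number the audited host chose for it.
Sample = Tuple[float, int]


def first_differences(isns: List[int]) -> List[int]:
    """ISN(n+1) - ISN(n), modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isn_samples(samples: List[Sample], tolerance: float = 0.05) -> str:
    """Classify observed ISNs as 'constant', 'time-dependent' (increments
    proportional to elapsed time, within `tolerance`) or 'no linear pattern'.
    The last verdict only means this simple test found nothing; it is not
    evidence that the generator is unpredictable."""
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    times = [t for t, _ in samples]
    isns = [isn for _, isn in samples]
    diffs = first_differences(isns)
    if all(d == 0 for d in diffs):
        return "constant"
    dts = [b - a for a, b in zip(times, times[1:])]
    if all(dt > 0 for dt in dts):
        # ISN = X + rate * elapsed_time gives a constant ratio diff/dt.
        rates = [d / dt for d, dt in zip(diffs, dts)]
        mean = sum(rates) / len(rates)
        if mean > 0 and all(abs(r - mean) <= tolerance * mean for r in rates):
            return "time-dependent"
    return "no linear pattern"


# Constructed series. Times are in ms; the time-dependent series uses a made-up
# rate of 128 per ms, and the last series is a hand-picked set of values.
CONSTANT_SAMPLES: List[Sample] = [
    (0, 0x12345678), (100, 0x12345678), (300, 0x12345678), (450, 0x12345678),
]
TIME_SAMPLES: List[Sample] = [
    (t, (0x2000 + 128 * t) % MOD) for t in (0, 100, 250, 400, 1000)
]
RANDOM_SAMPLES: List[Sample] = [
    (0, 0x1A2B3C4D), (100, 0x9F0E1D2C), (200, 0x33445566),
    (300, 0xDEADBEEF), (400, 0x00112233), (500, 0x7654321F),
]


def audit_all() -> dict:
    """Run the classifier over each constructed series."""
    return {
        "constant": classify_isn_samples(CONSTANT_SAMPLES),
        "time": classify_isn_samples(TIME_SAMPLES),
        "random": classify_isn_samples(RANDOM_SAMPLES),
    }


if __name__ == "__main__":
    for name, verdict in audit_all().items():
        print(f"{name:9} -> {verdict}")
```

Feed it real samples by timing a few connections to the host under test and reading the ISN from each SYN-ACK in a capture. A 'constant' or 'time-dependent' verdict is the condition the paragraph describes; the fix is on the server side (a stack that draws ISNs from a proper random source), not in the client.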
UDP is also often used on top of IP, mostly for applications that do not require every packet to reach the target. A good example is online games such as Quake. Because of this, there are no mechanisms that make sure every packet is received. Therefore, no extra work is required to spoof a packet using this protocol. UDP spoofing is mostly used for UDP floods.
ICMP is used to transmit errors and other kinds of semi-important information from one host to another. For this reason, this protocol is, just like UDP, very easy to spoof. It is probably the most spoofed protocol. In fact, ICMP spoofing is used in the very popular smurf attack.
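Since UDP and ICMP packets are trivial to forge, the useful question for a defender is how the abuse shows up in traffic: echo requests aimed at a directed-broadcast address (the amplifier side of smurf) and a single host receiving echo replies it never asked for from many sources (the victim side, the symptom of both smurf and spoofed floods). The Python below is an added detection example, not code from the original article; the flow records are constructed, and the 192.0.2.0/24 local prefix, the one-second window and the five-source threshold are assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: float   # seconds since capture start
    proto: str  # "icmp" or "udp"
    src: str
    dst: str
    info: str   # ICMP type name, or destination port for UDP


# Assumed local prefixes; their directed-broadcast addresses are what a
# smurf amplifier abuses.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def broadcast_echo_requests(flows: List[Flow]) -> List[Flow]:
    """Echo requests addressed to the directed broadcast of a local prefix.
    A router that forwards these turns the whole subnet into an amplifier,
    which is why disabling directed broadcast is the standard mitigation."""
    bcast = {net.broadcast_address for net in LOCAL_NETS}
    return [f for f in flows
            if f.proto == "icmp" and f.info == "echo-request"
            and ipaddress.ip_address(f.dst) in bcast]


def reply_flood_victims(flows: List[Flow], window: float = 1.0,
                        min_sources: int = 5) -> List[str]:
    """Destinations receiving echo replies from at least `min_sources` distinct
    hosts inside one `window`.  Replies nobody on that host solicited are the
    victim-side fingerprint of a spoofed-source attack."""
    buckets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto == "icmp" and f.info == "echo-reply":
            buckets[(f.dst, int(f.ts // window))].add(f.src)
    return sorted({dst for (dst, _), srcs in buckets.items()
                   if len(srcs) >= min_sources})


# Constructed capture: ordinary ping and DNS traffic, then one request to the
# broadcast address carrying a forged source, followed by the burst of replies
# that request triggers against the forged address.
SAMPLE_FLOWS = [
    Flow(0.10, "icmp", "192.0.2.10", "198.51.100.1", "echo-request"),
    Flow(0.12, "icmp", "198.51.100.1", "192.0.2.10", "echo-reply"),
    Flow(0.50, "udp", "192.0.2.11", "198.51.100.53", "53"),
    Flow(2.00, "icmp", "203.0.113.7", "192.0.2.255", "echo-request"),
] + [
    Flow(2.01 + i * 0.001, "icmp", f"192.0.2.{20 + i}", "203.0.113.7", "echo-reply")
    for i in range(6)
]


def analyse(flows: List[Flow]) -> dict:
    """Return both indicators for a capture."""
    return {
        "broadcast_requests": [(f.src, f.dst) for f in broadcast_echo_requests(flows)],
        "flood_victims": reply_flood_victims(flows),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_FLOWS).items():
        print(key, value)
```

The first check catches the attack where it can be stopped (the amplifier network); the second catches it where the spoofed address is the only clue (the victim). Because a spoofed source cannot be traced through the IP header, both indicators are about traffic shape, not about who sent the packet.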