web spoofing full report
#1

[attachment=1361]
ABSTRACT
This paper describes an Internet security attack that could endanger the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today's systems, endangering users of the most common Web browsers, including Netscape Navigator and Microsoft Internet Explorer.
Spoofing means pretending to be something you are not. In Internet terms it means pretending to be a different Internet address from the one you really have in order to gain something. That might be information like credit card numbers, passwords, personal information or the ability to carry out actions using someone elseâ„¢s identity. IP spoofing attack involves forging one's source address. It is the act of using one machine to impersonate another.
Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor the all of the victim's activities including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.

1.0 INTRODUCTION
This paper describes an Internet security attack that could endanger the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today's systems, endangering users of the most common Web browsers, including Netscape Navigator and Microsoft Internet Explorer.
1.1 HISTORY
The concept of IP spoofing was initially discussed in academic circles in the 1980's. It was primarily theoretical until Robert Morris, whose son wrote the first Internet Worm, discovered a security weakness in the TCP protocol known as sequence prediction. Another infamous attack, Kevin Mitnick's Christmas day, crack of Tsutomu Shimomura's machine, employed the IP spoofing and TCP sequence prediction techniques. While the popularity of such cracks has decreased due to the demise of the services they exploited, spoofing can still be used and needs to be addressed by all security administrators.
1.2 WHAT IS SPOOFING
Spoofing means pretending to be something you are not. In Internet terms it means pretending to be a different Internet address from the one you really have in order to gain something. That might be information like credit card numbers, passwords, personal information or the ability to carry out actions using someone elseâ„¢s identity.
IP spoofing attack involves forging one's source address. It is the act of using one machine to impersonate another. Most of the applications and tools in web rely on the source IP address authentication. Many developers have used the host based access controls to secure their networks. Source IP address is a unique identifier but not a reliable one. It can easily be spoofed.
Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor the all of the victim's activities including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.
The various types of spoofing techniques that we discuss include TCP Flooding, DNS Server Spoofing Attempts, web site names, email ids and page link redirection.

2.0 WEB SPOOFING
2.1 INTRODUCTION
Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor the all of the victim's activities including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.
2.2 SPOOFING ATTACKS
In a spoofing attack, the attacker creates misleading context in order to trick the victim into making an inappropriate security-relevant decision. A spoofing attack is like a con game: the attacker sets up a false but convincing world around the victim. The victim does something that would be appropriate if the false world were real. Unfortunately, activities that seem reasonable in the false world may have disastrous effects in the real world.
Spoofing attacks are possible in the physical world as well as the electronic one. For example, there have been several incidents in which criminals set up bogus automated-teller machines, typically in the public areas of shopping malls. The machines would accept ATM cards and ask the person to enter their PIN code. Once the machine had the victim's PIN, it could either eat the card or "malfunction" and return the card. In either case, the criminals had enough information to copy the victim's card and use the duplicate. In these attacks, people were fooled by the context they saw: the location of the machines, their size and weight, the way they were decorated, and the appearance of their electronic displays.
People using computer systems often make security-relevant decisions based on contextual cues they see. For example, one might decide to type in your bank account number because he/she believes you are visiting your bank's Web page. This belief might arise because the page has a familiar look, because the bank's URL appears in the browser's location line, or for some other reason.
To appreciate the range and severity of possible spoofing attacks, we must look more deeply into two parts of the definition of spoofing: security-relevant decisions and context.
2.2.1 Security-relevant Decisions
By "security-relevant decision," we mean any decision a person makes that might lead to undesirable results such as a breach of privacy or unauthorized tampering with data. Deciding to divulge sensitive information, for example by typing in a password or account number, is one example of a security-relevant decision. Choosing to accept a downloaded document is a security-relevant decision, since in many cases a downloaded document is capable of containing malicious elements that harm the person receiving the document.
Even the decision to accept the accuracy of information displayed by oneâ„¢s computer can be security-relevant. For example, if one decide to buy a stock based on information one get from an online stock ticker, he/she is trusting that the information provided by the ticker is correct. If somebody could present some incorrect stock prices, they might cause the victim to engage in a transaction that the person would not have otherwise made.
2.2.2 Context
A browser presents many types of context that users might rely on to make decisions. The text and pictures on a Web page might give some impression about where the page came from; for example, the presence of a corporate logo implies that the page originated at a certain corporation.
The names of objects can convey context. People often deduce what is in a file by its name. Is manual.doc the text of a user manual (It might be another kind of document, or it might not be a document at all.) URLs are another example. Is MICR0S0FT.COM the address of a large software company (For a while that address pointed to someone else entirely. By the way, the round symbols in MICR0S0FT here are the number zero, not the letter O.).
People often get context from the timing of events. If two things happen at the same time, you naturally think they are related. If you click over to your bank's page and a username/password dialog box appears, you naturally assume that you should type the name and password that you use for the bank. If you click on a page link and a document immediately starts downloading, you assume that the document came from the site whose page link you clicked on. Either assumption could be wrong.
If you only see one browser window when an event occurs, you might not realize that the event was caused by another window hiding behind the visible one.
Modern user-interface designers spend their time trying to devise contextual cues that will guide people to behave appropriately, even if they do not explicitly notice the cues. While this is usually beneficial, it can become dangerous when people are accustomed to relying on context that is not always correct.
2.3 WEB SPOOFING
Web spoofing is a kind of electronic con game in which the attacker creates a convincing but false copy of the entire World Wide Web. The false Web looks just like the real one: it has all the same pages and links. However, the attacker controls the false Web, so that all network traffic between the victim's browser and the Web goes through the attacker.
Consequences Since the attacker can observe or modify any data going from the victim to Web servers, as well as controlling all return traffic from Web servers to the victim, the attacker has many possibilities. These include surveillance and tampering.
Surveillance The attacker can passively watch the traffic, recording which pages the victim visits and the contents of those pages. When the victim fills out a form, the entered data is transmitted to a Web server, so the attacker can record that too, along with the response sent back by the server. Since most on-line commerce is done via forms, this means the attacker can observe any account numbers or passwords the victim enters.
The attacker can carry out surveillance even if the victim has a "secure" connection (usually via Secure Sockets Layer) to the server, that is, even if the victim's browser shows the secure-connection icon (usually an image of a lock or a key).
Tampering The attacker is also free to modify any of the data traveling in either direction between the victim and the Web. The attacker can modify form data submitted by the victim. For example, if the victim is ordering a product on-line, the attacker can change the product number, the quantity, or the ship-to address.
The attacker can also modify the data returned by a Web server, for example by inserting misleading or offensive material in order to trick the victim or to cause antagonism between the victim and the server.
2.3.1 Spoofing the Whole Web
You may think it is difficult for the attacker to spoof the entire World Wide Web, but it is not. The attacker need not store the entire contents of the Web. The whole Web is available on-line; the attacker's server can just fetch a page from the real Web when it needs to provide a copy of the page on the false Web.
2.3.2 How the Attack Works
The key to this attack is for the attacker's Web server to sit between the victim and the rest of the Web. This kind of arrangement is called a "man in the middle attack" in the security literature.
2.3.3 URL Rewriting
The attacker's first trick is to rewrite all of the URLs on some Web page so that they point to the attacker's server rather than to some real server. Assuming the attacker's server is on the machine attacker.org, the attacker rewrites a URL by adding http://attacker.org to the front of the URL. For
example, http://home.netscape.com becomes http://attackerhttp://home.netscape.com.
The victim's browser requests the page from attacker.org, since the URL starts with http://attacker.org. The remainder of the URL tells the attacker's server where on the Web to go to get the real document.
Once the attacker's server has fetched the real document needed to satisfy the request, the attacker rewrites all of the URLs in the document into the same special form by splicing http://attacker onto the front. Then the attacker's server provides the rewritten page to the victim's browser.
Since all of the URLs in the rewritten page now point to attacker.org, if the victim follows a page link on the new page, the page will again be fetched through the attacker's server. The victim remains trapped in the attacker's false Web, and can follow links forever without leaving it.


2.3.4 Forms
If the victim fills out a form on a page in a false Web, the result appears to be handled properly. Spoofing of forms works naturally because forms are integrated closely into the basic Web protocols: form submissions are encoded in URLs and the replies are ordinary HTML. Since any URL can be spoofed, forms can also be spoofed.
When the victim submits a form, the submitted data goes to the attacker's server. The attacker's server can observe and even modify the submitted data, doing whatever malicious editing desired, before passing it on to the real server. The attacker's server can also modify the data returned in response to the form submission.
2.3.5 "Secure" connections don't help
One distressing property of this attack is that it works even when the victim requests a page via a "secure" connection. If the victim does a "secure" Web access (a Web access using the Secure Sockets Layer) in a false Web, everything will appear normal: the page will be delivered, and the secure connection indicator (usually an image of a lock or key) will be turned on.
What is SSL
SSL stands for Secure Sockets Layer. This protocol, designed by Netscape Communications Corp., is used to send encrypted HTTP (Web) transactions.
Seeing "https" in the URL box on your browser means SSL is being used to encrypt data as it travels from your browser to the server. This helps protect sensitive information--social security and credit card numbers, bank account balances, and other personal information--as it is sent.
The victim's browser says it has a secure connection because it does have one. Unfortunately the secure connection is to attacker.org and not to the place the victim thinks it is. The victim's browser thinks everything is fine: it was told to access a URL at attacker.org so it made a secure connection to attacker.org. The secure-connection indicator only gives the victim a false sense of security.
2.3.5 Starting the Attack
To start an attack, the attacker must somehow lure the victim into the attacker's false Web. There are several ways to do this.
1) An attacker could put a page link to a false Web onto a popular Web page.
2) If the victim is using Web-enabled email, the attacker could email the victim a pointer to a false Web, or even the contents of a page in a false Web.
3) Finally, the attacker could trick a Web search engine into indexing part of a false Web.
2.3.6 An example from real life
As web surfers and users we must always be wary of the content of the web pages we surf, look for clues to spoofing, and report immediately to the providers. NEVER click on page link provided to you in an e-mail from someone you donâ„¢t know or trust.
This is a very easy way to get you to that Hacker Intercept site! As an example, letâ„¢s say you get the following e-mail from someone claiming to know you.
Hi Johnny,
I found this new book on gardening on Amazon and I thought you would enjoy it. Check it out...
Square Foot Gardening ” Mel Bartholome
Love,
Mom
Close inspection of the page link above provides the following:
http://amazoneexec/obidos/search-handleform/102-7984499-0468854
The page link points to amazone.com instead of amazon.com. Everything else in the page link is genuine. So before buying this great new book recommended by Mom, youâ„¢ll be stopping by and visiting the folks at amazone.com and giving them your credit card number, expiration date, name, address and phone.
2.4 COMPLETING THE ILLUSION
The attack as described thus far is fairly effective, but it is not perfect. There is still some remaining context that can give the victim clues that the attack is going on. However, it is possible for the attacker to eliminate virtually all of the remaining clues of the attack's existence.
Such evidence is not too hard to eliminate because browsers are very customizable. The ability of a Web page to control browser behavior is often desirable, but when the page is hostile it can be dangerous.
Another artifact of this kind of attack is that the pages returned by the hacker intercept are stored in the userâ„¢s browser cache, and based on the additional actions taken by the user; the spoofed pages may live on long after the session is terminated.
2.4.1 The Status Line
The status line is a single line of text at the bottom of the browser window that displays various messages, typically about the status of pending Web transfers.
The attack as described so far leaves two kinds of evidence on the status line. First, when the mouse is held over a Web link, the status line displays the URL the page link points to. Thus, the victim might notice that a URL has been rewritten. Second, when a page is being fetched, the status line briefly displays the name of the server being contacted. Thus, the victim might notice that attacker.org is displayed when some other name was expected.
The attacker can cover up both of these cues by adding a JavaScript program to every rewritten page. Since JavaScript programs can write to the status line, and since it is possible to bind JavaScript actions to the relevant events, the attacker can arrange things so that the status line participates in the con game, always showing the victim what would have been on the status line in the real Web. Thus the spoofed context becomes even more convincing.
2.4.2 The Location Line
The browser's location line displays the URL of the page currently being shown. The victim can also type a URL into the location line, sending the browser to that URL. The attack as described so far causes a rewritten URL to appear in the location line, giving the victim a possible indication that an attack is in progress.
This clue can be hidden using JavaScript. A JavaScript program can hide the real location line and replace it by a fake location line which looks right and is in the expected place. The fake location line can show the URL the victim expects to see. The fake location line can also accept keyboard input, allowing the victim to type in URLs normally. Typed-in URLs can be rewritten by the JavaScript program before being accessed.

2.4.3 Viewing the Document Source
There is one clue that the attacker cannot eliminate, but it is very unlikely to be noticed.
By using the browser's "view source" feature, the victim can look at the HTML source for the currently displayed page. By looking for rewritten URLs in the HTML source, the victim can spot the attack. Unfortunately, HTML source is hard for novice users to read, and very few Web surfers bother to look at the HTML source for documents they are visiting, so this provides very little protection.
A related clue is available if the victim chooses the browser's "view document information" menu item. This will display information including the document's real URL, possibly allowing the victim to notice the attack. As above, this option is almost never used so it is very unlikely that it will provide much protection.
2.4.4 Bookmarks
There are several ways the victim might accidentally leave the attacker's false Web during the attack. Accessing a bookmark or jumping to a URL by using the browser's "Open location" menu item might lead the victim back into the real Web. The victim might then reenter the false Web by clicking the "Back" button. We can imagine that the victim might wander in and out of one or more false Webs. Of course, bookmarks can also work against the victim, since it is possible to bookmark a page in a false Web. Jumping to such a bookmark would lead the victim into a false Web again.
2.5 WEB SPOOFING DEMONSTRATION
The HTML Source Code
<HTML>
<HEAD>
<TITLE>Web Spoofing Demonstration
</TITLE>
</HEAD>
<BODY onload=init()>
<HR>
<H2>Spoofing</H2>
<P>In both the cases below, if you mouse-over the page link below, you'll see http://basement.dartmouth.edu" in the status line at the bottom of your screen.
<P>If you click on it, and you're not susceptible, then you'll actually go there.
<P>If you click on it, and you are susceptible, then we'll pop open a new window for you.
<P><A onclick="return openWin();
"href="http://basement.dartmouth.edu/"> Click here to see a spoof, if you're configured correctly.</A></P>
<P><A onclick="javascript:openRealWin();return false;"
href="http://basement.dartmouth.edu/">Click here to see the real basement site</A></P>

<P>
<HR>
</BODY>
</HTML>
The HTML Page as seen
________________________________________
Spoofing
In both the cases below, if you mouse-over the page link below, you'll see "http://basement.dartmouth.edu" in the status line at the bottom of your screen.
If you click on it, and you're not susceptible, then you'll actually go there.
If you click on it, and you are susceptible, then we'll pop open a new window for you.
Click here to see a spoof, if you're configured correctly.
Click here to see the real basement site
________________________________________
2.6 TRACING THE ATTACKER
Some people have suggested that this attack can be deterred by finding and punishing the attacker. It is true that the attacker's server must reveal its location in order to carry out the attack, and that evidence of that location will almost certainly be available after an attack is detected.
Unfortunately, this will not help much in practice because attackers will break into the machine of some innocent person and launch the attack there. Stolen machines will be used in these attacks.
2.6.1 Remedies
Web spoofing is a dangerous and nearly undetectable security attack that can be carried out on today's Internet. Fortunately there are some protective measures you can take.
2.6.2 Short-term Solution
In the short run, the best defense is to follow a three-part strategy:
1. disable JavaScript in your browser so the attacker will be unable to hide the evidence of the attack;
2. make sure your browser's location line is always visible;
3. pay attention to the URLs displayed on your browser's location line, making sure they always point to the server you think you're connected to.
This strategy will significantly lower the risk of attack, though you could still be victimized if you are not conscientious about watching the location line.
At present, JavaScript, ActiveX, and Java all tend to facilitate spoofing and other security attacks, so we recommend that you disable them. Doing so will cause you to lose some useful functionality, but you can recoup much of this loss by selectively turning on these features when you visit a trusted site that requires them.
2.6.3 Long-term Solution
We do not know of a fully satisfactory long-term solution to this problem. Changing browsers so they always display the location line would help, although users would still have to be vigilant and know how to recognize rewritten URLs.
For pages that are not fetched via a secure connection, there is not much more that can be done.
For pages fetched via a secure connection, an improved secure-connection indicator could help. Rather than simply indicating a secure connection, browsers should clearly say who is at the other end of the connection. This information should be displayed in plain language, in a manner intelligible to novice users; it should say something like "Microsoft Inc." rather than "microsoft.com."
Every approach to this problem seems to rely on the vigilance of Web users. Whether we can realistically expect everyone to be vigilant all of the time is debatable.
3.0 IP SPOOFING
3.1 TCP FLOODING
3.1.1 Introduction
When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages. This connection technique applies to all TCP connec-
tions-telnet, Web, email, etc.
Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the header) contain various information about the packet. The next 8 bytes (the next 2 rows), however, contains the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses “ specifically the source address field. It's important to note that each datagram is sent independent of all others due to the stateless nature of IP.
The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server.
Here is a view of this message flow:
Client Server
------ ------
SYN-------------------->
<--------------------SYN-ACK
ACK-------------------->
Client and server can now send service-specific data
TCP uses sequence numbers. When a virtual circuit establishes between two hosts, then TCP assigns each packet a number as an identifying index. Both hosts use this number for error checking and reporting. Rik Farrow, in his article "Sequence Number Attacks", explains the sequence number system as follows:
"The sequence number is used to acknowledge receipt of data. At the beginning of a TCP connection, the client sends a TCP packet with an initial sequence number, but no acknowledgment. If there is a server application running at the other end of the connection, the server sends back a TCP packet with its own initial sequence number, and an acknowledgment; the initial number from the client's packet plus one. When the client system receives this packet, it must send back its own acknowledgment; the server's initial sequence number plus one."
Thus an attacker has two problems:
1) He must forge the source address.
2) He must maintain a sequence number with the target.
The second task is the most complicated task because when target sets the initial sequence number, the attacker must response with the correct response. Once the attacker correctly guesses the sequence number, he can then synchronize with the target and establish a valid session.
3.1.2 Services vulnerable to IP Spoofing:
Configuration and services that are vulnerable to IP spoofing:
¢ RPC (Remote Procedure Call services)
¢ Any service that uses IP address authentication
¢ The X Window system
¢ The R services suite (rlogin, rsh, etc.)
3.1.3 TCP and IP spoofing Tools:
1) Mendax for Linux
Mendax is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.
2)spoofit.h
spoofit.h is a nicely commented library for including IP spoofing functionality into your programs. [Current URL unknown. -Ed.]
3) ipspoof
ipspoof is a TCP and IP spoofing utility.
4) hunt
hunt is a sniffer which also offers many spoofing functions.
5) dsniff
dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic.
3.2 DESCRIPTION
3.2.1 TCP Flags
¢ Flags are used to manage the establishment and shutdown of a virtual circuit
o SYN: request for the synchronization of syn/ack numbers (used in connection setup)
o ACK: states that the acknowledgment number is valid (all segments in a virtual circuit have this flag set, except for the first one)
o FIN: request to shutdown one stream
o RST: request to immediately reset the virtual circuit.
3.2.2 TCP Virtual Circuit: Setup
¢ A server, listening to a specific port, receives a connection request from a client: The segment containing the request is marked with the SYN flag and contains a random initial sequence number sc
¢ The server answers with a segment marked with both the SYN and ACK flags and containing
o an initial random sequence number ss
o sc + 1 as the acknowledgment number
¢ The client sends a segment with the ACK flag set and with sequence number sc+ 1 and acknowledgment number ss+ 1.
3.2.3 TCP Virtual Circuit: Data Exchange
¢ A partner sends in each packet the acknowledgment of the previous segment and its own sequence number increased by the number of transmitted bytes
¢ A partner accepts a segment from the other partner only if the numbers match the expected ones
¢ An empty segment may be used to acknowledge the received data.

The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message. This is what we mean by half-open connection. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.


Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system.
The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections.


In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections nor the ability to originate outgoing network connections. However, in some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative.
The location of the attacking system is obscured because the source addresses in the SYN packets are often implausible. When the packet arrives at the victim server system, there is no way to determine its true source. Since the network forwards packets based on destination address, the only way to validate the source of a packet is to use input source filtering.
3.3 IMPACT
Systems providing TCP-based services to the Internet community may be unable to provide those services while under attack and for some time after the attack ceases. The service itself is not harmed by the attack; usually only the ability to provide the service is impaired.
In some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative.

3.3.1 TCP Virtual Circuit: Shutdown
¢ One of the partners, say A, can terminate its stream by sending a segment with the FIN flag set
¢ The other partner, say B, answers with an ACK segment
¢ From that point on, A will not send any data to B: it will just acknowledge data sent by B
¢ When B shutdowns its stream the virtual circuit is considered closed.

3.3.2 TCP Spoofing
Node A trusts node B (e.g., login with no password)
Node C wants to impersonate B with respect to A in opening a
TCP connection
¢ C kills B (flooding, crashing, redirecting) so that B does not send annoying RST segments
¢ C sends A a TCP SYN segment in a spoofed IP packet with B™s address as the source IP and sc as the sequence number
¢ A replies with a TCP SYN/ACK segment to B with ss as the sequence number. B ignores the segment: dead or too busy
¢ C does not receive this segment but to finish the handshake it has to send an ACK segment with ss + 1 as the acknowledgment number
o C eavesdrops the SYN/ACK segment
o C guesses the correct sequence number
3.4 REDUCING IP SPOOFED PACKETS
3.4.1 Be Un-trusting and Un-trustworthy
One easy solution to prevent this attack is not to rely on address-based authentication. Disable all the r* commands, remove all .rhosts files and empty out the /etc/hosts.equiv file. This will force all users to use other means of remote access (telnet, ssh, skey, etc).
3.4.2 Packet Filtering
With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can take steps to reduce the number of IP-spoofed packets entering and exiting your network.
Currently, the best method is to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network. In addition, you should filter outgoing packets that have a source address different from your internal network to prevent a source IP spoofing attack from originating from your site.
The combination of these two filters would prevent outside attackers from sending you packets pretending to be from your internal network. It would also prevent packets originating within your network from pretending to be from outside your network. These filters will *not* stop all TCP SYN attacks, since outside attackers can spoof packets from *any* outside network, and internal attackers can still send attacks spoofing internal addresses.
3.4.3 Cryptographic Methods
An obvious method to deter IP-spoofing is to require all network traffic to be encrypted and/or authenticated. While several solutions exist, it will be a while before such measures are deployed as defacto standards.
3.4.4 Initial Sequence Number Randomizing
Since the sequence numbers are not chosen randomly (or incremented randomly) this attack works. Bellovin describes a fix for TCP that involves partitioning the sequence number space. Each connection would have its own separate sequence number space. The sequence numbers would still be incremented as before, however, there would be no obvious or implied relationship between the numbering in these spaces. Suggested is the following formula:
ISN=M+F(localhost,localport,remotehost,remoteport)
Where M is the 4 microsecond timer and F is a cryptographic hash. F must not be computable from the outside or the attacker could still guess sequence numbers. Bellovin suggests F be a hash of the connection-id and a secret vector (a random number, or a host related secret combined with the machine's boot time).

4.0 DNS SERVER SPOOFING ATTACKS
The most complex attack is to alter the address the master DNS servers will resolve for a given URL. The URL that an Internet user types in is not the numeric address of the site required, but an alphanumeric address structure. The DNS servers convert, say, articsoft.com, into a real Internet address, say 195.217.192.145 (not the correct address, but the point is made). This has to be done because people donâ„¢t generally remember and associate 12 digit numbers with anything except telephone numbers, and then they generally file them on the telephone with a Ëœfriendly nameâ„¢ that they have some relationship with. An attack of this type has been successfully mounted that altered the server list, so that, for a period of time, users requesting some sites were directed to the wrong addresses.
This type of attack is a major threat and the Internet naming and addressing authorities have taken it very seriously indeed. DNS servers have incorporated numerous security measures to prevent repetitions of this attack from being successful. These include having the servers mirror and monitor each other as well as controlling very carefully how updates are introduced into the servers.

This kind of problem can be resolved by positive site identification, where the end user is able to automatically check the claimed web site URL against the content provided.

5.0 CONCLUSION
When the world has started calling this era as the era of Internet “ A World Wide Web that connects the every nook and corner of the globe we should never be let behind because of some pestering security problems.
Spoofing of the Web and IP has over the years proved to be annoying as well as dangerous. In this tense scenario it is mandatory that we stick onto the various solutions so far available and at the same time spend our sincere efforts in devising better plans to solve this menace. Indeed techniques like Packet Filtering and Cryptographic techniques help to some extend but their efficiency is limited. We still rely on manual security checks of the status line, location line etc. which indeed are quite ineffective and practical.
The whole problem basically exists in that most of the web applications and tools rely on the source IP address authentication. Alternatives are to be derived and a better safer Internet should solve the problem of Spoofing.
---------------------------------

6.0 REFERENCES
IP Spoofing
1. cert.org
2. securityfocus.com
3. webopedia.com
4. linuxgazatte.com
5. networkice.com
Web Spoofing
1. cs.princeton.edu
2. cs.dartmouth.edu
3. fbi.gov
4. systemexperts.com
5. spoonybard.nu

¦¦¦¦¦¦¦¦¦¦¦

CONTENTS
1.0 INTRODUCTION
1.1 HISTORY
1.2 WHAT IS SPOOFING
2.0 WEB SPOOFING
2.1 INRTODUCTION
2.2 SPOOFING ATTACKS
2.3 WEB SPOOFING
2.4 COMPLETING THE ILLUSION
2.5 WEB SPOOFING DEMONSTRATION
2.6 TRACING THE ATTACKER
3.0 IP SPOOFING
3.1 TCP FLOODING
3.2 DESCRIPTION
3.3 IMPACT
3.4 REDUCING IP SPOOFED PACKETS
4.0 DNS SPOOFING ATTACKS
5.0 CONCLUSION
6.0 REFERENCES
¦¦¦¦¦¦¦¦¦..

ACKNOWLEDGMENT

I express my sincere thanks to Prof. M.N Agnisarman Namboothiri (Head of the Department, Computer Science and Engineering, MESCE),
Mr. Sminesh (Staff incharge) for their kind co-operation for presenting the seminars.
I also extend my sincere thanks to all other members of the faculty of Computer Science and Engineering Department and my friends for their
co-operation and encouragement.
Nandakumar.V
Reply
#2
hello
can u pls mail me paper presentation on this topic.. pls pls make t earlier if possible
hello
can u pls mail me paper presentation on this topic.. pls pls make t earlier if possible. my mail id is pruthvi.kumar[at]hotmail.com
Reply
#3
thank you so much for the report but i also want the ppt of the same please can you send me the ppt on web spoofing relating with this repot.....
Reply
#4
i am in urgent need of a ppt on "web spoofing".plzz do send
Reply
#5
[attachment=6758]
WEB SPOOFING


Introduction

Web spoofing is the act of creating a website, as a hoax, with the intention of misleading readers that the website has been created by a different person or organization.

Creating a shadow copy of the world wide web
Reply
#6
Introduction
A progressively growing number of social, government, and commercial activity is being moved to the

web. All these media are using the web as the de-facto medium. The users of physical
services such as the stores, banks, newspaper have developed an intuition that which service to trust and

which not to. There is a gradual movement from the brick and mortar front to the bits and bytes domain .

the fundamental fact behind it is that the bits are maleable. To ensure that when one clicks a link, he is

taken to nowhere else.

Spoofing Attacks:
Ina spoofing attack, the attacker creates misleading context in order to trick the victim into making an

inappropriate security-relevant decision. A false but convincing world is created around the victim and the

victim does somethig thinking that what he sees is real. There has been several reports where the

criminals set up bogus automated-teller machines. The ATM cards are accepted and the person is asked

to enter the PIN. Thus the criminals has had enough information to dupicate the card and misuse it.

report:
Reply
#7
PRESENTED BY
NIDHI KUMARI

[attachment=10975]
Web Spoofing:
What is Spoofing ?

 is a situation in which one person or program successfully masquerades as another by falsifying information and thereby gaining an illegitimate advantage.
Type of spoofing :
 IP Spoof
 Web Spoof
 E-mail Spoof
 Non Technical Spoof
Wanna know about IP Spoofing ?
 The creation of IP packets with a forged source.
 The purpose of it is to conceal the identity of the sender or impersonating another computing system.
Types of IP Spoofing :
1. Denial-of-service attack :
The goal is to flood the victim with overwhelming amounts of traffic. This prevents an internet site or service from functioning efficiently or at all, temporarily or indefinitely.
Spoofing Attacks:
• 2. Impersonation :
• 3.Man in the Middle Attack :
This is also called connection hijacking. In this attacks, a malicious party intercepts a legitimate communication between two hosts to controls the flow of communication and to eliminate or alter the information sent by one of the original participants without their knowledge.
Man in the middle attack:
 Session hijacking
• Who is this freak ?
 None of u know who is spying on u ? Isn`t is amusing..?
Uses of IP Spoofing :
 To defeat networks security :
> Such as authentication based on IP addresses.
This type of attack is most effective where trust relationships exist between machines.
>For example, some corporate networks have internal systems trust each other, a user can login without a username or password as long he is connecting from another machine on the internal network. By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authenticating.
Fallout of IP based authentication:
Defense against IP spoofing:
 Packet filtering- one defense against IP spoofing
› Ingress filtering- blocking of packets from outside the network with a source address inside the network
› Egress filtering –blocking outgoing packets from inside the network source address.
• Filtering:
• Defense against IP spoofing:
Upper Layers :
Some upper layer protocols provide their own defense against IP spoofing.
For example, TCP uses sequence numbers negotiated with the remote machine to ensure that the arriving packets are part of an established connection. Since the attacker normally cant see any reply packets, he has to guess the sequence number in order to hijack the connection.
Web Spoofing :
 It’s a security attack that allows an adversary to observe and modify all web pages sent to the victim’s machine and observe all information entered into forms by the victim.
• Guess what ? I hv spoofed ur web browser . Rn’t fealing queasy.?
Web Spoofing :
 The attack is initiated when a victim visits a malicious web page, or receives a malicious email message.
 The attack is implemented using JavaScript and Web serves plug-ins.
• Can`t u imbecile see this is a hoax ?
Dangers of Web Spoofing:
 After your browser has been fooled, the spoofed web server can send you fake web pages or prompt you to provide personal information such as login Id, password, or even credit card or bank account numbers.
How to prevent it :
 Don’t click links in emails instead always copy and paste, or even better manually type the URL in.
 When entering personal or sensitive information, verify the URL is as you expect, and the site’s SSL certificate matches that URL.
 Understand why you’re providing the information-does it make sense? Does the site need to know your SSN?
Email Spoofing :
 E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source.
Email Spoof Protection:
 Double check the email you are replying to, make sure that the letters are what they truly seem. For example, l(lower case L) is not the same as I(upper case i).
 Look at the IP information of the email header. If an email originated from inside your network, the sender should have very similar IP address.
Non-Technical Spoofing:
 These non-computer based techniques are commonly referred to as social engineering. With social engineering, an attacker tries to convince someone that he is someone else.
 This can be as simple as the attacker calling someone on the phone saying that he is a certain person.
• Aren`t u smelling some foul..? “Trust ur intuition”
Example of Non-Technical Spoofing :
 An attacker calls the help desk to request a new account to be set up. The attacker pretends to be a new employee.
 A “technician” walks into a building saying that he has been called to fix a broken computer. What business does not have a broken computer?
Why does Non-Technical Spoof Works :
 The main reason is that it exploits attributes of human behavior: trust is good and people love to talk. Most people assume that if someone is nice and pleasant, he must be honest. If an attacker can sound sincere and listen, you would be amazed at what people will tell him.
 Lessons learntà trust the good old lore about strangers that they r seldom good keep a distance from them
Non-Technical Spoof protection :
 Educate your users:
› The help desk
› Receptionist
› Administrators
 Have proper policies:
› Password policy
› Security policy
Reply
#8
They are swaying in the wind, one , as if beckoning to me thank it !Autumn , golden millet capsules full , facing the autumn doubled up laughing , turned up full blast waves .
Miles sky send Qiu Yan , which can send me love .
Just remember, someone in my most beautiful love longing age, promised to hurt me, love me, pet me all my life.
yql2014
Qi Li insisted her story to accompany Ms. Yao Chunjuan go to the hospital for treatment. The next month , they are every day back and forth between the hospital and the rental. Li Qi her story down to this end of the business regardless of the billiard club , revenues plummeted, but a complaint nor a day, but also find ways to let Ms. Yao Chunjuan happy. Ms. Yao Chunjuan filled moved, she knew that this affection of a good boy , have slowly into her heart .
Whats up, being seated last belonging to the underlying part short period outside the "Asian Literature" book shelves daughter, Actually, i know one labeled as Unces, under what a a few. As i soundlessly monitoring one for two main quite a few years, though So i'm terrified As i will rest ones own careless simply because Lolita -like little girl is actually core. I must masteral, to understand you a strategy, As i H, I want one.
In the footsteps of harassment , the river habitat grass flute flutter frog jumped into the water from time to time , some overturned Siyangbacha , panic escape looks very funny.
yql2014
Reply
#9
Paused, there isn't a response. Is visually lovely heartbroken loving filled, this girl imagined most of the long term future to make sure you redouble this results for work for a aging population people life save cash.
Your dad proclaimed angrily: "If you need a certainly well-rounded, helpful good enough, browsing you should not. inch
Previously heard people say that you learn it well, it will be hello and never betray you .
yql2014
Reply
#10
please give me ppt's related to web spoofing ? please please...........
Reply

Important Note..!

If you are not satisfied with above reply ,..Please

ASK HERE

So that we will collect data for you and will made reply to the request....OR try below "QUICK REPLY" box to add a reply to this page
Popular Searches: ppt and report on seminar topic email spoofing, seminar report of ip spoofing, ip spoofing browser, ip spoofing in ieee format, latest news about web spoofing, kleuniversity edu in, spmp edu polipd com,

[-]
Quick Reply
Message
Type your reply to this message here.

Image Verification
Please enter the text contained within the image into the text box below it. This process is used to prevent automated spam bots.
Image Verification
(case insensitive)

Possibly Related Threads...
Thread Author Replies Views Last Post
  computer networks full report seminar topics 8 42,026 06-10-2018, 12:35 PM
Last Post: jntuworldforum
  OBJECT TRACKING AND DETECTION full report project topics 9 30,658 06-10-2018, 12:20 PM
Last Post: jntuworldforum
  imouse full report computer science technology 3 24,900 17-06-2016, 12:16 PM
Last Post: ashwiniashok
  Implementation of RSA Algorithm Using Client-Server full report seminar topics 6 26,614 10-05-2016, 12:21 PM
Last Post: dhanabhagya
  Optical Computer Full Seminar Report Download computer science crazy 46 66,345 29-04-2016, 09:16 AM
Last Post: dhanabhagya
  ethical hacking full report computer science technology 41 74,445 18-03-2016, 04:51 PM
Last Post: seminar report asees
  broadband mobile full report project topics 7 23,324 27-02-2016, 12:32 PM
Last Post: Prupleannuani
  steganography full report project report tiger 15 41,337 11-02-2016, 02:02 PM
Last Post: seminar report asees
  Digital Signature Full Seminar Report Download computer science crazy 20 43,691 16-09-2015, 02:51 PM
Last Post: seminar report asees
  Mobile Train Radio Communication ( Download Full Seminar Report ) computer science crazy 10 27,940 01-05-2015, 03:36 PM
Last Post: seminar report asees

Forum Jump: