Spoofing Attacks
Overview
Cybercriminals uses spoofing attacks to impersonate a familiar or trusted source to interact with targets, aiming to steal information, extort money, or install malicious software on their devices.
Example of spoofing attacks:
- Email Spoofing
- Caller ID Spoofing
- Website/Domain Spoofing
- IP Spoofing
- ARP Spoofing
- GPS Spoofing
- Facial Spoofing
- Man-in-the-middle attack
Mitigations:
- Email Security: Use SPF, DKIM, and DMARC.
- User Training: Educate on recognizing suspicious communications.
- Secure Authentication: Use multifactor authentication.
- Access Controls: Limit sensitive system access.
- Secure Routing: Implement SBGP or similar protocols.
- Network Access Control (NAC): Restrict unauthorized devices.
- IDS/IPS: Detect spoofing patterns.
IP Address Spoofing
Impersonating a trusted IP address to gain unauthorized access.
Mitigations:
- Packet Filtering: Block spoofed IP addresses.
- Secure Routing: Use SBGP to validate routing.
- Network Access Control (NAC): Restrict unauthorized devices from network access.
- IDS/IPS: Monitor for spoofing patterns.
Session Hijacking
Session Management
Session management enables web applications to identify users consistently.
- Allows for unique identification of users across requests.
- Maintains the state of user data throughout interactions.
- Ensures that data generated by the user is assigned solely to that user.
- Information can be stored in databases or cookies.
Cookies
Cookies are important for managing state in web applications, as HTTP is a stateless protocol.
- HTTP doesn’t store client info, so cookies are used.
- Cookies store information about users for future requests.
- Every request from the client includes the stored cookie.
- Encrypting cookies helps protect session data.
- For more information, please see Secure Cookies.
Types of Cookies:
-
Session Cookies
- Non-persistent, only stored in the browser.
- When browser is closed, cookies are deleted.
-
Persistent Cookies
- Stay around even after the browser is closed.
- Stored in the browser cache until they're deleted by the user.
- Delete when user "Clear cookies", or when they pass the defined expiration date.
Session Hijacking
Session hijacking is a spoofing attack where the host is disconnected and replaced by the attacker.
- Occurs through theft or modification of cookies.
- Can be performed when user is currently logged in to a web session.
Session Prediction
In session prediction, an attacker attempts to predict session token to hijack the session.
- If token is predictable, they can be guessed.
- Attackers can take over the session.
Cookie Poisoning
Cookie poisoning involves modifying the contents of the cookies to be sent to a client's browser.
- Modified cookie can be used to exploit vulnerabilities.
Replay Attack
Attacker intercepts and retransmits a valid data transmission to trick the receiver into unauthorized actions, often impersonating one of the legitimate parties in the communication.
- Interception and retransmission of valid data packets.
- Unauthorized access, data manipulation, session hijacking.
Mitigations:
- Time-stamped tokens or nonces, ensures each transaction is unique and only valid for a short period.
- Use TLS/SSL to encrypt data and make interception more difficult.
- Mutual authentication techniques, validate each other's identities.
- Maintain a session or message log to track and verify unique transactions.
- Replay detection mechanisms to identify and block replayed messages.
- Use WPA3 to avoid replay attacks.
Difference with Session Hijacking:
- Replay Attacks - attacker intercepts data, decides whether to retransmit it later.
- Session Hijacking - attacker alters data transmission in real-time.