How Common Are Spoofing Attacks?

Spoofing attacks are rare, but they do occur. Consider this Defense Data Network advisory from July, 1995:
The attack documented by John Markoff in The New York Times occurred over the Christmas holiday of 1994. By mid-1995, the attack had been discussed in cracker circles across the Internet. After it was demonstrated that the Morris attack technique was actually possible, crackers quickly learned and implemented IP spoofing worldwide. In fact, source code for pre-fabbed spoofing utilities was posted at sites across the Net. A fad was established.

Even though the word is out on spoofing, the technique is still quite rare. This is because, again, crackers require particular tools and skills. For example, this technique cannot--to my knowledge--be implemented on a non-UNIX operating system. However, I cannot guarantee that this situation will remain. Before long, someone will introduce a Windows-based auto-spoofer written in Visual C++ or some other implementation of C/C++. I suspect that these will be available within a year. For the moment, the technique remains a UNIX thing and therefore poses all the same obstacles (root access, knowledge of C, technical prowess to manipulate the kernel, and so forth) as other UNIX-based cracking techniques.

Spoofing is sometimes purposely performed by system administrators. This type of spoofing, however, varies considerably from typical IP spoofing. It is referred to as LAN spoofing or WAN spoofing. These techniques are used primarily to hold together disparate strings of a WAN (see Figure 28.2).

In many WAN environments, networks of widely varying design are attached to a series of WAN servers, nodes, or devices. Each time a message is trafficked over these lines, a toll is generally incurred. This can be expensive, depending largely on the type and speed of the connection. One thing is obvious: The best arrangement is one in which none of the nodes pays for the connection unless data is being trafficked across it (it seems wasteful to pay merely for the connection to exist).

To avoid needless charges, some engineers implement a form of spoofing whereby WAN interfaces answer keep-alive requests from remote LAN servers rather than actually routing those requests within the overall WAN network. Thus, the remote LAN assumes it is being answered by the remote WAN, but this is not