An IP spoofing attack is one in which the source IP address of a packet is forged. There are generally two types of spoofing attacks: IP spoofing used in DoS attacks and man in the middle attacks.
IP spoofing-based DoS attacks are relatively straightforward. An attacker sends a TCP SYN packet to the target host with a forged source IP address, often an address in the RFC 1918 private address space, though it does not have to be. The targeted host replies with an acknowledgement (SYN-ACK) and waits for a response. The response never comes, and these unanswered queries remain in the buffer of the targeted device. If enough spoofed queries are sent, the buffer will overflow and the network device will become unstable and crash.
Man in the middle attacks are much more onerous. Here, the attacker intercepts traffic heading between two devices on the network. The attacker can either monitor information or alter the data as it passes through the network. This is illustrated in Figure 3.5.
Figure 3.5 The user sends a request to 10.10.100.1. The attacker pretends to be 10.10.100.1 and sends a response to that effect. The user then forwards all packets destined for 10.10.100.1 to the attacker.
Typically a man in the middle attack works like this: an attacker sits on the network and watches traffic. When another user on the network sends an ARP request for a network device, the attacker sends a response claiming that the compromised machine is the requested device. Even if the actual device responds, the second response will override the first. The user now sends all data destined for the original device to the compromised machine.
It is possible for an attacker to use this method to intercept enough data to effectively monitor and log all network traffic and gain important information such as usernames and passwords. Users may never know that the traffic is being intercepted, because each packet will eventually be forwarded onto its intended destination.
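The "second response overrides the first" step above is also the footprint a defender can watch for: a second MAC address answering for an IP that was already learned from an earlier ARP reply. The following is an added example, not code from the book; it parses raw Ethernet/ARP frames, tracks the first MAC seen for each IP, and raises an alert on a conflicting reply. The MAC addresses and the user's address 10.10.100.50 are constructed for the sample; 10.10.100.1 is the address from Figure 3.5.

```python
import socket
import struct
# Wire formats for an Ethernet/IPv4 ARP frame (constructed parser, not code from the book).
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2
def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)
def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpWatcher:
    """Remembers the MAC each IP was first seen with and flags any later reply claiming that IP from another MAC."""
    def __init__(self):
        self.table, self.alerts = {}, []   # ip -> mac learned from the first reply; alerts raised
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _op, sha, spa, _tpa = parsed
        known = self.table.setdefault(spa, sha)
        if known == sha:
            return None
        # A second MAC answering for a known IP is the "second response overrides the first" step.
        # Legitimate causes exist too (replaced NIC, DHCP reuse), so this is an alert to triage, not proof.
        alert = f"ARP conflict for {spa}: learned {known}, now claimed by {sha}"
        self.alerts.append(alert)
        return alert

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP reply frame (sample input only) from colon/dotted strings."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    sip, tip = socket.inet_aton(sender_ip), socket.inet_aton(target_ip)
    return ETH_HDR.pack(tmac, smac, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, smac, sip, tmac, tip)

def demo():
    """Figure 3.5 with constructed MACs: the real 10.10.100.1 answers, then a second host answers for it."""
    w, user, gateway, other = ArpWatcher(), "aa:bb:cc:00:00:10", "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    w.observe(arp_reply(gateway, "10.10.100.1", user, "10.10.100.50"))  # genuine reply: learned
    w.observe(arp_reply(other, "10.10.100.1", user, "10.10.100.50"))    # conflicting reply: alert
    return w.alerts
```

On a real segment the frames would come from a raw socket or pcap feed rather than from arp_reply; the same watcher logic applies, and a conflict should be correlated with switch port data or a DHCP lease record before it is treated as an attack.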
As with the other attacks described in this chapter, there are pre-compiled tools that help attackers carry out man in the middle attacks. One of the most popular tools used for man in the middle attacks is Ettercap (ettercap.sourceforge.net/). Ettercap binaries are available for Windows, Solaris, BSD, and Linux.