Guide to Spoofing Attacks and How to Prevent Them

What is a Spoofing Attack?

A spoofing attack is a type of cyber attack where an intruder imitates another legitimate device or user to launch an attack against the network. In other words an attacker sends a communication from a device disguised as a legitimate device.

There are many different ways that spoofing attacks can be attempted from IP address spoofing attacks to ARP spoofing attacks.

Spoofing attacks have allowed countless cyber criminals to breach enterprise networks covertly without being detected.

Shockingly, Microsoft estimates that attackers hide within a network for an average of 146 days before detection. This suggests that spoof attackers have an ample amount of time to get their hands on important data. The price of overlooking these attacks can be catastrophic. In fact it is estimated that cybercrime cost organizations over $600 billion in 2017. A considerable percentage of these attacks will have been spoof attacks.

Why are Spoofing Attacks Such a Threat?

Spoofing attacks are a widespread problem because they don’t draw the same attention level as other attacks. While ransomware caught the attention of organizations around the world during the WannaCry attack, many organizations underplay the damage that can be caused by a successful spoofing attack.

Spoofing attacks are a tricky entity because they can occur in so many different ways. From ARP spoofing to IP spoofing, MAC spoofing and DNS spoofing, there are many concerns to keep track of. It isn’t surprising many organizations fail to cover everything. An email spoofing attack can be launched simply by replying to the wrong email!

In many cases, this is exacerbated as business owners make the dangerous misconception that their company is a small fish in a big pond. Unfortunately, nobody is safe from IP spoofing. Without the right training or equipment, a moderately-skilled attacker can sidestep your defense strategy and access your data at will.

Having an awareness of all main forms of spoofing attacks and implementing measures to stay protected against them is the only way to safeguard your organization. In the next section, we’re going to look at some of the types of spoofing attacks you can experience.

The main types of Spoofing Attacks

As mentioned above, spoofing attacks come in many different forms. We’ll look at the most common types of spoofing attacks that organizations encounter on a daily basis. We’ll also look at how these attacks can be detected before looking at how to prevent them altogether in the next section. Here is a list of spoofing attack types:

  • ARP Spoofing Attack
  • IP Spoofing Attack
  • MAC Spoofing Attack
  • Email Spoofing Attack
  • DNS Spoofing Attack

ARP Spoofing Attack

An ARP spoofing attack is an attack that uses the Address Resolution Protocol (ARP) to fish for information. In an ARP spoofing attack the attacker sends ARP messages out across a network in an attempt to connect their MAC address with the IP address of a member of staff. The attacker waits quietly on the network until they manage to crack the IP address.

Once the IP address has been cracked, the attacker can intercept data in between the computer and the router. Then data sent to the member of staff is actually sent on to the attacker’s IP address. The end result is data in the hands of the attacker. The attacker can then use IP addresses throughout your network against you to launch a denial-of-service DOS attack. One of the most important things to note about ARP spoofing attacks is that they can only work on LANs that use the ARP protocol.

How to Detect an ARP Spoofing Attack

There are many ways that you can detect an ARP spoofing attack. One simple way to check if an unwanted intruder is spoofing on your network is to open up the command line and enter the following:

arp-a

This command will show you the ARP table of your device. You want to look through the table and see if any IP addresses are sharing the same MAC address. If two IP addresses are sharing the same MAC address then this means that there is an intruder on the network.

IP Spoofing Attack

An IP spoofing attack is where an attacker tries to impersonate an IP address so that they can pretend to be another user. During an IP address spoofing attack the attacker sends packets from a false source address. These IP packets are sent to devices within the network and operate much like a DoS attack. The attacker uses multiple packet addresses to overwhelm a device with too many packets.

How to Detect an IP Spoofing Attack

As one of the more popular types of spoofing attack, IP spoofing attacks can be detected through the use of a network analyzer or bandwidth monitoring tool. Monitoring your network will allow you to monitor normal traffic usage and recognize when anomalous traffic is present. This gives you a heads-up that something isn’t right so you can investigate further.

In particular, you’re looking to pay attention to IP addresses and flow data that can point you to illegitimate internet traffic. Catching IP spoofing attacks early is especially important because they often come as part of DDoS (Direct Denial of Service) attacks which can take the entire network offline.

See also: Understanding DoS and DDoS attacks

MAC Spoofing Attack

All endpoints on a network are identified by a MAC address and that identifier can also be faked by hackers. The real MAC address on each device is unique and it is hard-coded onto the network card and so cannot be changed. However, through software, a fake MAC address can be inserted into outgoing communications. This is a MAC spoofing attack.

MAC spoofing bypasses access control measures, gives a hacker the identity of a valid user, fools simple authentication checks, and can hide a rogue device on a network.

MAC spoofing operates within the network because routers rely on IP addresses to identify endpoints. However, MAC spoofing can be combined with IP address spoofing to enable attacks to be launched from remote locations.

How to Detect a MAC Spoofing Attack

Falsifying a MAC address doesn’t bypass the network. A network manager will still be able to view the traffic from that spoofed MAC address. An address that has been duplicated will show up as sending traffic from two different sources simultaneously. Other telltale signs would be a company device seemingly connecting to the network from a different physical location on the network.

Tools that would facilitate the detection of MAC spoofing include traffic analyzers and bandwidth monitors.

Email Spoofing Attacks

Email spoofing attacks are where an attacker sends an email imitating another sender. In these attacks, the sender field is spoofed to show fake contact details. The attacker impersonates this entity and then sends you an email requesting information. These attacks are often used to pose as administrators and ask other members of staff for account details.

How to Detect an Email Spoofing Attack

Email spoofing attacks are perhaps the riskiest because they target staff directly. Responding to the wrong email can lead to an attacker gaining leverage over important data. In the event that a spoofed email makes it into your inbox, your first line of defense is to stay skeptical of email display names.

Attackers spoof display names all the time so you’re going to need to check the email address. If there are any links within the email you can type them in a new window to check if they are legitimate. It can also help to check for spelling errors and other inaccuracies that can indicate the sender isn’t legitimate.

See also: Common phishing scams and how to recognize and avoid them

DNS Spoofing Attack

DNS or domain name system attacks are where attackers jumble up the list of public IP addresses. DNS servers have a database of public IP addresses and hostnames that are used to help with navigating the network. When a DNS attack occurs, the attacker changes domain names so that they are rerouted to a new IP address.

One example of this is if you enter a website URL and you are then sent to a spoofed domain instead of the website that you originally wanted to go to. This is a popular way for attackers to spread worms and viruses into networks.

How to Detect DNS Spoofing Attacks

To detect a DNS spoofing attack it is a good idea to use a tool like dnstraceroute. DNS spoofing attacks are dependent upon an attacker spoofing the DNS reply. Using dnstraceroute will allow you to see where the DNS request has been answered. You’ll be able to see the DNS server destination and see whether somebody has spoofed the DNS reply.

Related: SolarWinds Traceroute Tools Review (with free trials)

See also: Best DNS Server Monitoring and Troubleshooting Tools

How to Prevent Spoofing Attacks

Being able to prevent a spoofing attack is dependent entirely on the type of attack you experience. There are many different types of attack and each of these exploit different vulnerabilities on your network to take effect. As such, we’re going to discuss how you can prevent each kind of spoofing attack separately (as well as a general guide to preventing spoofing attacks).

As a universal rule, the only way to be protected against spoofing attacks is to stay vigilant and implement company policies that include measures to detect and respond to spoofing attacks when they occur. After all, the best cybersecurity policy in the world is worthless if it isn’t put into practice.

General Tips on How to Prevent Common Spoof Attacks

Confronting spoofing attacks is all about being proactive. There are a range of steps you can implement into your organization to keep yourself protected from spoofing attacks. Some of the main ways are shown below:

  • Packet Filtering – Packet filters inspect packets in transit. Packet filtering can help you to prevent IP address spoofing attacks because they block packets with incorrect source address information.
  • Stop using trust relationships – Trust relationships are where networks only use IP addresses to authenticate devices. Eliminating trust relationships provides an extra layer of security.
  • Deploy a spoof detection tool – Many vendors have produced spoof detection software in an attempt to limit the spread of ARP spoofing attacks. These tools are designed to inspect data and block data which isn’t legitimate.
  • Use encrypted protocols – Encrypting data in transit can be a great way to prevent attackers from being able to view or interact with data. HTTP Secure (HTTPS), Transport Layer Security (TLS), and Secure Shell (SSH) are protocols that can all keep cyber attackers away.
  • Deploy antivirus software on your devices – Using antivirus software on your devices will ensure that they can deal with any malicious software that has been planted.
  • Install firewalls on your network – A firewall will help to keep unwanted intruders out and ensure your network stays protected.
  • Start using VPNs – A VPN or a Virtual Private network encrypts data so that it cannot be read by an external party.

One of the key elements of prevention is awareness. In order to stay protected against spoofing attacks, you need to be aware of the risks associated with them. This comes with recognizing that trust-based authentication is a liability. Likewise, if you’re not monitoring your network traffic you can only guess that your network is behaving as it should be.

How to Prevent an ARP Spoofing Attack

ARP spoofing attacks appear quite complex on the surface but the methods you can use to prevent them are actually quite simple. Using a combination of VPNs, anti ARP spoofing tools and packet filtering is key to keeping these attacks at bay:

  • Use a Virtual Private Network (VPN) – Using a VPN will allow you to keep your traffic protected via encryption. This means that even if your network falls victim to ARP spoofing the attacker won’t be able to access any of your data because it has been encrypted.
  • Anti ARP Spoofing Tools – You can also download an anti ARP spoofing tool. Anti ARP spoofing tools can help to detect and fight off incoming ARP attacks. Tools like ARP AntiSpoofer and shARP are two popular anti-spoofing tools.
  • Packet Filtering – Packet filtering is used to filter incoming packets and prevent compromised packets from questionable sources. This means that if someone attempts to launch an ARP attack you will be able to fight it off.

How to Prevent an IP Spoofing Attack

Ensuring that all IP addresses present on your network are legitimate can be a tall task but it is manageable. Dealing with IP spoofing attacks is reliant upon making some key changes to your day-to-day operations:

  • Use an access control list – An access control list allows you to deny private IP addresses from interacting with your network. This will prevent many attacks from getting off the ground.
  • Packet Filtering – Packet filtering keeps coming up but is one of the best ways to control what traffic is permitted on your network. By filtering traffic you can block traffic from suspicious sources.
  • Authentication – Authenticating interactions between devices on your network will help to ensure that nothing has been spoofed.
  • Change Router and Switch Configurations – Configure your routers and switches to reject incoming packets from outside of the local network which are spoofing an internal origination.

How to Prevent a MAC Spoofing Attack

MAC spoofing is usually implemented to fool access control lists, packet filtering, and authentication processes. So, straightforward security measures won’t help to prevent this type of attack. Instead, use one of these techniques:

  • Alert-based traffic monitoring – Use a network monitor that enables the manager to set up customized alerts. Create an alert to detect for the same MAC address using two IP addresses.
  • Intrusion detection – Intrusion detection systems monitor for activities that are incompatible to the normal behavior of each user or device.

Reverse ARP – Use a tool that implements a Reverse Address Resolution Protocol routine recursively on all active MAC addresses. This will spot the same MAC address being associated with multiple IP addresses.

How to Prevent Email Spoofing Attacks

Though many of the tips above will help to prevent email spoofing attacks, there is a range of other concerns you should also take into account as well. To prevent email spoof attacks from damaging your operations it is a good idea to do the following:

  • Don’t open mail from unrecognized senders – If you don’t recognize the sender, then don’t open the email. This will help to prevent you from communicating with potential attackers
  • Ignore emails sent with your name in the sender form – Sometimes attackers will have the audacity to message you using your own name. Ignoring these messages is the only safe response.
  • Ignore emails sent without the name of the sender – If an email doesn’t have the name of the sender listed then don’t open or respond to it. This is a sign of a spoof attack.
  • Filter messages in your inbox – On your inbox settings, configure a filter to block out blank senders from your inbox. This will lower the risk of your accidentally clicking on a spoofed email.
  • Ignore emails that just have a link in the text body – A single ink within the text body is indicative of a malicious link so don’t open it!
  • Use an email authentication system – An email authentication system like SenderID or Send Policy Framework can ensure that the user you’re talking to is legitimate.

How to Prevent a DNS Spoofing Attack

DNS spoofing attacks rely on being able to capture packets and then create spoofed versions using the same identification number to fly under the radar. However, by putting in place a few measures you can drastically reduce the chances of a successful attack taking place.

  • Use an Antivirus Tool – An antivirus tool will help minimize the chance of an intruder accessing your network. Shutting down this window makes it much more difficult for attackers to capture and modify them without your noticing.
  • Use a Gateway Firewall or  IDS – You can also prevent attacks by investing in a gateway firewall or IDS. Using a firewall will allow you to fight off attacks by inspecting ARPs to identify DNS spoofing or DNS poisoning.
  • Encrypt Network Traffic – Encrypting network traffic makes it difficult for an attacker to interact with your network because it protects data.
  • Use DNSCrypt – DNSCrypt is a protocol that can be used to encrypt DNS traffic between the user and OpenDNS. Encrypting DNS traffic protects it from MITM attacks and DNS spoofing attacks. It comes with clients available for Windows, Mac OS, and Linux. 

Antivirus for Spoofing Attack Protection

A key point to look out for when choosing an anti-virus (AV) package is that traditional AVs just scan program code before allowing installation or watch for suspicious actions in software. They don’t have any procedures for guarding against spoofing attacks.

Look for a “next generation” AV or, even better, an “endpoint protection platform.” These two industry terms describe malware protection that expands beyond just maintaining a blacklist of software or behavior patterns. Next-generation AVs use machine learning to spot unusual activity without referring to standard databases of performance signatures or a blacklist of file names.

CrowdStrike Falcon

CrowdStrike Falcon AV dasboard

An endpoint protection platform blurs the boundaries between AV, firewall, and intrusion prevention systems. This is the kind of approach you need to combat all of the forms of spoofing that are practiced today. Take a look at CrowdStrike Falcon.

Why do we recommend it?

CrowdStrike Falcon is a platform of cyber security tools that provide a range of solutions to protect endpoints. The key element in all CrowdStrike Falcon solutions is the Falcon Prevent unit. This installs on endpoints and acts as a next-generation anti-virus and as an agent for the other elements in the platform, which are all cloud resident.

Who is it recommended for?

CrowdStrike Falcon is a hybrid solution and offers a range of options. The cloud part of the framework provides coordination between endpoint protection units, creating a private threat intelligence alliance. The CrowdStrike platform also offers an XDR option, which is a form of SIEM and detects threats.

Pros:

  • Excels in hybrid environments (Windows, Linux, Cloud, BYOD, etc)
  • Intuitive admin console makes it easy to get started and is accessible in the cloud
  • Can track and alert anomalous behavior over time, which improves the longer it monitors the network
  • Lightweight agents take up little system resources

Cons:

  • Would benefit from a longer trial period

This is a next-generation AV that is bundled into an endpoint protection platform. The system is based in the Cloud, so it doesn’t drag down your endpoints while analyzing activities. Monitoring of events on your on-site devices is implemented with agent software. CrowdStrike offers the Falcon system on a 15-day free trial.

Guide to Spoofing Attacks: Stay One Step Ahead of Attackers

Spoofing attacks are some of the most varied threats that confront modern organizations. Whereas many attacks all have certain patterns, spoof attacks come in many different forms each with their own threats and end goals. Sometimes the attacker is on the hunt for information and other times the attacker wants to DOS your key services into oblivion.

While you can’t stop every attack from making its way through, being aware of the threats and taking steps to limit the risks of an attacker making it through will help to keep your network online. Getting rid of blind trust and analyzing packets will make it that much more difficult for attackers to slip through undetected.

The most critical part of preventing spoofing attacks is making sure that you define a cybersecurity policy tailor-made with these attacks in mind. Making staff aware of spoofing attacks and the precautions they should take will help to ward off spoofing attacks that come your way.

Related: Best Network Monitoring Tools

How to Prevent Spoofing Attacks FAQs

Is spoofing a man-in-the-middle attack?

IP spoofing is an attempt to masquerade as a trusted correspondent, so it is an ideal strategy to use in a man-in-the-middle attack. In a MitM attack, a hacker intercepts a communication, usually posing as the server. The interception system spoofs the address of the server, fooling the client. In some instances, the MitM attack might also have to pose as the client in communications with the server to obtain the convincing output to return to the client.

Can spoofing lead to identity theft?

The main avenue for identity theft is phishing in emails. The phishing email pretends to be from an authority, such as a bank. Spoofing the email address that the email seems to be sent from can improve the believability of the phishing email

What's the difference between spoofing and phishing?

Spoofing involves placing a fake address in a communication, such as an IP address or an email address as the purported source of the communication. Phishing is a text-based strategy of masquerading, using words to convince the target of a fake identity.

When is spoofing illegal?

IP spoofing in and of itself is not illegal. It is often used as a valid method to generate traffic for capacity testing. Illegality occurs when someone uses spoofing to dupe another person. Think of it like a mask:  wearing a mask is not illegal, however, people who wear masks while robbing a bank are committing an illegal act.