SHREE LEARNING ACADEMY
MAC & IP Spoofing
MAC Spoofing
Physical addresses, Ethernet addresses, or hardware addresses are alternative names for MAC (media access control) addresses. A MAC address is usually a 48-bit binary number allocated to a network interface card (NIC) by its manufacturer. It is made up of two equal-sized parts: an organizationally unique identifier (OUI) and a NIC-specific number. The OUI is allocated to NIC vendors by the Institute of Electrical and Electronics Engineers (IEEE). After receiving an OUI from the IEEE, the vendor assigns its own NIC-specific number, which can encode the model, the build run, and a unique value for each device. The MAC address is then programmed into the NIC's ROM. Although the MAC address is initially read from the NIC's ROM, the Ethernet driver running in computer memory keeps a software copy of it in a configuration location such as a configuration file on Linux or the Registry on Windows.
By eavesdropping on a network, an attacker can observe the MAC addresses in use. One of these addresses can then be adopted to gain access to a system by modifying the software copy of the NIC's MAC address. After this modification, the Ethernet driver generates frames with the falsified MAC address instead of the one assigned by the manufacturer. This is why forging a MAC address is relatively easy.
MAC spoofing is employed to mimic another system, frequently an authorized or valid network device, to circumvent port security or MAC filtering restrictions. MAC filtering is a security measure designed to restrict or limit network access to devices with specific known MAC addresses. Its purpose is to prevent unauthorized machines from taking part in network communications. Despite this, a user-friendly Linux program known as macchanger can bypass this measure with just a few keystrokes.
Technitium MAC Address Changer simplifies MAC spoofing on the Windows platform. In Windows 10, changing your MAC address is possible if the device driver for your NIC supports it. You can check whether it is supported by viewing the Advanced tab of the adapter's device properties dialog box as shown in the figure. Hence, MAC filtering alone cannot provide complete security as it can be circumvented by MAC spoofing.
The following are countermeasures to MAC spoofing:
- Deploying intelligent switches that monitor for unusual MAC address activities and misuse.
- Implementing a NIDS that detects and flags any abnormal MAC address activities.
- Keeping a record of devices and their MAC addresses to verify the authorization of a device and to detect any unknown or rogue devices.
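The inventory and monitoring countermeasures above can be turned into a simple audit. The following is an added example, not code from the page: it splits each observed MAC into its OUI and NIC-specific halves, checks it against a constructed inventory, and flags any MAC that a switch reports on more than one port. It also applies one check the page does not mention, the IEEE locally administered (U/L) bit, which burned-in vendor MACs leave clear. All MAC values, port names and the inventory are constructed.

```python
import re
from collections import defaultdict

# Constructed inventory of authorized devices (MAC -> name); all MACs invented.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": "file-server",
    "00:1a:2b:3c:4d:5f": "printer",
    "3c:52:82:aa:bb:cc": "workstation-01",
}
# Constructed switch MAC-table dump: one "<port> <mac>" pair per line.
OBSERVATIONS = """\
Gi0/1 00:1a:2b:3c:4d:5e
Gi0/2 00:1a:2b:3c:4d:5f
Gi0/3 3c:52:82:aa:bb:cc
Gi0/7 3c:52:82:aa:bb:cc
Gi0/9 02:00:5e:11:22:33
"""
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")

def split_mac(mac):
    """Return the (OUI, NIC-specific) halves of a 48-bit MAC, 24 bits each."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError("malformed MAC: " + mac)
    octets = mac.split(":")
    return ":".join(octets[:3]), ":".join(octets[3:])

def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of octet 0) is set: vendor burned-in MACs
    leave it clear, software-assigned ones often set it (check not on the page)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(observations, inventory):
    """Flag unknown MACs, locally administered MACs, and MACs seen on >1 port."""
    ports = defaultdict(set)
    findings = set()
    for line in observations.splitlines():
        port, mac = line.split()
        oui, _nic = split_mac(mac)   # also validates the format
        mac = mac.lower()
        ports[mac].add(port)
        if mac not in inventory:
            findings.add((mac, "not in inventory (OUI %s)" % oui))
        if is_locally_administered(mac):
            findings.add((mac, "locally administered bit set"))
    for mac, seen in ports.items():
        if len(seen) > 1:   # same MAC on two ports: duplicate or spoofed
            findings.add((mac, "seen on ports " + ",".join(sorted(seen))))
    return sorted(findings)
```

A MAC on two ports is only a symptom; confirm with the switch's port history before acting, because a host that moved ports looks the same.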
IP Spoofing
IP spoofing is a technique that alters the source address field of network packets. This can make it difficult for victims to identify the true attackers or originators of a communication. In addition, when the source address is spoofed, the attacker can redirect packet responses, replies, and echoes to a different system. Smurf, Fraggle, and land DoS attacks all rely on this.
IP spoofing can be classified into three primary types. The first method involves generating IP packets for an attack, where the source IP address is set to that of an unrelated and uninvolved third party. This form of IP spoofing creates simplex or one-way communication for the attacker, where any response from the primary victim will be directed to the innocent third party. The logs pertaining to the attack incident will indicate the third-party device, which is innocent, as the one responsible.
Another approach involves disconnecting the owner or user of an IP address through a denial-of-service (DoS) attack and then assuming that IP address temporarily on the attacker's system. This creates a two-way communication channel for the attacker to access information from the main target. After the attack concludes, the IP address returns to its original usage by the authentic system. Nevertheless, the log files attribute the attack to the unsuspecting third party who was originally assigned the IP address, rather than the malicious system.
A third approach is to use an IP address within the subnet that is presently unallocated to any legitimate authorized system. This technique also gives the attacker two-way communication. However, the records show that the origin of the attack was an unassigned address, which strongly suggests that a malicious device was using the address to carry out the assault.
The measures to prevent IP spoofing attacks consist of the following:
- Drop any inbound packet that a border system receives with a source address from inside your private network, as this is an indication of IP spoofing.
- Drop any outbound packet that a border system receives with a source address from outside your private network, which can also be an indication of spoofing.
- Drop any packet whose header carries a LAN address that has not been officially issued to a valid system.
- Run a NIDS that detects any alterations in the usage of an IP address.
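The three filtering rules above are normally written as ACLs on the border router; the following is an added example, not code from the page, that implements the same decisions in Python so they can be checked against constructed traffic. The private ranges, the set of issued internal addresses, and the sample log lines are all constructed, and the outside hosts use documentation (TEST-NET) addresses.

```python
import ipaddress

# Constructed address plan: the private ranges this border protects, and the
# internal addresses actually issued to authorized systems.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ASSIGNED = {ipaddress.ip_address(a)
            for a in ("10.0.0.5", "10.0.0.9", "192.168.1.20")}

def is_internal(addr):
    """True if addr falls inside one of our private networks."""
    return any(addr in net for net in INTERNAL_NETS)

def border_filter(direction, src):
    """Decide (action, reason) for a packet crossing the border device.

    direction is "in" (arriving from outside) or "out" (leaving the LAN).
    Rule 1: inbound packets must not claim an internal source.
    Rule 2: outbound packets must not claim an external source.
    Rule 3: an internal source must be an address actually issued to a host.
    """
    src = ipaddress.ip_address(src)
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    internal = is_internal(src)
    if direction == "in" and internal:
        return "drop", "inbound packet with internal source (spoofed)"
    if direction == "out" and not internal:
        return "drop", "outbound packet with external source (spoofed)"
    if internal and src not in ASSIGNED:
        return "drop", "internal source address not issued to any host"
    return "accept", "source consistent with direction"

def filter_log(lines):
    """Run border_filter over constructed '<direction> <src>' log lines."""
    return [(line, *border_filter(*line.split())) for line in lines.splitlines()]

# Constructed sample traffic: TEST-NET ranges stand in for outside hosts.
SAMPLE = """\
in 203.0.113.7
in 10.0.0.5
out 10.0.0.9
out 10.0.0.200
out 198.51.100.4
"""
```

Rule 3 depends on the inventory of issued addresses being current; a stale ASSIGNED set will drop traffic from newly provisioned hosts.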