68 Chapter 2 • General Security Concepts: Attacks
sequence to insert into connections, or to intercept communications that are
encrypted during transit.
Replay Attacks
In a replay attack, a malicious person captures an amount of legitimate traffic, and
then simply retransmits it to the host in an attempt to repeat the transaction.
For example, consider an electronic money transfer. User A transfers a sum of
money to Bank B. Malicious User C captures User A's network traffic, then replays
the transaction in an attempt to cause it to be repeated multiple times.
Obviously, User C gains nothing directly from this, but User A could lose
money. Note that User C does not need to decrypt or forge anything: the captured
request was valid once, and the attack succeeds whenever the server cannot tell a
second copy from the first. Replaying data into an existing TCP connection is made
harder by the difficulty of predicting TCP sequence numbers. However, it has been
proven, especially in older OSes, that the formula for generating initial TCP
sequence numbers isn't truly random or even that difficult to predict, which
makes this attack possible. Sequence numbers also provide no protection when the
attacker simply opens a new connection and resends the captured application data,
so the application or protocol itself must be able to recognize a repeated message.
Another potential scenario for a replay attack is this: an attacker replays the
captured data with all potential sequence numbers, in hopes of getting lucky and
hitting the right one, thus causing the user's connection to drop, or in some cases,
inserting arbitrary data into the session.
As with MITM attacks, the use of random TCP sequence numbers and encryption
such as Secure Shell (SSH) or Internet Protocol Security (IPsec) can help defend
against this problem. Including a timestamp, a counter, or a one-time nonce in each
message also helps defend against replay attacks, because the receiver can then
recognize a repeated or stale message and discard it.
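The money-transfer scenario above, worked through in code as an added example (not code from the study guide): a naive bank server that only checks a message authentication code honours every copy of User A's captured request, while a hardened server that also checks a timestamp and a nonce accepts the first copy and rejects the replays. The protocol, shared key, account names and fixed clock are all constructed for the illustration.

```python
"""Replay of a captured transfer request: a naive server honours every copy,
a hardened server rejects repeats by checking a timestamp and a nonce.

Added example; the protocol, key and account data are constructed for
illustration and are not from any real banking system."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret between User A's client and Bank B's server.
SHARED_KEY = b"user-a/bank-b shared secret (example only)"


def sign(body: dict, key: bytes) -> bytes:
    """HMAC over a canonical JSON encoding of the request body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def make_transfer(src: str, dst: str, amount: int, now=time.time) -> bytes:
    """User A's client: build and authenticate one transfer request."""
    body = {"from": src, "to": dst, "amount": amount,
            "ts": int(now()), "nonce": secrets.token_hex(8)}
    return json.dumps({"body": body, "mac": sign(body, SHARED_KEY).hex()}).encode()


class NaiveBank:
    """Checks only the MAC. A captured request verifies just as well the second time."""

    def __init__(self):
        self.balances = {"A": 1000, "B": 0}

    def _verify(self, wire: bytes):
        req = json.loads(wire)
        body, mac = req["body"], bytes.fromhex(req["mac"])
        if not hmac.compare_digest(mac, sign(body, SHARED_KEY)):
            return None
        return body

    def _apply(self, body: dict) -> None:
        self.balances[body["from"]] -= body["amount"]
        self.balances[body["to"]] += body["amount"]

    def handle(self, wire: bytes) -> bool:
        body = self._verify(wire)
        if body is None:
            return False
        self._apply(body)
        return True


class HardenedBank(NaiveBank):
    """Same MAC check, plus: the timestamp must be fresh and the nonce unseen
    within the freshness window. The window bounds how long nonces are kept."""

    WINDOW = 30  # seconds of allowed clock skew / network delay

    def __init__(self, now=time.time):
        super().__init__()
        self.now = now
        self.seen = {}  # nonce -> timestamp it was accepted with

    def handle(self, wire: bytes) -> bool:
        body = self._verify(wire)
        if body is None:
            return False
        current = self.now()
        if abs(current - body["ts"]) > self.WINDOW:
            return False  # stale (or future-dated) request
        # Forget nonces that have aged out; a replay that old fails the time check anyway.
        self.seen = {n: t for n, t in self.seen.items() if current - t <= self.WINDOW}
        if body["nonce"] in self.seen:
            return False  # replay within the window
        self.seen[body["nonce"]] = body["ts"]
        self._apply(body)
        return True


def demo() -> dict:
    """Run User A's transfer once, then User C's three replays, against both servers."""
    clock = [1_700_000_000]  # constructed fixed clock so the run is deterministic
    now = lambda: clock[0]
    wire = make_transfer("A", "B", 100, now)  # the bytes User C captures on the wire

    naive = NaiveBank()
    naive_first = naive.handle(wire)
    naive_replays = [naive.handle(wire) for _ in range(3)]

    hardened = HardenedBank(now)
    hardened_first = hardened.handle(wire)
    hardened_replays = [hardened.handle(wire) for _ in range(3)]

    # Replaying the same capture an hour later fails the timestamp check as well.
    clock[0] += 3600
    hardened_late = hardened.handle(wire)

    return {
        "naive_first": naive_first, "naive_replays": naive_replays,
        "naive_balances": dict(naive.balances),
        "hardened_first": hardened_first, "hardened_replays": hardened_replays,
        "hardened_late": hardened_late,
        "hardened_balances": dict(hardened.balances),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

User C never touches the key: the replayed bytes carry a MAC that is still correct, which is why integrity protection alone does not stop a replay. TCP sequence numbers do not enter into it either, because each replay is sent over a fresh connection; only the nonce and timestamp inside the message let Bank B tell the copies apart.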
Spoofing Attacks
Spoofing means providing false information about your identity in order to gain
unauthorized access to systems, or, in even simpler terms, pretending to be
someone you are not. These attacks can take the form of IP, e-mail, or Web site spoofing.
IP Spoofing
The most classic example of spoofing is IP spoofing. TCP/IP requires that every
host fill in its own source address on packets, and there are almost no measures in
place to stop hosts from lying. Spoofing, by definition, is always intentional.
However, some malfunctions and misconfigurations can cause the exact same effect
as an intentional spoof, which makes it difficult to determine whether an incorrect
address indicates a spoof.
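The point that the source address is simply a field the sending host fills in, shown as an added example that is not from the study guide: the code packs an IPv4 header with whatever source address the caller names, and the header checksum verifies just as well for a forged source as for an honest one, because the checksum protects the header against corruption, not against lying. The example goes slightly beyond the text by adding the ingress check a router can apply, rejecting a packet whose source address could not legitimately arrive on that interface. The addresses come from the RFC 1918 and RFC 5737 example ranges, and the interface-to-prefix mapping is constructed for the illustration; the code only builds header bytes in memory and does not send anything.

```python
"""An IPv4 header whose source address is simply whatever the sender wrote,
and the ingress check a router can apply to catch an implausible source.

Added example: addresses are from the RFC 1918 and RFC 5737 example ranges,
and the interface-to-prefix mapping is constructed for illustration."""
import ipaddress
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int = 0,
                      proto: int = 6, ttl: int = 64, ident: int = 0) -> bytes:
    """Pack a header. The source field is filled from the caller's argument;
    nothing in the format checks that it is the sender's real address."""
    version_ihl = (4 << 4) | 5  # IPv4, header length 5 x 32-bit words
    hdr = IPV4_HDR.pack(version_ihl, 0, 20 + payload_len, ident, 0, ttl, proto,
                        0,  # checksum placeholder, filled in below
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Unpack the fixed header and verify its checksum (a valid header sums to 0)."""
    version_ihl, _, total_len, ident, _, ttl, proto, _, src, dst = IPV4_HDR.unpack(pkt[:20])
    return {
        "version": version_ihl >> 4,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "proto": proto,
        "total_len": total_len,
        "checksum_ok": ipv4_checksum(pkt[:20]) == 0,
    }


def source_is_plausible(pkt: bytes, interface_prefixes) -> bool:
    """Ingress filter: accept the packet only if its source address belongs to a
    prefix that can legitimately arrive on this interface (the BCP 38 idea).
    A valid checksum says nothing about who sent it; only topology can."""
    src = ipaddress.IPv4Address(parse_ipv4_header(pkt)["src"])
    return any(src in ipaddress.IPv4Network(p) for p in interface_prefixes)


# Constructed topology: the Internet-facing interface should only ever see
# sources from the customer block 203.0.113.0/24; 10.0.0.0/8 lives inside.
EXTERNAL_IF_PREFIXES = ["203.0.113.0/24"]


def demo() -> dict:
    target = "198.51.100.10"
    honest = build_ipv4_header("203.0.113.7", target, payload_len=40)
    # The "attacker" just writes an internal address into the source field.
    forged = build_ipv4_header("10.0.0.5", target, payload_len=40)
    # Changing a byte after the header was sealed does break the checksum:
    corrupted = bytearray(forged)
    corrupted[8] ^= 0x01  # flip the low bit of the TTL
    return {
        "honest_src": parse_ipv4_header(honest)["src"],
        "forged_src": parse_ipv4_header(forged)["src"],
        "forged_checksum_ok": parse_ipv4_header(forged)["checksum_ok"],
        "corrupted_checksum_ok": parse_ipv4_header(bytes(corrupted))["checksum_ok"],
        "honest_passes_filter": source_is_plausible(honest, EXTERNAL_IF_PREFIXES),
        "forged_passes_filter": source_is_plausible(forged, EXTERNAL_IF_PREFIXES),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The forged header passes every check the format itself offers; what catches it is the filter's knowledge of which addresses belong behind which interface. Actually emitting such a packet would require a raw socket and the privileges that go with it, which the example deliberately does not do.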
Spoofing is really easy and is a result of some inherent flaws in TCP/IP. TCP/IP
basically assumes that all computers are telling the truth. There is little or no
www.syngress.com