
CHAPTER – 1

1.1 Introduction

In the context of information security, and especially network security, a spoofing
attack is a situation in which a person or program successfully masquerades as another
by falsifying data, to gain an illegitimate advantage.

Just like real-world criminals and con artists, online thieves can use impersonation as
a means to steal important information or get access to bank accounts. This practice is
called spoofing — an umbrella term that includes IP address spoofing (sending
messages to a computer using an IP address that makes it look as if the message is
coming from a trusted source), email spoofing (forging an e-mail header to make it
look like it came from somewhere or someone other than the actual source) and DNS
spoofing (modifying the DNS server in order to reroute a specific domain name to a
different IP address).

Spoofing is a type of technological impersonation that seeks to fool either a network
or a human into believing that the source of some information is trustworthy, when it’s
anything but. Hackers, for example, might spoof email to you, sending messages
disguised as coming from someone you trust as a way to get you to hand over
sensitive data. Or, they might try IP spoofing and DNS spoofing to trick your network
itself into leading you to fraudulent sites that will infect your computer.

1.2 Research Objectives

1) To study spoofing and its various kinds.

2) To analyze the effect of spoofing as an offence and how to prevent it.

1.3 Literature Review

Books –

1) Talat Fatima, Cyber Crimes, 2nd Edition, Eastern Book Company

This book is an authoritative commentary on the subject. It identifies special
legal problems which the internet has created and examines the ways in which
these are dealt with under Indian law.

2) Dr. Farooq Ahmad, Cyber Law in India (Law on Internet), New Era Law
Publications

This book critically examines the provisions of the IT Act. It also analyzes the
scope of electronic commerce in the light of the IT Act and the Indian Contract Act,
and the problems and emerging crimes that have been developing in cyberspace,
addressing them in the present-day context.

1.4 Research Methodology

Given the nature of this study, this research project has been written using the doctrinal
or principled method of research, which involves the collection of data from
secondary sources, such as articles found in journals and on websites.

1.5 Source of Data

Accumulation of the information on the topic includes various secondary sources
such as books, e-articles, etc. The matter from these sources has been compiled and
analysed to understand the topic in a better way.

CHAPTER – 2

2.1 Spoofing – A Contextual Outline

The word spoof, according to Merriam-Webster, means to deceive, or a hoax. This
definition is relevant in cyber law as well. Spoofing, in general, is a fraudulent or
malicious practice in which communication is sent from an unknown source disguised
as a source known to the receiver. Spoofing is most prevalent in communication
mechanisms that lack a high level of security.

Spoofing is a malicious practice employed by cyber scammers and hackers to
deceive systems, individuals, and organizations into perceiving something to be what
it is not. Communication is initiated by the spoofer to the victim or system from an
unknown source but disguised to present itself as an authentic and safe sender. If you
have ever received an email from a seemingly familiar source asking you to update
your profile details because some supposed system upgrade was necessary, then you have
experienced spoofing.

Spoofing is covered in India under sections 416 [1], 417 [2] and 463 [3] of the Indian Penal Code,
1860.

A spoofing attack is when an attacker or malicious program successfully acts on
another person’s (or program’s) behalf by falsifying data.

It takes place when the attacker pretends to be someone else (or another computer,
device, etc.) on a network in order to trick other computers, devices or people into
performing legitimate actions or giving up sensitive data. Some common types of
spoofing attacks include ARP spoofing, DNS spoofing and IP address spoofing. These
types of spoofing attacks are typically used to attack networks, spread malware and to
access confidential information and data.

[1] Cheating by personation.
[2] Punishment for cheating.
[3] Forgery.

How does spoofing work? [4] It’s pretty simple. Consider the practice of CEO fraud:
using email software, spoofers change the sender’s name, address, and source IP (the
computer’s equivalent of a social security number) to make it appear as if the email is from a
company’s CEO. With either an alluring or generic header, the email travels to the
receiver’s inbox.

In this example, the hackers hope to trick the recipient into transferring funds or handing over
sensitive information, believing they are following the CEO’s instructions. The
average employee receives 121 emails each day, so a spoofed email stands a decent
chance of bypassing filters and going unnoticed—especially considering that 54.8
and 66.4 percent of U.S. companies have poor SPF (Sender Policy Framework) and
DKIM (DomainKeys Identified Mail) practices, respectively.

While CEO is the most frequently spoofed job position, according to a recent study,
managing director comes in a not-so-close second. CFO and finance director also are
among the most targeted positions.

In a high-profile case from January, the U.S. Commodity Futures Trading
Commission filed anti-spoofing actions against three banks and six individuals. One of
the targets, the well-known German bank Deutsche Bank, allegedly used
numerous manual spoofing techniques to manipulate the prices of precious metals
futures contracts. (The “spoofing” in these cases is the market-manipulation practice
of the same name, placing orders with the intention of cancelling them, rather than
the network impersonation discussed elsewhere in this project.)

As you can see, spoofing can be dangerous if left unchecked. Not only can it harm the
economy by targeting individual SMBs, but it can influence national markets. In
2016, a London-based futures trader pleaded guilty to U.S. fraud and spoofing charges
in connection with a multiple-year scheme that contributed to the 2010 “flash crash,”
when the Dow Jones Industrial Average plunged 600 points in five minutes.

Of course, not all spoofing activity is rooted in the workplace. Another study revealed
that more than 50 percent of open-access journals accepted a spoofed medical paper
that was filled with errors.

[4] Elizabeth Mack, Spoofing Attacks and How to Prevent Them,
https://www.springboard.com/blog/spoofing-attacks (Last Updated, June 7, 2018)

2.1.1 How do you recognize Spoofing?

Email spoofing is the easiest to recognize as it targets users directly. Any strange
email that requests sensitive information could be a spoof, especially if it asks for
usernames and passwords. Remember, legitimate sites will never ask for these. You
can also check the email address to make sure it’s from a legitimate account.
However, you may never know if you’re the victim of IP or DNS spoofing, although
keeping a keen eye out for small changes or unusual behaviour could clue you in. When
in doubt, it’s better to play it safe to keep from making any disastrous mistakes.

Since spoofing is a type of impersonation, it’s not really something you can remove.
Instead, you can protect yourself by using a little bit of common sense and discretion
when browsing or answering emails, even if you think they’re trustworthy.

Email spoofing is one of the best known spoofs. Since core SMTP fails to offer
authentication, it is simple to forge and impersonate emails. Spoofed emails may
request personal information and may appear to be from a known sender. Such emails
request the recipient to reply with an account number for verification. The email
spoofer then uses this account number for identity theft purposes, such as accessing
the victim's bank account, changing contact details and so on.

The attacker (or spoofer) knows that if the recipient receives a spoofed email that
appears to be from a known source, it is likely to be opened and acted upon. So a
spoofed email may also contain additional threats like Trojans or other viruses. These
programs can cause significant computer damage by triggering unexpected activities,
remote access, deletion of files and more.

CHAPTER – 3

3.1 Various Kinds of Spoofing

1) IP Spoofing

IP (Internet Protocol) operates at the third (network) layer of the OSI model. It is the network
protocol used for the transmission of messages over the internet.
Every email message sent has, in its header, the IP address of
the sender (the source address). Hackers and scammers alter the header details to
mask their true identity by editing the source address. The emails then appear to
have been transmitted by a trusted source.

There are many types of IP Spoofing –

• Non-blind Spoofing – This type of attack takes place when the attacker is on
the same subnet as the victim. The sequence and acknowledgement numbers
can be sniffed, eliminating the potential difficulty of calculating them
accurately. The biggest threat of spoofing in this instance would be session
hijacking. This is accomplished by corrupting the data stream of an
established connection, then re-establishing it based on correct sequence and
acknowledgement numbers with the attack machine. Using this technique, an
attacker could effectively bypass any authentication measures taken to
build the connection.

• Blind Spoofing – This is a more sophisticated attack, because the sequence
and acknowledgement numbers are unreachable. In order to circumvent this,
several packets are sent to the target machine in order to sample sequence
numbers. While not the case today, machines in the past used basic
techniques for generating sequence numbers. It was relatively easy to
discover the exact formula by studying packets and TCP sessions. Today,
most OSes implement random sequence number generation, making it
difficult to predict them accurately. If, however, the sequence number was
compromised, data could be sent to the target. Several years ago, many machines
used host-based authentication services (e.g. rlogin). A properly crafted
attack could add the requisite data to a system (e.g. a new user account)
blindly, enabling full access for the attacker who was impersonating a trusted
host.

• Man in the Middle Attacks – As the name suggests, communication between
the original sender of the message and the desired recipient is intercepted.
The content of the message is then modified without the knowledge of either
party. The attacker feeds the packet with his own message. The victim is
deceived into thinking the contents of the message are authentic.

The malicious host controls the flow of communication and can eliminate or
alter the information sent by one of the original participants without the
knowledge of either the original sender or the recipient. In this way, an attacker
can fool a victim into disclosing confidential information by “spoofing” the
identity of the original sender, who is presumably trusted by the recipient.

• Denial of Service Attack – In this practice, the message packet between the
sender and the recipient is intercepted and the source address is spoofed. The
connection is literally hijacked. The recipient is then flooded with more
packets than their bandwidth or resources can handle. This overloads and
effectively shuts down the victim's system.

Being a significant part of the network, India too can be a victim or a source
of a DoS attack [5]. Though the said attack is not made a criminal offence
under the Act, it is included in Chapter IX, and Section 43(f) defines it:

Section 43 – If any person without permission of the owner or any other
person who is in charge of a computer, computer system or computer
network –

(f) denies or causes the denial of access to any person authorized to access
any computer, computer system or computer network by any means.

Thus, this sub-section read with section 66 makes it an offence.

IP spoofing is almost always used in what is currently one of the most
difficult attacks to defend against – denial of service attacks. Since crackers
are concerned only with consuming bandwidth and resources, they do not worry
about properly completing handshakes and transactions. Rather, they wish to
flood the victim with as many packets as possible in a short amount of time.
In order to prolong the effectiveness of the attack, they spoof source IP
addresses to make tracing and stopping the DoS as difficult as possible.
When multiple compromised hosts are participating in the attack, all sending
spoofed traffic, it is very challenging to quickly block traffic.

[5] Talat Fatima, Cyber Crimes, 2nd edition, Eastern Book Company, p. 195.

2) ARP Spoofing

The Address Resolution Protocol (ARP) is a protocol used to translate IP
addresses into Media Access Control (MAC) addresses so that frames can be properly
transmitted. In short, the protocol maps an IP address to a physical machine
address.

This type of spoofing attack occurs when a malicious attacker links the
attacker’s own MAC address with the IP address of a computer on a company’s network. This
allows the attacker to intercept data intended for the company computer. ARP
spoofing attacks can lead to data theft and deletion, compromised accounts and
other malicious consequences. ARP spoofing can also be used for DoS, hijacking and
other types of attacks.

LANs (Local Area Networks) that use the Address Resolution Protocol (ARP) are
susceptible to ARP spoofing attacks. ARP is used for the resolution of IP
addresses on a network to MAC (Media Access Control) addresses. In this
instance, the malicious party transmits spoofed ARP messages across the local
network. A spoofed reply maps the attacker’s MAC address to the victim’s IP address. This
information is used to intercept messages for the intended host. The attack
results in messages intended for the host being sent to the malicious third party.

There are three types of ARP spoofing:

• Man-In-The-Middle Attacks: These involve traffic modifications.

• Denial-of-Service Attacks: These involve a fake MAC address attached to the
user’s default gateway.

• Passive Sniffing: This happens when traffic bound for the user’s default
gateway is sent through the attacker’s address and read without being altered.

There also are useful, non-malicious usages for ARP spoofing, such as hotels
utilizing the technique to allow guests to access the Internet from their laptops.
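A small detector for the ARP spoofing pattern described above, added here as an example (it is not code from the report or from any product it mentions). It assumes a feed of already-parsed ARP replies; the replies, IP addresses and MAC addresses below are constructed.

```python
"""ARP spoofing detector: an added example, not code from the original report.

It consumes a stream of ARP replies (constructed below) and raises an alert when
an IP address that was announced by one MAC address is suddenly announced by a
different MAC, or when a single MAC claims to own several IP addresses. Both
patterns are what an ARP spoofing attack on a LAN looks like from the wire; a
change of the default gateway's MAC is treated as the most serious case.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # IP address the reply claims to own
    sender_mac: str   # MAC address it says that IP belongs to


class ArpWatch:
    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.table = {}                  # ip -> mac learned from earlier replies
        self.claims = defaultdict(set)   # mac -> set of IPs it has claimed
        self.alerts = []

    def observe(self, reply):
        """Record one ARP reply; return the list of alerts it triggered."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        new_alerts = []
        known = self.table.get(ip)
        if known is not None and known != mac:
            severity = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            new_alerts.append(f"{severity}: {ip} moved from {known} to {mac}")
        self.table[ip] = mac
        if ip not in self.claims[mac]:
            self.claims[mac].add(ip)
            if len(self.claims[mac]) > 1:
                owned = ", ".join(sorted(self.claims[mac]))
                new_alerts.append(f"WARNING: {mac} now claims {owned}")
        self.alerts.extend(new_alerts)
        return new_alerts


def analyse(replies, gateway_ip):
    """Feed every reply through the watcher and return all alerts in order."""
    watch = ArpWatch(gateway_ip)
    for reply in replies:
        watch.observe(reply)
    return watch.alerts


# Constructed sample traffic: a legitimate gateway (.1), a victim (.20) and an
# attacker host (.30) that then claims both the gateway's and the victim's IP.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply("192.168.1.20", "aa:aa:aa:aa:aa:20"),
    ArpReply("192.168.1.30", "aa:aa:aa:aa:aa:30"),
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:30"),   # attacker poses as gateway
    ArpReply("192.168.1.20", "aa:aa:aa:aa:aa:30"),  # attacker poses as victim
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:01"),   # real gateway answers again
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_REPLIES, gateway_ip="192.168.1.1"):
        print(line)
```

A host whose address legitimately changes (for example through DHCP) or a hotel-style captive portal will produce a one-off warning, so alerts should be reviewed against the known device inventory rather than blocked on automatically.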

3) DNS Spoofing Attack – The Domain Name System (DNS) is responsible for
associating domain names with the correct IP addresses. When a user types in a
domain name, the DNS system maps that name to an IP address,
allowing the visitor to connect to the correct server. For a DNS spoofing attack
to be successful, a malicious attacker reroutes the DNS translation so that it
points to a different server, which is typically infected with malware and can be
used to help spread viruses and worms. The DNS server spoofing attack is also
sometimes referred to as DNS cache poisoning, due to the lasting effect when a
server caches the malicious DNS responses and serves them up each time the
same request is sent to that server.

Thanks to the DNS server, you do not have to remember Yahoo!’s or AOL’s IP
addresses, much less any other domain’s. The DNS (domain name system)
server is a database made up of public IP addresses and corresponding
hostnames. DNS spoofing occurs when hackers mix these up. Instead of going
to Google’s search page when you enter the appropriate URL, hackers direct you
to a spoofed domain.

Google is in the process of removing spoofed domains from its search engine,
but keeping an eye out for inconsistencies and errors on sites helps to identify
DNS spoofing.
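The following is an added example (not from the report) of how a resolver can refuse forged answers and so avoid poisoning its cache: it accepts a response only if it matches an outstanding query on transaction ID, local port, server and question, and caches only records for the name it asked about. The Query and Response classes and the sample messages are constructed stand-ins for parsed DNS packets.

```python
"""DNS response validation and cache: an added example, not the report's own code.

A resolver that caches whatever answer arrives first is what DNS cache poisoning
exploits. This class accepts a response only if it matches a query that is still
outstanding (same transaction ID, local port, server and question) and caches
only records for the name actually asked about, a stricter form of the
"bailiwick" rule real resolvers apply. Messages are constructed dataclasses.
"""
import time
from dataclasses import dataclass, field

@dataclass
class Query:
    txid: int
    qname: str
    qtype: str
    server: tuple      # (ip, port) the query was sent to
    src_port: int      # randomised local port the query left from

@dataclass
class Response:
    txid: int
    qname: str
    qtype: str
    server: tuple      # (ip, port) the response came from
    dst_port: int      # local port the response arrived on
    answers: list = field(default_factory=list)   # (name, type, ttl, value)

class SafeCache:
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}    # (txid, local port) -> Query
        self.cache = {}      # (name, type) -> (value, expiry time)
        self.rejected = []   # (response, reason), for logging

    def send(self, query):
        self.pending[(query.txid, query.src_port)] = query

    def receive(self, resp):
        """Validate a response; return True if at least one record was cached."""
        key = (resp.txid, resp.dst_port)
        query = self.pending.get(key)
        if query is None:
            self.rejected.append((resp, "no outstanding query with this id/port"))
            return False
        if resp.server != query.server or (resp.qname, resp.qtype) != (query.qname, query.qtype):
            self.rejected.append((resp, "server or question mismatch"))
            return False
        del self.pending[key]            # one answer per query; replays are refused
        accepted = 0
        for name, rtype, ttl, value in resp.answers:
            if name.lower() != query.qname.lower():
                self.rejected.append((resp, f"out-of-bailiwick record for {name}"))
                continue
            self.cache[(name.lower(), rtype)] = (value, self.now() + ttl)
            accepted += 1
        return accepted > 0

    def lookup(self, name, rtype):
        entry = self.cache.get((name.lower(), rtype))
        if entry is None or entry[1] <= self.now():
            return None
        return entry[0]

# Constructed exchange: one query, a forged reply that guessed the transaction
# ID but not the local port, and the genuine reply carrying an extra record.
QUERY = Query(0x1A2B, "www.example.com", "A", ("192.0.2.53", 53), 40123)
FORGED = Response(0x1A2B, "www.example.com", "A", ("192.0.2.53", 53), 40124,
                  [("www.example.com", "A", 86400, "198.51.100.66")])
GENUINE = Response(0x1A2B, "www.example.com", "A", ("192.0.2.53", 53), 40123,
                   [("www.example.com", "A", 300, "93.184.216.34"),
                    ("login.example.net", "A", 86400, "198.51.100.66")])
```

The random local port and transaction ID together are what make a forged reply unlikely to match; the bailiwick check stops an otherwise valid reply from planting a record for an unrelated name.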

4) Content Spoofing – Content spoofing is a hacking technique used to lure a user
onto a website that looks legitimate, but is actually an elaborate copy. Hackers
looking to spoof content use dynamic HTML and frames to create a website
with the expected URL and a similar appearance, and then prompt the user for
personal information. Content spoofing is also common with email alerts,
account notifications and so on.

A hacker can design a web page very similar to that of any legitimate website
and then use that facade to collect the information that users usually input into
that page. This can be relatively harmless data such as an email address or the
username and password for that particular site. However, content spoofing can
dupe people into revealing more sensitive information like bank account
numbers, Social Security numbers, birth dates, credit card numbers, mailing
addresses and so on.

Content spoofing by itself is not inherently harmful, but the identity theft that
may follow can be devastating and difficult to reverse. The best way to avoid
these false websites is to question even seemingly legitimate emails from
trusted sites.

5) Email Spoofing – Email spoofing is a fraudulent email activity that hides the email’s
origins. The act of e-mail spoofing occurs when imposters are able to deliver
emails by altering the emails’ sender information. Although this is usually done by
spammers and through phishing emails for advertising purposes, email
spoofing can have malicious motives such as virus spreading or attempts to
gain personal banking information. Simple Mail Transfer Protocol (SMTP)
does not provide any type of authentication process for persons sending emails.
Yet, it is the primary email system for most people, facilitating email spoofing.
Nowadays, most email servers can provide further security, and many
software vendors have created products remedying this problem.

There are very few legitimate reasons for email spoofing to exist. Whistle
blowing, or reporting an immoral or illegal activity, may prompt an individual
to engage in email spoofing and remain anonymous. However, the most common
reasons for email spoofing involve advertising, and those are merely considered
nuisances. Unfortunately, misleading or corrupt emails are more common than
legitimately spoofed emails.

Spammers use an open relay as a method for sending email spoofs. An incorrectly
configured SMTP server, known as an open relay, is vulnerable to use by
spammers since it is easy to manipulate the To and From fields of the emails. This
lends itself well to those who send spam and phishing emails.

Some U.S. states are beginning to enact laws against email spoofing under which the
use of third-party email addresses is a crime. Another legislative safeguard against email
spoofing is the CAN-SPAM Act, which prohibits unsolicited emails containing
false headers or misleading subject lines. Yet the irony of this law is
evident when one considers that the act of spoofing deliberately disguises the
real sender’s identity. This can cause problems when trying to identify and stop
those responsible for the email spoofing. Even so, the Federal Trade
Commission encourages reporting instances of email spoofing.
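As an added example (not the report’s own code) tying together the SPF statistics quoted in chapter 2 and the absence of sender authentication in SMTP described above, here is a simplified SPF evaluator of the kind a receiving mail server runs. The TXT records and IP addresses are constructed, and mechanisms that require DNS lookups (a, mx, ptr, exists) are skipped rather than resolved.

```python
"""Simplified SPF evaluator: an added example, not code from the original report.

SMTP never verifies who a message claims to be from, which is what email
spoofing exploits. SPF lets a domain publish, in a DNS TXT record, the addresses
allowed to send mail for it, and the receiving server compares the connecting
IP against that record. This evaluator handles the ip4, ip6, include and all
mechanisms with the four qualifiers; it reads records from a constructed
dictionary instead of live DNS and skips mechanisms that need DNS lookups.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records standing in for DNS lookups.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softdomain.example": "v=spf1 ip4:192.0.2.1 ~all",
}


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for one sending IP."""
    if depth > 10:                    # RFC 7208 caps nested include: lookups
        return "permerror"
    record = records.get(domain.lower())
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == network.version and ip in network
        elif name == "include":
            matched = check_spf(arg, client_ip, records, depth + 1) == "pass"
        else:
            continue                  # a, mx, ptr, exists need DNS; skipped here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # nothing matched and no "all" mechanism


def check_mail_from(mail_from, client_ip, records=SPF_RECORDS):
    """Apply SPF to the envelope sender given in the SMTP MAIL FROM command."""
    domain = mail_from.rpartition("@")[2]
    return check_spf(domain, client_ip, records)


if __name__ == "__main__":
    # A message claiming to come from the CEO's domain but delivered from an
    # address the domain never authorised gets a hard fail.
    print(check_mail_from("ceo@example.com", "198.51.100.99"))   # fail
```

SPF only covers the envelope sender, so the From: header shown to the user still needs DKIM and DMARC alignment checks before a message can be trusted.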

6) Caller ID Spoofing – Caller ID spoofing is the practice of altering or
deliberately falsifying the information displayed on caller ID systems, which are
systems intended to identify the source of a phone call to its recipient.
The practice is used for many different purposes by a number of different
entities, such as private investigators, secret shoppers or just prank callers.

FCC (Federal Communications Commission) rules prohibit caller ID spoofing
with the intent to defraud, cause harm or wrongly obtain anything of value. If
harm is caused by the spoofing, then the perpetrator could be liable for steep
financial penalties. However, caller ID spoofing is legal within certain contexts,
such as to carry out a police investigation.

There are various methods with which to carry out a spoof attempt, one of the
most popular of which is VoIP (Voice over Internet Protocol), which
allows users to make calls over the internet while configuring their outbound
display ID to their own specification. A very simple motivation for caller ID
spoofing could be to mislead the call recipient into thinking a call is coming
from a specific location, in which case that location’s area code is
displayed in order to make the recipient believe it.

CHAPTER – 4

4.1 Prevention of Spoofing

There are several methods that should be implemented in order to properly
avoid spoofing attacks, including:

• Packet filtering should be implemented so that all packets are filtered and
scanned for inconsistencies. As a result, packets with inconsistencies are
blocked, which can effectively prevent spoofing attacks from being
successful.

• Using secure encryption protocols such as Secure Shell (SSH), Transport
Layer Security (TLS), and HTTP Secure (HTTPS) helps avoid many types
of spoofing attacks, as these protocols encrypt the data and authenticate the
parties, so a party would have to pass verification before it could be impersonated.

• Avoid all types of trust relationships, as trust relationships only use IP
address verification, opening users up to easy spoofing attacks.

• Use spoofing-detection programs, which inspect and certify data before
transmitting it to avoid attacks, especially ARP spoofing attacks.

There are various methods to prevent IP spoofing attacks specifically as well,
such as –

1) Packet Filtering –

The router that connects a network to another network is known as a border
router. One way to mitigate the threat of IP spoofing is by inspecting packets
when they leave and enter a network, looking for invalid source IP
addresses. If this type of filtering were performed on all border routers, IP
address spoofing would be greatly reduced. Egress filtering checks the
source IP address of packets to ensure they come from a valid IP address
range within the internal network. When the router receives a packet that
fails this check, the packet does not leave the network boundary. Ingress
filtering checks the source IP address of packets that enter the network to
ensure they do not come from sources that are not permitted to access the
network. At a minimum, all private, reserved, and internal IP addresses
should be discarded by the router and not allowed to enter the network.

Packet filtering normally may not prevent a system from participating in an
attack if the spoofed IP address used falls within the valid internal
address range. However, it will simplify the process of tracing the packets,
since the systems will have to use a source IP address within the valid IP
range of the network.
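An added example (not the report’s own code) of the ingress and egress checks described above; it also shows the limitation noted in the last paragraph and why the spoofed-source DoS traffic discussed in chapter 3 is so hard to trace without such filtering. The internal address block and the sample packets are constructed.

```python
"""Border-router ingress/egress filter: an added example, not the report's own code.

Egress filtering drops packets leaving the network whose source address is not
one of our own, and ingress filtering drops packets arriving from outside whose
source claims to be internal or lies in private, reserved or otherwise
unroutable space. The internal block and the packets are constructed.
"""
import ipaddress
from collections import Counter

# The address block this border router is responsible for (constructed).
INTERNAL = ipaddress.ip_network("203.0.113.0/24")

# Source ranges that must never arrive from the Internet: "this network",
# RFC 1918 private space, loopback, link-local, multicast and reserved space.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def egress_verdict(src):
    """Packet leaving the network: its source must belong to us."""
    if ipaddress.ip_address(src) in INTERNAL:
        return "forward"
    return "drop:egress-spoofed-source"


def ingress_verdict(src):
    """Packet entering from the Internet: its source must be a routable outside address."""
    ip = ipaddress.ip_address(src)
    if ip in INTERNAL:
        return "drop:ingress-claims-internal"
    if any(ip in net for net in BOGONS):
        return "drop:ingress-bogon"
    return "forward"


def filter_packet(direction, src, dst):
    """direction is 'out' (LAN to Internet) or 'in' (Internet to LAN)."""
    if direction == "out":
        return egress_verdict(src)
    if direction == "in":
        return ingress_verdict(src)
    raise ValueError(f"unknown direction {direction!r}")


def run_filter(packets):
    """Return per-packet verdicts and a tally of verdict kinds."""
    verdicts = [(pkt, filter_packet(*pkt)) for pkt in packets]
    return verdicts, Counter(v for _, v in verdicts)


# Constructed traffic at the border: (direction, source, destination). The third
# packet shows the limitation noted in the text: a source forged to another
# address inside our own range passes, but is at least traceable to our network.
SAMPLE_PACKETS = [
    ("out", "203.0.113.10", "198.51.100.5"),    # normal outbound traffic
    ("out", "198.51.100.77", "198.51.100.5"),   # internal host forging an outside source
    ("out", "203.0.113.250", "198.51.100.5"),   # forged, but inside our range: passes
    ("in", "198.51.100.5", "203.0.113.10"),     # normal inbound traffic
    ("in", "203.0.113.200", "203.0.113.10"),    # outsider claiming to be inside
    ("in", "10.1.2.3", "203.0.113.10"),         # private source from the Internet
    ("in", "127.0.0.1", "203.0.113.10"),        # loopback source from the Internet
]

if __name__ == "__main__":
    for pkt, verdict in run_filter(SAMPLE_PACKETS)[0]:
        print(f"{pkt[0]:>3} {pkt[1]:>15} -> {pkt[2]:<15} {verdict}")
```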

2) Filtering at the Router –

If your site has a direct connection to the Internet, you can use your router to
help you out. First, make sure only hosts on your internal LAN can
participate in trust relationships (no internal host should trust a host
outside the LAN), then simply filter out all traffic from the outside (the
Internet) that purports to come from the inside (the LAN).

3) Encryption and Authentication.

4) Cryptographic Methods –

An obvious method to deter IP spoofing is to require all network traffic to
be encrypted and/or authenticated. While several solutions exist, it will be a
while before such measures are deployed as de facto standards.

CONCLUSION

Just like real-world criminals and con artists, online thieves can use impersonation as
a means to steal important information or get access to bank accounts. This practice is
called spoofing — an umbrella term that includes IP address spoofing (sending
messages to a computer using an IP address that makes it look as if the message is
coming from a trusted source), email spoofing (forging an e-mail header to make it look
like it came from somewhere or someone other than the actual source) and DNS
spoofing (modifying the DNS server in order to reroute a specific domain name to a
different IP address).

With these prevention methods and some cyber know-how as mentioned in the project,
you can mitigate spoofing attacks and keep your business, employees, and customers
safe. Although there is no single solution, staying up to date on the latest
spoofing tactics allows you to be proactive and bounce back should spoofers strike.

BIBLIOGRAPHY

Secondary Source:

Books:

1. Talat Fatima, Cyber Crimes, 2nd Edition, Eastern Book Company

2. Dr. Farooq Ahmad, Cyber Law in India (Law on Internet), New Era Law
Publications

Websites:

Tal, Spoofing Attack, https://www.checkmarx.com/glossary/spoofing-attack/ (Last
Updated, 14th Oct, 2014)

Lyna Griffin, What is a Spoofing Attack,
https://study.com/academy/lesson/what-is-a-spoofing-attack-definition-types.html
(Last Updated, 15th August, 2016)

Elizabeth Mack, Spoofing Attacks and How to Prevent Them,
https://www.springboard.com/blog/spoofing-attacks (Last Updated, June 7, 2018)

Harsha Srinivas, IP Spoofing Seminar Report,
https://www.scribd.com/doc/102827184/Ip-Spoofing-Seminar-Report (Last Updated,
Aug 14, 2012)
