WEBVTT

00:00.000 --> 00:03.510
>> Hello. We just
talked about Smurf

00:03.510 --> 00:05.250
and fraggle attacks and how they

00:05.250 --> 00:07.470
involve spoofing
the source address.

00:07.470 --> 00:09.660
There's all sorts of spoofing.

00:09.660 --> 00:12.210
In addition to IP
address spoofing,

00:12.210 --> 00:13.890
MAC address spoofing is really

00:13.890 --> 00:15.840
common because a lot of times

00:15.840 --> 00:17.670
switches are set
up to only allow

00:17.670 --> 00:20.425
specific MAC
addresses to connect.

00:20.425 --> 00:24.110
But MAC spoofing is as
easy as any other type.

00:24.110 --> 00:26.870
Email spoofing is where
an attacker makes

00:26.870 --> 00:28.340
a message look like it came from

00:28.340 --> 00:30.430
your bank or some other entity,

00:30.430 --> 00:33.260
and caller ID spoofing
is where an attacker

00:33.260 --> 00:35.900
spoofs the number that
your caller ID shows you.

00:35.900 --> 00:37.550
You think it's coming
from someone you

00:37.550 --> 00:40.560
trust but it's actually not.

00:40.580 --> 00:44.070
Spoofing is all about
impersonation and

00:44.070 --> 00:47.180
usually when we're talking
about IP or MAC spoofing,

00:47.180 --> 00:49.640
it's all about modifying
the source address

00:49.640 --> 00:52.950
so it looks like it comes
from somewhere else.

00:53.570 --> 00:56.660
Now, with redirection attacks,

00:56.660 --> 00:59.450
the attacker's goal is to
send you to a server that

00:59.450 --> 01:02.795
is spoofed to look like a
legitimate server or service.

01:02.795 --> 01:06.185
Maybe you'll log into
an Internet server but

01:06.185 --> 01:08.030
the attacker has
redirected you to

01:08.030 --> 01:10.550
his web server that
looks like yours.

01:10.550 --> 01:13.595
It has a field for
username and password,

01:13.595 --> 01:16.190
and you type in your normal
username and password.

01:16.190 --> 01:18.620
But then the site displays
a message that it's

01:18.620 --> 01:21.995
temporarily unavailable
and to try again later.

01:21.995 --> 01:25.735
But now the attacker has
your username and password.

01:25.735 --> 01:28.700
Redirection is very common.

01:28.700 --> 01:30.530
The attacker can send you to

01:30.530 --> 01:33.875
the wrong DNS server
or modify your cache.

01:33.875 --> 01:37.040
But ultimately, if the
attacker is able to

01:37.040 --> 01:40.295
redirect you to his rogue
site, at the very least,

01:40.295 --> 01:41.900
it's a man-in-the-middle
attack and

01:41.900 --> 01:44.090
the attacker can
intercept information

01:44.090 --> 01:46.040
like usernames and passwords

01:46.040 --> 01:49.090
or financial information
and so forth.

01:49.090 --> 01:53.370
Redirection is something to
be really concerned about.

01:54.470 --> 01:59.510
Now, Address Resolution
Protocol, or ARP,

01:59.510 --> 02:02.060
is something that takes
a known IP address and

02:02.060 --> 02:05.095
is used to find out an
unknown MAC address.

02:05.095 --> 02:07.250
It sends out a broadcast
that is basically

02:07.250 --> 02:09.725
something like "Is
anybody out there?

02:09.725 --> 02:12.080
Host IP address 10.1.1.1,"

02:12.080 --> 02:13.714
and the host responds,

02:13.714 --> 02:16.225
"That's me, here's
my MAC address."

02:16.225 --> 02:18.980
Once my client system
has that information,

02:18.980 --> 02:23.315
it stores it in the ARP cache.

02:23.315 --> 02:25.370
Then the next time
I need to send

02:25.370 --> 02:26.975
that out to the IP address,

02:26.975 --> 02:29.170
I don't have to broadcast out.

02:29.170 --> 02:31.700
That information is
stored in my cache.

02:31.700 --> 02:34.610
If someone is able to
modify that information,

02:34.610 --> 02:36.530
then they can redirect me.

02:36.530 --> 02:39.155
A cache is just the same
regardless of whether it's

02:39.155 --> 02:43.055
ARP or DNS or any
other type of cache.

02:43.055 --> 02:45.050
It's where we store information

02:45.050 --> 02:45.830
that we're going to need

02:45.830 --> 02:47.600
frequently so that way

02:47.600 --> 02:50.095
we can access it quicker
the next time.

02:50.095 --> 02:52.310
Anytime you hear
about poisoning,

02:52.310 --> 02:54.245
it means modifying the cache.

02:54.245 --> 02:57.720
It's almost always for the
purpose of redirecting.

02:58.160 --> 03:01.020
DNS controls the world.

03:01.020 --> 03:04.220
If I can redirect you
to a bogus DNS server,

03:04.220 --> 03:06.620
every time you type out
the name of the server,

03:06.620 --> 03:09.640
you're going to go where
my DNS server sends you.

03:09.640 --> 03:12.880
Obviously, that's very powerful.

03:13.280 --> 03:17.810
Pharming is associated with
modifying DNS records.

03:17.810 --> 03:20.900
DNS keeps track of where
your critical servers and

03:20.900 --> 03:24.275
services are and if someone
modifies that information,

03:24.275 --> 03:27.100
then again,
redirection can occur.

03:27.100 --> 03:29.150
In addition to DNS,

03:29.150 --> 03:31.160
there's also a static
text file that

03:31.160 --> 03:34.115
resides on the client system,
called the hosts file,

03:34.115 --> 03:36.590
and the hosts file was one
of the tools we used for

03:36.590 --> 03:38.360
name resolution before DNS

03:38.360 --> 03:40.645
was as efficient as it is today.

03:40.645 --> 03:43.190
There would be a static
host file that would

03:43.190 --> 03:45.725
indicate that if someone
types in server one,

03:45.725 --> 03:49.345
then they should be sent
to IP address 1.1.1.1.

03:49.345 --> 03:51.830
But even though we
don't use that today as

03:51.830 --> 03:54.065
our primary source
of name resolution,

03:54.065 --> 03:56.510
the hosts file is still there.

03:56.510 --> 03:59.315
If someone were to
modify my hosts file,

03:59.315 --> 04:01.600
they can redirect me as well.

04:01.600 --> 04:04.160
It's worth it to learn about DNS

04:04.160 --> 04:06.695
because it's such a
powerful service.

04:06.695 --> 04:09.630
We'll talk more about that next.
