Transcript for:
Understanding Spoofing in Network Security

If there's a device on your network that is pretending to be a completely different device, we refer to that as spoofing. For example, if an attacker creates a fake web server, which has a similar look and feel to the original, but it's under the control of the attacker, that is spoofing. You may notice some spoofing that's happening on your own system.

If you look through your spam folder, you'll probably see email addresses that say they're from a particular person. But in reality, those email addresses are spoofed. You might also see spoofing on your mobile phone. You might have an incoming call, and you'll notice that call is in your local area. But when you answer the call, it's from an organization that is outside of your area or maybe in a different country.

That caller spoofed a local phone number so that you would be more comfortable answering the call. We even demonstrated how spoofing can be used to create an on-path attack, where the attacker sits in the middle of a conversation and uses spoofing to create that path. In a previous video, we talked about ARP poisoning, and the attacker uses IP spoofing to accomplish this poisoning. With normal ARP communication, a device that's looking for another device sends out a broadcast with the IP address it's looking for, hoping to get a MAC address in return.

The device receiving that broadcast sends back a response that says, you found the right IP address, and here is the MAC address of my device. That information is then saved by the original workstation in its ARP cache so that it knows exactly where to send traffic for all subsequent communication. An attacker can take advantage of ARP spoofing by sending that ARP response again, but instead of sending it with the attacker's own IP address, the attacker sends it while spoofing the IP address of the router.

You'll notice that although the router's IP address is spoofed, the MAC address being sent matches the MAC address of the attacker's workstation. The device receiving that spoofed response doesn't realize it has been spoofed. It simply assumes that the MAC address has changed for that IP address, removes the original entry from its cache, and replaces it with the spoofed one. Any time you see a device using the IP address of a third-party device, that is IP address spoofing.
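The cache behaviour just described is also what a defender watches for. The following is an added example, not code from the video or its author: a small Python monitor that keeps its own IP-to-MAC table (the way arpwatch-style tools do), raises an alert when an ARP reply tries to change the MAC already recorded for an IP, and separately lists any MAC that answers for more than one IP, which is exactly the footprint left when the attacker's MAC shows up under the router's IP. The replies below are constructed sample data, not captured traffic.

```python
"""ARP cache monitor: flags the cache change an ARP-poisoning attack depends on."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ArpReply:
    """One ARP reply as the workstation would see it (constructed sample data below)."""
    sender_ip: str
    sender_mac: str
    iface: str = "eth0"


@dataclass
class ArpCacheMonitor:
    """Keeps the IP-to-MAC table and records every attempt to change an existing entry."""
    cache: Dict[str, str] = field(default_factory=dict)   # ip -> mac, first mapping seen
    alerts: List[str] = field(default_factory=list)

    def process(self, reply: ArpReply) -> Optional[str]:
        known = self.cache.get(reply.sender_ip)
        if known is None:
            # First time we hear about this IP: learn it, as a normal cache would.
            self.cache[reply.sender_ip] = reply.sender_mac
            return None
        if known == reply.sender_mac:
            return None                                   # refresh of the same mapping
        # An existing entry would now be overwritten. A plain workstation does exactly
        # that; the monitor instead keeps the first-seen MAC and raises an alert.
        alert = (f"ARP change on {reply.iface}: {reply.sender_ip} was {known}, "
                 f"reply now claims {reply.sender_mac}")
        self.alerts.append(alert)
        return alert


def ips_per_mac(replies: List[ArpReply]) -> Dict[str, Set[str]]:
    """Second indicator from the transcript: one MAC answering for several IPs."""
    seen: Dict[str, Set[str]] = {}
    for r in replies:
        seen.setdefault(r.sender_mac, set()).add(r.sender_ip)
    return seen


def suspicious_macs(replies: List[ArpReply]) -> Dict[str, Set[str]]:
    """Only the MACs that claim more than one IP address."""
    return {mac: ips for mac, ips in ips_per_mac(replies).items() if len(ips) > 1}


# Constructed sample: the gateway answers first, then another LAN host answers
# for its own IP, then that same host's MAC appears in a reply for the gateway IP.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:55"),
    ArpReply("192.168.1.50", "aa:bb:cc:dd:ee:ff"),
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:ff"),
]


def run_monitor(replies: List[ArpReply] = SAMPLE_REPLIES) -> ArpCacheMonitor:
    """Feed every reply through the monitor and return it for inspection."""
    mon = ArpCacheMonitor()
    for r in replies:
        mon.process(r)
    return mon


if __name__ == "__main__":
    mon = run_monitor()
    for a in mon.alerts:
        print(a)
    print("MACs answering for more than one IP:", suspicious_macs(SAMPLE_REPLIES))
```

Running the sample produces one alert for 192.168.1.1 and lists aa:bb:cc:dd:ee:ff as answering for two IPs. A real deployment would read replies from a packet capture and would pin the gateway's MAC statically rather than just learning it first, but the two checks are the same.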

This is a device that's trying to pretend to be something it isn't. These situations could be legitimate. For example, a load balancer presents a single IP address for a service, but in reality, several different IP addresses behind it are providing that service. But in the case of an attacker, this IP addressing may not be legitimate.

They may be performing ARP poisoning, like the example we just saw, or they may be performing DNS amplification or a distributed denial of service using that spoofed IP address. You can often configure firewall rules or access control lists to look for situations where IP address spoofing might be occurring and block that traffic from entering or leaving your network. Not only can attackers change or modify the IP address to spoof another device, they can also modify their MAC address and perform MAC spoofing. This is the media access control address.
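The firewall rules mentioned above come down to two checks at the network edge: a packet arriving from the outside must not carry one of your own source addresses (ingress filtering), and a packet leaving must carry one of your own source addresses (egress filtering, so your hosts cannot source spoofed DDoS or amplification traffic). This added Python example, which is not from the video or its author, expresses both checks as a decision function and runs it over constructed sample packets; the address ranges in INTERNAL_NETS are assumed for the example and would be replaced by the site's real prefixes.

```python
"""Anti-spoofing (ingress/egress) filter decisions at the network edge."""
import ipaddress
from typing import List, Tuple

# Assumed for this example: the address space this site owns. Anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.20.0.0/16")]
# Sources that should never show up on a packet arriving from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

Verdict = Tuple[str, str]   # ("accept" | "drop", reason)


def _in_any(ip, nets) -> bool:
    return any(ip in net for net in nets)


def decide(direction: str, src: str) -> Verdict:
    """Apply the ingress or egress anti-spoofing rule to one packet's source address."""
    ip = ipaddress.ip_address(src)
    if direction == "in":
        # Ingress: a packet from the Internet can never legitimately carry our own address.
        if _in_any(ip, INTERNAL_NETS):
            return ("drop", "inbound packet claims an internal source address")
        if _in_any(ip, BOGON_NETS):
            return ("drop", "inbound packet from an unroutable source")
        return ("accept", "")
    if direction == "out":
        # Egress: only our own addresses may leave the network.
        if not _in_any(ip, INTERNAL_NETS):
            return ("drop", "outbound packet with a source address we do not own")
        return ("accept", "")
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample traffic: (direction, source IP).
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("in",  "203.0.113.7"),     # ordinary Internet client
    ("in",  "192.168.1.10"),    # spoofed: our own range arriving from outside
    ("in",  "127.0.0.1"),       # loopback source on the wire, never legitimate
    ("out", "192.168.1.25"),    # ordinary internal host going out
    ("out", "198.51.100.99"),   # spoofed source leaving our network
]


def filter_packets(packets=SAMPLE_PACKETS) -> List[Tuple[str, str, str, str]]:
    """Return (direction, src, verdict, reason) for every packet."""
    return [(d, s, *decide(d, s)) for d, s in packets]


def dropped(packets=SAMPLE_PACKETS) -> List[Tuple[str, str]]:
    """Just the packets the anti-spoofing rules would block."""
    return [(d, s) for d, s, verdict, _ in filter_packets(packets) if verdict == "drop"]


if __name__ == "__main__":
    for d, s, verdict, reason in filter_packets():
        print(f"{d:>3} {s:<16} {verdict:<6} {reason}")
```

Real firewalls and routers implement the same logic as access-list entries or as unicast reverse-path forwarding checks; the point of the example is that the decision depends only on direction and source address, which is why it can be enforced at the edge without knowing anything about the application traffic.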

Sometimes you'll hear this referred to as the burned-in address. It's the address that is associated with the ROM that's on your network interface card. And although it's burned into the ROM of that device, many of the drivers for the network interface card allow you to modify that address to be anything you'd like.

As with IP address spoofing, MAC spoofing could be legitimate or not. A legitimate use may be that an internet provider is expecting a certain MAC address from your device, so you have to modify your MAC address to work properly on the internet provider's network. There might also be applications that look for a particular MAC address as part of a security control, so you may have to modify your MAC address so the application will work properly. But attackers also know that MAC addresses are often used in access control lists, and if they can modify their MAC address, they may be able to circumvent the existing security.

So on your network, you might have firewalls or other security devices using MAC-based access control lists, or you might have wireless devices that allow or disallow communication through the network based on the MAC address of the sending device. These MAC filters make it very difficult to know whether the information being sent is from the legitimate device or from a device that is spoofing it. There's no way to tell just from the MAC address whether it's the address that's burned in or one that someone has modified. Since this type of spoofing is only useful on a local subnet, part of the security to prevent it is limiting the scope of access that devices have to your local network.