Internet Security Professional Reference:IP Spoofing and Sniffing


Hardware Address Spoofing

At the hardware layer, every interface on a shared-media network has a hardware interface address. As you read earlier in the discussion of sniffing, most network interfaces can be put into promiscuous mode and will then receive frames addressed to any destination. A much more serious problem arises if the interface can also alter the source address and send frames that appear to come from some other station. In the IEEE 802 family of standards (of which Ethernet is a variant), each network interface has a 48-bit hardware address. The interface compares this address against the destination field of every frame it sees, copies frames with a matching destination into its internal buffer, and notifies the operating system that they are available for further processing. Frames passed down from the operating system to the interface do not typically carry a source address of their own; the interface fills the source field with its assigned hardware address.

Most software does not directly control the source field of frames leaving an Ethernet interface. When another host examines a frame whose hardware source address belongs to an interface on a particular machine, it assumes that the frame originated on that machine and accepts it as authentic. The IEEE Registration Authority assigns each interface manufacturer a unique 24-bit prefix (the organizationally unique identifier, or OUI) for the 48-bit hardware address; the manufacturer assigns a unique 24-bit suffix to each interface it makes. Nevertheless, many interface cards are configurable and allow host software to specify a source address other than the manufacturer-assigned one. This configurability makes it possible to use them to spoof the source address.

DECnet, for example, uses 16-bit node identifiers and requires that the leading 32 bits of the hardware address be set to a fixed value (AA-00-04-00) so that the trailing 16 bits can carry the DECnet node address. Any network interface that is compatible with DECnet must therefore allow its hardware source address to be altered in some way, either by software or by switches on the interface board.

To see how common it is for a network interface to be able to spoof the source address, recall how a bridge works. A bridge not only puts its interfaces into promiscuous mode, but it also sends each forwarded frame out of its other interface with the hardware source address of the originating interface, not its own. A PC with two software-configurable interfaces can be configured as a bridge. Clearly, such software configurability has a variety of malicious uses. The Drawbridge software mentioned in the previous section on hardware barriers to prevent sniffing is compatible with most Ethernet boards, which means that most Ethernet boards will permit source address spoofing.
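The following Python example is added here to make the preceding points concrete; it is not code from the book. It builds and decodes a frame header to show that the source field is simply six bytes the sender writes, splits an address into its manufacturer-assigned OUI and suffix, tests the locally-administered bit, and carries out the DECnet Phase IV derivation (fixed prefix AA-00-04-00 followed by the 16-bit node address in little-endian order) that the text describes in words. All addresses in it are constructed samples, not addresses of any real machine.

```python
import struct
from typing import Optional, Tuple

# Ethernet II / IEEE 802.3 MAC header: destination, source, EtherType (network byte order).
ETH_HEADER = struct.Struct("!6s6sH")
ETHERTYPE_IP = 0x0800
# DECnet Phase IV fixes the leading 32 bits of the hardware address to AA-00-04-00.
DECNET_PREFIX = bytes.fromhex("aa000400")


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF'."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit address: {mac!r}")
    return raw


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Build a frame. The source field is six bytes the sender writes; nothing in
    the frame format proves they belong to the interface that transmitted it."""
    return ETH_HEADER.pack(mac_to_bytes(dst), mac_to_bytes(src), ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header the way a receiving interface or a sniffer sees it."""
    dst, src, ethertype = ETH_HEADER.unpack_from(frame)
    return {
        "dst": bytes_to_mac(dst),
        "src": bytes_to_mac(src),
        "ethertype": ethertype,
        "payload": frame[ETH_HEADER.size:],
    }


def oui(mac: str) -> str:
    """The manufacturer-assigned 24-bit prefix (OUI) of a 48-bit address."""
    return bytes_to_mac(mac_to_bytes(mac)[:3])


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet (the U/L bit) is set when the address was assigned
    locally rather than taken from a manufacturer's OUI block. A spoofer is under
    no obligation to set it, so a clear bit proves nothing about authenticity."""
    return bool(mac_to_bytes(mac)[0] & 0x02)


def decnet_mac(area: int, node: int) -> str:
    """DECnet Phase IV node 'area.node' -> the hardware address the interface must use.
    The 16-bit node address is (area << 10) | node, stored little-endian after the prefix."""
    if not (1 <= area <= 63 and 1 <= node <= 1023):
        raise ValueError("DECnet Phase IV area is 1..63 and node is 1..1023")
    return bytes_to_mac(DECNET_PREFIX + struct.pack("<H", (area << 10) | node))


def decnet_address(mac: str) -> Optional[Tuple[int, int]]:
    """Inverse of decnet_mac; None if the address does not carry the DECnet prefix."""
    raw = mac_to_bytes(mac)
    if raw[:4] != DECNET_PREFIX:
        return None
    (addr,) = struct.unpack("<H", raw[4:])
    return addr >> 10, addr & 0x3FF


if __name__ == "__main__":
    # Constructed sample addresses. 'victim' stands for an address some other
    # station on the segment legitimately holds; the frame below claims to be from it.
    victim = "00:11:22:33:44:55"
    forged = build_frame("ff:ff:ff:ff:ff:ff", victim, ETHERTYPE_IP, b"\x45\x00")
    print(parse_frame(forged)["src"], "appears to have sent this frame")
    print("OUI of that address:", oui(victim))
    print("DECnet node 1.1 transmits as", decnet_mac(1, 1))
```

Sending such a frame on a real segment needs a raw socket and a driver that honours the source field, which, as the text says, most do; the point of the example is that nothing at this layer distinguishes the forged frame from a genuine one.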

As you can see, it is not safe to base the authenticity of a packet on the hardware source address. Unfortunately, there is very little you can do at this layer to protect yourself against such deviousness. One solution is to use digital signatures at the application layer. Currently, nothing in the IP network layer prevents a hardware address spoofer from disguising one machine as another. If the victim machine is trusted (for example, is allowed to NFS-mount file systems from another machine), the spoofer can take advantage of that trust and violate security without being detected. Hardware address spoofing is no longer the exclusive domain of hackers; several vendors make it easy for users, both good and bad, to change their hardware addresses. Changing your hardware address is no more difficult than changing your IP address. For this reason, host names, IP addresses, and hardware addresses are not by themselves a sufficient basis for trust on the Internet.

Countering hardware-level spoofing is difficult because it is virtually undetectable without tracing the physical wiring. You need to trace the wiring to be certain that no one has connected an unauthorized machine, and you also need to check that the authorized machines are using the hardware addresses they should. The latter can be checked using sufficiently "intelligent" hubs kept in secure locations.

All machines not in physically secure locations can be connected to hubs in secure locations. Some "intelligent" hubs can be configured to accept packets, send packets, or both, only to or from specific hardware addresses on each port they serve. Thus, you can configure the hub to accept only packets whose hardware source address matches the manufacturer-assigned address of the interface on the authorized machine, the one connected to the wall plate at the far end of the wire on that port. Clearly, you are still relying on physical security to be sure that the hub, the wires, and the authorized machine remain as they should; the check does nothing against an intruder who unplugs the authorized machine and connects in its place using the same hardware address.
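The per-port check described above, simulated in Python as an added example rather than any vendor's hub firmware. The hub holds one registered source address per port, repeats a frame to its other ports only when the frame's source field matches the registration for the ingress port, and records every mismatch so that an operator can follow it back to the wall plate. Port numbers and addresses are constructed samples.

```python
import struct
from typing import Dict, List, Tuple

ETH_HEADER = struct.Struct("!6s6sH")


def source_mac(frame: bytes) -> str:
    _dst, src, _ethertype = ETH_HEADER.unpack_from(frame)
    return ":".join(f"{b:02x}" for b in src)


def sample_frame(dst: str, src: str, payload: bytes = b"") -> bytes:
    """Constructed test frame with EtherType 0x0800; only the header matters here."""
    def to_bytes(mac: str) -> bytes:
        return bytes.fromhex(mac.replace(":", ""))
    return ETH_HEADER.pack(to_bytes(dst), to_bytes(src), 0x0800) + payload


class FilteringHub:
    """A hub that repeats a frame to its other ports only when the frame's
    hardware source address is the one registered for the ingress port."""

    def __init__(self, port_to_mac: Dict[int, str]) -> None:
        self.allowed = {port: mac.lower() for port, mac in port_to_mac.items()}
        # (port, address seen, address expected) for every frame dropped at ingress
        self.violations: List[Tuple[int, str, str]] = []

    def accept(self, port: int, frame: bytes) -> bool:
        seen = source_mac(frame)
        expected = self.allowed.get(port)
        if expected is None:
            # A port with no registration never forwards: an unknown station
            # on a spare port is exactly what the check is meant to catch.
            self.violations.append((port, seen, "<no address registered>"))
            return False
        if seen != expected:
            self.violations.append((port, seen, expected))
            return False
        return True

    def forward(self, ingress: int, frame: bytes) -> List[int]:
        """Ports the frame is repeated on; empty if it was dropped at ingress."""
        if not self.accept(ingress, frame):
            return []
        return sorted(p for p in self.allowed if p != ingress)


if __name__ == "__main__":
    hub = FilteringHub({1: "02:00:00:00:00:01", 2: "02:00:00:00:00:02"})
    legit = sample_frame("02:00:00:00:00:02", "02:00:00:00:00:01")
    # Same port, different station: the address does not match the registration.
    forged = sample_frame("02:00:00:00:00:02", "02:00:00:00:00:99")
    print("legitimate frame repeated on ports", hub.forward(1, legit))
    print("forged frame repeated on ports", hub.forward(1, forged))
    for port, seen, expected in hub.violations:
        print(f"port {port}: saw {seen}, expected {expected}")
```

The violation log is the operationally useful part: a mismatch on a port tells you which wall plate to walk to. The limitation noted in the text still applies, since a frame carrying the registered address on the registered port is accepted whoever sent it.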


Note:  Devices that perform hardware address verification are not hubs in the traditional sense; they are really specialized switches or bridges. They are marketed, however, as "active hubs" or "filtering hubs," and are available from 3Com, HP, and IBM.

ARP Spoofing

A more common form of spoofing, and one that is frequently accidental, is ARP spoofing. ARP (Address Resolution Protocol) is used on Ethernet and similar networks (such as token ring) to associate hardware addresses with IP addresses. ARP is not part of IP; it is carried directly in the link-layer frame (on Ethernet, under its own EtherType, 0x0806, rather than inside an IP datagram), and it can resolve addresses for arbitrary network-layer protocols, of which IP is the common case. When an IP datagram is ready to go out on such a network, the host needs to know which hardware destination address to use for the given IP destination address. For local IP destinations, the hardware address to use is that of the destination interface itself. For non-local destinations, it is the hardware address of one of the routers on the local network.
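The sending side of that process, as an added Python example that is not from the book: the host decides whether the destination is local or must go through a router, looks the resulting next-hop address up in its ARP cache, and, if there is no entry, builds the broadcast ARP request (RFC 826 layout, carried directly in the frame under EtherType 0x0806) that it would put on the wire. The `learn` method stands in for receiving a reply and shows the property later abused by ARP spoofing: bindings are recorded without any proof that the reply came from the station that really holds the address. Addresses and prefix length are constructed samples.

```python
import ipaddress
import struct
from typing import Dict, Optional

ETH_HEADER = struct.Struct("!6s6sH")
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806                      # ARP rides directly in the frame, not inside IP
ARP_PACKET = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826 fields for Ethernet/IPv4
ARP_REQUEST = 1
BROADCAST = b"\xff" * 6


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


class Host:
    """Resolution as the sender sees it: pick the next hop, consult the cache,
    otherwise ask the whole segment."""

    def __init__(self, ip: str, prefix_len: int, mac: str, gateway: str) -> None:
        self.iface = ipaddress.ip_interface(f"{ip}/{prefix_len}")
        self.mac = mac
        self.gateway = ipaddress.ip_address(gateway)
        # IP address -> hardware address, filled from ARP replies
        self.arp_cache: Dict[ipaddress.IPv4Address, str] = {}

    def next_hop(self, dst_ip: str) -> ipaddress.IPv4Address:
        """Local destinations are reached directly; anything else goes to the router."""
        dst = ipaddress.ip_address(dst_ip)
        return dst if dst in self.iface.network else self.gateway

    def learn(self, ip: str, mac: str) -> None:
        """Record a binding as a received ARP reply would. Nothing here checks
        that the reply really came from the station that owns the IP address."""
        self.arp_cache[ipaddress.ip_address(ip)] = mac

    def hardware_address_for(self, dst_ip: str) -> Optional[str]:
        """Hardware destination to put on a datagram for dst_ip, or None if unresolved."""
        return self.arp_cache.get(self.next_hop(dst_ip))

    def arp_request(self, dst_ip: str) -> bytes:
        """Broadcast frame asking which station holds the next-hop IP address."""
        target = self.next_hop(dst_ip)
        arp = ARP_PACKET.pack(
            1,                          # hardware type: Ethernet
            ETHERTYPE_IP,               # protocol type: IPv4
            6, 4,                       # hardware / protocol address lengths
            ARP_REQUEST,
            mac_to_bytes(self.mac), self.iface.ip.packed,   # sender
            b"\x00" * 6, target.packed,                      # target, hardware unknown
        )
        return ETH_HEADER.pack(BROADCAST, mac_to_bytes(self.mac), ETHERTYPE_ARP) + arp


if __name__ == "__main__":
    h = Host("192.0.2.10", 24, "02:00:00:00:00:0a", gateway="192.0.2.1")
    h.learn("192.0.2.1", "02:00:00:00:00:01")
    print("next hop for 198.51.100.7 is", h.next_hop("198.51.100.7"),
          "->", h.hardware_address_for("198.51.100.7"))
    print("192.0.2.99 unresolved; would broadcast", len(h.arp_request("192.0.2.99")), "bytes")
```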

