Spoofing of LAN Traffic

Data that is transmitted over a LAN should not be altered in an unauthorized manner as a result of that transmission, either by the LAN itself or by an intruder. LAN users should be able to have a reasonable expectation that the message sent is received unmodified.

A modification occurs when an intentional or unintentional change is made to any part of the message including the contents and addressing information. Messages transmitted over the LAN need to contain some sort of addressing information that reports the sending address of the message and the receiving address of the message (along with other pieces of information).

Spoofing of LAN traffic involves:

  1. The ability to receive a message by masquerading as the legitimate receiving destination, or
  2. Masquerading as the sending machine and sending a message to a destination.

To masquerade as a receiving machine, the LAN must be persuaded into believing that the destination address is the legitimate address of the machine. (Receiving LAN traffic can also be done by listening to messages as they are broadcast to all nodes.)

Masquerading as the sending machine to deceive a receiver into believing the message was legitimately sent can be done by masquerading the address, or by means of a playback. A playback involves capturing a session between a sender and receiver, and then retransmitting that message (either with the header only, and new message contents, or the whole message).

The spoofing of LAN traffic or the modification of LAN traffic can occur by exploiting the following types of vulnerabilities:

  • Transmitting LAN traffic in plaintext
  • Lack of a date/time stamp (showing sending time and receiving time)
  • Lack of message authentication code mechanism or digital signature
  • Lack of real-time verification mechanism (to use against playback).
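The last three items above are what a message authentication code plus a timestamp and sequence number buy you. As an added example (not code from the original document), the sketch below builds a LAN message whose MAC covers the source and destination addresses, a send time, a per-sender sequence number and the contents, and a receiver that rejects altered, re-addressed and replayed messages. The key, addresses and freshness window are constructed for the demonstration.

```python
import hmac
import hashlib
import json

# Constructed demo key; in a real deployment it is provisioned out of band.
KEY = b"constructed-demo-shared-key"
FRESHNESS_WINDOW = 30  # seconds around the send time during which a message is accepted


def _canonical(header, body):
    """Deterministic byte encoding of header + body so sender and receiver MAC the same thing."""
    return json.dumps([header, body], sort_keys=True, separators=(",", ":")).encode()


def build_message(src, dst, body, seq, sent_at, key=KEY):
    """Sender side: the MAC binds the addressing information, sequence number,
    timestamp and contents together, so changing any of them invalidates it."""
    header = {"src": src, "dst": dst, "seq": seq, "sent_at": sent_at}
    mac = hmac.new(key, _canonical(header, body), hashlib.sha256).hexdigest()
    return {"header": header, "body": body, "mac": mac}


class Receiver:
    """Receiver side: verify the MAC, then freshness, then replay of the sequence number."""

    def __init__(self, key=KEY, window=FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen = {}  # src address -> set of sequence numbers already accepted

    def accept(self, msg, now):
        header, body, mac = msg["header"], msg["body"], msg["mac"]
        expected = hmac.new(self.key, _canonical(header, body), hashlib.sha256).hexdigest()
        # Constant-time comparison; a mismatch means addresses or contents were altered.
        if not hmac.compare_digest(expected, mac):
            return "rejected: MAC mismatch"
        # Timestamp outside the window: a message captured earlier and played back later.
        if not (now - self.window <= header["sent_at"] <= now + self.window):
            return "rejected: stale timestamp"
        # Same sequence number from the same sender: playback inside the window.
        seen = self.seen.setdefault(header["src"], set())
        if header["seq"] in seen:
            return "rejected: duplicate sequence"
        seen.add(header["seq"])
        return "accepted"
```

The receiver keeps the sequence-number set per sender only for the freshness window in a real implementation; here it grows without bound to keep the example short.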

A LAN is a tool used by an organization to share information and transmit it from one location to another. A disruption of functionality occurs when the LAN cannot provide the needed functionality in an acceptable, timely manner. A disruption can interrupt one type of functionality or many.

A disruption of LAN functionalities can occur by exploiting the following types of vulnerabilities:

  • Inability to detect unusual traffic patterns (e.g. intentional flooding)
  • Inability to reroute traffic, handle hardware failures, etc.
  • Configuration of LAN that allows for a single point of failure
  • Unauthorized changes made to hardware components (reconfiguring addresses on workstations, modifying router or hub configurations, etc.)
  • Improper maintenance of LAN hardware
  • Improper physical security of LAN hardware.