
INTRODUCTION

This paper describes the use of IP spoofing as a method of attacking a network in order to gain unauthorized access. The attack is based on the fact that Internet communication between distant computers is routinely handled by routers which find the best route by examining the destination address, but generally ignore the origination address. The origination address is only used by the destination machine when it responds back to the source.

In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system. To be successful, the intruder must first determine the IP address of a trusted system, and then modify the packet headers so that it appears that the packets are coming from the trusted system.

In essence, the attacker is fooling (spoofing) the distant computer into believing that they are a legitimate member of the network. The goal of the attack is to establish a connection that will allow the attacker to gain root access to the host, allowing the creation of a backdoor entry path into the target system.

BRIEF HISTORY OF IP SPOOFING

In the April 1989 article entitled "Security Problems in the TCP/IP Protocol Suite", author S. M. Bellovin of AT&T Bell Labs was among the first to identify IP spoofing as a real risk to computer networks. Bellovin describes how Robert Morris, creator of the now infamous Internet Worm, figured out how TCP created sequence numbers and forged a TCP packet sequence. This TCP packet included the destination address of his "victim", and using an IP spoofing attack Morris was able to obtain root access to his targeted system without a user ID or password.

A common misconception is that "IP spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. However, IP spoofing is an integral part of many network attacks that do not need to see responses (blind spoofing).

The concept of IP spoofing was initially discussed in academic circles in the 1980s. While known about for some time, it was primarily theoretical until Robert Morris, whose son wrote the first Internet Worm, discovered a security weakness in the TCP protocol known as sequence prediction. Stephen Bellovin discussed the problem in depth in "Security Problems in the TCP/IP Protocol Suite", a paper that addressed design problems with the TCP/IP protocol suite. Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu Shimomura's machine, employed the IP spoofing and TCP sequence prediction techniques. While the popularity of such cracks has decreased due to the demise of the services they exploited, spoofing can still be used and needs to be addressed by all security administrators.

WHAT IS IP SPOOFING

An IP (Internet Protocol) address is the address that reveals the identity of your Internet service provider and your personal Internet connection. The address can be viewed during Internet browsing and in all of the correspondence that you send.

IP spoofing hides your IP address by creating IP packets that contain bogus IP addresses in an effort to impersonate other connections and hide your identity when you send information. IP spoofing is a common method that is used by spammers and scammers to mislead others on the origin of the information they send.

HOW DOES IT WORK

The Internet Protocol, or IP, is used for sending and receiving data over the Internet and between computers that are connected to a network. Each packet of information that is sent is identified by the IP address which reveals the source of the information.

When IP spoofing is used, the information that is revealed about the source of the data is not the real source of the information. Instead the source field contains a bogus IP address that makes the information packet look like it was sent by the person with that IP address. If you try to respond to the information, the response will be sent to the bogus IP address unless the hacker decides to redirect the information to a real IP address.

WHY IP SPOOFING IS USED

IP spoofing is used to commit criminal activity online and to breach network security. Hackers use IP spoofing so they do not get caught spamming and to perpetrate denial of service attacks. These are attacks that involve massive amounts of information being sent to computers over a network in an effort to crash the entire network. The hacker does not get caught because the origin of the messages cannot be determined due to the bogus IP address.

IP spoofing is also used by hackers to breach network security measures by using a bogus IP address that mirrors one of the addresses on the network. This eliminates the need for the hacker to provide a user name and password to log onto the network.



IP SPOOFING PROTECTION

It is possible to protect a network against IP spoofing by using ingress filtering, which filters the inbound traffic. The system has the capability to determine if the packets are coming from within the system or from an outside source.

Transmission Control Protocol can also be deployed through a sequence number that is used to create a secure connection to other systems. This method can be enhanced by disabling source routing on the network to prevent hackers from exploiting some of the spoofing capabilities.
IP SPOOFING WITH NETWORK

The reality of the Internet is actually quite different. First of all, IP spoofing has been around for decades, and has been the cause of a lot of quite nasty attacks on high profile targets.

Most serious ISPs do not want to be related to IP spoofing attacks, and are implementing measures to contain IP spoofing attacks originating from their networks.

The containment measures are implemented on their firewalls and routers. The basic logic of this protection is this:

• A firewall is aware of the networks to which it connects, so it can control source addresses. For example, a demo firewall has 5 interfaces:
    A connecting to network 10.1.1.x
    B connecting to network 10.2.1.x
    C connecting to network 10.3.1.x
    D connecting to network 10.4.1.x
    'outside' connecting to the rest of the world/Internet
  It is expected that any traffic coming in on interface A will have a source address of 10.1.1.x. If it doesn't, it's most probably an IP spoofing attack and will be dropped. The only interface that cannot apply such logic is the 'outside' interface, since it connects the firewall to the rest of the Internet. But the outside interface can have another protection, which protects against 'loop' IP spoofing attacks. That means that the 'outside' interface must not accept incoming packets with source addresses from a network that is on any of the 'inside' interfaces.
• Routers have a somewhat more complex mechanism, since a router can have traffic from multiple networks arriving on any of its interfaces. They use uRPF (unicast Reverse Path Forwarding), which analyzes whether the packet's source address comes from a network that is known in the routing domain of the router.
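The interface-to-prefix check for the firewall and the reverse-path check for the router, written out as an added Python example (this is not code from the paper or from any firewall or router vendor). The interface names, the four 10.x.1.0/24 networks of the demo firewall above, the routing table and the sample addresses are constructed. The 'outside' rule also drops private ranges, which is the "deny private IP addresses" ACL the prevention list later recommends. The text's description of uRPF ("source comes from a network known in the routing domain") corresponds to the loose check below; the strict variant, which additionally requires the reverse path to leave through the arrival interface, is an assumption added here.

```python
"""Anti-spoofing checks modelled on the firewall and router logic above.
Added example; interface names, prefixes and sample packets are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Firewall: each inside interface is bound to one network (the demo firewall
# above); 'outside' has no bound network.
INSIDE_INTERFACES: Dict[str, ipaddress.IPv4Network] = {
    "A": ipaddress.ip_network("10.1.1.0/24"),
    "B": ipaddress.ip_network("10.2.1.0/24"),
    "C": ipaddress.ip_network("10.3.1.0/24"),
    "D": ipaddress.ip_network("10.4.1.0/24"),
}

# Private and loopback ranges that should never arrive from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def firewall_verdict(iface: str, src: str) -> Tuple[str, str]:
    """Return ('accept' | 'drop', reason) for a packet with source address
    `src` arriving on firewall interface `iface`."""
    src_ip = ipaddress.ip_address(src)
    if iface in INSIDE_INTERFACES:
        # Inside interface: the source must belong to that interface's network.
        net = INSIDE_INTERFACES[iface]
        if src_ip in net:
            return "accept", f"{src} belongs to {net} on {iface}"
        return "drop", f"{src} is not in {net}, arrived on {iface}"
    if iface == "outside":
        # Loop check: the Internet side must never present an inside address.
        for name, net in INSIDE_INTERFACES.items():
            if src_ip in net:
                return "drop", f"inside address {src} (interface {name}) seen on outside"
        for net in BOGON_PREFIXES:
            if src_ip in net:
                return "drop", f"private/reserved source {src} seen on outside"
        return "accept", f"{src} matches no inside or private prefix"
    return "drop", f"unknown interface {iface}"


# Router: a routing table (constructed) mapping prefixes to egress interfaces.
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("10.1.0.0/16"), "eth1"),
    (ipaddress.ip_network("10.1.5.0/24"), "eth2"),  # more specific, other port
    (ipaddress.ip_network("192.0.2.0/24"), "eth3"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),    # default route to upstream
]


def best_route(dst: str) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach `dst`."""
    ip = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in ROUTES if ip in net]
    return max(matches)[1] if matches else None


def urpf_loose(src: str) -> bool:
    """Loose uRPF, the check the text describes: the source address must be
    covered by some route other than the default."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net, _ in ROUTES if net.prefixlen > 0)


def urpf_strict(in_iface: str, src: str) -> bool:
    """Strict uRPF: accept only if the route back to the source address leaves
    through the interface the packet arrived on. With a default route in the
    table, anything arriving on the upstream interface passes; a source the
    router would reach via another interface is rejected as spoofed."""
    return best_route(src) == in_iface


if __name__ == "__main__":
    for iface, src in (("A", "10.1.1.25"), ("A", "10.2.1.25"), ("outside", "10.3.1.9"),
                       ("outside", "192.168.1.1"), ("outside", "198.51.100.7")):
        print(iface, src, *firewall_verdict(iface, src))
    for iface, src in (("eth1", "10.1.2.3"), ("eth1", "10.1.5.7"), ("eth0", "203.0.113.1")):
        print("uRPF strict", iface, src, urpf_strict(iface, src), "loose", urpf_loose(src))
```

Note that neither check helps when attacker and spoofed address sit on the same interface's network, which is the limitation the detection section below spells out.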

So in reality, most IP spoofing attempts will be destroyed on the ISP's network. But these protection measures are not perfect, and there are networks which are still not controlling IP spoofing. An aspiring hacker can do significant damage at networks such as:
• University networks: apart from the large universities with dedicated IT staff, the netadmins of most universities are the teaching assistants of computer science. And they don't really make much of an effort to control the traffic on the network as long as the university's servers and staff systems are protected. Universities are quite often Autonomous Systems, so an IP spoofing attack originating from an unprotected network will travel on the Internet backbone.
• Smaller company networks: these networks are usually maintained by the 'one man band' sysadmin, who really has too much on his or her plate to think about spoofing protection. The silver lining in such environments is that these companies are just a small user of an ISP, which is very capable of blocking the IP spoofing attack originating from the small company network.
• ISPs in developing countries: much like small company networks, manned by personnel who are not properly trained, understaffed and overworked. And the bad news is that these ISPs are also Autonomous Systems, so IP spoofing attacks originating there will most probably get out.

Please note that this article is not an invitation to start wreaking havoc on these networks; on the contrary, it should serve as a reminder for their netadmins to implement the available and quite simple protection measures.

IP SPOOFING WITH INTERNET PROTOCOL

The Internet Protocol, or IP, is the main protocol used to route information across the Internet. The role of IP is to provide best-effort services for the delivery of information to its destination. IP depends on upper-level TCP/IP suite layers to provide accountability and reliability. The heart of IP is the IP datagram, a packet sent over the Internet in a connectionless manner. An IP datagram carries enough information about the network to get forwarded to its destination; it consists of a header followed by bytes of data.

The header contains information about the type of IP datagram, how long the datagram should stay on the network (or how many hops it should be forwarded through), special flags indicating any special purpose the datagram is supposed to serve, the destination and source addresses, and several other fields, as shown in Figure 1.

Layers above IP use the source address in an incoming packet to identify the sender. To communicate with the sender, the receiving station sends a reply by using the source address in the datagram. Because IP makes no effort to validate whether the source address in the packet generated by a node is actually the source address of the node, you can spoof the source address and the receiver will think the packet is coming from that spoofed address.
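The header fields just described, parsed from raw bytes as an added Python example (not code from the paper). The 20-byte sample header is constructed: a valid IPv4 header with TTL 64, the DF flag set, protocol 17 and a correct checksum. Parsing it shows the point of the paragraph above in bytes: the source address is an ordinary 4-byte field guarded only by a header checksum, and because that checksum can be recomputed by anyone, the receiver has nothing in the header itself that distinguishes a forged source from a genuine one.

```python
"""Parse a raw IPv4 header and verify its checksum. Added example; the sample
header bytes are constructed (a 20-byte header with a valid checksum)."""
import ipaddress
import struct
from typing import Dict

# Constructed sample: IPv4, IHL 5, total length 115, DF set, TTL 64, UDP (17),
# checksum 0xb861, source 192.168.0.1, destination 192.168.0.199.
SAMPLE_HEADER = bytes.fromhex("4500007300004000" "4011b861c0a80001" "c0a800c7")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    the 16-bit words. Over a header whose checksum field is zero it yields the
    value to store; over an intact header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(raw: bytes) -> Dict[str, object]:
    """Decode the fixed 20-byte part of an IPv4 header and check its checksum."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError(f"not a valid IPv4 header (version={version}, ihl={ihl})")
    header_len = ihl * 4
    if len(raw) < header_len:
        raise ValueError("truncated header (options missing)")
    return {
        "header_len": header_len,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        # The checksum covers the whole header, including any options.
        "checksum_ok": ipv4_checksum(raw[:header_len]) == 0,
    }


def tampered_source(header: bytes, new_src: str) -> bytes:
    """Overwrite the source field of an in-memory header without updating the
    checksum (constructed test input, nothing is sent): the only thing the
    receiver can notice is the checksum error, not the changed address."""
    return header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]


if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
    print(parse_ipv4_header(tampered_source(SAMPLE_HEADER, "10.0.0.1"))["checksum_ok"])
```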
Many programs for preparing spoofed IP datagrams are available for free on the Internet; for example, hping lets you prepare spoofed IP datagrams with just a one-line command, and you can send them to almost anybody in the world. You can spoof at various network layers; for example, you can use Address Resolution Protocol (ARP) spoofing to divert the traffic intended for one station to someone else.

The Simple Mail Transfer Protocol (SMTP) is also a target for spoofing; because SMTP does not verify the sender's address, you can send any e-mail to anybody pretending to be someone else. This article focuses on the various types of attacks that involve IP spoofing on networks, and the techniques and approaches that experts in the field suggest to contend with this problem.

Spoofing IP datagrams is a well-known problem that has been addressed in various research papers. Most spoofing is done for illegitimate purposes; attackers usually want to hide their own identity and somehow damage the IP packet destination. This article discusses ways of spoofing IP datagrams, various attacks that involve spoofed IP packets, and techniques to detect spoofed packets and trace them back to their original source; spoofing concerns for IPv6 are briefly addressed.
SPOOFING AN IP DATAGRAM

IP packets are used in applications that use the Internet as their communications medium. Usually they are generated automatically for the user, behind the scenes; the user just sees the information exchange in the application. These IP packets have the proper source and destination addresses for reliable exchange of data between two applications. The IP stack in the operating system takes care of the header for the IP datagram.

However, you can override this function by inserting a custom header and informing the operating system that the packet does not need any headers. You can use raw sockets in UNIX-like systems to send spoofed IP datagrams, and you can use packet drivers such as WinPcap on Windows. Some socket programming knowledge is enough to write a program for generating crafted IP packets.

You can insert any kind of header, so, for example, you can also create Transmission Control Protocol (TCP) headers. If you do not want to program or have no knowledge of programming, you can use tools such as hping, sendip, and others that are available for free on the Internet, with very detailed documentation to craft any kind of packet. Most of the time, you can send a spoofed-address IP packet with just a one-line command.

WHY SPOOF THE IP SOURCE ADDRESS?

What is the advantage of sending a spoofed packet? It is that the sender has some kind of malicious intention and does not want to be identified. You can use the source address in the header of an IP datagram to trace the sender's location. Most systems keep logs of Internet activity, so if attackers want to hide their identity, they need to change the source address. The host receiving the spoofed packet responds to the spoofed address, so the attacker receives no reply back from the victim host.

But if the spoofed address belongs to a host on the same subnet as the attacker, then the attacker can "sniff" the reply. You can use IP spoofing for several purposes; in some scenarios an attacker might want to inspect the response from the target victim (called "nonblind spoofing"), whereas in other cases the attacker might not care (blind spoofing). Following is a discussion about reasons to spoof an IP packet.
SCANNING

An attacker generally wants to connect to a host to gather information about open ports, operating systems, or applications on the host. The replies from the victim host can help the attacker in gathering information about the system.

These replies might indicate open ports, the operating system, or several applications running on open ports. For example, a response for a connection at port 80 indicates the host might be running a Web server. The hacker can then try to telnet to this port to see the banner and determine the Web server version and type, and then try to exploit any vulnerability associated with that Web server. In the scanning case, attackers want to examine the replies coming back from the host, so they need to see the returned packet. If the spoofed address is actually an address of a host on the attacker's subnet, then the attacker can use a sniffer to see the packets.

SEQUENCE-NUMBER PREDICTION

If you establish a connection between two hosts by using TCP, the packets exchanged between the two parties carry sequence numbers for data and acknowledgments. The protocol uses these numbers to determine out-of-order and lost packets, thus ensuring the reliable delivery to the application layer as promised by TCP. These numbers are generated pseudo-randomly in a manner known to both parties. An attacker might send several spoofed packets to a victim to determine the algorithm generating the sequence numbers and then use that knowledge to intercept an existing session. Again it is important for the attacker to be able to see the replies.

HIJACKING AN AUTHORIZED SESSION

An attacker who can generate correct sequence numbers can send a reset message to one party in a session, informing that party that the session has ended. After taking one of the parties offline, the attacker can use the IP address of that party to connect to the party still online and perform a malicious act on it. The attacker can thus use a trusted communication link to exploit any system vulnerability. Keep in mind that the party that is still online will send the replies back to the legitimate host, which can send a reset to it indicating the invalid session, but by that time the attacker might have already performed the intended actions. Such actions can range from sniffing a packet to presenting a shell from the online host to the attacker's machine.

DETERMINING THE STATE OF A FIREWALL

A firewall is used to protect a network from Internet intruders. Packets entering a firewall are checked against an Access Control List (ACL). TCP packets sent by a source are acknowledged by acknowledgment packets. If a packet seems like an acknowledgement to a request or data from the local network, then a stateful firewall also checks whether a request for which this packet is carrying the acknowledgment was sent from the network. If there is no such request, the packet is dropped, but a stateless firewall lets packets enter the network if they seem to carry an acknowledgment for a packet. Most probably the intended receiver sends some kind of response back to the spoofed address. Again, for this process to work, the attacker should be able to see the traffic returning to the host that has the spoofed address, and the attacker generally knows how to use the returned packet to advantage.
DENIAL OF SERVICE

The connection setup phase in a TCP system consists of a three-way handshake. This handshake is done by using special bit combinations in the "flags" field. If host A wants to establish a TCP connection with host B, it sends a packet with the SYN flag set. Host B replies with a packet that has the SYN and ACK flags set in the TCP header. Host A sends back a packet with the ACK flag set, finishing the initial handshake. Then hosts A and B can communicate with each other, as shown in Figure 2.

The three-way handshake must be completed in order to establish a connection. Connections that have been initiated but not finished are called half-open connections. A finite-size data structure is used to store the state of the half-open connections. An attacking host can send an initial SYN packet with a spoofed IP address, and then the victim sends the SYN-ACK packet and waits for a final ACK to complete the handshake. If the spoofed address does not belong to a host, then this connection stays in the half-open state indefinitely, thus occupying the data structure. If there are enough half-open connections to fill the state data structure, then the host cannot accept further requests, thus denying service to the legitimate connections (Figure 3).

Setting a time limit for half-open connections and then erasing them after the timeout can help with this problem, but the attacker may keep continuously sending the packets. The attacked host will not have space to accept new incoming legitimate connections, but the connections that were established before the attack are not affected. In this type of attack the attacker has no interest in examining the responses from the victim. When the spoofed address does belong to a connected host, that host sends a reset to indicate the end of the handshake.
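A simulation of the finite half-open table under a spoofed SYN flood, added here as an example of the reasoning above (it is not code from the paper, and it models no real TCP stack). Capacity, timeout, SYN rate and the sample addresses are constructed. The model shows the three points made above: a timeout frees slots, but a sustained flood still locks out legitimate clients for most of the run; connections that completed before the table filled are unaffected because they no longer occupy it; and a RST from a live host whose address was spoofed frees its slot immediately.

```python
"""Finite half-open connection table under a spoofed SYN flood. Added example
modelling the reasoning above; capacity, timeout and addresses are constructed."""
from collections import OrderedDict
from typing import Tuple

Key = Tuple[str, int]   # (source address, source port)


class HalfOpenTable:
    """Fixed-capacity table of pending handshakes (SYN received, final ACK
    outstanding). An entry expires `timeout` seconds after its SYN-ACK."""

    def __init__(self, capacity: int, timeout: float):
        self.capacity = capacity
        self.timeout = timeout
        self.pending: "OrderedDict[Key, float]" = OrderedDict()  # key -> SYN time
        self.rejected = 0      # SYNs turned away because the table was full
        self.completed = 0

    def _expire(self, now: float) -> None:
        # Entries are inserted in time order, so reap from the front.
        while self.pending:
            key, started = next(iter(self.pending.items()))
            if now - started < self.timeout:
                break
            del self.pending[key]

    def on_syn(self, src: Key, now: float) -> bool:
        """Victim receives a SYN; True means a SYN-ACK goes out."""
        self._expire(now)
        if src in self.pending:
            return True                      # retransmitted SYN reuses its slot
        if len(self.pending) >= self.capacity:
            self.rejected += 1
            return False
        self.pending[src] = now
        return True

    def on_ack(self, src: Key, now: float) -> bool:
        """Final ACK of the handshake; succeeds only while the SYN is pending."""
        self._expire(now)
        if src in self.pending:
            del self.pending[src]
            self.completed += 1
            return True
        return False

    def on_rst(self, src: Key) -> None:
        """A live host whose address was spoofed answers the unexpected SYN-ACK
        with RST, which frees the slot (the case noted at the end above)."""
        self.pending.pop(src, None)


def simulate_flood(capacity: int, timeout: float, syn_rate: float,
                   duration: float, client_interval: float) -> Tuple[int, int, int]:
    """Spoofed SYNs arrive `syn_rate` times per second from unreachable
    addresses that never ACK; one legitimate client (which ACKs at once)
    connects every `client_interval` seconds. Returns
    (legit_ok, legit_rejected, spoofed_rejected)."""
    table = HalfOpenTable(capacity, timeout)
    legit_ok = legit_rejected = 0
    t, seq, next_client = 0.0, 0, 0.0
    step = 1.0 / syn_rate
    while t < duration:
        if t >= next_client:
            src = ("198.51.100.7", 40000 + legit_ok + legit_rejected)
            if table.on_syn(src, t) and table.on_ack(src, t):
                legit_ok += 1
            else:
                legit_rejected += 1
            next_client += client_interval
        # Spoofed SYN with a fresh, unreachable source; no ACK ever follows.
        table.on_syn((f"203.0.113.{seq % 250 + 1}", 1024 + seq), t)
        seq += 1
        t += step
    return legit_ok, legit_rejected, table.rejected - legit_rejected


if __name__ == "__main__":
    print("with 5 s timeout:", simulate_flood(10, 5.0, 4, 10.0, 1.0))
    print("no timeout:     ", simulate_flood(10, float("inf"), 4, 10.0, 1.0))
```

With a table of 10 slots, 4 spoofed SYNs per second and a 5-second timeout, the run of 10 seconds admits the client at 0, 1, 2, 5, 6 and 7 seconds and rejects it the other four times; without a timeout only the first three attempts succeed and every later one is refused.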
FLOODING

In this type of attack an attacker sends a packet with the source address of the victim to multiple hosts. Responses from the other machines flood the victim. For example, if an attacker uses the IP address of source A and sends a broadcast message to all the hosts in the network, then all of them will send a reply back to A, hence flooding it. The well-known Smurf and Fraggle attacks used this technique.
COUNTERMEASURES FOR IP SPOOFING

IP spoofing countermeasures include detecting spoofed IP packets and then tracing them back to the originating source. Detection of spoofed IP packets requires support of routers, host-based methods, and administrative controls, whereas tracing of IP packets involves special trace-back equipment or trace-back features in routers. The following section discusses both IP spoofing detection and IP spoofing trace-back techniques.

SPOOFED PACKET DETECTION

Detection of a spoofed packet can start as early as Layer 2. Switches with the IP Source Guard feature [8] match the MAC address of the host with a Dynamic Host Configuration Protocol (DHCP)-assigned dynamic or administratively assigned static IP address. Packets that do not have the correct IP source address for that particular MAC address are dropped, thereby limiting the ability of hosts connected to such a switch to send a packet with their neighbor's address. The IP Source Guard feature works very well for interfaces with a single IP address, but one interface can be assigned multiple IP addresses, and that may cause problems.

The same problems can occur with Network Address Translation (NAT), where hosts might get different IP addresses several times. Routers work at Layer 3 in networks, and they know which interface a network is connected to and what network addresses can be expected to come from that network.

If the outgoing packet from an interface does not have the network address of that interface, then the packet is spoofed and the router can stop that packet at that point; however, if the attacker is spoofing an IP address of a host on the same network (most likely in the attacks where they will be sniffing the replies), then this technique is not really helpful. The same logic can be used for an incoming packet; if a packet destined for an interface has a source address of the same network as the interface, then it is a spoofed packet. Routers can detect spoofed packets only when the packets pass through them, and if the target and attacker are both on the same subnet then this technique does not work.

Hosts receiving a suspicious packet can also use certain techniques to determine whether or not the IP address is spoofed. The first (and easiest) one is to send a request to the address of the packet and wait for the response; most of the time the spoofed addresses do not belong to active hosts and hence no response is sent.

Another method is to check the Time to Live (TTL) value of the packet, and then send a request to the spoofed host. If the reply comes, you can compare the TTL of both packets. Most probably the TTL values will not match. But of course it is also possible that these TTL values are the same but the packet is coming from a different source, and conversely.

Packets generated by different operating systems differ slightly in the values of certain fields; for example, in Internet Control Message Protocol (ICMP) ping packets, you can examine the data payload to determine the operating system. Windows fills the packet with letters of the alphabet, whereas Linux puts numbers in the data portion. If the suspicious packet does not have the same characteristics as the legitimate packet, that is evidence it was not sent from the IP address that is in its source address field. You can also use IP identification numbers to determine whether a packet is actually coming from the said source.

For legitimate packets the IP ID is close in value, but this method is not reliable because the attacker can ping the said source and determine the IP ID that it is using, and then craft packets that will seem legitimate. In all these techniques we are trying to determine only whether or not a packet is spoofed, and taking all these steps for all packets would be prohibitive from an overhead standpoint. Thus you should either randomly check packets or determine some suspicious activity that would trigger further investigation for spoofed-packet detection. The next section addresses measures you can take to trace a spoofed packet back to its real source.
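The host-side checks above (probe the claimed source and see whether it answers, compare TTLs, compare the payload style and the IP ID) combined into one plausibility test, as an added Python example that is not the paper's code. The packet records and the probe reply are constructed. One assumption is added to turn "compare the TTLs" into something comparable across operating systems: the observed TTL is mapped to the nearest common initial TTL (32, 64, 128 or 255) so that the two packets are compared by estimated hop count rather than by raw TTL, which otherwise differs whenever the two senders start from different initial values.

```python
"""Host-side plausibility test for a suspicious packet. Added example, not the
paper's code; packet records and the probe reply are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: senders start at one of these initial TTLs, so the smallest one
# that is >= the observed TTL gives the number of hops travelled.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass
class Packet:
    src: str
    ttl: int
    ip_id: int
    payload: bytes


def hop_count(ttl: int) -> int:
    """Estimated hops from the observed TTL (see the INITIAL_TTLS assumption)."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL {ttl} out of range")


def payload_style(payload: bytes) -> str:
    """Classify an ICMP echo payload the way the text does: Windows fills it
    with letters of the alphabet, Linux with a running byte sequence."""
    if payload and all(0x61 <= b <= 0x7A for b in payload):
        return "letters"
    if (payload and payload[0] + len(payload) <= 256
            and payload == bytes(range(payload[0], payload[0] + len(payload)))):
        return "sequence"
    return "other"


def ip_id_distance(a: int, b: int) -> int:
    """Distance between two 16-bit IP IDs, allowing for wrap-around."""
    d = abs(a - b) % 65536
    return min(d, 65536 - d)


def assess(suspect: Packet, probe_reply: Optional[Packet], id_window: int = 64) -> List[str]:
    """Compare the suspect packet with a reply solicited from the address it
    claims to come from. Returns findings; an empty list means nothing odd."""
    if probe_reply is None:
        return ["claimed source did not answer the probe"]
    findings: List[str] = []
    hs, hp = hop_count(suspect.ttl), hop_count(probe_reply.ttl)
    if hs != hp:
        findings.append(f"hop count mismatch: suspect {hs}, probe reply {hp}")
    if payload_style(suspect.payload) != payload_style(probe_reply.payload):
        findings.append("payload style differs from the probe reply")
    if ip_id_distance(suspect.ip_id, probe_reply.ip_id) > id_window:
        findings.append(f"IP ID {suspect.ip_id} far from the source's {probe_reply.ip_id}")
    return findings


# Constructed sample traffic: the real 192.0.2.10 is a Linux-style host 7 hops
# away; the suspect claims that address but looks like a Windows host 12 hops away.
PROBE_REPLY = Packet("192.0.2.10", ttl=57, ip_id=4100, payload=bytes(range(0x10, 0x30)))
SUSPECT = Packet("192.0.2.10", ttl=116, ip_id=30000, payload=b"abcdefghijklmnopqrstuvwabcdefghi")
LEGIT = Packet("192.0.2.10", ttl=57, ip_id=4130, payload=bytes(range(0x10, 0x30)))

if __name__ == "__main__":
    print(assess(SUSPECT, PROBE_REPLY))   # three findings
    print(assess(LEGIT, PROBE_REPLY))     # no findings
    print(assess(SUSPECT, None))
```

As the text warns, each finding is only evidence, not proof: an attacker who has probed the real host can match its IP ID window, and two different paths can happen to have the same hop count, so these checks are best reserved for packets that other signals have already flagged.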
TRACING SPOOFED IP PACKETS

IP trace-back technology plays an important role in discovering the source of spoofed packets. Hop-by-hop trace back and logging of suspicious packets in routers are the two main methods for tracing spoofed IP packets back to their source. When a node detects that it is a victim of a flood attack, it can inform the Internet Service Provider (ISP). In flood attacks the ISP can determine the router that is sending this stream to the victim, and then it can determine the next router, and so on. It reaches either the source of the flood attack or the end of its administrative domain; in that case it can ask the ISP for the next domain to do the same thing. This technique is useful only if the flood is ongoing.

As mentioned earlier, a router has an idea of the IP addresses that should be arriving at its interfaces. If it sees any packet that does not seem to belong to the address range for its interface, it can log the packet as suspicious. Appropriately timed broadcasts among different domains to detect spoofed packets can help administrators of different networks trace spoofed IP packets back to their source.
IP SPOOFING AND IPV6

IP spoofing detection, or in other words validating the source address of an IPv6 packet, is a little more complicated than the process for IPv4. A host using IPv6 may potentially have multiple addresses. Again the problem inside the Local Area Network is to associate the IPv6 address with the Layer 2 or MAC address. Among peers on the same network, you can use Neighbor Discovery or Secure Neighbor Discovery (SEND) advertisements to verify the source address in a packet. You can verify source addresses of packets arriving from nodes outside the network by using the Authentication Header (AH) in IPv6 datagrams. You can use agreed-upon parameters between source and destination to calculate authentication information on header fields that do not change during transit.

Although this process will not prevent someone from signing a spoofed address, it does provide a means to authenticate the identity of the source. IPv6 and IPv4 network interconnections will likely face spoofing problems. IPv6 packets are usually encapsulated in IPv4 packets to travel across networks that do not support IPv6. The IPv6 interim mechanism "6to4" [10, 11] uses automatic IPv6-to-IPv4 tunneling to interconnect networks using different IP versions. This mechanism uses 6to4 routers and 6to4 relay routers that accept and decapsulate IPv4 traffic from anywhere. There are no constraints on such embedded packets. Relay routers act as bridges between IPv6 and 6to4 networks and can be tricked into sending spoofed traffic anywhere. Also, anyone can send tunneled spoofed traffic to a 6to4 router, and the router will believe that it is coming from a legitimate relay. There is no simple way to prevent such attacks, and longer-term solutions are needed in both IPv6 and IPv4 networks.
IP SPOOFING (IP ADDRESS FORGERY OR A HOST FILE HIJACK)

IP spoofing, also known as IP address forgery or a host file hijack, is a hijacking technique in which a cracker masquerades as a trusted host to conceal his identity, spoof a Web site, hijack browsers, or gain access to a network. Here's how it works: the hijacker obtains the IP address of a legitimate host and alters packet headers so that the legitimate host appears to be the source.

When IP spoofing is used to hijack a browser, a visitor who types in the URL (Uniform Resource Locator) of a legitimate site is taken to a fraudulent Web page created by the hijacker. For example, if the hijacker spoofed the Library of Congress Web site, then any Internet user who typed in the URL www.loc.gov would see spoofed content created by the hijacker. If a user interacts with dynamic content on a spoofed page, the hijacker can gain access to sensitive information or computer or network resources. He could steal or alter sensitive data, such as a credit card number or password, or install malware. The hijacker would also be able to take control of a compromised computer to use it as part of a zombie army in order to send out spam.

Web site administrators can minimize the danger that their IP addresses will be spoofed by implementing hierarchical or one-time passwords and data encryption/decryption techniques. Users and administrators can protect themselves and their networks by installing and implementing firewalls that block outgoing packets with source addresses that differ from the IP address of the user's computer or internal network.
THE TOP FIVE WAYS TO PREVENT IP SPOOFING

Computerworld - The term "spoofing" is generally regarded as slang, but refers to the act of fooling -- that is, presenting a false truth in a credible way. There are several different types of spoofing that occur, but most relevant to networking is the IP spoof.

Most types of spoofing have a common theme: a nefarious user transmits packets with an IP address indicating that the packets are originating from another, trusted machine. The first step in spoofing is determining the IP address of a host the intended target trusts.

After that, the attacker can change the headers of packets to make it seem like the transmissions are originating from the trusted machine.

What sorts of attacks are launched through IP spoofing? To name a few:

• Blind spoofing: In this type of attack, a cracker outside the perimeter of the local network transmits multiple packets to his intended target to receive a series of sequence numbers, which are generally used to assemble packets in the order in which they were intended -- Packet 1 is to be read first, then Packet 2, 3 and so on.
  The cracker is blind to how transmissions take place on this network, so he needs to coax the machine into responding to his own requests so he can analyze the sequence numbers.
  By taking advantage of knowing the sequence number, the cracker can falsify his identity by injecting data into the stream of packets without having to have authenticated himself when the connection was first established. (Generally, current operating systems employ random sequence number generation, so it's more difficult for crackers to predict the correct sequence number.)
• Nonblind spoofing: In this type of attack, the cracker resides on the same subnet as his intended target, so by sniffing the wire for existing transmissions, he can understand an entire sequence/acknowledge cycle between his target and other hosts (hence the cracker isn't "blind" to the sequence numbers).
  Once the sequence is known, the attacker can hijack sessions that have already been built by disguising himself as another machine, bypassing any sort of authentication that was previously conducted on that connection.
• Denial-of-service attack: To keep a large-scale attack on a machine or group of machines from being detected, spoofing is often used by the malefactors responsible for the event to disguise the source of the attacks and make it difficult to shut off.
  Spoofing takes on a whole new level of severity when multiple hosts are sending constant streams of packets to the DoS target. In that case, all the transmissions are generally spoofed, making it very difficult to track down the sources of the storm.
• Man-in-the-middle attack: Imagine two hosts participating in normal transmissions between each other. In a man-in-the-middle attack, a malicious machine intercepts the packets sent between these machines, alters the packets and then sends them on to the intended destination, with the originating and receiving machines unaware their communications have been tampered with; this is where the spoofing element enters the equation.
  Typically, this type of attack is used to get targets to reveal secure information and continue such transmissions for a period of time, all the while unaware that the machine in the middle of the transmission is eavesdropping the whole time.

Spoofing, while mostly negative, has some more or less legitimate applications. Satellite Internet access is one. Packets going to orbit and coming back have a relatively long latency, and there are a lot of protocols in common use that don't take well to this delay. Satellite providers may spoof these protocols, including IP, so that each end of a packet flow receives acknowledgment packets without much delay.

Also, since VPN applications are particularly prone to problems with latency, special software from these providers generally performs more "accepted" spoofing.

But the bad kind of spoofing can be controlled. There are five things, among others, that you can do to help prevent IP spoofing and its related attacks from affecting your network:

1. Use authentication based on key exchange between the machines on your network; something like IPsec will significantly cut down on the risk of spoofing.
2. Use an access control list to deny private IP addresses on your downstream interface.
3. Implement filtering of both inbound and outbound traffic.
4. Configure your routers and switches, if they support such configuration, to reject packets originating from outside your local network that claim to originate from within.
5. Enable encryption sessions on your router so that trusted hosts that are outside your network can securely communicate with your local hosts.

IP spoofing is a difficult problem to tackle, because it is related to the IP packet structure. IP packets can be exploited in several ways. Because attackers can hide their identity with IP spoofing, they can make several network attacks. Although there is no easy solution for the IP spoofing problem, you can apply some simple proactive and reactive methods at the nodes, and use the routers in the network to help detect a spoofed packet and trace it back to its originating source.





TECHNICAL DISCUSSION
To completely understand how these attacks can take place, one must examine the
structure of the TCP/IP protocol suite. A basic understanding of these headers and network
exchanges is crucial to the process.

INTERNET PROTOCOL - IP
Internet Protocol (IP) is a network protocol operating at layer 3 (network) of the OSI
model. It is a connectionless model: no information regarding transaction state is carried,
only what is used to route packets on a network. Additionally, there is no method in place to
ensure that a packet is properly delivered to the destination.

Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the
header) contain various information about the packet. The next 8 bytes (the next 2 rows),
however, contain the source and destination IP addresses. Using one of several tools, an
attacker can easily modify these addresses, specifically the 'source address' field. It's
important to note that each datagram is sent independently of all others due to the stateless
nature of IP. Keep this fact in mind as we examine TCP in the next section.

TRANSMISSION CONTROL PROTOCOL - TCP
IP can be thought of as a routing wrapper for layer 4 (transport), which contains the
Transmission Control Protocol (TCP). Unlike IP, TCP uses a connection-oriented design. This
means that the participants in a TCP session must first build a connection - via the 3-way
handshake (SYN-SYN/ACK-ACK) - and then update one another on progress - via sequences and
acknowledgements. This 'conversation' ensures data reliability, since the sender receives an
acknowledgement (ACK) from the recipient after each packet exchange.

As you can see above, a TCP header is very different from an IP header. We are
concerned with the first 12 bytes of the TCP packet, which contain port and sequencing
information. Much like an IP datagram, TCP packets can be manipulated using software. The
source and destination ports normally depend on the network application in use (for example,
HTTP via port 80). What's important for our understanding of spoofing are the sequence and
acknowledgement numbers. The data contained in these fields ensures packet delivery by
determining whether or not a packet needs to be resent. The sequence number is the number of
the first byte in the current packet, relative to the data stream. The acknowledgement number,
in turn, contains the value of the next expected sequence number in the stream. This
relationship confirms, on both ends, that the proper packets were received. It is quite
different from IP, since transaction state is closely monitored.
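As an added illustration (this code is not part of the paper), the following Python decodes the 20-byte TCP header discussed above and checks the sequence/acknowledgement relationship over a constructed exchange: every ACK must equal the next sequence number the other side is due to send, with SYN and FIN each consuming one number in addition to the payload bytes. The port numbers, initial sequence numbers and the 16-byte request are made-up sample values.

```python
import struct
from typing import FrozenSet, NamedTuple

# Bit positions of the TCP flags byte (RFC 793 order, low bit first).
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


class TcpHeader(NamedTuple):
    src_port: int
    dst_port: int
    seq: int          # sequence number of the first payload byte
    ack: int          # next sequence number expected from the peer
    data_offset: int  # header length in 32-bit words
    flags: FrozenSet[str]
    window: int
    checksum: int
    urgent: int


def parse_tcp_header(data: bytes) -> TcpHeader:
    """Decode the fixed 20-byte TCP header; bytes 0-11 hold the ports, seq and ack."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_res, bits, win, csum, urg = struct.unpack("!HHIIBBHHH", data[:20])
    data_offset = off_res >> 4
    if data_offset < 5 or data_offset * 4 > len(data):
        raise ValueError("bad data offset")
    flags = frozenset(n for i, n in enumerate(FLAG_NAMES) if bits & (1 << i))
    return TcpHeader(src, dst, seq, ack, data_offset, flags, win, csum, urg)


def build_tcp_header(src, dst, seq, ack, flags, window=65535) -> bytes:
    """Build a 20-byte header for the constructed sample exchange (checksum left zero)."""
    bits = sum(1 << FLAG_NAMES.index(f) for f in flags)
    return struct.pack("!HHIIBBHHH", src, dst, seq, ack, 5 << 4, bits, window, 0, 0)


def next_expected_seq(hdr: TcpHeader, payload_len: int) -> int:
    """Sequence number the peer must acknowledge next: payload bytes plus one each for SYN and FIN."""
    consumed = payload_len + ("SYN" in hdr.flags) + ("FIN" in hdr.flags)
    return (hdr.seq + consumed) & 0xFFFFFFFF


def verify_ack_chain(segments):
    """segments: (direction, raw_header, payload_len) in wire order, direction 'c2s' or 's2c'.
    For every segment carrying ACK, report whether its ack equals the next sequence number
    the other side is due to send, which is the relationship described in the text."""
    expected = {}
    results = []
    for direction, raw, plen in segments:
        hdr = parse_tcp_header(raw)
        peer = "c2s" if direction == "s2c" else "s2c"
        if "ACK" in hdr.flags:
            results.append(hdr.ack == expected.get(peer))
        expected[direction] = next_expected_seq(hdr, plen)
    return results


# Constructed three-way handshake followed by a 16-byte request and its acknowledgement.
CLIENT_ISN, SERVER_ISN = 1000, 5000
SAMPLE_EXCHANGE = [
    ("c2s", build_tcp_header(40000, 80, CLIENT_ISN, 0, {"SYN"}), 0),
    ("s2c", build_tcp_header(80, 40000, SERVER_ISN, CLIENT_ISN + 1, {"SYN", "ACK"}), 0),
    ("c2s", build_tcp_header(40000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, {"ACK"}), 0),
    ("c2s", build_tcp_header(40000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, {"PSH", "ACK"}), 16),
    ("s2c", build_tcp_header(80, 40000, SERVER_ISN + 1, CLIENT_ISN + 17, {"ACK"}), 0),
]

if __name__ == "__main__":
    for d, raw, plen in SAMPLE_EXCHANGE:
        h = parse_tcp_header(raw)
        print(d, sorted(h.flags), "seq", h.seq, "ack", h.ack, "len", plen)
    print(verify_ack_chain(SAMPLE_EXCHANGE))
```

A receiver that keeps this expected-sequence state is exactly what a spoofer without a view of the stream has to guess; an ACK that does not match is discarded.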




CONSEQUENCES OF THE TCP/IP DESIGN
Now that we have an overview of the TCP/IP formats, let's examine the consequences.
Obviously, it's very easy to mask a source address by manipulating an IP header. This technique
is used for obvious reasons and is employed in several of the attacks discussed below. Another
consequence, specific to TCP, is sequence number prediction, which can lead to session
hijacking or host impersonation. This method builds on IP spoofing, since a session, albeit a
false one, is built. We will examine the ramifications of this in the attacks discussed below.
SPOOFING ATTACKS
There are a few variations on the types of attacks that successfully employ IP spoofing.
Although some are relatively dated, others are very pertinent to current security concerns.
NON-BLIND SPOOFING
This type of attack takes place when the attacker is on the same subnet as the victim. The
sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of
calculating them accurately. The biggest threat of spoofing in this instance would be session
hijacking. This is accomplished by corrupting the datastream of an established connection, then
re-establishing it based on correct sequence and acknowledgement numbers with the attack
machine. Using this technique, an attacker could effectively bypass any authentication measures
that took place to build the connection.
BLIND SPOOFING
This is a more sophisticated attack, because the sequence and acknowledgement numbers
are unreachable. In order to circumvent this, several packets are sent to the target machine in
order to sample sequence numbers. While not the case today, machines in the past used basic
techniques for generating sequence numbers. It was relatively easy to discover the exact formula
by studying packets and TCP sessions. Today, most OSs implement random sequence number
generation, making it difficult to predict them accurately. If, however, the sequence number were
compromised, data could be sent to the target. Several years ago, many machines used host-
based authentication services (i.e. Rlogin). A properly crafted attack could add the requisite data
to a system (i.e. a new user account), blindly, enabling full access for the attacker who was
impersonating a trusted host.
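The contrast the text draws between old and current sequence-number generation is shown below in Python as an added example (not code from the paper): a legacy generator that advances a single counter by a fixed step per connection, next to the keyed-hash scheme of RFC 6528 that current stacks use. The constant-delta check is the kind of test a monitoring tool can run on the initial sequence numbers (ISNs) it observes from a host to judge whether its generator is of the old kind. The addresses, ports, step size, the fixed demo secret and the use of HMAC-SHA256 in place of the MD5 named in the RFC are all assumptions made for this example.

```python
import hashlib
import hmac
import os


class LegacyIsnGenerator:
    """Older stacks derived the ISN from a global counter advanced by a fixed amount
    (per connection and per unit of time); a few observed ISNs reveal the rule."""

    def __init__(self, start: int = 0x10000000, step: int = 64):
        self.counter = start
        self.step = step

    def isn(self, local_ip, local_port, remote_ip, remote_port, clock_us):
        self.counter = (self.counter + self.step) & 0xFFFFFFFF
        return self.counter


class Rfc6528IsnGenerator:
    """ISN = M + F(localip, localport, remoteip, remoteport, secret), where M is a clock
    that ticks every 4 microseconds and F is a keyed hash. RFC 6528 specifies MD5;
    HMAC-SHA256 is substituted here purely for illustration."""

    def __init__(self, secret: bytes = None):
        self.secret = secret if secret is not None else os.urandom(32)

    def isn(self, local_ip, local_port, remote_ip, remote_port, clock_us):
        tup = f"{local_ip}:{local_port}:{remote_ip}:{remote_port}".encode()
        f = int.from_bytes(hmac.new(self.secret, tup, hashlib.sha256).digest()[:4], "big")
        m = (clock_us // 4) & 0xFFFFFFFF
        return (m + f) & 0xFFFFFFFF


def observe_isns(generator, count: int, clock_us: int = 1_000_000):
    """ISNs a server would hand out to `count` back-to-back connections from one client
    that uses a fresh ephemeral port each time (constructed documentation addresses)."""
    return [generator.isn("198.51.100.10", 80, "203.0.113.5", 50000 + i, clock_us + i)
            for i in range(count)]


def isn_looks_predictable(observed) -> bool:
    """Check a monitor can apply to ISNs seen from one host: if successive ISNs differ by a
    single constant (modulo 2**32), the generator is of the legacy, guessable kind."""
    if len(observed) < 3:
        return False
    deltas = {(b - a) & 0xFFFFFFFF for a, b in zip(observed, observed[1:])}
    return len(deltas) == 1


def compare_generators(secret: bytes = b"constructed-demo-secret") -> dict:
    """Run the same check against both generators; only the legacy one is flagged."""
    return {
        "legacy": isn_looks_predictable(observe_isns(LegacyIsnGenerator(), 8)),
        "rfc6528": isn_looks_predictable(observe_isns(Rfc6528IsnGenerator(secret), 8)),
    }


if __name__ == "__main__":
    print(compare_generators())
```

With the keyed hash, a host still gets monotonically increasing ISNs for the same connection tuple (the clock term M), so old duplicate segments stay out of new connections, while an observer of other tuples learns nothing about the next value.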








The term IP (Internet Protocol) address spoofing refers to the creation of IP packets with
a forged (spoofed) source IP address with the purpose of concealing the identity of the sender or
impersonating another computing system.

WHY IT WORKS?
IP spoofing works because trusted services rely only on network-address-based
authentication. Since IP is easily duped, address forgery is not difficult. The main reason is a
security weakness in the TCP protocol known as sequence number prediction. Every computer
connected to the network has its own unique IP address. When person A sends an e-mail to
person B, the mail is given a header that contains the IP addresses of the sender and the
receiver, so that the mail goes to person B and not to someone else.
This is how a fake IP address is created and a spoofing attack is carried out:

Now, in a private network, for security reasons, only limited mail is accepted, from reserved
(internal) IP addresses. In simple words, only internal communication works; a person from
outside cannot send mail into that network. So if an attacker wants to send mail inside, he will
spoof the IP address. He first sniffs the data packets of the internal communication and steals
some internal e-mail. Then he alters the header of the mail, changes the content of the mail and
sends this mail to the network again. The system cannot provide security against this, because
the mail carries an internal, though fake, IP address.
MAN IN THE MIDDLE ATTACK
Both types of spoofing are forms of a common security violation known as a man-in-the-
middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate communication
between two friendly parties. The malicious host then controls the flow of communication and
can eliminate or alter the information sent by one of the original participants without the
knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim
into disclosing confidential information by 'spoofing' the identity of the original sender, who is
presumably trusted by the recipient.
DENIAL OF SERVICE ATTACK
IP spoofing is almost always used in what is currently one of the most difficult attacks to
defend against: denial of service attacks, or DoS. Since crackers are concerned only with
consuming bandwidth and resources, they need not worry about properly completing handshakes
and transactions. Rather, they wish to flood the victim with as many packets as possible in a
short amount of time. In order to prolong the effectiveness of the attack, they spoof source IP
addresses to make tracing and stopping the DoS as difficult as possible. When multiple
compromised hosts are participating in the attack, all sending spoofed traffic, it is very
challenging to block the traffic quickly.
MISCONCEPTIONS OF IP SPOOFING
While some of the attacks described above are a bit outdated, such as session hijacking
of host-based authentication services, IP spoofing is still prevalent in network scanning and
probes, as well as denial of service floods. However, the technique does not allow for
anonymous Internet access, which is a common misconception among those unfamiliar with the
practice. Any sort of spoofing beyond simple floods is relatively advanced and used in very
specific instances such as evasion and connection hijacking.
DEFENDING AGAINST SPOOFING
There are a few precautions that can be taken to limit IP spoofing risks on your network,
such as:
FILTERING AT THE ROUTER
Implementing ingress and egress filtering on your border routers is a great place to start
your spoofing defense. You will need to implement an ACL (access control list) that blocks
private IP addresses on your downstream interface. Additionally, this interface should not accept
addresses with your internal range as the source, as this is a common spoofing technique used to
circumvent firewalls. On the upstream interface, you should restrict source addresses outside of
your valid range, which will prevent someone on your network from sending spoofed traffic to
the Internet.
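The filtering policy of this section and of points 2 to 4 in the earlier five-point list is written out below in Python as an added example (not the paper's code): a decision function for a border router's two interfaces, plus a renderer that emits the same policy as IOS-style numbered access-list lines with wildcard masks. The site prefix and the sample packets are constructed; the list of special-use source ranges goes a little beyond the text's "private addresses" by also covering loopback, link-local and the 0.0.0.0/8 block, and the ACL numbers are arbitrary.

```python
from ipaddress import ip_address, ip_network

# Constructed site: the address block the site legitimately uses (RFC 5737 documentation range).
SITE_PREFIXES = [ip_network("198.51.100.0/24")]

# Private and special-use blocks that must never appear as a source on the Internet side.
BOGON_PREFIXES = [ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def filter_decision(direction: str, src: str):
    """Return (verdict, reason) for a packet's source address.

    direction 'ingress' = arriving from the Internet on the interface the text calls
    downstream; 'egress' = leaving toward the Internet via the upstream interface."""
    addr = ip_address(src)
    if direction == "ingress":
        if _in_any(addr, BOGON_PREFIXES):
            return "drop", "private/special-use source arriving from the Internet"
        if _in_any(addr, SITE_PREFIXES):
            return "drop", "external packet claims one of our own addresses as source"
        return "permit", "plausible external source"
    if direction == "egress":
        if not _in_any(addr, SITE_PREFIXES):
            return "drop", "source is not ours; would be spoofed traffic leaving the site"
        return "permit", "source belongs to the site"
    raise ValueError(f"unknown direction {direction!r}")


def render_ios_acl(number_in: int = 110, number_out: int = 120):
    """Render the same policy as IOS-style numbered ACL lines (network + wildcard mask)."""
    lines = []
    for net in BOGON_PREFIXES + SITE_PREFIXES:
        lines.append(f"access-list {number_in} deny ip {net.network_address} {net.hostmask} any log")
    lines.append(f"access-list {number_in} permit ip any any")
    for net in SITE_PREFIXES:
        lines.append(f"access-list {number_out} permit ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {number_out} deny ip any any log")
    return lines


# Constructed packets: (direction, source address).
SAMPLE_PACKETS = [
    ("ingress", "10.1.2.3"),        # private source from the Internet
    ("ingress", "198.51.100.7"),    # outsider claiming an inside address
    ("ingress", "203.0.113.9"),     # ordinary external client
    ("egress", "203.0.113.9"),      # inside host sending with a foreign source
    ("egress", "198.51.100.7"),     # ordinary outbound packet
]


def verdicts(packets=SAMPLE_PACKETS):
    return [filter_decision(d, s)[0] for d, s in packets]


if __name__ == "__main__":
    for (d, s), v in zip(SAMPLE_PACKETS, verdicts()):
        print(d, s, "->", v, filter_decision(d, s)[1])
    print("\n".join(render_ios_acl()))
```

Apply ACL 110 inbound on the Internet-facing interface and ACL 120 inbound on the inside-facing interface; the egress rule is what keeps your own hosts from becoming the spoofed source in someone else's flood.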
ENCRYPTION AND AUTHENTICATION
Implementing encryption and authentication will also reduce spoofing threats. Both of
these features are included in IPv6, which will eliminate current spoofing threats. Additionally,
you should eliminate all host-based authentication measures, which are sometimes common for
machines on the same subnet. Ensure that the proper authentication measures are in place and
carried out over a secure (encrypted) channel. IP spoofing is a problem without an easy solution,
since it is inherent to the design of the TCP/IP suite. Understanding how and why spoofing
attacks are used, combined with a few simple prevention methods, can help protect your network
from these malicious cloaking and cracking techniques.
TCP/IP SUITE WEAKNESS
Communication on the Internet is based on the Transmission Control Protocol/Internet
Protocol (TCP/IP) protocol suite. The TCP/IP protocol suite was developed in the mid-1970s as
part of research by the Defense Advanced Research Projects Agency (DARPA). With the
introduction of personal computers as standalone devices, the strategic importance of
interconnected networks was quickly realized. The strategic importance of networks was first
realized in the development of local-area networks (LANs) that shared printers and hard drives.
The importance of networks increased in a second phase with the development of worldwide
applications such as e-mail and file transfers.
The globalization of business caused web applications to be developed to support
customers and clients all over the world with a focus on increasing efficiency and productivity
for organizations. Now TCP/IP is seen as the de jure standard for Internet communication,
enabling millions of users to communicate globally. Computer systems in general communicate
with each other by sending streams of data (bytes), as displayed in Figure 1.
Figure 1. Internet Communication

NOTE
A byte is a sequence of 8 bits, which is often represented as a decimal number from 0 to
255. Bytes are used by computer systems to communicate with each other. Multiple bytes
characterize a data stream of information. Errors in a data stream are detected by a checksum,
which is a mathematic/arithmetic sum of a sequence of numbers.
This section presents a brief overview of the IP protocol and TCP protocol characteristics
and then examines some of the TCP/IP weaknesses. Readers should not expect a full description
of the TCP/IP protocol suite, but rather information relevant to a discussion of the weaknesses.
Figure 2 maps the TCP/IP protocol stack to the OSI model and serves as a framework for the
discussion.
Figure 2. TCP/IP Protocol Mapped to the OSI Model

As you can see from Figure 2, four layers of the TCP/IP protocol stack map to seven
layers of the OSI model.

IP
The IP layer of the TCP/IP stack corresponds to the OSI network layer. IP is a
connectionless protocol providing routing of datagrams in a best-effort manner. The following
sections present topics that will help you to further understand the design weaknesses of the
protocol. The IP datagram is a combination of a number of bytes (IP header) that prefixes the
data received from the transport (and higher) layer. Figure 3 shows the complete IP header
format, but only the relevant fields are discussed.
Figure 3. IP Datagram Format

IP addressing (both the source IP address and the destination IP address) is used to
identify the end stations involved in the transport of datagrams for communication.
End stations with source IP addresses and destination IP addresses on the same segment
have direct delivery of packets. When source and destination end stations are not on the same
network, there can be multiple paths. Path selection and decision is made by specialized
computer systems whose primary function is routing network traffic. These systems are referred
to as routers for the remainder of this discussion.
The IP fragmentation offset is used to keep track of the different parts of a datagram. Splitting
larger datagrams may be necessary as they travel from one router to the next router in a small-
packet network, for example, because of interface hardware limitations. The information or
content in the offset field is used at the destination to reassemble the datagrams. All such
fragments have the same Identification field value, and the fragmentation offset indicates the
position of the current fragment in the context of the original packet. Also important to keep in
mind is the existence of the IP Options field. This makes the IP header variable in length. Table 1
lists all the fields of the IP header.
Table 1. IP Header Fields
1. Version: Indicates the format of the Internet header (4 bits)
2. Internet Header Length (IHL): Specifies the length of the Internet header in 32-bit words
(4 bits)
3. Type of Service: Provides an indication of the abstract parameters of the quality of service
desired (8 bits)
4. Total Length: Specifies the length of the datagram, measured in octets (16 bits)
5. Identification: Value assigned by the sender to aid in assembling the fragments (16 bits)
6. Flags: Various control flags (3 bits)
7. Fragment Offset: Indicates where in the datagram this fragment belongs (13 bits)
8. Time to Live: Indicates the maximum time the datagram is allowed to remain in the
Internet system (8 bits)
9. Protocol: Indicates the next level protocol used (8 bits)
10. Header Checksum: A checksum on the header (16 bits)
11. Source Address: The source IP address (32 bits)
12. Destination Address: The destination IP address (32 bits)
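As an added example (not code from the paper), the following Python decodes every field of Table 1 from a raw header, which also makes concrete the byte layout given in the Technical Discussion (12 bytes of general fields, then the source and destination addresses), verifies the header checksum with the RFC 1071 one's-complement sum, and converts the Fragment Offset field to bytes. The sample header is constructed with RFC 5737 documentation addresses; the identification value and payload length are arbitrary.

```python
import struct
from ipaddress import IPv4Address


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, as used for the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields of Table 1. Bytes 0-11 are version through checksum, bytes 12-15
    the source address and bytes 16-19 the destination; options follow when IHL > 5."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or ihl * 4 > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    flags = flags_frag >> 13
    return {
        "version": version,
        "ihl": ihl,
        "type_of_service": tos,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags & 0b010),
        "more_fragments": bool(flags & 0b001),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # the field counts 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "header_checksum": csum,
        "source": IPv4Address(src),
        "destination": IPv4Address(dst),
        "options": pkt[20:ihl * 4],
        # A valid header sums to zero once its own checksum field is included.
        "checksum_ok": internet_checksum(pkt[:ihl * 4]) == 0,
    }


def build_ipv4_header(src: str, dst: str, payload_len: int, protocol: int = 6,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Assemble a 20-byte header with a correct checksum for the constructed sample."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0b010 << 13,
                       ttl, protocol, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return head[:10] + struct.pack("!H", internet_checksum(head)) + head[12:]


# Constructed sample: a TCP datagram from 192.0.2.10 to 198.51.100.20 with 40 payload bytes.
SAMPLE_HEADER = build_ipv4_header("192.0.2.10", "198.51.100.20", payload_len=40)


def corrupted_copy(pkt: bytes) -> bytes:
    """The same header with the TTL byte (offset 8) altered and the checksum left untouched."""
    b = bytearray(pkt)
    b[8] = (b[8] + 1) & 0xFF
    return bytes(b)


if __name__ == "__main__":
    for k, v in parse_ipv4_header(SAMPLE_HEADER).items():
        print(f"{k:18} {v}")
    print("corrupted checksum_ok:", parse_ipv4_header(corrupted_copy(SAMPLE_HEADER))["checksum_ok"])
```

Note what the checksum does and does not give a defender: it catches a header damaged in transit, but a forged source address written before the checksum is computed passes it without complaint, which is why the text treats the address fields as trivially forgeable.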



NOTE
RFC 791, Internet Protocol, provides additional information on the IP protocol.
In current network designs, more flexibility is offered to the users. Mobile IP, for
instance, maintains network transport layer connections for network hosts moving from one
point of attachment to another. Therefore, the mobile end station uses two IP addresses: one
home address, which is static, and a second address, which is the care-of address.
TCP
The TCP or transport layer of the TCP/IP stack corresponds to the OSI transport layer.
TCP is a connection-oriented protocol providing delivery of segments in a reliable manner. Some
TCP characteristics are highlighted in the next section because they might be used to exploit
some vulnerability in the TCP/IP protocol suite.
The TCP segment is a combination of a number of bytes (TCP header) that prefixes the
data received from the upper layers. Figure 4 shows the complete TCP header format, but as with
the discussion of the IP header, only the relevant fields are covered in this chapter.
Figure 4. TCP Segment Format

TCP uses port or socket numbers to pass information to the upper layers. This mech
anism enables the protocol to multiplex communication between different processes in the end
stations. In other words, the port numbers keep track of the different conversations crossing the
network at the same time. Port numbers assigned by the operating system are also called sockets.
Table 2 shows some examples of well-known port numbers.
Application layer -> Port Number
FTP -> 21
Telnet -> 23
SMTP -> 25
HTTP -> 80
HTTPS -> 443
NOTE
The port numbers are divided into three ranges: the Well-Known Ports, the Registered
Ports, and the Private Ports. All these ports can be found at the Internet Assigned Numbers
Authority (IANA) website at http://www.iana.org/assignments/port-numbers.
An established connection between two end stations can be uniquely identified by four
parameters: source and destination IP addresses and source and destination port numbers. It is
important to understand the underlying mechanism in order to configure extended access lists on
routers to implement pass/block filtering decisions based on these numbers. Firewalls can also be
configured to filter based on TCP ports.
Data exchange using TCP does not happen until a three-way handshake has been
successfully completed. The connection needs to be initialized or established first, on sequence
numbers. These numbers are used in multiple packet transmissions for reordering and to ensure
that no packets are missing. The Acknowledgment number defines the next expected TCP octet
and is used for reliability of the transmission. The sequence number in combination with the
Acknowledgment number serves as a ruler for the sliding window mechanism. This sliding
window mechanism uses the window field to define the size of the receiving buffers. In other
words, the window field is used to define the number of octets that the sender is willing to
accept.

NOTE
RFC 793, Transmission Control Protocol, and RFC 3168, The Addition of Explicit
Congestion Notification (ECN) to IP, provide additional information on the TCP protocol.
TCP/IP SECURITY ISSUES
Now that you understand some parameters of the TCP/IP protocol stack, it is easy to
understand that the TCP/IP suite has many design weaknesses. Most of its weaknesses are likely
due to the fact that the development of the protocol dates from the mid-1970s. Vendors of
network equipment and operating systems have made code improvements over time to disable
many of the attacks that are described in the following sections.
IP ADDRESS SPOOFING
In this type of attack, the attacker replaces the IP address of the sender, or in some rare
cases the destination, with a different address. IP spoofing is normally used to exploit a target
host. In other cases, it is used to start a denial-of-service (DoS) attack. As shown in Figure 5, in a
DoS attack, an attacker modifies the IP packet to mislead the target host into accepting the
original packet as a packet sourced at a trusted host. The attacker must know the IP address of
the trusted host to modify the packet headers (source IP address) so that it appears that the
packets are coming from that host.
Figure 5. DoS Attack Using IP Spoofing

For all DoS attacks launched against a host (the web server of Company XYZ in Figure 5), the
attacker is not interested in retrieving effective data or information from the intended victim. The
attacker has only one goal: to deny the use of the service that the web server provides to valid
users, without being revealed. Therefore, the return address or source IP address can be spoofed.
In Figure 5, the attacker has the IP address 168.12.25.5 and is connected to the Internet.
For normal traffic interaction between a workstation with a valid source IP address (168.12.25.5)
and the web server (132.12.25.1), the packet is constructed with a source IP address of
168.12.25.5 and a destination IP address of 132.12.25.1. The web server returns the web page
using the source IP address specified in the request as the destination IP address, 168.12.25.5,
and its own IP address as the source IP address, 132.12.25.1.
Let's now assume that a DoS attack is launched from the attacker's workstation on
Company XYZ's web server using IP spoofing. Imagine that a spoofed IP address of 156.12.25.4
is used by the workstation, which is a valid host. Company XYZ's web server executes the web
page request by sending the information or data to the IP address of what it believes to be the
originating end station (156.12.25.4). This workstation receives the unwanted connection
attempts from the web server, but it simply discards the received data. It is becoming clear that
multiple simultaneous attacks of this sort deny the use of the service that the web server provides
to valid users. As you can imagine, locating the origin of the attacker launching the DoS attack is
very complex when IP address spoofing is used.
COVERT CHANNELS
A covert or clandestine channel can be best described as a pipe or communication
channel between two entities that can be exploited by a process or application transferring
information in a manner that violates the system's security specifications.
More specifically for TCP/IP, in some instances, covert channels are established, and data can be
secretly passed between two end systems. Let's take Internet Control Message Protocol (ICMP)
as an example. In the following types of circumstances, ICMP messages are sent to provide error
and control mechanisms:
- Testing connectivity/reachability using datagrams: Echo and Echo-Reply messages
- Reporting unreachable destinations for datagrams: Destination Unreachable message
- Reporting buffer capacity problems for forwarding datagrams: Source Quench message
- Reporting route changes in the path for datagrams: Redirect messages
ICMP resides at the Internet layer of the TCP/IP protocol suite and is implemented in all
TCP/IP hosts. Based on the specifications of the ICMP protocol, an ICMP Echo Request
message should have an 8-byte header and a 56-byte payload. The ICMP Echo Request packet
should not carry any data in the payload. However, these packets are often used to carry secret
information. The ICMP packets are altered slightly to carry secret data in the payload. This
makes the size of the packet larger, but no control exists in the protocol stack to defeat this
behavior. The alteration of ICMP packets gives intruders the opportunity to program specialized
client-server pairs. These small pieces of code export confidential information without alerting
the network administrator. Blocking ICMP packets that exceed a certain limit size is the only
solution to protect against this vulnerability.
An example of a tool that uses this covert channel technique is Loki. The concept of the Loki
tool is simple: It is a client-server application that tunnels arbitrary information in the data
portion of ICMP_ECHO and ICMP_ECHOREPLY packets. Loki exploits the covert channel
that exists inside of ICMP_ECHO traffic. Figure 6 illustrates this tool.
Figure 6. Loki Tool

In general, covert channels are prevalent in nearly all the underlying protocols of the TCP/IP
protocol suite.
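The size-based control the text recommends for ICMP Echo traffic is shown below in Python as an added example (not code from the paper or from the Loki tool): it splits an ICMP message into its 8-byte header and payload, applies the 56-byte payload limit the text gives for a normal Echo, and returns the reasons a message deserves attention. The printable-text heuristic is an addition of mine, not something the text states: ordinary ping utilities fill the payload with a timestamp and a counting byte pattern, so a payload that is almost entirely readable text is worth a second look. Both sample messages are constructed, with the checksum left at zero because only sizes and content are examined.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
STANDARD_ECHO_PAYLOAD = 56   # payload size the text gives for a normal Echo Request


def parse_icmp(msg: bytes) -> dict:
    """Split an ICMP message into its 8-byte header (type, code, checksum, id, seq) and payload."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": typ, "code": code, "checksum": csum, "id": ident, "seq": seq, "payload": msg[8:]}


def echo_findings(msg: bytes, max_payload: int = STANDARD_ECHO_PAYLOAD) -> list:
    """Reasons an Echo message deserves attention; an empty list means it looks ordinary."""
    m = parse_icmp(msg)
    if m["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return []
    payload = m["payload"]
    findings = []
    if len(payload) > max_payload:
        findings.append(f"oversized echo payload: {len(payload)} bytes > {max_payload}")
    # Heuristic (assumed, not from the text): a payload that is almost all printable
    # text is more likely tunnelled data than the timestamp-plus-pattern fill of ping.
    if payload:
        printable = sum(32 <= b < 127 for b in payload)
        if printable / len(payload) > 0.9:
            findings.append("payload is mostly printable text")
    return findings


def should_block(msg: bytes, max_payload: int = STANDARD_ECHO_PAYLOAD) -> bool:
    """The filter the text recommends: drop Echo messages whose payload exceeds the limit."""
    m = parse_icmp(msg)
    return m["type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and len(m["payload"]) > max_payload


def make_echo(typ: int, payload: bytes, ident: int = 0x4242, seq: int = 1) -> bytes:
    """Constructed sample message; checksum left zero since only sizes and content are examined."""
    return struct.pack("!BBHHH", typ, 0, 0, ident, seq) + payload


# A normal ping: 8-byte timestamp followed by the counting pattern 0x10, 0x11, ... (48 bytes).
NORMAL_PING = make_echo(ICMP_ECHO_REQUEST, b"\x00" * 8 + bytes(range(0x10, 0x10 + 48)))
# An Echo Reply carrying 200 bytes of text, the shape of the covert channel described above.
TUNNELLED_PING = make_echo(ICMP_ECHO_REPLY, (b"chunk of exported report text " * 7)[:200])

if __name__ == "__main__":
    for name, msg in (("normal", NORMAL_PING), ("tunnelled", TUNNELLED_PING)):
        print(name, parse_icmp(msg)["type"], echo_findings(msg), "block:", should_block(msg))
```

A hard size limit is cheap and catches bulk tunnelling; it does not catch a tunnel that stays within 56 bytes per message, which is why the content heuristic, or simply rate-limiting Echo traffic per host, is worth layering on top.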
IP FRAGMENT ATTACKS

The TCP/IP protocol suite, or more specifically IP, allows the fragmentation of packets.
As discussed in the previous sections, the IP fragmentation offset is used to keep track of the
different parts of a datagram. The information or content in this field is used at the destination to
reassemble the datagrams. All such fragments have the same Identification field value, and the
fragmentation offset indicates the position of the current fragment in the context of the original
packet.
Many access routers and firewalls do not perform packet reassembly. In normal
operation, IP fragments do not overlap, but attackers can create artificially fragmented packets to
mislead the routers or firewalls. Usually, these packets are small and almost impractical for end
systems because of data and computational overhead.
Let's go into a little more detail. The ingeniously constructed second fragment of a
packet can have an offset value that is less than the length of the data in the first fragment. Upon
packet reassembly at the end station, the second fragment overrides several bytes of the first
fragment. These malformed IP packets cause the operating system at the end station to function
improperly or even to crash.
A good example of an IP fragmentation attack is the Ping of Death attack. The Ping of
Death attack sends fragments that, when reassembled at the end station, create a larger packet
than the maximum permissible length.
One of the uses of this attack is to get past intrusion detection system (IDS) sensors. The
individual fragments do not match any known signature, but after the overlapping fragments
overwrite some data, the result is an attack that can be recognized. Decent IP filtering code and
configuration are required at the access router and firewalls to be assured that these attacks are
blocked. These devices need to enforce a minimum fragment offset for fragments that have
nonzero offsets so that overlaps can be prevented.
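The checks this section asks of a router or firewall are written out below in Python as an added example (not the paper's code): the fragments of each datagram are examined in offset order for overlap with bytes already covered, for a reassembled size beyond the 65535-byte maximum (the Ping of Death pattern), and for a non-zero offset below a minimum. The minimum offset of 16 bytes is an assumed policy value; the check that a non-final fragment's length is a multiple of 8 is a requirement of the IP format that the text does not mention, and the four fragment sets are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # largest total length an IP datagram may have
IP_HEADER_LEN = 20


@dataclass(frozen=True)
class Fragment:
    ident: int     # IP Identification field shared by all fragments of one datagram
    offset: int    # Fragment Offset converted to bytes (field value * 8)
    length: int    # payload bytes carried by this fragment
    more: bool     # MF flag: set on every fragment but the last


def check_fragments(fragments, min_nonzero_offset: int = 16):
    """Examine the fragments of each datagram in offset order and report the conditions the
    text says a filter should catch. min_nonzero_offset is an assumed policy value: a fragment
    with a small non-zero offset can only serve to overwrite the transport header."""
    findings = []
    groups = defaultdict(list)
    for f in fragments:
        groups[f.ident].append(f)
    for ident, group in groups.items():
        group.sort(key=lambda f: f.offset)
        end_so_far = 0
        for f in group:
            if f.offset and f.offset < min_nonzero_offset:
                findings.append(f"id {ident}: tiny fragment offset {f.offset} (< {min_nonzero_offset})")
            if f.more and f.length % 8:
                findings.append(f"id {ident}: non-final fragment length {f.length} is not a multiple of 8")
            if f.offset < end_so_far:
                findings.append(f"id {ident}: overlap, fragment at offset {f.offset} rewrites bytes "
                                f"{f.offset}-{end_so_far - 1} already covered")
            end_so_far = max(end_so_far, f.offset + f.length)
        if end_so_far + IP_HEADER_LEN > MAX_DATAGRAM:
            findings.append(f"id {ident}: reassembled size {end_so_far + IP_HEADER_LEN} exceeds "
                            f"{MAX_DATAGRAM} (Ping of Death pattern)")
        if group[-1].more:
            findings.append(f"id {ident}: last fragment missing")
    return findings


# Constructed fragment sets (offsets and lengths in bytes).
NORMAL = [Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True), Fragment(1, 2960, 500, False)]
OVERLAP = [Fragment(2, 0, 1480, True), Fragment(2, 1400, 600, False)]      # second rewrites the first
OVERSIZED = [Fragment(3, 0, 1480, True), Fragment(3, 65528, 100, False)]   # reassembles past 65535
TINY = [Fragment(4, 0, 8, True), Fragment(4, 8, 1400, False)]               # 8-byte first fragment

if __name__ == "__main__":
    for name, fs in (("normal", NORMAL), ("overlap", OVERLAP), ("oversized", OVERSIZED), ("tiny", TINY)):
        print(name, check_fragments(fs) or "ok")
```

A device that cannot reassemble can still apply the per-fragment rules (tiny offset, length alignment, offset plus length past the maximum) statelessly; the overlap rule needs the small amount of per-datagram state kept here.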
TCP FLAGS

As discussed previously, data exchange using TCP does not happen until a three-way
handshake has been successfully completed. This handshake uses different flags to influence the
way TCP segments are processed. There are 6 bits in the TCP header that are often called flags.
In Figure 4, six different flags are part of the TCP header: Urgent pointer field (URG),
Acknowledgment field (ACK), Push function (PSH), Reset the connection (RST), Synchronize
sequence numbers (SYN), and sender is finished with this connection (FIN).
Figure 7 illustrates this three-way handshake in a little more detail, elaborating on some of the
flags used.

Figure 7. Three-Way Handshake Using TCP Flags

Bob wants to start talking with Alice, so he initiates the TCP session with the SYN bit
(flag) set in the first TCP segment. If Alice is happy to talk to Bob, she responds with the SYN
flag and ACK flag set to 1. If she is unwilling to talk to Bob, she responds with an RST (reset)
flag set to 1.
Abuse of the normal operation or settings of these flags can be used by attackers to
launch DoS attacks. This causes network servers or web servers to crash or hang. Table 3
illustrates some invalid combinations of these parameters.

Table 3. TCP Flags

SYN FIN PSH RST Validity
1   1   0   0   Illegal combination
1   1   1   0   Illegal combination
1   1   0   1   Illegal combination
1   1   1   1   Illegal combination

The attacker's ultimate goal is to write special programs or pieces of code that are able to
construct these illegal combinations, resulting in an efficient DoS attack.
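As an added example (not code from the paper), the following Python classifies the flag combinations of Table 3 from the raw flags byte of a TCP header and applies the rule to a sensor's view of segments, raising an alert for any source that keeps sending them. It goes beyond the table in one respect, which is my generalisation rather than the text's: SYN together with RST, and any segment that carries none of SYN, RST or ACK (once a connection is established every segment carries ACK), are reported as anomalous rather than illegal. The sample segments, addresses and alert threshold are constructed.

```python
from collections import Counter

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_from_byte(b: int) -> frozenset:
    """Names of the flags set in the 13th byte of a TCP header."""
    return frozenset(n for n, bit in FLAG_BITS.items() if b & bit)


def flag_verdict(flags: frozenset) -> str:
    """'illegal' for the SYN+FIN family of Table 3; 'anomalous' for other combinations a
    conforming stack never emits (my generalisation, not from the text); 'ok' otherwise."""
    if "SYN" in flags and "FIN" in flags:
        return "illegal"               # open and close in the same segment
    if "SYN" in flags and "RST" in flags:
        return "anomalous"             # open and abort in the same segment
    if not ({"SYN", "RST", "ACK"} & flags):
        return "anomalous"             # after the handshake every segment carries ACK (RFC 793)
    return "ok"


def table3_verdicts() -> dict:
    """The rows of Table 3, expressed as (SYN, FIN, PSH, RST) tuples."""
    rows = [(1, 1, 0, 0), (1, 1, 1, 0), (1, 1, 0, 1), (1, 1, 1, 1)]
    out = {}
    for syn, fin, psh, rst in rows:
        flags = frozenset(n for n, v in zip(("SYN", "FIN", "PSH", "RST"), (syn, fin, psh, rst)) if v)
        out[(syn, fin, psh, rst)] = flag_verdict(flags)
    return out


def scan_segments(segments, alert_threshold: int = 3):
    """segments: (source_ip, flags_byte) pairs as seen by a sensor. Returns per-verdict counts
    and the sources that sent at least alert_threshold illegal or anomalous segments."""
    counts = Counter()
    bad_by_source = Counter()
    for src, byte in segments:
        v = flag_verdict(flags_from_byte(byte))
        counts[v] += 1
        if v != "ok":
            bad_by_source[src] += 1
    alerts = sorted(s for s, n in bad_by_source.items() if n >= alert_threshold)
    return dict(counts), alerts


# Constructed sample: ordinary traffic from 198.51.100.7 and a burst of bad segments from 203.0.113.9.
SAMPLE_SEGMENTS = [
    ("198.51.100.7", 0x02), ("198.51.100.7", 0x10), ("198.51.100.7", 0x18), ("198.51.100.7", 0x11),
    ("203.0.113.9", 0x03), ("203.0.113.9", 0x0B), ("203.0.113.9", 0x07), ("203.0.113.9", 0x0F),
    ("203.0.113.9", 0x00), ("203.0.113.9", 0x29), ("203.0.113.9", 0x04),
]

if __name__ == "__main__":
    print(table3_verdicts())
    print(scan_segments(SAMPLE_SEGMENTS))
```

Current stacks drop these combinations rather than hang on them, so on a modern network their main value to a defender is as a signal: nothing legitimate produces them, so a source emitting several is either probing or flooding.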
SYN FLOOD
The TCP/IP protocol suite relies on the use of multiple timers during the lifetime of a
session. These timers include the Connection Establishment timer, the FIN-WAIT timer, and the
KEEPALIVE timer. The following list elaborates on the three-way handshake mechanism
presented in Figure 7:
- Connection Establishment timer: Starts after SYN is sent during the initial connection
setup (step 1 of the three-way handshake).
- FIN-WAIT timer: Starts after FIN is sent and the originator is waiting for an
acknowledgement to terminate the session.
- KEEPALIVE timer: Counter restarts after every segment of data is transmitted. This
timer is used to periodically probe the remote end.
All these timers are critical for proper and accurate data transmission using TCP/IP. These
timers (or the lack of certain timers) are often used and exploited by attackers to disable services
or even to enter systems. For instance, after step 2 of the three-way handshake, no limit is set on
the time to wait after receiving a SYN. The attacker initiates many connection requests to the
web server of Company XYZ (almost certainly with a spoofed IP address).
The SYN-ACK packets (step 2) sent by the web server back to the originating source IP
address are not replied to. This leaves a TCP session half-open on the web server. Multiple
packets cause multiple TCP sessions to stay open.
Based on the hardware limitations of the server, a limited number of TCP sessions can stay
open, and as a result, the web server refuses further connection establishment attempts from any
host as soon as a certain limit is reached. These half-open connections need to be completed or
timed out before new connections can be established.
This vulnerability can be exploited by the attacker to actually remove a host from the
network for several seconds. In the meantime, this temporarily disabled platform can be used to
deposit another exploit or to install a backdoor.
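The effect of the half-open limit and of the Connection Establishment timer described above is modelled below in Python as an added example (not code from the paper): a minimal SYN backlog that accepts a SYN, waits for the final ACK, and expires entries whose timer has run out. The constructed scenario replays a flood of SYNs that are never completed, then a legitimate client trying once while the backlog is full and once after the timer has expired; running it with an infinite timeout reproduces the "no limit is set on the time to wait" situation. The backlog size, timeout, addresses and flood size are assumptions.

```python
class HalfOpenTable:
    """Minimal model of a server's SYN backlog: an entry is created when a SYN arrives (the
    server answers SYN-ACK and starts the Connection Establishment timer) and removed when
    the final ACK arrives or the timer expires."""

    def __init__(self, backlog: int, syn_timeout: float):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.pending = {}        # (src_ip, src_port) -> time the SYN was accepted
        self.dropped = 0         # SYNs refused because the backlog was full
        self.established = 0

    def expire(self, now: float):
        for key, t in list(self.pending.items()):
            if now - t >= self.syn_timeout:
                del self.pending[key]

    def on_syn(self, now: float, src_ip: str, src_port: int) -> bool:
        self.expire(now)
        if len(self.pending) >= self.backlog:
            self.dropped += 1
            return False
        self.pending[(src_ip, src_port)] = now
        return True

    def on_ack(self, now: float, src_ip: str, src_port: int) -> bool:
        if self.pending.pop((src_ip, src_port), None) is None:
            return False
        self.established += 1
        return True


def simulate_flood(backlog: int = 128, syn_timeout: float = 3.0, flood_size: int = 200):
    """Constructed scenario: flood_size SYNs with made-up sources arrive at t=0 and are never
    completed; a legitimate client tries at t=1 and again at t=5. Returns whether each
    legitimate attempt got a backlog slot and how many SYNs were refused in total."""
    table = HalfOpenTable(backlog, syn_timeout)
    for i in range(flood_size):
        table.on_syn(0.0, f"203.0.113.{i % 254 + 1}", 40000 + i)
    first = table.on_syn(1.0, "198.51.100.7", 51000)
    if first:
        table.on_ack(1.0, "198.51.100.7", 51000)
    second = table.on_syn(5.0, "198.51.100.7", 51001)
    if second:
        table.on_ack(5.0, "198.51.100.7", 51001)
    return first, second, table.dropped


if __name__ == "__main__":
    print("with 3 s timer:", simulate_flood())
    print("without timer:", simulate_flood(syn_timeout=float("inf")))
```

The timer is what bounds the damage: a flood of a fixed size only blocks the server for one timeout period, while a flood sustained above backlog/timeout SYNs per second keeps it full, which is why servers additionally shrink the timer under load or stop keeping per-SYN state altogether.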
CLOSING A CONNECTION BY FIN

These types of attacks can be best described as connection-killing attacks. In normal
operation, the sender sets the TCP FIN flag indicating that no more data will be transmitted and
the connection can be closed down. This is a four-way handshake mechanism, with both sender
and receiver expected to send an acknowledgement on a received FIN packet. During an attack
that is trying to kill connections, a spoofed FIN packet is constructed. This packet also has the
correct sequence number, so the packets are seen as valid by the targeted host. These sequence
numbers are easy to predict. This process is referred to as TCP sequence number prediction,
whereby the attacker either sniffs the current Sequence and Acknowledgment (SEQ/ACK)
numbers of the connection or can algorithmically predict these numbers.
Once the packet is constructed and sent, the receiving host believes the spoofed sender
has no more data to be transmitted. Any other packets received are ignored as false and dropped.
The remaining packets for completing the four-way handshake are provided by the spoofed
sender. Similar connection-killing attacks are launched using the RST flag.
Connection Hijacking
TCP connections can be hijacked by unauthorized users without much diIIiculty. In
Figure 8, an authorized user (Employee X) sends HTTP requests over a TCP session with the
web server.
Figure 8. Connection Hijacking

The web server accepts the packets Irom Employee X only when the packet has the
correct SEQ/ACK numbers. As seen previously, these numbers are important Ior the web server
to distingish between diIIerent sessions and to make sure it is still talking to Employee X.
Imagine that the cracker starts sending packets to the web server spooIing the IP address oI
Employee X, using the correct SEQ/ACK combination. The web server accepts the packet and
increments the ACK number.
In the meantime, Employee X continues to send packets but with incorrect SEQ/ACK
numbers. As a result oI sending unsynchronized packets, all data Irom Employee X is discarded
when received by the web server. The attacker pretends to be Employee X using the correct
numbers. This Iinally results in the cracker hijacking the connection, whereby Employee X is
completely conIused and the web server replies assuming the cracker is sending correct
synchronized data.
The following steps outline the different phases of a connection-hijacking attack, as
shown in Figure 8:

Step 1. The attacker examines the traffic flows with a network monitor and notices
traffic from Employee X to a web server.
Step 2. The web server returns or echoes data back to the origination station
(Employee X).
Step 3. Employee X acknowledges the packet.
Step 4. The cracker launches a spoofed packet to the server.
Step 5. The web server responds to the cracker. The cracker starts verifying
SEQ/ACK numbers to double-check success. At this time, the cracker takes
over the session from Employee X, which results in a session hanging for
Employee X.
Step 6. The cracker can start sending traffic to the web server.
Step 7. The web server returns the requested data to confirm delivery with the correct
ACK number.
Step 8. The cracker can continue to send data (keeping track of the correct SEQ/ACK
numbers) until eventually setting the FIN flag to terminate the session.
TCP Connection Hijacking is one of the Man-in-the-Middle attacks. With
this attack, an attacker can allow normal authentication to proceed between
the two hosts, and then seize control of the connection. There are two
possible ways to do this: one is during the TCP three-way handshake, and the
other is in the middle of an established connection. Connection hijacking
exploits a "desynchronized state" in TCP communication. When two hosts
are desynchronized enough, they will discard (ignore) packets from each
other. An attacker can then inject forged packets with the correct sequence
numbers (and potentially modify or add commands to the communication).
This requires the attacker to be located on the communication path between
the two hosts so that he may eavesdrop, in order to replicate packets being
sent.

TCP Connection Hijacking allows attackers to view and change private information.
TCP CONNECTION HIJACKING MITIGATION

The Connection Hijacking (Man-In-The-Middle) attacks rely upon IP spoofing. By
utilizing IPsec VPN at the network layer and by using session and user (or host) authentication
and data encryption technologies at the application layer and at the data link layer, the risk of IP
Spoofing and then Connection Hijacking will be reduced significantly.
NOTE
Sniffing Internet traffic is not necessarily easily accomplished. Most hijacking attacks
require access to the local wire or the broadcast domain. An excellent tool to monitor the local
wire is Ethereal. These connection-hijacking attacks often occur unnoticed. The Employee X
session hangs, but most Internet users reconnect the session and observe this incident as a
network problem. Luckily, not all session hangs are caused by connection-hijacking attacks;
most have other causes.
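The note above says that a monitor on the local wire is where a hijack would be noticed, and the hijacking section describes what the wire shows: the server's ACK keeps advancing for one sender while the real Employee X keeps sending segments with stale SEQ numbers that the server discards. The following is an added example (not code from the paper) that turns that description into a detection heuristic run over a constructed packet trace. The record layout, addresses, TTL values and the stale-segment threshold are assumptions made for this example.

```python
"""Heuristic detector for a desynchronized (hijacked) TCP session.

Added example, not code from the paper. It walks constructed packet
records for one Employee X <-> web server flow and looks for data segments
that claim the client's address but carry a SEQ below the ACK the server
has already sent, interleaved with segments the server does accept. A
change in IP TTL between segments claiming the same source address is
reported as a second indicator.
"""
from collections import namedtuple

# A minimal view of one captured segment (constructed record layout; a
# capture tool such as Ethereal exposes the same fields under its own names).
Pkt = namedtuple("Pkt", "src dst ttl seq ack payload_len")

SERVER = "10.0.0.5"   # constructed web server address
CLIENT = "10.0.0.7"   # constructed Employee X address
MASK = 0xFFFFFFFF


def seq_lt(a, b):
    """True when 32-bit sequence number a lies before b, wraparound included."""
    return ((a - b) & MASK) >= 0x80000000


def analyze_flow(packets, stale_threshold=2):
    """Return hijack indicators for one client<->server flow.

    stale_segments     client data segments whose SEQ is below the ACK the
                       server has already sent (the server discards these)
    fresh_after_stale  client data segments accepted after stale ones were
                       seen, i.e. two senders are alternating
    ttl_values         distinct TTLs on segments claiming CLIENT's address
    """
    server_ack = None        # highest ACK number sent by the server so far
    stale = 0
    fresh_after_stale = 0
    ttls = set()
    for p in packets:
        if p.src == SERVER:
            if server_ack is None or seq_lt(server_ack, p.ack):
                server_ack = p.ack
            continue
        if p.src != CLIENT:
            continue
        ttls.add(p.ttl)
        if server_ack is None or p.payload_len == 0:
            continue          # nothing to compare against yet, or a pure ACK
        if seq_lt(p.seq, server_ack):
            stale += 1
        elif stale > 0:
            fresh_after_stale += 1
    # Ordinary retransmissions also look "stale", so require repeated stale
    # data interleaved with accepted data before calling the flow suspicious.
    suspicious = (stale >= stale_threshold and fresh_after_stale > 0) or len(ttls) > 1
    return {
        "stale_segments": stale,
        "fresh_after_stale": fresh_after_stale,
        "ttl_values": sorted(ttls),
        "suspicious": suspicious,
    }


# Constructed trace: Employee X (TTL 64) talks to the server, then a second
# sender with TTL 60 injects data using the live SEQ/ACK numbers.
HIJACK_TRACE = [
    Pkt(CLIENT, SERVER, 64, 1000, 5000, 100),   # Employee X sends 100 bytes
    Pkt(SERVER, CLIENT, 64, 5000, 1100, 200),   # server acks 1100 and replies
    Pkt(CLIENT, SERVER, 64, 1100, 5200, 0),     # pure ACK from Employee X
    Pkt(CLIENT, SERVER, 60, 1100, 5200, 50),    # injected segment, correct SEQ
    Pkt(SERVER, CLIENT, 64, 5200, 1150, 100),   # server accepts it, acks 1150
    Pkt(CLIENT, SERVER, 64, 1100, 5200, 80),    # Employee X, now stale (1100 < 1150)
    Pkt(SERVER, CLIENT, 64, 5300, 1150, 0),     # server re-acks 1150
    Pkt(CLIENT, SERVER, 60, 1150, 5300, 30),    # injected segment, accepted
    Pkt(SERVER, CLIENT, 64, 5300, 1180, 100),
    Pkt(CLIENT, SERVER, 64, 1100, 5200, 80),    # Employee X still stale
]

# Constructed trace of a healthy session with one ordinary retransmission.
NORMAL_TRACE = [
    Pkt(CLIENT, SERVER, 64, 1000, 5000, 100),
    Pkt(SERVER, CLIENT, 64, 5000, 1100, 200),
    Pkt(CLIENT, SERVER, 64, 1000, 5000, 100),   # retransmission, looks stale
    Pkt(SERVER, CLIENT, 64, 5200, 1100, 0),
    Pkt(CLIENT, SERVER, 64, 1100, 5200, 50),
    Pkt(SERVER, CLIENT, 64, 5200, 1150, 100),
]

if __name__ == "__main__":
    print("hijack trace:", analyze_flow(HIJACK_TRACE))
    print("normal trace:", analyze_flow(NORMAL_TRACE))
```

The threshold is deliberately conservative: a single retransmission in the healthy trace is counted as stale but does not trip the verdict, while the hijacked trace shows both repeated stale data and two TTLs behind one source address.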
RECENT ATTACKS USING IP SPOOFING
Since the initial Internet worm, a number of attacks have been made using this technique,
including:

- Man-in-the-middle: the attacker sniffs packets on the link between the two endpoints, and
can pretend to be one end of the connection.

- Routing redirect: redirects routing information from the original host to the hacker's
host (a variation on the man-in-the-middle attack).

- Source routing: redirects individual packets via the hacker's host.

- Blind spoofing: predicts responses from a host, allowing commands to be sent, but does
not get immediate feedback.

- Flooding: a SYN flood fills up the receive queue with requests from random source addresses;
smurf/fraggle spoofs the victim's address, causing everyone to respond to the victim.

DETAILS OF AN ATTACK

IP spoofing in brief consists of several interim steps:

- Selecting a target host (or victim).

- The trust relationships are reviewed to identify a host that has a "trust relationship" with
the target host.

- The trusted host is then disabled and the target's TCP sequence numbers are sampled.

- The trusted host is then impersonated and the sequence numbers forged (after being
calculated).

- A connection attempt is made to a service that only requires address-based authentication
(no user id or password).

- If a successful connection is made, the attacker executes a simple command to leave a
backdoor.
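The second step, reviewing trust relationships, is also the first thing a defender does: find every host that a system will accept r* logins from on the strength of a source address alone. The following is an added example (not code from the paper) that inventories the grants in hosts.equiv and .rhosts files, whose shared line format is "hostname [username]", with a host of "+" trusting every host, "+@group" trusting an NIS netgroup and a leading "-" denying. The file contents are constructed samples and the severity labels are this example's own choice.

```python
"""Inventory of address-based trust grants in hosts.equiv and .rhosts files.

Added example, not from the paper. Parses the r* trust file format and
reports every line that grants a login without a password, worst first.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "path line host user severity reason")

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def parse_trust_file(text, path):
    """Return one Finding per line that grants trust (deny lines are skipped)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-"):
            continue                          # explicit deny, not a grant
        if host == "+":
            sev, why = "critical", "wildcard host: any machine is trusted"
        elif host.startswith("+@"):
            sev, why = "high", "whole netgroup %s is trusted" % host[2:]
        elif user == "+":
            sev, why = "critical", "any user on that host is trusted"
        else:
            sev, why = "medium", "address-based trust, no password required"
        findings.append(Finding(path, lineno, host, user, sev, why))
    return findings


def audit(files):
    """files: mapping of path -> file text. Returns all findings, worst first."""
    found = []
    for path, text in files.items():
        found.extend(parse_trust_file(text, path))
    return sorted(found, key=lambda f: (SEVERITY_ORDER[f.severity], f.path, f.line))


def summarize(findings):
    """Count findings per severity level."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample files standing in for a real /etc/hosts.equiv and a
# user's ~/.rhosts; on a live system these would be read from disk.
SAMPLE_FILES = {
    "/etc/hosts.equiv": (
        "# constructed sample\n"
        "+\n"
        "-badhost.example.net\n"
        "fileserver.example.net\n"
        "+@admins\n"
    ),
    "/home/alice/.rhosts": (
        "trusted.example.net alice\n"
        "build.example.net +\n"
    ),
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print("%-8s %s:%d %s %s - %s" % (f.severity, f.path, f.line, f.host, f.user or "", f.reason))
```

Every line the audit reports is a host whose address alone is enough to log in, which is exactly the condition the attack described here depends on; the DEFENSE section later in the paper recommends removing these files outright.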

ATTACK DIRECTED AGAINST ROOT

The attack is generally made from the root account of the attacker against the root
account of the target host. The reason being that gaining root access to the target will allow the
attacker to fully manipulate the system. This would include the loading of Trojan horses,
backdoors and possible modification of data. Going through all this effort to only gain user
access is less than value added for a malicious attacker.

IP SPOOFING IS A BLIND ATTACK

An IP spoofing attack is made in the "blind", meaning that the attacker will be assuming
the identity of a "trusted host". From the perspective of the target host, it is simply carrying on a
"normal" conversation with a trusted host. In truth, it is conversing with an attacker who is
busy forging IP address packets. The IP datagrams containing the forged IP addresses will
reach the target intact (IP being a connectionless protocol which requires no
handshaking; each datagram is sent without concern for the other end).

However, the datagrams that the target sends back (destined for the trusted host) will end
up in the bit bucket; the attacker will never see them. The routers between the target and attacker
know the destination address of the datagrams, that being the "trusted host", since this is where
they originally came from and where they should be returned. Once the datagrams are routed
there and the information is demultiplexed on its way up the protocol stack, it will be discarded
when it reaches TCP.

The reason for this is that a TCP connection request is initiated by a client via a SYN flag
toggled on within the TCP header. Normally a server will respond to this request via a
SYN/ACK to the 32 bit source address located within the IP header. Upon receipt of the
SYN/ACK, the client sends an ACK to the server (completing the three way handshake) and data
transfer in the form of datagrams can commence.

TCP will only support a limited number of concurrent SYN requests for a particular
socket. This limit applies to both complete and incomplete connections. If this backlog limit is
reached, TCP will silently dump all incoming SYN requests until the pending connections can be
dealt with. So an attacker must be very smart and know what the target has been sent and
"know" what type of response the server is looking for.

The attacker cannot "see" what the target host sends, but based on the handshaking
procedure, an attacker can predict what the target host will send in response. Knowing both what
has been sent and what the response will be eliminates the need to actually "see" the response.
This allows the attacker to work in the "blind" and manipulate the system.

HOST DISABLING

To impersonate the trusted host, the attacker must first disable and make certain that no
network traffic gets to the trusted host. The primary method used is called SYN flooding. As
described in the previous section, TCP will silently dump all incoming SYN requests until the
pending connections can be dealt with. The attacking host sends multiple SYN requests to the
target (in this instance the trusted host) to load up the TCP queue with pending connections.

The attacking host must also ensure that the source IP address is spoofed and select a
different, currently unreachable host, as this is where the target TCP will be sending its
response. The reason that it must be unreachable is to prevent any host from receiving the
SYN/ACKs sent by the system under attack. This would result in a RST (reset) being sent
back to the system under attack, foiling the attack. The target responds with SYN/ACKs to the
spoofed IP address and once the queue limit is reached, all other requests to this TCP port will be
ignored. This effectively disables the "trusted host" and allows the attacker to proceed with
impersonating the "trusted host".


PACKET SEQUENCE SAMPLING AND PREDICTION

The attacker must next determine where in the 32 bit sequence number space the target's
TCP is located. The attacker then connects to a TCP port on the target (quite often SMTP) just
prior to starting an attack and completes the three-way handshake, making sure that the initial
sequence number (ISN) is recorded. This process is repeated several times to determine the
Round Trip Time (RTT) and the final ISN retained. The RTT is necessary to predict the next
ISN. The attacker uses the baseline ISN (from the last connect) and knows that the sequence
numbers are incremented 128,000/second and 64,000 per connection. The attacker can average
the time to travel to the host (the RTT) and then proceed on to the next phase of the attack,
sending a packet with a spoofed ISN. When the spoofed segment reaches the target, one of the
following actions is taken, based on the accuracy of the prediction:

- If the sequence number is exactly where TCP expects it to be, the incoming data will be
placed in the next available slot in the receive buffer.

- If the sequence number is less than the expected number, the byte is treated as a
retransmission and the packet is discarded.

- If the sequence number is greater than expected but within the bounds of the receive window,
it is held by TCP pending arrival of the missing bytes.

- If the sequence number is greater than expected and out of the bounds of the receive
window, the segment is dropped and TCP responds with a segment that contains the
expected sequence number.
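The four outcomes above are what decide whether a guessed sequence number does anything at all. The following is an added example (not code from the paper) that models the receiving TCP's side of that decision: a segment is accepted in place, dropped as a retransmission, held inside the window until the gap is filled, or dropped as out-of-window with the expected sequence number sent back. Sequence arithmetic is modulo 2^32 so wraparound is handled; the window sizes and payloads are constructed, and partial overlaps are simplified to the paper's "discard" rule rather than trimmed as a real stack would.

```python
"""Receiver-side handling of a data segment's sequence number.

Added example, not code from the paper. classify_segment() implements the
four outcomes listed in the text; Receiver shows the effect on the receive
buffer and records the ACK that answers every arrival, which a blind
sender never gets to see.
"""
MASK = 0xFFFFFFFF


def seq_diff(a, b):
    """Signed distance from b to a in 32-bit sequence space."""
    d = (a - b) & MASK
    return d - (1 << 32) if d >= 0x80000000 else d


def classify_segment(seq, rcv_nxt, rcv_wnd):
    """Classify a data segment by its starting sequence number.

    'accept'          seq == rcv_nxt: goes into the next free slot
    'retransmission'  seq before rcv_nxt: treated as old data, discarded
                      (the paper's simplified rule; real stacks trim overlaps)
    'hold'            ahead of rcv_nxt but inside the window: buffered
    'out_of_window'   beyond the window: dropped, rcv_nxt is re-ACKed
    """
    d = seq_diff(seq, rcv_nxt)
    if d == 0:
        return "accept"
    if d < 0:
        return "retransmission"
    if d < rcv_wnd:
        return "hold"
    return "out_of_window"


class Receiver:
    """Receive buffer with in-order delivery and out-of-order holding."""

    def __init__(self, rcv_nxt, rcv_wnd):
        self.rcv_nxt = rcv_nxt        # next byte the receiver expects
        self.rcv_wnd = rcv_wnd        # bytes it will hold beyond rcv_nxt
        self.held = {}                # seq -> payload waiting for the gap
        self.delivered = b""          # bytes handed up to the application
        self.acks_sent = []           # ACK number emitted for each arrival

    def receive(self, seq, payload):
        """Process one segment and return the verdict applied to it."""
        verdict = classify_segment(seq, self.rcv_nxt, self.rcv_wnd)
        if verdict == "accept":
            self._deliver(payload)
        elif verdict == "hold":
            self.held[seq] = payload
        # Every arrival is answered with the current rcv_nxt, whatever the
        # verdict; for a dropped segment that is the "expected sequence
        # number" reply the text describes.
        self.acks_sent.append(self.rcv_nxt)
        return verdict

    def _deliver(self, payload):
        self.delivered += payload
        self.rcv_nxt = (self.rcv_nxt + len(payload)) & MASK
        while self.rcv_nxt in self.held:     # drain held segments that now fit
            chunk = self.held.pop(self.rcv_nxt)
            self.delivered += chunk
            self.rcv_nxt = (self.rcv_nxt + len(chunk)) & MASK


if __name__ == "__main__":
    r = Receiver(rcv_nxt=1000, rcv_wnd=4096)
    for seq, data in [(1000, b"abc"), (1010, b"xyz"), (1003, b"1234567"),
                      (990, b"old"), (1013 + 4096, b"far")]:
        print(seq, r.receive(seq, data), "->", r.rcv_nxt, r.delivered)
```

Note that an off-by-a-little guess lands in the "hold" case and sits in the buffer, while a far-off guess only produces an ACK of the true expected number, which is why the text stresses that the prediction has to be exact.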

IMPERSONATING THE TRUSTED HOST

If everything goes according to the plan, the SYN/ACK will be dropped by the
incapacitated "trusted host". The attacker must then wait to give the "trusted host" (under attack)
time to send the SYN/ACK (remember that the attacker cannot see this segment). Then the
attacker sends an ACK to the target server with the predicted sequence number (plus one, to
accommodate the ACK). If the calculations are correct, the target server will accept the ACK.
The target server has then been compromised and data transfer can start.

SYSTEM COMPROMISE

After initial compromise, most attackers will install a backdoor to make it much easier to
get into the system in the future. Once compromised, the attacker can use it to mount additional
attacks or extract data and other information.

DEFENSE

The simplest solution is to not rely upon address-based authentication. This is done by
disabling all the r* commands, removing all .rhosts files and clearing out the /etc/hosts.equiv file
on UNIX systems. This makes remote users use other types of remote connection such as telnet,
ssh, or S/Key. Another possible solution is encrypting all network traffic to prevent the source and
destination hosts from being compromised. The final recommended solution, one proposed by
Bellovin in 1989, was to use random initial sequence numbering. This solution has been adopted
by a number of UNIX based operating systems in response to the increasing number of these
types of attacks during the past decade.
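The random initial sequence numbering recommended above can be set beside the counter the earlier PACKET SEQUENCE SAMPLING AND PREDICTION section describes to see why it works. The following is an added example (not code from the paper or from any operating system): LegacyIsnGenerator follows the paper's figures of 128,000 per second plus 64,000 per connection, RandomizedIsnGenerator follows the RFC 6528 construction that grew out of Bellovin's proposal (ISN = M + F(4-tuple, secret), with M a 4-microsecond clock and F a keyed hash), and prediction_error() replays the sampling step: two ISNs observed on one 4-tuple are extrapolated to a connection from a different source. The addresses, ports, times and secret key are constructed values.

```python
"""Predictable versus randomized initial sequence numbers.

Added example, not code from the paper. Compares how far an extrapolated
ISN guess lands from the ISN a stack actually issues for a connection from
a different source address.
"""
import hashlib
import hmac

MASK = 0xFFFFFFFF


def seq_diff(a, b):
    """Signed distance from b to a in 32-bit sequence space."""
    d = (a - b) & MASK
    return d - (1 << 32) if d >= 0x80000000 else d


class LegacyIsnGenerator:
    """Clock-and-counter ISN as described in the paper: +128,000 per
    second of wall-clock time and +64,000 for every connection opened."""

    def __init__(self, start=0):
        self.start = start
        self.opened = 0

    def isn(self, t_seconds, src, sport, dst, dport):
        self.opened += 1          # the 4-tuple plays no part in this scheme
        return (self.start + int(t_seconds * 128_000) + 64_000 * self.opened) & MASK


class RandomizedIsnGenerator:
    """RFC 6528-style ISN: a 4 microsecond clock plus a keyed hash of the
    connection 4-tuple, so connections from different sources get
    unrelated offsets while one 4-tuple still advances monotonically."""

    def __init__(self, secret):
        self.secret = secret      # a per-boot random key in a real stack

    def isn(self, t_seconds, src, sport, dst, dport):
        m = int(t_seconds * 250_000) & MASK
        msg = ("%s:%d->%s:%d" % (src, sport, dst, dport)).encode()
        f = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (m + f) & MASK


def extrapolate_isn(isn_a, t_a, isn_b, t_b, t_target):
    """Linear extrapolation from two samples taken at t_a and t_b."""
    rate = seq_diff(isn_b, isn_a) / (t_b - t_a)
    return (isn_b + round(rate * (t_target - t_b))) & MASK


PROBE = ("192.0.2.10", 40000, "198.51.100.5", 25)     # sampling 4-tuple (constructed)
TRUSTED = ("192.0.2.20", 40001, "198.51.100.5", 513)  # trusted host's 4-tuple (constructed)


def prediction_error(gen):
    """Sample two ISNs on PROBE one second apart, extrapolate one second
    further for a TRUSTED connection, and return the absolute miss in
    sequence space. Zero means the stack is fully predictable."""
    isn_a = gen.isn(10.0, *PROBE)
    isn_b = gen.isn(11.0, *PROBE)
    guess = extrapolate_isn(isn_a, 10.0, isn_b, 11.0, 12.0)
    actual = gen.isn(12.0, *TRUSTED)
    return abs(seq_diff(actual, guess))


if __name__ == "__main__":
    print("legacy miss:    ", prediction_error(LegacyIsnGenerator(1_000_000)))
    print("randomized miss:", prediction_error(RandomizedIsnGenerator(b"constructed-secret")))
```

With the legacy counter the miss is exactly zero, so a guess lands in the receive buffer; with the keyed-hash offset the miss is, with overwhelming probability, far outside any receive window, and the samples taken on the attacker's own connections say nothing about the offset assigned to the trusted host's connection.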

CONCLUSION

IP spoofing is less of a threat today due to the patches to the Unix Operating system and
the widespread use of random sequence numbering. Many security experts are predicting a shift
from IP spoofing attacks to application-related spoofing in which hackers can exploit a weakness
in a particular service to send and receive information under false identities. Sendmail is one
example, which when not properly configured allows anyone to send mail as
president@whitehouse.gov. As security professionals, we must remain current with the
Operating Systems that we use in our day to day activities. A steady stream of changes and new
challenges is assured as the hacker community continues to seek out vulnerabilities and
weaknesses in our systems and our networks.
