
A Seminar Report On

IP SPOOFING
In partial fulfillment of requirements for the degree of

Bachelor of Technology In Information Technology


SUBMITTED BY:

NAVNEET KUMAR
Under the Guidance of

Prof. N.C. SHARMA

(2011-2012) DEPARTMENT OF COMPUTER SCIENCE/INFORMATION TECHNOLOGY, KRISHNA INSTITUTE OF MANAGEMENT & TECHNOLOGY, MORADABAD

TABLE OF CONTENTS

ACKNOWLEDGEMENT
CERTIFICATE
1. INTRODUCTION
   1.1 What is IP Spoofing?
   1.2 Related Terms
2. TYPES OF ATTACKS
   2.1 Blind IP Spoofing
   2.2 Non-Blind IP Spoofing
   2.3 Man-in-the-Middle Attack
   2.4 DoS Attack
3. EXAMPLE
4. WHY IT IS POSSIBLE?
5. COUNTER MEASURES
6. CONCLUSION

ACKNOWLEDGEMENT

The satisfaction that accompanies the successful completion of any task would be incomplete without mention of the people whose cooperation made it possible, and whose constant guidance and encouragement crown all efforts with success. I am grateful to my seminar project guide Prof. N.C. SHARMA and i3INDIA for the guidance, inspiration and constructive suggestions that helped me in the preparation of this project.

Navneet Kumar
B.Tech 3rd year 0938113013

CERTIFICATE
This is to certify that the Seminar entitled IP SPOOFING has been submitted by NAVNEET KUMAR under my guidance in partial fulfillment of the degree of Bachelor of Technology in Information Technology of Krishna Institute of Management & Technology, Moradabad during the academic year 2011-2012 (Semester-VI).

Prof. N.C. Sharma

Head of Department, Computer Science & Information Technology

CHAPTER - 1 INTRODUCTION

1.1 What is IP Spoofing?

In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system. IP spoofing is a technique used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forged source IP address indicating that the message is coming from a trusted host. In other words, IP address spoofing is the creation of IP packets using somebody else's IP source address. The technique is employed in several of the attacks discussed later.

Examining the IP header, we can see that the first 12 bytes contain various control information about the packet. The next 8 bytes, however, contain the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses, specifically the source address field.

Figure 1: Valid source IP address (workstation 192.168.0.5 requesting a page from server 10.0.0.23).

Figure 1 illustrates a typical interaction between a workstation with a valid source IP address requesting web pages and the web server executing the requests. When the workstation requests a page from the web server, the request contains both the workstation's IP address (i.e. source IP address 192.168.0.5) and the address of the web server executing the request (i.e. destination IP address 10.0.0.23). The web server returns the web page using the source IP address specified in the request as the destination IP address, 192.168.0.5, and its own IP address as the source IP address, 10.0.0.23.

Figure 2: Spoofed source IP address (workstation sending with forged source 172.16.0.6 to server 10.0.0.23).

Figure 2 illustrates the interaction between a workstation requesting web pages using a spoofed source IP address and the web server executing the requests. If a spoofed source IP address (i.e. 172.16.0.6) is used by the workstation, the web server executing the web page request will attempt to execute the request by sending information to the IP address of what it believes to be the originating system (i.e. the workstation at 172.16.0.6). The system at the spoofed IP address will receive unsolicited connection attempts from the web server, which it will simply discard.
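To make the header layout concrete, the following Python is an added example (not part of the original report) that builds and decodes the fixed 20-byte IPv4 header with the addresses from Figures 1 and 2. It also shows why the header checksum is no defence against spoofing: a sender who forges the source address simply recomputes it, so the spoofed header verifies as intact.

```python
import struct
import ipaddress

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_ipv4_header(src: str, dst: str, payload_len: int = 0,
                      ttl: int = 64, proto: int = 6, ident: int = 0x1234) -> bytes:
    """Build a 20-byte IPv4 header with a correct header checksum.
    Anyone, including a sender forging src, can do this: the checksum
    guards against corruption in transit, not against a false source."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         0x4000, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = (~ones_complement_sum(fields)) & 0xFFFF
    return fields[:10] + struct.pack("!H", csum) + fields[12:]

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed header: bytes 0-11 are control fields, bytes 12-15
    the source address and bytes 16-19 the destination address."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "ihl": ihl, "total_length": total_len, "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        # The header is intact when the one's-complement sum over it,
        # checksum field included, comes out as all ones.
        "checksum_ok": ones_complement_sum(packet[:ihl]) == 0xFFFF,
    }

if __name__ == "__main__":
    # Constructed sample headers matching Figures 1 and 2.
    genuine = build_ipv4_header("192.168.0.5", "10.0.0.23")
    spoofed = build_ipv4_header("172.16.0.6", "10.0.0.23")
    for pkt in (genuine, spoofed):
        print(parse_ipv4_header(pkt))
```

Both headers report checksum_ok as True; nothing in the header itself distinguishes the forged source from the genuine one.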

1.2 Related terms


TCP (Transmission Control Protocol)

The Transmission Control Protocol (TCP) is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol (IP), and therefore the entire suite is commonly referred to as TCP/IP. TCP provides reliable, ordered delivery of a stream of bytes from a program on one computer to another program on another computer. TCP is the protocol that major Internet applications such as the World Wide Web, email, remote administration and file transfer rely on. Other applications, which do not require a reliable data stream service, may use the User Datagram Protocol (UDP), which provides a datagram service that emphasizes reduced latency over reliability.

TCP provides a communication service at an intermediate level between an application program and the Internet Protocol (IP). That is, when an application program wishes to send a large chunk of data across the Internet using IP, instead of breaking the data into IP-sized pieces and issuing a series of IP requests, the software can issue a single request to TCP and let TCP handle the IP details.

IP (Internet Protocol)

An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g. computer, printer) participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing. Its role has been characterized as follows: "A name indicates what we seek. An address indicates where it is. A route indicates how to get there." The designers of the Internet Protocol defined an IP address as a 32-bit number, and this system, known as Internet Protocol Version 4 (IPv4), is still in use today. However, due to the enormous growth of the Internet and the predicted depletion of available addresses, a new addressing system (IPv6) was developed. IP addresses are binary numbers, but they are usually stored in text files and displayed in human-readable notations, such as 172.16.254.1 (for IPv4) and 2001:db8:0:1234:0:567:8:1 (for IPv6). The Internet Assigned Numbers Authority (IANA) manages the IP address space allocations globally and delegates to five regional Internet registries (RIRs) the allocation of IP address blocks to local Internet registries (Internet service providers) and other entities.

CHAPTER 2 TYPES OF ATTACKS


2.1 Blind IP Spoofing
A blind spoofing attack is a type of attack using IP spoofing. It takes place from outside the victim's network, where the sequence and acknowledgement numbers of the TCP connection cannot be observed. To work around this, the attacker sends several packets to the target machine in order to sample its sequence numbers. While not the case today, machines in the past used basic techniques for generating sequence numbers, and it was relatively easy to discover the exact formula by studying packets and TCP sessions. Today most operating systems implement random sequence number generation, making the numbers difficult to predict accurately. If, however, the sequence number is compromised, data can be sent to the target. This is a more sophisticated attack than non-blind spoofing precisely because the sequence and acknowledgement numbers are unreachable. Several years ago, many machines used host-based authentication services (e.g. rlogin). A properly crafted attack could blindly add the requisite data to a system (e.g. a new user account), enabling full access for the attacker who was impersonating a trusted host.

2.2 Non-Blind IP Spoofing

This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance is session hijacking. This is accomplished by corrupting the data stream of an established connection, then re-establishing it with the attack machine using the correct sequence and acknowledgement numbers. Using this technique, an attacker can effectively bypass any authentication measures that were taken to establish the connection.

2.3 Man-in-the-Middle Attack


The term "man-in-the-middle attack" (MITM attack) refers to the type of attack where the attacker intrudes into the communication between the endpoints on a network to inject false information and intercept the data transferred between them.

Other definitions:

In cryptography, the man-in-the-middle attack or bucket-brigade attack (often abbreviated MITM), sometimes called the Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker.

A man-in-the-middle attack (MITM) is a type of attack where a user gets between the sender and receiver of information and sniffs any information being sent.

An attack in which the attacker infiltrates unnoticed the communication channel between two partners and is thereby able to spy on or even modify their data exchanges.

In cryptography and computer security, the man-in-the-middle attack (often abbreviated MITM) is a form of active attack in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle).

A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other; it is an attack on mutual authentication. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL authenticates the server using a mutually trusted certification authority.

Suppose PINKY wishes to communicate with PINKU. Meanwhile, ATTACKER wishes to intercept the conversation to eavesdrop and possibly deliver a false message to PINKU. First, PINKY asks PINKU for his public key. If PINKU sends his public key to PINKY, but ATTACKER is able to intercept it, a man-in-the-middle attack can begin. ATTACKER sends a forged message to PINKY that claims to be from PINKU, but instead includes ATTACKER's public key. PINKY, believing this public key to be PINKU's, encrypts her message with ATTACKER's key and sends the enciphered message on to PINKU. ATTACKER again intercepts, deciphers the message using her private key, possibly alters it if she wants, and re-enciphers it using the public key PINKU originally sent to PINKY. When PINKU receives the newly enciphered message, he believes it came from PINKY.
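The PINKY/PINKU exchange above, and the endpoint authentication that stops it, as an added Python example that is not part of the original report. The report does not name a public-key scheme, so a toy Diffie-Hellman exchange stands in for it, and an HMAC tag from a constructed trusted third party stands in for the certification authority's signature; the group parameters and keys are constructed for illustration only.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (far too small
# for real use). DH stands in for the unspecified public-key exchange.
P = 2305843009213693951  # 2**61 - 1, a Mersenne prime
G = 2

class Party:
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1   # private key, never sent
        self.pub = pow(G, self.priv, P)            # public key sent on the wire

    def shared_secret(self, peer_pub):
        return pow(peer_pub, self.priv, P)

def unauthenticated_exchange(pinky, pinku, attacker=None):
    """PINKY asks PINKU for his public key and each side derives a secret
    from the key it received. With ATTACKER on the path both sides receive
    the attacker's key, so each shares a secret with the attacker instead
    of with each other. Returns (PINKY's secret, PINKU's secret)."""
    key_pinky_receives = attacker.pub if attacker else pinku.pub
    key_pinku_receives = attacker.pub if attacker else pinky.pub
    return (pinky.shared_secret(key_pinky_receives),
            pinku.shared_secret(key_pinku_receives))

# Endpoint authentication: a trusted third party (stand-in for the
# certification authority mentioned in the report) vouches for PINKU's key
# with an HMAC tag under a key the attacker does not hold. A real CA signs
# the key instead; PINKY's verification step has the same shape.
CA_KEY = secrets.token_bytes(32)   # constructed; known only to the CA stand-in

def certify(name, pub):
    return hmac.new(CA_KEY, f"{name}:{pub}".encode(), hashlib.sha256).digest()

def verify_certificate(name, pub, tag):
    return hmac.compare_digest(certify(name, pub), tag)

def authenticated_exchange(pinky, pinku, attacker=None):
    """Same flow, but PINKU's key travels with its certificate. PINKY checks
    the tag against the key she actually received; a substituted key fails
    and the exchange aborts (None) before anything is encrypted."""
    tag = certify(pinku.name, pinku.pub)
    received_pub = attacker.pub if attacker else pinku.pub
    if not verify_certificate(pinku.name, received_pub, tag):
        return None
    return pinky.shared_secret(received_pub)

if __name__ == "__main__":
    pinky, pinku, attacker = Party("PINKY"), Party("PINKU"), Party("ATTACKER")
    print("honest secrets agree:", len(set(unauthenticated_exchange(pinky, pinku))) == 1)
    print("MITM secrets agree:  ", len(set(unauthenticated_exchange(pinky, pinku, attacker))) == 1)
    print("authenticated MITM:  ", authenticated_exchange(pinky, pinku, attacker))
```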

2.4 DoS Attack

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person, or multiple people, to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used in relation to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are implemented either by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide their intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. Denial-of-service attacks are considered violations of the IAB's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations. When the DoS attacker sends many packets and requests to a single network adapter, every computer on that network experiences the effects of the DoS attack.

CHAPTER 3 EXAMPLE

The Mitnick Attack

The Kevin Mitnick/Tsutomu Shimomura affair is an incredible story that is still unwinding. The story riveted Americans when it broke early in 1995, and continues to play out today.

Mitnick was released on January 21, 2000 (having spent 5 years in jail), and Shimomura and John Markoff have reportedly profited handsomely from, respectively, apprehending him and telling the tale in a book and screenplay. Is Kevin Mitnick a dangerous criminal apprehended by an ingenious high-tech detective? Or a sad, if annoying, loner who was set up by shrewd manipulators cashing in on Internet hype? Random Access offers this page of resources, including reviews and links pertaining to the now-famous hack of Tsutomu Shimomura's computers and the subsequent pursuit and capture of Kevin Mitnick. Aside from the often-compelling reading offered by the 3 books on the subject and other documents, the whole incident serves to highlight the Pandora's box of issues surrounding security and privacy in cyberspace. On September 13, 1998, hackers identifying themselves as HFG ("Hacking For Girlies") hacked the New York Times home page, citing Kevin Mitnick's plight. The story continues to unfold; this page is in progress and will continue to be updated.

The Attack

On Christmas Day, 1994, a hacker launched a sophisticated IP spoofing attack against Tsutomu Shimomura's computers in San Diego. The attack was launched from toad.com in San Francisco, the Toad Hall computer owned by John Gilmore, a founding employee of Sun Microsystems. By an uncanny coincidence, Shimomura spent the day at Toad Hall with his friend Julia Menapace. Shimomura's pursuit of the hacker led to computers in Marin County, where Shimomura's stolen files were found on The Well, then to Denver and San Jose, and finally to Kevin Mitnick, the fugitive hacker, in Raleigh, North Carolina.

CHAPTER 4 WHY IT IS POSSIBLE?

IP routing is hop by hop. Every IP packet is routed separately, and the route of an IP packet is decided by all the routers the packet goes through. IP address spoofing is possible because routers only need to inspect the destination IP address in the packet to make routing decisions. The source IP address is not required by routers, and an invalid source IP address will not affect the delivery of packets. That address is only used by the destination machine when it responds back to the source. In short, spoofing is possible because routers look at destination addresses only, and the source address field in the IP header is easy for the attacker to change.

CHAPTER 5 COUNTER MEASURES

5.1 Packet filtering

The router that connects a network to another network is known as a border router. One way to mitigate the threat of IP spoofing is by inspecting packets when they leave and enter a network, looking for invalid source IP addresses. If this type of filtering were performed on all border routers, IP address spoofing would be greatly reduced. Egress filtering checks the source IP address of packets leaving the network to ensure they come from a valid IP address range within the internal network. When the router receives a packet that contains an invalid source address, the packet is simply discarded and does not leave the network boundary. Ingress filtering checks the source IP address of packets that enter the network to ensure they do not come from sources that are not permitted to access the network. At a minimum, all private, reserved, and internal IP addresses should be discarded by the router and not allowed to enter the network.

5.2 Smart Firewall

Limiting traffic to the services actually offered on the network, using a firewall, can help prevent IP spoofing. Controlling access from and within the network also helps. There is free software, such as ipchains and iptables, that prevents some types of IP spoofing. Routers with a built-in firewall are also available. Multiple layers of firewall should be activated to protect against IP spoofing.

5.3 Smart Routers

Smart routers can detect IP addresses that are outside their domain. The best method of preventing the IP spoofing problem is to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network. In addition, you should filter outgoing packets that have a source address different from your internal network, in order to prevent a source IP spoofing attack originating from your site.

5.4 Other methods

1. Use an IDS that can detect potential denial of service attacks.
2. Review your application's failover functionality. Make sure your application is capable of handling high volumes of traffic and that thresholds are in place to handle abnormally high loads.
3. Stay current with patches and security updates.
4. Filter incoming packets that appear to come from an internal IP address at your perimeter.
5. Filter outgoing packets that appear to originate from an invalid local IP address.
6. Smart servers can block IP ranges that appear to be conducting a DoS.
7. If your vendor's router does not support filtering on the inbound side of the interface, or if there will be a delay in incorporating the feature into your system, you may filter the spoofed IP packets by using a second router between your external interface and your outside connection. Configure this router to block, on the outgoing interface connected to your original router, all packets that have a source address in your internal network.
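Chapter 4 explains that routers forward on the destination address alone, so the source-address checks of sections 5.1, 5.3 and 5.4 have to be added deliberately at the border. The following Python is an added example (not the report's own, and not any vendor's configuration) that models such a border filter: ingress packets from the outside must not carry an internal or private/reserved source, and egress packets from the inside must carry a source from the internal range. The internal prefix, interface names and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Source blocks that must never arrive from the Internet: RFC 1918 private
# space, loopback, link-local and "this network" (constructed minimal set).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Packet:
    iface: str   # "outside" (Internet-facing) or "inside" (LAN-facing)
    src: str
    dst: str

class BorderFilter:
    """Hypothetical ingress/egress source-address filter for a border router."""

    def __init__(self, internal_prefix: str):
        self.internal = ipaddress.ip_network(internal_prefix)

    def decide(self, pkt: Packet) -> tuple:
        """Return ("ACCEPT" | "DROP", reason) for one packet."""
        src = ipaddress.ip_address(pkt.src)
        if pkt.iface == "outside":
            # Ingress: nothing from outside may claim an internal address,
            # and private/reserved sources are not routable anyway.
            if src in self.internal:
                return ("DROP", "ingress: external packet with internal source")
            if any(src in net for net in BOGON_SOURCES):
                return ("DROP", "ingress: private/reserved source")
            return ("ACCEPT", "ingress ok")
        if pkt.iface == "inside":
            # Egress: nothing leaving may carry a source outside our range,
            # so spoofed packets cannot originate from this site.
            if src not in self.internal:
                return ("DROP", "egress: source not in internal range")
            return ("ACCEPT", "egress ok")
        raise ValueError(f"unknown interface {pkt.iface!r}")

def run(filt: BorderFilter, packets) -> list:
    """Apply the filter to a batch and return the verdict for each packet."""
    return [filt.decide(p)[0] for p in packets]

# Constructed sample traffic; 172.16.0.6 is the spoofed address of Figure 2.
SAMPLE_PACKETS = [
    Packet("outside", "198.51.100.7", "192.168.0.5"),   # legitimate inbound
    Packet("outside", "192.168.0.5", "192.168.0.9"),    # claims to be us
    Packet("outside", "172.16.0.6", "192.168.0.5"),     # private source
    Packet("inside", "192.168.0.5", "10.0.0.23"),       # legitimate outbound
    Packet("inside", "172.16.0.6", "10.0.0.23"),        # spoofed outbound
]

if __name__ == "__main__":
    border = BorderFilter("192.168.0.0/24")
    for pkt in SAMPLE_PACKETS:
        print(pkt.iface, pkt.src, "->", pkt.dst, *border.decide(pkt))
```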

CHAPTER 6 CONCLUSION
IP spoofing is an old-school hacker trick that continues to evolve. It can be used for a wide variety of purposes, not only for unauthorized access. IP spoofing will continue to represent a threat as long as each layer continues to trust the others. Although there is no easy solution to the IP spoofing problem, you can apply some simple proactive and reactive methods at the nodes. IP spoofing has been identified as a real risk to the Internet and computer network community. Since then, the Internet has suffered a huge number of large-scale attacks. There are many variants of IP spoofing used in attacks. In this paper, we have aimed to examine the attack methods and to identify counter-measures. IP spoofing exploits the idea of trust relationships. The attack is a "blind" one, meaning the attacker assumes the identity of a "trusted" host. From the perspective of the target host, it is simply carrying on a "normal" conversation with a trusted host. In reality, the host is conversing with an attacker who is busy forging IP packets. The data that the target sends back (destined for the trusted host) goes to the trusted host, and the attacker never sees it.
