
IP Spoofing

Bao Ho ToanTai Vu
CS 265 - Security Engineering Spring 2003 San Jose State University
IP Spoofing, CS265 1

Presentation Outline

- Introduction, Background
- Attacks with IP Spoofing
- Counter Measures
- Summary

IP Spoofing

IP Spoofing is a technique used to gain unauthorized access to computers: the intruder sends packets whose source address is that of a host the target trusts.

- IP: Internet Protocol
- Spoofing: using somebody else's information (here, their IP address)

Exploits trust relationships: the intruder sends messages to a computer with the IP address of a trusted host, and the target treats them as if they came from that host.

IP / TCP

- IP is connectionless and unreliable: every packet carries a source address that nothing on the path verifies.
- TCP is connection-oriented and starts with a three-way handshake in which each side announces its initial sequence number (ISN):

  A -> B: SYN; my number is X
  B -> A: ACK; now X+1. SYN; my number is Y
  A -> B: ACK; now Y+1

TCP/IP handshake. B only treats the connection as established once the third packet acknowledges Y+1, so an intruder who forges A's address must know, or guess, Y.

A Blind Attack

Host I (the intruder) cannot see what host V (the victim) sends back: V's replies, including the SYN-ACK that carries V's sequence number, go to the address I is impersonating, not to I.

IP Spoofing Steps

1. Select a target host (the victim).
2. Identify a host that the target trusts.
3. Disable the trusted host (for example by SYN-flooding it) so it cannot reset the forged connection, and sample the target's TCP sequence numbers using connections made from the intruder's own address.
4. Impersonate the trusted host and forge the sequence numbers: send a SYN with the trusted host's source address and answer the unseen SYN-ACK with a guessed acknowledgement number.
5. Attempt a connection to a service that only requires address-based authentication.
6. If the connection succeeds, execute a simple command to leave a backdoor.
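The following is an added example, not code from the original slides, that walks through steps 3 to 6 above as a simulation. The victim's ISN generator imitates the old 4.4BSD scheme (ISN advances by 64000 per connection and 128000 per second); the addresses, the rsh-like service on port 513 and the timings are all constructed. The point it shows is that the attacker never reads the victim's SYN-ACK and still completes the handshake, because the ISN is predictable from one sampled value.

```python
"""Blind spoofing against a predictable TCP ISN generator (added example).

Not from the original slides. Victim V trusts host T; attacker I samples
V's ISN with an ordinary connection, sends a SYN carrying T's address,
never sees the SYN-ACK (it goes to T), guesses the ISN and finishes the
handshake. Addresses, ports and the ISN scheme are constructed.
"""

VICTIM, TRUSTED, ATTACKER = "10.0.0.2", "10.0.0.3", "198.51.100.7"  # constructed
MASK32 = 0xFFFFFFFF


class BsdStyleIsn:
    """Imitation of the 4.4BSD ISN: deterministic given clock and connection count."""
    PER_CONN, PER_SEC = 64_000, 128_000

    def __init__(self, base=0x0001_0000):
        self.base, self.connections = base, 0

    def __call__(self, now):
        isn = (self.base + self.connections * self.PER_CONN
               + int(now) * self.PER_SEC) & MASK32
        self.connections += 1
        return isn


class Victim:
    """Minimal TCP listener with rsh-style, address-based authentication."""

    def __init__(self, isn_generator):
        self.isn = isn_generator
        self.half_open = {}      # (src_ip, src_port) -> our ISN, waiting for the ACK
        self.established = set()
        self.executed = []       # commands the "rsh" service ran

    def recv_syn(self, src_ip, src_port, now):
        isn = self.isn(now)
        self.half_open[(src_ip, src_port)] = isn
        # The SYN-ACK is addressed to src_ip; a spoofing attacker never sees it.
        return ("SYN-ACK", isn)

    def recv_ack(self, src_ip, src_port, ack):
        isn = self.half_open.pop((src_ip, src_port), None)
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        self.established.add((src_ip, src_port))
        return True

    def rsh(self, src_ip, src_port, command):
        # Address-based trust: an established connection from TRUSTED is obeyed.
        if (src_ip, src_port) in self.established and src_ip == TRUSTED:
            self.executed.append(command)
            return True
        return False


def blind_spoof(victim, t_sample, t_attack):
    """Run the attack; returns (handshake_succeeded, guessed_isn, real_isn)."""
    # Step 3: sample V's ISN with a connection from the attacker's own address.
    _, sampled = victim.recv_syn(ATTACKER, 40000, now=t_sample)
    victim.recv_ack(ATTACKER, 40000, (sampled + 1) & MASK32)   # this SYN-ACK we did see

    # Step 4: SYN carrying T's address. T is assumed disabled (SYN-flooded),
    # so it will not answer V's SYN-ACK with a RST. real_isn is returned only
    # so the reader can compare; the attacker never receives it.
    _, real_isn = victim.recv_syn(TRUSTED, 1023, now=t_attack)

    # Predict V's ISN from the sample and the attacker-measured elapsed time.
    guess = (sampled + BsdStyleIsn.PER_CONN
             + (int(t_attack) - int(t_sample)) * BsdStyleIsn.PER_SEC) & MASK32

    # Steps 5 and 6: finish the handshake blind, then leave a backdoor via rsh.
    ok = victim.recv_ack(TRUSTED, 1023, (guess + 1) & MASK32)
    if ok:
        victim.rsh(TRUSTED, 1023, "echo '+ +' >> /root/.rhosts")
    return ok, guess, real_isn


if __name__ == "__main__":
    v = Victim(BsdStyleIsn())
    ok, guess, real = blind_spoof(v, t_sample=100.0, t_attack=101.4)
    print(f"guessed {guess:#x}, real {real:#x}, spoofed connection established: {ok}")
    print("commands executed as trusted host:", v.executed)
```

The guess works because the increment between the sampled connection and the spoofed one is fixed. The same code against a victim whose ISN is not a function of clock and connection count fails at the recv_ack step, which is the countermeasure on the later slide.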

IP Spoofing Attacks

- Man in the middle
- Routing (route redirection, source routing)
- Flooding / Smurfing

Attacks

Man-in-the-middle: the attacker sniffs packets on the link between the two endpoints and can therefore pretend to be one end of the connection; unlike the blind attacker, it sees the sequence numbers it needs.

Attacks

Routing redirect: the attacker redirects routing information so that traffic for the original host is delivered to the attacker's host.

Source routing: the attacker uses the IP source-route option to direct individual packets, and the replies to them, through the attacker's host.

Attacks

Flooding: a SYN flood fills up the listen (half-open connection) queue with SYNs carrying random, spoofed source addresses; the SYN-ACKs go to hosts that never answer, so each entry stays in the queue until it times out.

Smurfing: an ICMP echo request is spoofed to originate from the victim and sent to a network's broadcast address, causing all hosts on that network to respond to the victim at once.

IP-Spoofing Facts

- The IP protocol is inherently weak: it makes no assumption about sender or recipient.
- Nodes on the path forward packets by destination address only; they do not check the sender's identity.
- There is no way to completely eliminate IP spoofing; the countermeasures below only reduce the possibility of a successful attack.

Counter-measures

IP-Spoofing

- No insecure authenticated services
- Disable commands like ping
- Use encryption
- Strengthen the TCP/IP protocol
- Firewall
- IP traceback

No insecure authenticated services

- The r* services (rsh, rlogin, rcp, rexec) authenticate by hostname or IP address alone, which is exactly what a spoofed packet forges.
- Use more secure alternatives, e.g. ssh.
- Remove the r* binaries.
- Disable the services in inetd or xinetd.
- Clean up .rhosts files and /etc/hosts.equiv (a "+" entry trusts every host).
- In general, run no application with hostname/IP-based authentication, if possible.
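An added example (not from the original slides) of checking a system for the items on this slide: it walks a filesystem root, reports /etc/hosts.equiv and per-user .rhosts files, flags "+" wildcard entries in them, and lists r* services still enabled in inetd.conf. The directory tree built in demo() is constructed to exercise each case, and the classic inetd.conf layout (service name in the first column, "#" for disabled lines) is assumed. The audit only reads; it changes nothing.

```python
"""Audit for r* service trust files and inetd entries (added example, not
from the original slides). Scans a root as if it were '/', reports findings.
The sample tree in demo() is constructed; the inetd.conf format assumed is
the classic 'service socket proto wait user server args' layout.
"""
import os
import tempfile

R_SERVICES = {"shell", "login", "exec"}   # rsh, rlogin, rexec in inetd.conf


def parse_trust_file(text):
    """Return (hostname, username) entries from hosts.equiv/.rhosts content."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def risky_entries(entries):
    """Entries that trust everyone: '+' as host, or '+' as user on any host."""
    return [(h, u) for h, u in entries if h == "+" or u == "+"]


def enabled_r_services(inetd_text):
    """Service names from R_SERVICES that are not commented out."""
    found = []
    for line in inetd_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue                      # commented-out lines are disabled
        if s.split()[0] in R_SERVICES:
            found.append(s.split()[0])
    return found


def audit(root):
    """Scan 'root' as if it were '/'. Returns a dict of findings."""
    findings = {"trust_files": [], "wildcard_trust": [], "r_services": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == ".rhosts" or rel == "etc/hosts.equiv":
                with open(path) as f:
                    entries = parse_trust_file(f.read())
                findings["trust_files"].append(rel)
                for host, user in risky_entries(entries):
                    findings["wildcard_trust"].append((rel, host, user))
            elif rel == "etc/inetd.conf":
                with open(path) as f:
                    findings["r_services"].extend(enabled_r_services(f.read()))
    return findings


def demo():
    """Build a constructed tree under a temp dir and audit it."""
    root = tempfile.mkdtemp()
    files = {   # constructed sample configuration
        "etc/hosts.equiv": "# trust the whole lab\n+\nbackup.example.org operator\n",
        "etc/inetd.conf": (
            "#shell stream tcp nowait root /usr/sbin/tcpd in.rshd\n"
            "login  stream tcp nowait root /usr/sbin/tcpd in.rlogind\n"
            "ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
        ),
        "home/alice/.rhosts": "build.example.org alice\n",
        "home/bob/.rhosts": "+ +\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    return audit(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed tree the audit reports three trust files, two wildcard entries (the bare "+" in hosts.equiv and "+ +" in bob's .rhosts) and one still-enabled r* service (login). A file that merely exists is worth listing even without wildcards, since any host named in it can be spoofed.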

Disable ping command

- The ping command has little legitimate use on a server.
- ICMP echo can be used to trigger a DoS attack by flooding the victim with ICMP packets.
- The attack does not crash the victim, but it consumes network bandwidth and system resources.
- The victim fails to provide other services, and halts if it runs out of memory.
- Removing the ping binary on one host does not stop other hosts from flooding it; the practical form of this measure is to filter ICMP echo requests at the border, especially those addressed to broadcast addresses, which Smurfing relies on.

DoS using ping (diagram)

Use Encryption

- Encrypt traffic, especially TCP/IP packets and Initial Sequence Numbers, so that an intruder who sniffs the link cannot read the sequence numbers needed to hijack or forge a connection, and a forged packet without the session key is rejected regardless of its source address.
- Kerberos is free and built into many operating systems; limit session (ticket) lifetime.
- A digital signature can be used to identify the sender of a TCP/IP packet.

Strengthen TCP/IP protocol

- Use good random number generators to generate the ISN, so it cannot be predicted from a sampled value.
- Shorten the time-out value for TCP/IP requests.
- Increase the request (half-open connection) queue size.
- These cannot completely prevent the TCP/IP half-open connection attack; they can only buy more time, in the hope that the attack will be noticed.
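An added example (not from the original slides) of the first item: an ISN generator in the style of RFC 1948 / RFC 6528, where ISN = M + F(local address, local port, remote address, remote port, secret), M is the RFC 793 clock (one tick per 4 microseconds) and F is a keyed hash. The secret, the SHA-256 truncation and the sample 4-tuples are assumptions; the RFC allows any keyed hash that hides the secret. The demo shows that a sampled ISN plus the clock rate no longer predicts the ISN of a different 4-tuple, while ISNs for the same 4-tuple still advance with the clock, so stale segments from an old connection are not accepted.

```python
"""Unpredictable ISN generation in the style of RFC 1948 / RFC 6528
(added example, not from the original slides). Addresses, ports and the
secret are constructed; SHA-256 truncated to 32 bits is used as the keyed
hash F."""
import hashlib
import secrets

MASK32 = 0xFFFFFFFF


class SecureIsn:
    TICK_US = 4   # RFC 793 clock: one increment every 4 microseconds

    def __init__(self, secret=None):
        # Secret chosen at boot; RFC 6528 suggests re-keying from time to time.
        self.secret = secret if secret is not None else secrets.token_bytes(16)

    def offset(self, local_ip, local_port, remote_ip, remote_port):
        """F(4-tuple, secret): a per-connection offset the attacker cannot derive."""
        data = f"{local_ip}|{local_port}|{remote_ip}|{remote_port}".encode()
        digest = hashlib.sha256(self.secret + data).digest()
        return int.from_bytes(digest[:4], "big")

    def isn(self, local_ip, local_port, remote_ip, remote_port, now_seconds):
        clock = int(now_seconds * 1_000_000 // self.TICK_US)
        return (clock + self.offset(local_ip, local_port, remote_ip, remote_port)) & MASK32


def predict_from_sample(sampled_isn, t_sample, t_attack):
    """What a blind attacker who knows only the clock rate would guess."""
    ticks = int((t_attack - t_sample) * 1_000_000 // SecureIsn.TICK_US)
    return (sampled_isn + ticks) & MASK32


def demo(victim_ip="10.0.0.2", trusted_ip="10.0.0.3", attacker_ip="198.51.100.7",
         secret=b"\x01" * 16):
    """Constructed scenario: attacker samples its own connection, then spoofs."""
    gen = SecureIsn(secret=secret)
    # Attacker samples an ISN on a connection from its own address.
    sampled = gen.isn(victim_ip, 513, attacker_ip, 40000, now_seconds=100.0)
    # The spoofed connection (trusted host's 4-tuple) gets a different offset.
    real = gen.isn(victim_ip, 513, trusted_ip, 1023, now_seconds=101.4)
    guess = predict_from_sample(sampled, 100.0, 101.4)
    # Same 4-tuple half a second later: the ISN advanced by exactly the clock.
    later_same = gen.isn(victim_ip, 513, attacker_ip, 40000, now_seconds=100.5)
    return {
        "guess_correct": guess == real,
        "monotonic_ticks": (later_same - sampled) & MASK32,   # 0.5 s / 4 us = 125000
        "offset_differs": gen.offset(victim_ip, 513, trusted_ip, 1023)
                          != gen.offset(victim_ip, 513, attacker_ip, 40000),
    }


if __name__ == "__main__":
    print(demo())
```

The clock term is kept on purpose: a purely random ISN would also defeat the guess, but sequence numbers for a reused 4-tuple would then no longer be guaranteed to move past segments left over from a previous incarnation of the connection.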

Firewall

- Limit traffic to the services that are offered.
- Control access from within the network as well, so inside hosts cannot send packets with forged source addresses.
- Free software: ipchains, iptables.
- Commercial firewall software.
- Packet filters: a router with a firewall built in.
- Multiple layers of firewall.
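An added example (not from the original slides, and not any firewall product's own rules) of what a packet filter at the border can do against the attacks described earlier: drop packets arriving from outside that claim an inside source address, drop packets leaving with a source address that is not the site's own (so the site cannot be used to launch spoofed floods), and drop ICMP echo requests aimed at a broadcast address (the Smurf amplifier). The site prefix 192.0.2.0/24, the interface names and the sample packets are constructed; the rule set follows common ingress/egress filtering practice as described in RFC 2827.

```python
"""Anti-spoofing packet filter for a border router (added example, not from
the original slides). The site prefix, interfaces and packets are constructed;
the rules follow ingress/egress filtering practice (RFC 2827)."""
import ipaddress

INSIDE = ipaddress.ip_network("192.0.2.0/24")      # constructed site prefix
UNROUTABLE = [ipaddress.ip_network(n) for n in (   # sources that must never arrive from outside
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
ICMP_ECHO_REQUEST = 8


def filter_packet(pkt):
    """pkt: dict with iface ('outside'|'inside'), src, dst, proto, optional icmp_type.
    Returns (action, reason)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if pkt["iface"] == "outside":
        if src in INSIDE:
            return "DROP", "ingress: packet from outside claims an inside source (spoofed)"
        if any(src in net for net in UNROUTABLE):
            return "DROP", "ingress: private or unroutable source address"
    else:
        if src not in INSIDE:
            return "DROP", "egress: inside host sending with a foreign source (spoof/flood launch)"
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST:
        if dst in (INSIDE.broadcast_address, LIMITED_BROADCAST) or dst.is_multicast:
            return "DROP", "smurf: echo request to a broadcast/multicast address"
    return "ACCEPT", "passes anti-spoofing checks"


SAMPLE_PACKETS = [   # constructed traffic, one per rule
    {"iface": "outside", "src": "192.0.2.10",   "dst": "192.0.2.20",   "proto": "tcp"},
    {"iface": "outside", "src": "198.51.100.7", "dst": "192.0.2.20",   "proto": "tcp"},
    {"iface": "inside",  "src": "203.0.113.9",  "dst": "198.51.100.1", "proto": "tcp"},
    {"iface": "outside", "src": "198.51.100.7", "dst": "192.0.2.255",  "proto": "icmp", "icmp_type": 8},
    {"iface": "inside",  "src": "192.0.2.20",   "dst": "198.51.100.7", "proto": "icmp", "icmp_type": 8},
    {"iface": "outside", "src": "10.1.2.3",     "dst": "192.0.2.20",   "proto": "tcp"},
]


def run(packets=SAMPLE_PACKETS):
    """Apply the filter to each packet; returns the list of actions."""
    return [filter_packet(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        action, reason = filter_packet(p)
        print(f"{p['iface']:7} {p['src']:>14} -> {p['dst']:<14} {action:6} {reason}")
```

The first sample packet is the one the blind spoofing attack relies on when the attacker is outside and the trusted host inside: a border filter drops it before any sequence-number guessing matters. The egress rule is the "control access from within the network" item; it protects other sites, not this one, which is why it is often omitted and why spoofed floods remain possible.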

Network layout with Firewall (diagram)

IP Trace-back

- Aims to trace a packet back as close to the attacker's location as possible, since the source address itself is forged.
- Limited in reliability and efficiency.
- Requires the cooperation of many other network operators along the routing path.
- Generally does not receive much attention from network operators.

Summary/Conclusion

IP spoofing attacks cannot be entirely prevented. Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.

