Bao Ho, ToanTai Vu
CS 265 - Security Engineering Spring 2003 San Jose State University
IP Spoofing, CS265 1
Presentation Outline
- Introduction, Background
- Attacks with IP Spoofing
- Counter Measures
- Summary
IP Spoofing
Exploits trust relationships: the intruder sends packets to a target computer with the source IP address of a host the target trusts, so the target treats them as coming from that host.
IP / TCP
- IP is connectionless and unreliable; nothing in IP itself checks that the source address is genuine.
- TCP is connection-oriented; each side numbers its data with a sequence number that starts at an initial sequence number (ISN) chosen when the connection opens.

TCP/IP three-way handshake:
  A -> B: SYN, seq = X                 ("my number is X")
  B -> A: SYN+ACK, seq = Y, ack = X+1  ("now X+1; my number is Y")
  A -> B: ACK, ack = Y+1               ("now Y+1")
A blind attack
The intruder (host I) cannot see what the victim (host V) sends back to the impersonated host, so it must predict V's sequence number (Y) to complete the handshake.
IP Spoofing Steps
1. Select a target host (the victim).
2. Identify a host that the target trusts.
3. Disable the trusted host so it cannot answer, and sample the target's TCP initial sequence numbers (ISNs).
4. Impersonate the trusted host, forging the ISN the target will expect in the handshake.
5. Attempt a connection to a service that only requires address-based authentication.
6. If the connection succeeds, execute a simple command that leaves a backdoor.
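The steps above, as an added example that is not part of the original slides: a Python model of the blind attack against a service that authenticates by source address only. The victim's ISN behaviour (a fixed per-connection increment, as in old BSD stacks, versus a CSPRNG), the addresses, the rlogin port and the backdoor command are assumptions for illustration. The random-ISN run also shows why the "good random number generator for ISNs" counter-measure later in the deck works.

```python
"""Model of the blind IP-spoofing attack (added example, not from the slides).

Assumptions (not on the page): the victim's ISN either grows by a fixed
step per connection, as old BSD stacks did, or is drawn from a CSPRNG;
the attacker can forge any source address but never sees packets the
victim sends to the trusted host; addresses and ports are made up.
"""
import secrets

TRUSTED_IP = "10.0.0.5"     # host the victim trusts (assumed)
ATTACKER_IP = "192.0.2.66"  # attacker's real, routable address (assumed)
RLOGIN_PORT = 513
ISN_STEP = 64000            # per-connection ISN increment of old BSD stacks
SEQ_MOD = 2 ** 32


class Victim:
    """TCP server that authenticates purely by source IP, like rsh/rlogin."""

    def __init__(self, random_isn):
        self.random_isn = random_isn
        self.next_isn = secrets.randbelow(SEQ_MOD)  # unknown starting point
        self.half_open = {}        # (src_ip, src_port) -> ISN sent in SYN/ACK
        self.established = set()
        self.executed = []         # commands run on behalf of "trusted" clients

    def _new_isn(self):
        if self.random_isn:
            return secrets.randbelow(SEQ_MOD)
        isn = self.next_isn
        self.next_isn = (isn + ISN_STEP) % SEQ_MOD
        return isn

    def syn(self, src_ip, src_port, client_seq):
        """Handle a SYN; return the SYN/ACK, which is routed to src_ip."""
        isn = self._new_isn()
        self.half_open[(src_ip, src_port)] = isn
        return {"to": src_ip, "seq": isn, "ack": (client_seq + 1) % SEQ_MOD}

    def rst(self, src_ip, src_port):
        """A RST from src_ip tears down the half-open connection."""
        self.half_open.pop((src_ip, src_port), None)

    def ack(self, src_ip, src_port, ack_num):
        """Third handshake packet: accepted only if ack_num == our ISN + 1."""
        isn = self.half_open.pop((src_ip, src_port), None)
        if isn is not None and ack_num == (isn + 1) % SEQ_MOD:
            self.established.add((src_ip, src_port))
            return True
        return False

    def data(self, src_ip, src_port, command):
        """Run a command if the connection is up and the address is trusted."""
        if (src_ip, src_port) in self.established and src_ip == TRUSTED_IP:
            self.executed.append(command)
            return True
        return False


def blind_spoof(victim, trusted_host_silenced=True):
    """Carry out steps 3-6; return True if the backdoor command ran."""
    # Step 3: sample the victim's current ISN with a legitimate connection
    # from our own address (this SYN/ACK we do see).
    probe = victim.syn(ATTACKER_IP, 40000, client_seq=1000)
    sampled_isn = probe["seq"]
    victim.ack(ATTACKER_IP, 40000, probe["ack"])

    # Step 4: forge a SYN from the trusted host. The SYN/ACK goes to the
    # trusted host, not to us, so we cannot read its sequence number.
    synack = victim.syn(TRUSTED_IP, RLOGIN_PORT, client_seq=5000)
    assert synack["to"] == TRUSTED_IP
    if not trusted_host_silenced:
        # A live trusted host that never sent a SYN answers with a RST.
        victim.rst(TRUSTED_IP, RLOGIN_PORT)
        return False

    # Step 5: predict the ISN the victim just used and ACK it blind.
    guessed_isn = (sampled_isn + ISN_STEP) % SEQ_MOD
    if not victim.ack(TRUSTED_IP, RLOGIN_PORT, (guessed_isn + 1) % SEQ_MOD):
        return False

    # Step 6: one command that leaves a backdoor (trust everyone via .rhosts).
    return victim.data(TRUSTED_IP, RLOGIN_PORT, "echo + + >> ~/.rhosts")


if __name__ == "__main__":
    print("predictable ISN:", blind_spoof(Victim(random_isn=False)))  # True
    print("random ISN:     ", blind_spoof(Victim(random_isn=True)))   # False
```

With a predictable ISN the single sampled value is enough to complete the handshake blind; with a random 32-bit ISN the guess fails with overwhelming probability, and the attack also fails whenever the trusted host is still up to send its RST.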
IP Spoofing Attacks
Flooding / Smurfing
Attacks
Man-in-the-middle:
The attacker sniffs packets on a link between the two endpoints, so it sees both sides' sequence numbers and can inject packets as either end of the connection (a non-blind attack).
Attacks
Routing redirect:
The attacker alters routing information so that traffic meant for the original host is delivered to the attacker's host instead.
Source routing:
The attacker uses the IP source-route option to dictate the path of the packets, so replies to the spoofed source address are routed back through the attacker.
Attacks
Flooding: a SYN flood sends SYN packets from random (spoofed) source addresses, filling up the victim's receive queue of half-open connections; the SYN/ACKs go to hosts that never complete the handshake.
Smurfing: an ICMP echo request is spoofed to originate from the victim and sent to a network's broadcast address, so all hosts on that network respond to the victim at once.
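Detection logic for the two flooding attacks above, as an added example that is not part of the original slides: it runs over a constructed packet list and flags services receiving SYNs from many sources that never complete the handshake, and ICMP echo requests aimed at the protected network's broadcast address (a Smurf trigger, where the claimed source is the real victim). The packet records, addresses and the threshold are assumptions, not real captures.

```python
"""Detection of SYN flood and Smurf traffic over constructed packets
(added example, not from the slides)."""
import ipaddress
from collections import defaultdict

PROTECTED_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed site network
SERVER = "192.168.1.10"                                   # assumed web server


def tcp(src, dst, dport, flags):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, "flags": flags}


def icmp(src, dst, kind):
    return {"proto": "icmp", "src": src, "dst": dst, "type": kind}


# Constructed traffic: three real clients complete handshakes, then 30 SYNs
# arrive from never-seen sources that never ACK, plus one Smurf trigger and
# one ordinary ping.
PACKETS = []
for host in ("203.0.113.7", "203.0.113.8", "198.51.100.2"):
    PACKETS.append(tcp(host, SERVER, 80, "S"))
    PACKETS.append(tcp(host, SERVER, 80, "A"))   # third handshake packet
PACKETS += [tcp(str(ipaddress.ip_address("10.9.0.0") + i), SERVER, 80, "S")
            for i in range(1, 31)]
PACKETS.append(icmp("198.51.100.77", str(PROTECTED_NET.broadcast_address),
                    "echo-request"))
PACKETS.append(icmp("203.0.113.7", SERVER, "echo-request"))   # benign ping


def find_syn_floods(packets, min_sources=10):
    """Map (dst, port) -> number of distinct sources that sent a SYN but never
    sent the final ACK; only services at or above min_sources are reported."""
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for p in packets:
        if p["proto"] != "tcp":
            continue
        key = (p["dst"], p["dport"])
        if p["flags"] == "S":
            syn_sources[key].add(p["src"])
        elif p["flags"] == "A":
            ack_sources[key].add(p["src"])
    result = {}
    for key, srcs in syn_sources.items():
        pending = len(srcs - ack_sources[key])
        if pending >= min_sources:
            result[key] = pending
    return result


def find_smurf_triggers(packets, net=PROTECTED_NET):
    """Return (claimed_source, potential_repliers) for each echo request aimed
    at the network's broadcast address. The claimed source is the victim that
    would receive one reply per host on the network."""
    hits = []
    for p in packets:
        if (p["proto"] == "icmp" and p["type"] == "echo-request"
                and ipaddress.ip_address(p["dst"]) == net.broadcast_address):
            hits.append((p["src"], net.num_addresses - 2))
    return hits


if __name__ == "__main__":
    print(find_syn_floods(PACKETS))        # {('192.168.1.10', 80): 30}
    print(find_smurf_triggers(PACKETS))    # [('198.51.100.77', 254)]
```

The SYN-flood check keys on the gap between SYNs and completed handshakes rather than on raw SYN volume, since a busy but healthy service also sees many SYNs; the Smurf check is the one a border router should enforce anyway by refusing directed broadcasts.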
IP-Spoofing Facts
Counter-measures against IP spoofing
- Use encryption
- Strengthen the TCP/IP protocol
- Firewall
- IP traceback
No application with hostname/IP-based authentication, if possible
- The r* services (rsh, rlogin, rcp) authenticate by hostname or IP address, which is exactly what spoofing defeats.
- Use more secure alternatives, i.e., ssh.
- Remove the r* binaries and disable the services in inetd / xinetd.
- Clean up ~/.rhosts files and /etc/hosts.equiv.
Effect of flooding attacks
These attacks do not crash the victim directly, but they consume network bandwidth and system resources.
The victim can no longer provide its other services, and halts if it runs out of memory.
Use Encryption
Digital signatures can be used to authenticate the sender of a TCP/IP packet, so a forged source address alone no longer gains trust.
Strengthen the TCP/IP protocol
- Use a good random number generator for initial sequence numbers (ISNs), so they cannot be sampled and predicted.
- Shorten the time-out for half-open TCP connection requests.
- Increase the request (backlog) queue size.
- These cannot completely prevent the TCP half-open connection (SYN flood) attack.
- They can only buy more time, in the hope that the attack will be noticed.
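The trade-off in the list above, as an added example that is not part of the original slides: a small discrete-time model of the half-open connection queue. Forged SYNs hold a backlog slot for the whole time-out, legitimate SYNs hold one only until their ACK arrives one round trip later, and a legitimate SYN that finds the backlog full is refused. The backlog sizes, time-outs, rates and tick length are assumptions chosen to illustrate the point.

```python
"""Half-open connection queue under a SYN flood (added example, not from
the slides). All parameter values are assumptions for illustration."""


def saturation_rate(backlog, timeout):
    """SYNs per second an attacker must sustain to keep the backlog full:
    each forged entry occupies one slot for the entire time-out."""
    return backlog / timeout


def simulate_syn_flood(backlog, timeout, attack_rate, legit_rate=5.0,
                       duration=30.0, rtt=0.1, dt=0.01):
    """Return the fraction of legitimate SYNs refused because the backlog
    was full, over `duration` seconds simulated in ticks of `dt` seconds."""
    half_open = []             # (expiry_time, is_legit) per pending entry
    legit_total = legit_dropped = 0
    attack_acc = legit_acc = 0.0   # fractional packets carried between ticks
    t = 0.0
    while t < duration:
        # Drop entries whose handshake completed (legit, after one RTT) or
        # whose time-out expired (forged, never ACKed).
        half_open = [e for e in half_open if e[0] > t]
        attack_acc += attack_rate * dt
        legit_acc += legit_rate * dt
        while attack_acc >= 1:
            attack_acc -= 1
            if len(half_open) < backlog:
                half_open.append((t + timeout, False))
        while legit_acc >= 1:
            legit_acc -= 1
            legit_total += 1
            if len(half_open) < backlog:
                half_open.append((t + rtt, True))
            else:
                legit_dropped += 1
        t += dt
    return legit_dropped / legit_total if legit_total else 0.0


if __name__ == "__main__":
    # Old defaults (assumed): 128-entry backlog, 75 s time-out.
    print(saturation_rate(128, 75.0))                                  # ~1.7 SYN/s
    print(simulate_syn_flood(backlog=128, timeout=75.0, attack_rate=20.0))
    # Hardened (assumed): 8x larger backlog, 10 s time-out.
    print(saturation_rate(1024, 10.0))                                 # 102.4 SYN/s
    print(simulate_syn_flood(backlog=1024, timeout=10.0, attack_rate=20.0))   # 0.0
    print(simulate_syn_flood(backlog=1024, timeout=10.0, attack_rate=500.0))
```

The hardened settings raise the rate an attacker needs from under 2 SYN/s to about 100 SYN/s, which shrugs off the slow flood but is still trivial to exceed; at 500 SYN/s the larger backlog fills in about two seconds and most legitimate connections are refused again. That is the sense in which these tuning knobs only buy time.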
Firewall
IP Trace-back
- Requires the cooperation of many other network operators along the routing path.
- Generally does not receive much attention from network operators.
Summary/Conclusion
IP spoofing attacks are unavoidable. Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.
Questions / Answers