
IP SPOOFING

Presented By:

Outline:
- What is spoofing?
- Introduction of IP spoofing
- IP Spoofing: basic overview, examples
- Mitnick Attack
- Session Hijack
- DoS/DDoS Attack
- Defending Against the Threat
- Continuous Evolution

What Is Spoofing?

In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. In networking, the term is used to describe a variety of ways in which hardware and software can be fooled. IP spoofing, for example, involves trickery that makes a message appear as if it came from an authorized IP address.

Types of spoofing:
- URL spoofing
- Referrer spoofing
- Caller ID spoofing
- Email address spoofing

INTRODUCTION: IP spoofing

IP spoofing is a technique used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forged source IP address indicating that the message is coming from a trusted host. The attacker puts an internal, or trusted, IP address as the source. The access control device sees the IP address as trusted and lets the packet through.

IP SPOOFING

IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.

The attack is based on the fact that Internet communication between distant computers is routinely handled by routers which find the best route by examining the destination address, but generally ignore the origination address.

The origination address is only used by the destination machine when it responds back to the source.

Basic Concept of IP Spoofing

(Diagram: host A, 10.10.10.1, sends an HTTP request to http://www.carleton.ca at 134.117.1.60.)

Normal packet:
  Src_IP 10.10.10.1   dst_IP 134.117.1.60   Src_port Any (>1024)   dst_port 80

Spoofed packet:
  Src_IP 11.11.11.1   dst_IP 134.117.1.60   Src_port Any (>1024)   dst_port 80

IP Spoofing

Why is IP spoofing easy?
- The problem lies with the routers: routers look at destination addresses only.
- Authentication is based on source addresses only.
- Changing the source address field in the IP header is easy.

Spoofing Attacks:

There are a few variations on the types of attacks that use IP spoofing. Spoofing is classified into:

1. Non-blind spoofing. This attack takes place when the attacker is on the same subnet as the target and can therefore see the sequence and acknowledgement numbers of its packets. Spoofing is used to interfere with a connection that sends packets along your subnet.

Spoofing Attacks: impersonation

(Diagram: the sender forges packets so that they appear to come from the victim's partner. Victim: "Oh, my partner sent me a packet. I'll process this.")

IP Spoofing: three-way handshake

(Diagram: the intruder forges packets from trusted host A toward the victim. The handshake segments shown are SYN(A), ACK(A+1), SYN(B), ACK(B+1).)

2. Blind spoofing. This attack may take place from outside, where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to sample sequence numbers, which was doable in older days. Spoofing is used to interfere with a connection (or to create one) that does not send packets along your cable.

Spoofing Attacks: flooding attack

(Diagram: the sender floods the victim with packets carrying forged source addresses. Victim: "Oops, many packets are coming. But who is the real source?")

3. Man-in-the-Middle Attack. This is also called connection hijacking. In this attack, a malicious party intercepts a legitimate communication between two hosts in order to control the flow of communication and to eliminate or alter the information sent by one of the original participants without their knowledge.

Spoofing Attacks: reflection

(Diagram: the sender emits an IP-spoofed packet with src: victim and dst: reflector; the reflector answers the victim. Victim: "Oops, a lot of replies without any request.")

4. Denial of Service Attack

IP spoofing is almost always used in denial of service attacks (DoS), in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time. To conduct the attack effectively, attackers spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block the traffic.

SMURF ATTACK

- Send an ICMP ping packet with a spoofed IP source address to a LAN, which will broadcast it to all hosts on the LAN.
- Each host will send a reply packet to the spoofed IP address, leading to denial of service.
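The reflection and Smurf slides describe the same symptom from the defender's side: a host receiving replies it never requested, and an echo request aimed at a LAN's broadcast address that every host would answer. The following Python is an added illustration, not part of the original slides: it pairs inbound ICMP echo replies with earlier outbound echo requests and reports the local host that accumulates unsolicited replies, and separately flags inbound directed-broadcast pings that a border router should drop. The 10.0.0.0/24 prefix, the reporting threshold and the packet list are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical protected prefix watched by this detector (an assumption for the example).
LOCAL_NET = ip_network("10.0.0.0/24")
# Unsolicited replies a single local host may collect before it is reported as a victim.
UNSOLICITED_THRESHOLD = 3


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving LOCAL_NET, "in" = arriving from outside
    kind: str       # "echo-request" or "echo-reply" (ICMP)
    src: str
    dst: str
    ident: int      # ICMP identifier/sequence used to pair a request with its reply


def is_directed_broadcast(pkt: Packet) -> bool:
    """Smurf ingress check: an echo request arriving from outside and aimed at the
    LAN's broadcast address would be answered by every host, so a router drops it."""
    return (pkt.direction == "in" and pkt.kind == "echo-request"
            and ip_address(pkt.dst) == LOCAL_NET.broadcast_address)


def smurf_triggers(packets):
    """Return the inbound echo requests that target the local broadcast address."""
    return [pkt for pkt in packets if is_directed_broadcast(pkt)]


def find_reflection_victims(packets):
    """Pair inbound echo replies with earlier outbound echo requests.

    A reply that matches no request is the slide's "reply without any request"; a local
    host collecting many of them from different sources is the victim whose address was
    spoofed toward the reflectors. Returns {victim: sorted reflector IPs} for every host
    that reaches UNSOLICITED_THRESHOLD.
    """
    outstanding = set()              # (local host, remote host, ident) of requests we sent
    unsolicited = defaultdict(list)  # victim -> reflectors that answered unprompted
    for pkt in packets:
        if pkt.direction == "out" and pkt.kind == "echo-request":
            outstanding.add((pkt.src, pkt.dst, pkt.ident))
        elif pkt.direction == "in" and pkt.kind == "echo-reply":
            key = (pkt.dst, pkt.src, pkt.ident)
            if key in outstanding:
                outstanding.discard(key)  # legitimate answer to our own ping
            else:
                unsolicited[pkt.dst].append(pkt.src)
    return {victim: sorted(set(refl)) for victim, refl in unsolicited.items()
            if len(refl) >= UNSOLICITED_THRESHOLD}


# Constructed sample traffic (not captured data): one normal ping exchange by 10.0.0.5,
# a reflection flood against 10.0.0.9, and one Smurf trigger aimed at the LAN broadcast.
SAMPLE_PACKETS = [
    Packet("out", "echo-request", "10.0.0.5", "192.0.2.1", 100),
    Packet("in", "echo-reply", "192.0.2.1", "10.0.0.5", 100),
    Packet("in", "echo-reply", "198.51.100.1", "10.0.0.9", 1),
    Packet("in", "echo-reply", "198.51.100.2", "10.0.0.9", 1),
    Packet("in", "echo-reply", "198.51.100.3", "10.0.0.9", 1),
    Packet("in", "echo-reply", "198.51.100.4", "10.0.0.9", 1),
    Packet("in", "echo-request", "203.0.113.7", "10.0.0.255", 7),
]

if __name__ == "__main__":
    print("reflection victims:", find_reflection_victims(SAMPLE_PACKETS))
    print("directed-broadcast pings to drop:", smurf_triggers(SAMPLE_PACKETS))
```

The detector needs to see both directions of traffic, so it belongs at the border where the LAN's own pings leave; a reflector elsewhere on the Internet cannot tell a spoofed request from a real one, which is why the slide's reflection attack works in the first place.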

Misconception of IP Spoofing:

A common misconception is that "IP Spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth.

This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. However, IP spoofing is an integral part of many networks that do not need to see responses.

Detection of IP Spoofing:

1. If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack.

2. Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access.

Source Address Validation: check the source IP address of IP packets
- filter invalid source addresses
- filter as close to the packet's origin as possible
- filter as precisely as possible

If no networks allow IP spoofing, we can eliminate these kinds of attacks.

Close to the origin

(Diagram: routers RT.a and RT.b with the customer prefixes 10.0.0.0/23 and 10.0.3.0/24. A packet with srcip: 0.0.0.0 is rejected at every router: "You are spoofing!" A packet with srcip: 10.0.0.1 originating in the 10.0.3.0/24 network is rejected by the router attached to that network ("You are spoofing!"), while a router further upstream sees only a valid-looking address: "Hmm, this looks ok...but..")

We can check and drop packets that carry an unused (unallocated) source address anywhere in the network, but a packet that carries an address from used space can only be checked before aggregation, i.e. close to its origin.

Prevention of IP Spoofing:

To prevent IP spoofing in your network, the following are some common practices:
1. Avoid using source address authentication. Implement cryptographic authentication system-wide.
2. Configure your network to reject packets from the Net that claim to originate from a local address.
3. Implement ingress and egress filtering on the border routers and implement an ACL (access control list) that blocks private IP addresses on your downstream interface. If you allow outside connections from trusted hosts, enable encrypted sessions at the router.
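Detection rule 1, the source address validation slides and prevention rules 2 and 3 are all one mechanism seen from different sides: a router knows which source prefixes may legitimately arrive on each of its interfaces and drops everything else. The following Python model of such a filter is an added example, not the deck's configuration or any vendor's ACL syntax: the interface names, the 10.0.0.0/24 and 10.0.1.0/24 customer prefixes and the sample packets are constructed assumptions. It shows why the "filter close to the origin" point matters: the spoofed 10.0.0.1 is caught on the customer LAN it does not belong to, while a router that only knew the aggregate could not tell.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical site router: one upstream link and two customer LANs. These prefixes
# are assumptions for the example, not the deck's topology.
INTERFACE_PREFIXES = {
    "lan0": [ip_network("10.0.0.0/24")],
    "lan1": [ip_network("10.0.1.0/24")],
}
SITE_PREFIXES = [p for prefixes in INTERFACE_PREFIXES.values() for p in prefixes]

# Address space that is never a valid source on the upstream interface: unspecified,
# RFC 1918 private, loopback, link-local, multicast and reserved ranges.
BOGON_PREFIXES = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "upstream", "lan0" or "lan1"
    src: str
    dst: str


def in_any(addr, prefixes) -> bool:
    return any(addr in prefix for prefix in prefixes)


def source_address_check(pkt: Packet) -> tuple:
    """Decide ("accept" | "drop", reason) for one received packet."""
    src = ip_address(pkt.src)
    if pkt.iface == "upstream":
        # Ingress filtering. A packet from the Internet that claims one of our own
        # addresses is the deck's detection rule 1 (src and dst both local on the
        # external interface) and its prevention rule 2 (reject local sources from the Net).
        if in_any(src, SITE_PREFIXES):
            return ("drop", "ingress: source %s claims to be local" % src)
        if in_any(src, BOGON_PREFIXES):
            return ("drop", "ingress: private/bogon source %s" % src)
        return ("accept", "ingress: plausible external source")
    expected = INTERFACE_PREFIXES.get(pkt.iface)
    if expected is None:
        return ("drop", "unknown interface %s" % pkt.iface)
    # Egress filtering close to the origin. On a customer LAN the source must belong to
    # that LAN's own prefix: 10.0.0.1 arriving on lan1 is spoofed, even though a router
    # further upstream that only knows the aggregate would see nothing wrong with it.
    if in_any(src, expected):
        return ("accept", "egress: source belongs to %s" % pkt.iface)
    return ("drop", "egress: source %s is not in the %s prefix" % (src, pkt.iface))


def filter_all(packets):
    """Return {packet: "accept" | "drop"} for a batch of packets."""
    return {pkt: source_address_check(pkt)[0] for pkt in packets}


# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    Packet("upstream", "10.0.0.7", "10.0.1.20"),     # local src and dst from outside: spoofed
    Packet("upstream", "192.168.1.1", "10.0.0.5"),   # private source from the Internet
    Packet("upstream", "198.51.100.9", "10.0.0.5"),  # ordinary inbound traffic
    Packet("lan1", "10.0.0.1", "198.51.100.9"),      # lan0 address leaving via lan1: spoofed
    Packet("lan0", "10.0.0.1", "198.51.100.9"),      # same address on its own LAN: fine
    Packet("lan1", "0.0.0.0", "198.51.100.9"),       # unused address: droppable anywhere
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.iface, pkt.src, "->", pkt.dst, *source_address_check(pkt))
```

The egress half is the one that protects other people's networks, which is the point of the "if no networks allow IP spoofing" slide: a site that drops foreign sources on its own customer interfaces stops being a launch point for the spoofed floods described later in the deck.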

IP Spoofing: The Reset

(Diagram with three parties: Sucker - Alice, Victim - Bob, Attacker - Eve.)
1. SYN (Eve to Alice, carrying Bob's address as the source): "Let's have a conversation."
2. SYN ACK (Alice to Bob): "Sure, what do you want to talk about?"
3. RESET (Bob to Alice): "Umm.. I have no idea why you are talking to me."
4. No connection (Eve): "Guess I need to take Bob out of the picture."

Mitnick Attack: why it worked

- Mitnick abused the trust relationship between the server and the workstation.
- He flooded the server to prevent communication between it and the workstation.
- He used math skills to determine the TCP sequence number algorithm (i.e. add 128000).
- This allowed Mitnick to open a connection without seeing the workstation's outgoing sequence numbers and without the server interrupting his attack.

IP Spoofing - Session Hijack

IP spoofing used to eavesdrop/take control of a session. Attacker normally within a LAN/on the communication path between server and client. Not blind, since the attacker can see traffic from both server and client.


Session Hijack

(Diagram: Alice and Bob talk to each other; Eve sits between them, saying "I'm Bob!" to Alice and "I'm Alice!" to Bob.)
1. Eve assumes a man-in-the-middle position through some mechanism. For example, Eve could use ARP poisoning, social engineering, router hacking, etc.
2. Eve can monitor traffic between Alice and Bob without altering the packets or sequence numbers.
3. At any point, Eve can assume the identity of either Bob or Alice through the spoofed IP address. This breaks the pseudo-connection, as Eve will start modifying the sequence numbers.

IP Spoofing: DoS/DDoS

Denial of Service (DoS) and Distributed Denial of Service (DDoS) are attacks aimed at preventing clients from accessing a service. IP spoofing can be used to create DoS attacks.

DoS Attack

The attacker spoofs a large number of requests from various IP addresses to fill a service's queue. With the service's queue filled, legitimate users cannot use the service.

DoS Attack

(Diagram: legitimate users send service requests to the server across the Interweb; the attacker sends a flood of requests from fake IPs. Server queue full, legitimate requests get dropped.)

DDoS Attack

Many other types of DDoS are possible. DoS becomes more dangerous if spread to multiple computers.


DDoS Attack

(Diagram: the attacker sends SYNs across the Interweb to the target servers using the address of a server that is already DoS'd; the target servers send SYN ACKs to that server, whose queue is full.)
1. The attacker makes a large number of SYN connection requests to the target servers on behalf of a DoS'd server.
2. The servers send SYN ACK to the spoofed server, which cannot respond as it is already DoS'd. Queues quickly fill, as each connection request will have to go through a process of sending several SYN ACKs before it times out.
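The DoS and DDoS slides describe a queue that fills with connections whose SYN ACK is never answered, because the spoofed source either is not listening or has already been taken down. A server or a sensor in front of it can see this directly by tracking half-open connections. The following Python is an added example, not code from the slides: it replays constructed (time, src, dst, flag) events, keeps every SYN until the client's ACK or a RST closes it, and reports servers whose stale half-open count reaches an assumed backlog limit. The timeout, the alert threshold, the 10.0.0.80 server and the client addresses are all constructed assumptions.

```python
from collections import defaultdict

# Seconds a half-open entry may wait before we count it as abandoned (an assumption
# standing in for the server's SYN-ACK retransmission timeout).
HALF_OPEN_TIMEOUT = 30.0
# Stale half-open connections per server that we treat as a flood (assumed backlog size).
BACKLOG_ALERT = 3


def half_open_connections(events, now):
    """Replay (time, src, dst, tcp_flag) events seen in front of our servers and return,
    per server, the client addresses whose SYN was never followed by the client's final
    ACK (or a RST) and is older than HALF_OPEN_TIMEOUT.

    A spoofed SYN flood looks exactly like this: many distinct sources, a single SYN
    each, none of them completing, because the SYN-ACK went to an address that never
    asked for it (the slide's DoS'd server) and so is never acknowledged.
    """
    pending = {}  # (client, server) -> time of the SYN
    for t, src, dst, flag in events:
        if flag == "SYN":
            pending.setdefault((src, dst), t)
        elif flag in ("ACK", "RST"):
            pending.pop((src, dst), None)  # handshake completed, or the real owner refused it
        # "SYN-ACK" travels server -> client and does not change the client's entry
    stale = defaultdict(list)
    for (client, server), t in pending.items():
        if now - t >= HALF_OPEN_TIMEOUT:
            stale[server].append(client)
    return {server: sorted(clients) for server, clients in stale.items()}


def flooded_servers(events, now):
    """Servers whose stale half-open count has reached BACKLOG_ALERT."""
    return sorted(server for server, clients in half_open_connections(events, now).items()
                  if len(clients) >= BACKLOG_ALERT)


# Constructed sample events (not a capture). 10.0.0.80 is our server; 198.51.100.7 is a
# legitimate client that completes its handshake; 203.0.113.x are spoofed sources whose
# SYN-ACKs are never acknowledged, except .4, whose real owner answers with a RST (the
# "Reset" slide) and so frees its slot.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", "10.0.0.80", "SYN"),
    (0.1, "10.0.0.80", "198.51.100.7", "SYN-ACK"),
    (0.2, "198.51.100.7", "10.0.0.80", "ACK"),
    (1.0, "203.0.113.1", "10.0.0.80", "SYN"),
    (1.0, "203.0.113.2", "10.0.0.80", "SYN"),
    (1.0, "203.0.113.3", "10.0.0.80", "SYN"),
    (1.0, "203.0.113.4", "10.0.0.80", "SYN"),
    (1.1, "10.0.0.80", "203.0.113.1", "SYN-ACK"),
    (1.1, "10.0.0.80", "203.0.113.2", "SYN-ACK"),
    (1.1, "10.0.0.80", "203.0.113.3", "SYN-ACK"),
    (1.1, "10.0.0.80", "203.0.113.4", "SYN-ACK"),
    (2.0, "203.0.113.4", "10.0.0.80", "RST"),
]

if __name__ == "__main__":
    print("stale half-open at t=60:", half_open_connections(SAMPLE_EVENTS, 60.0))
    print("flooded servers:", flooded_servers(SAMPLE_EVENTS, 60.0))
```

The RST event is the important edge case: a spoofed source that is still alive resets the half-open entry and frees the slot, which is exactly why the DDoS slide has the attacker use a server that is already DoS'd and cannot answer at all.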

Difficulties for the attacker:
- TCP sequence numbers
- One-way communication
- Adherence to protocols for other layers

IP Spoofing: Defending

IP spoofing can be defended against in a number of ways:
- As mentioned, other protocols in the architectural model may reveal spoofing. TCP sequence numbers are often used in this manner.
- New generators for sequence numbers are a lot more complicated than "add 128000". This makes it difficult to guess proper sequence numbers if the attacker is blind.
- Smart routers can detect IP addresses that are outside their domain.
- Smart servers can block IP ranges that appear to be conducting a DoS.
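The "add 128000" generator the Mitnick slide describes and the "a lot more complicated" generators mentioned here can be put side by side. The following Python is an added example, not code from the slides: it implements the constant-step scheme for comparison and an RFC 6528 style generator, where the initial sequence number is a 4-microsecond clock plus a keyed hash of the connection 4-tuple. The HMAC-SHA256 choice for the hash, the key handling and the sample addresses are assumptions for this example (the RFC leaves the hash function to the implementer).

```python
import hashlib
import hmac
import secrets
import time

TWO32 = 1 << 32


def isn_add_constant(previous_isn: int, step: int = 128000) -> int:
    """The predictable scheme the deck attributes to the Mitnick-era server: each new
    connection's ISN is the previous one plus a fixed constant, so anyone who has seen
    one ISN can compute the next without seeing the reply."""
    return (previous_isn + step) % TWO32


def clock_4us() -> int:
    """RFC 6528's M: a counter advancing every 4 microseconds, truncated to 32 bits."""
    return (time.time_ns() // 4000) % TWO32


def isn_rfc6528(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
                secret: bytes, clock: int) -> int:
    """RFC 6528 style ISN: (M + F(localip, localport, remoteip, remoteport, key)) mod 2^32.

    F is a keyed hash of the connection 4-tuple (HMAC-SHA256 truncated to 32 bits here).
    Every 4-tuple gets its own secret offset, so the ISN of one connection says nothing
    about the ISN of a connection between different endpoints, while the ISNs of one
    4-tuple still advance monotonically with the clock as TCP requires.
    """
    four_tuple = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
    digest = hmac.new(secret, four_tuple, hashlib.sha256).digest()
    offset = int.from_bytes(digest[:4], "big")
    return (clock + offset) % TWO32


def isn_difference(isn_a: int, isn_b: int) -> int:
    """Modular distance from isn_a to isn_b: a constant under the legacy scheme,
    effectively random under RFC 6528 when the 4-tuples differ."""
    return (isn_b - isn_a) % TWO32


if __name__ == "__main__":
    key = secrets.token_bytes(16)  # per-boot secret; a real stack regenerates it on reboot
    m = clock_4us()
    first = 0x1000
    print("legacy: after %#x the next ISN is %#x" % (first, isn_add_constant(first)))
    # Two connections opened at the same instant to the same local service, from two
    # different clients: under RFC 6528 their ISNs are unrelated.
    a = isn_rfc6528("10.0.0.80", 513, "10.0.0.5", 1023, key, m)
    b = isn_rfc6528("10.0.0.80", 513, "10.0.0.9", 1023, key, m)
    print("rfc6528: %#x vs %#x, distance %#x" % (a, b, isn_difference(a, b)))
```

The per-4-tuple offset is what defeats the blind attacker's sampling step from the deck: sampling sequence numbers from connections he can see gives him offsets for those 4-tuples only, not for the trusted host's address he intends to forge.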

IP Spoofing continues to evolve

IP spoofing is still possible today, but has to evolve in the face of growing security. A new issue of Phrack includes a method of using IP spoofing to perform remote scans and determine TCP sequence numbers. This allows a session hijack attack even if the attacker is blind.

IP Spoofing: Basic Overview

Basically, IP spoofing is lying about an IP address. Normally, the source address is incorrect. Lying about the source address lets an attacker assume a new identity.

