
IP Spoofing


Kanwarjeet

1001CS22

Table of Contents:

1. History
2. Introduction
3. What is IP spoofing?
4. Spoofing attacks
5. Detection
6. Prevention
7. Conclusion

History
The concept of IP spoofing was first discussed in academic circles in the 1980s. In 1985 Robert T. Morris, who later wrote the first Internet worm, described a security weakness in the TCP protocol known as sequence number prediction. In his April 1989 article "Security Problems in the TCP/IP Protocol Suite", S. M. Bellovin of AT&T Bell Labs was among the first to identify IP spoofing as a real risk to computer networks, and discussed the problems of the TCP/IP protocol suite in depth.

Another infamous attack, Kevin Mitnick's Christmas Day 1994 break-in to Tsutomu Shimomura's machines, combined IP spoofing with TCP sequence number prediction.
Although the popularity of such attacks has decreased as the services they exploited (host-based trust in the r-commands, for example) have fallen out of use, spoofing can still be used and needs to be addressed by every security administrator.

Introduction
The basic protocol for sending data over the Internet and many other computer networks is the Internet Protocol (IP). The header of each IP packet contains, among other things, the numerical source and destination addresses of the packet. The source address is normally the address the packet was sent from, but nothing in IP verifies that. The heart of IP is the IP datagram, a packet sent over the Internet in a connectionless manner; IP depends on the upper layers of the TCP/IP suite (such as TCP) to provide reliability and any accountability.

Continued

A common misconception is that IP spoofing can be used to hide your IP address while surfing the Internet, chatting online, sending e-mail and so forth. It cannot: replies to a spoofed packet are routed to the forged source address, not to the attacker, so an ordinary two-way exchange (a TCP handshake, a web request and its response) does not work from a spoofed address.

What is IP Spoofing?

IP address spoofing is a technique that replaces the source address in an IP packet's header with another machine's IP address. It is used to gain unauthorized access to computers: the attacker sends packets to a computer with a forged source address indicating that they come from a trusted host.

IP Spoofing: Basic Overview

The attacker puts an internal, or trusted, IP address in the source field. The access control device (firewall) sees a trusted source address and lets the packet through.

IP spoofing occurs when an attacker inside or outside a network impersonates a trusted computer in its conversations. Two general techniques are used:

1. The attacker uses an IP address that is within the range of trusted (internal) IP addresses.
2. The attacker uses an authorized external IP address that is trusted.

Because the replies go to the impersonated address rather than to the attacker, IP spoofing on its own is usually limited to injecting malicious data or commands into an existing data stream. To receive the replies as well, the attacker must also subvert routing, for example by changing routing tables so that packets addressed to the spoofed address are delivered to the attacker; the attacker can then receive all the network packets addressed to that address and reply just as the trusted user would.

Why this works:

1. Routers forward on the destination address only; they do not check that the source address is plausible for the interface it arrived on.
2. Many services authenticate on the source address alone.
3. Changing the source address field in the IP header is trivial.
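To make point 3 concrete, here is an added example (not part of the original presentation) that builds an IPv4 header in pure Python with a source address the sender does not own, computes the RFC 791 header checksum, and parses it back the way a receiver would. The addresses (attacker 198.51.100.7, trusted host 192.0.2.5, victim 192.0.2.10) are constructed documentation-range values. The point the code makes is that the checksum protects only against corruption: a forged source address produces a perfectly valid header, and nothing in it records the real sender.

```python
import struct
import ipaddress

IPV4_HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options
IPV4_HDR_LEN = struct.calcsize(IPV4_HDR_FMT)


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 6, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Build a valid IPv4 header. `src` is whatever the caller claims; nothing in
    the header binds it to the machine that actually transmits the packet."""
    total_len = IPV4_HDR_LEN + payload_len
    fields = (0x45, 0, total_len, ident, 0x4000, ttl, proto, 0,   # 0x45: version 4, IHL 5; 0x4000: DF
              ipaddress.IPv4Address(src).packed,
              ipaddress.IPv4Address(dst).packed)
    hdr = struct.pack(IPV4_HDR_FMT, *fields)
    csum = ipv4_checksum(hdr)                 # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the fixed header as a receiver would and verify the checksum.
    With a correct checksum the one's-complement sum of the header folds to 0."""
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR_FMT, pkt[:IPV4_HDR_LEN])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0x0F,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": ipv4_checksum(pkt[:IPV4_HDR_LEN]) == 0,
    }


def spoofed_packet_demo() -> dict:
    """An attacker at 198.51.100.7 forges a packet claiming to come from the trusted
    internal host 192.0.2.5. All addresses are constructed example values."""
    attacker_real_ip = "198.51.100.7"         # never appears anywhere in the packet
    trusted_src, victim_dst = "192.0.2.5", "192.0.2.10"
    payload = b"\x00" * 20                    # stand-in for a TCP segment
    pkt = build_ipv4_header(trusted_src, victim_dst, len(payload)) + payload
    parsed = parse_ipv4_header(pkt)
    parsed["real_sender"] = attacker_real_ip  # known only to the attacker, not to the victim
    return parsed


if __name__ == "__main__":
    for key, value in spoofed_packet_demo().items():
        print("%-12s %s" % (key, value))
```

Actually transmitting such a packet requires a raw socket (CAP_NET_RAW or root on Linux) and is not shown; the example stops at the bytes, which is where the security problem lives.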

Spoofing Attacks:

1. Non-blind spoofing
2. Blind spoofing
3. Man-in-the-middle attack (MITM)
4. DoS or DDoS attack

Non-Blind Attack
This type of attack takes place when the attacker is on the same subnet as the victim, so the sequence and acknowledgement numbers can be sniffed, eliminating the difficulty of calculating them. The biggest threat in this case is session hijacking: the attacker corrupts the data stream of an established connection and then re-establishes it, using the correct sequence and acknowledgement numbers, from the attacker's own machine. Using this technique, an attacker effectively bypasses whatever authentication took place when the connection was built.

[Figure: impersonation. The attacker (sender) forges the partner's address; the victim thinks "Oh, my partner sent me a packet. I'll process this."]

Blind Attack
This is a more sophisticated attack, because the sequence and acknowledgement numbers cannot be observed. To get around this, the attacker first opens several connections to the target machine in order to sample its initial sequence numbers; on older systems, which advanced the counter by a fixed amount, this was enough to find the pattern. Once the pattern is known, the attacker can craft a spoofed connection, blindly acknowledging the sequence number the victim is about to choose, and inject data without ever seeing the replies. Several years ago, many machines used host-based authentication services (such as rlogin). A properly crafted attack could blindly add the requisite data to a system (such as a new user account or a trusted-hosts entry), giving full access to the attacker impersonating a trusted host.

[Figure: blind attack. Spoofed packets arrive from the sender; the victim thinks "Oops, many packets are coming. But who is the real source?"]

Man-in-the-Middle Attack

This is also called connection hijacking or an eavesdropping attack. A malicious party intercepts a legitimate communication between two friendly parties. The malicious host controls the flow of the communication and can drop or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by spoofing the identity of the original sender, who is presumably trusted by the recipient.

DoS or DDoS Attack

The fundamental technique behind a DoS attack is to keep the target system busy. When a server receives a network packet, every component, from the network interface card (NIC) to the application running on the OS, does work to deliver it: the NIC must pick out the Ethernet frames meant for it and pass the data to the driver, which passes it to the OS, which delivers it to the application. IP spoofing is very commonly used in denial-of-service (DoS) attacks, in which the attacker aims to consume bandwidth and resources by flooding the target with as many packets as possible in a short time; forging the source address hides the attacker and makes the flood hard to filter.

Continued

In the distributed form of DoS (DDoS), the attacker first takes control of a large number of vulnerable hosts on the Internet and then uses them to send a huge flood of packets to the victim simultaneously, exhausting its resources. There are a great many poorly secured, exploitable machines on the Internet, so an attacker with limited resources can launch such attacks against large, sophisticated sites. Attackers in DDoS attacks commonly modify the source addresses of the attack packets to hide their identity and to make the packets hard to distinguish from those of legitimate users. This idea, IP address spoofing, has been used in major DDoS attacks, including the attacks on e-commerce giants such as Yahoo, Amazon and Microsoft. These attacks used highly sophisticated and automated tools which, ironically, are readily available on the Internet to be downloaded and used by anyone, even computer novices, against any web site. Network worms have been developed to automate the scanning, exploitation, deployment and propagation of the attack tools.

The most common and obvious type of DoS attack occurs when an attacker "floods" a network with traffic. When you type the URL of a web site into your browser, you are sending a request to that site's server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads it with requests, it cannot process yours; this is a "denial of service" because you cannot access the site. An attacker can use spam e-mail to launch a similar attack on your e-mail account. Whether the account is supplied by your employer or by a free service such as Yahoo or Hotmail, it has a quota that limits the amount of data you can store at any given time. By sending many, or large, e-mail messages to the account, an attacker can consume your quota and prevent you from receiving legitimate messages.

Smurf Attack
The attacker sends ICMP echo request (ping) packets to a LAN's broadcast address with the source address forged to be the victim's. Every host on the LAN replies to the forged source, so the victim receives one reply per host for each packet the attacker sent; this amplification leads to denial of service.

Detection of IP Spoofing

If you monitor packets with network-monitoring software (such as netlog), look on your external interface for packets that have both their source and destination IP addresses in your local domain. Such a packet should never arrive from outside; if you find one, you are currently under attack. Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If a spoofing attack has succeeded against one of your systems, the victim machine may show a log entry for a remote access while the apparent source machine has no corresponding entry for initiating it.

Prevention
Filtering at the router. Implementing ingress and egress filtering on your border routers is the best place to start your spoofing defence. On the interface facing the Internet, drop incoming packets whose source address is in your internal range (ingress filtering): such a packet can only be spoofed, and this is the common technique used to slip past firewalls. On the same border, drop outgoing packets whose source address is outside your valid range (egress filtering, as recommended by BCP 38): this prevents someone on your network from sending spoofed traffic to the Internet.

Continued

If your vendor's router does not support filtering on the inbound side of the interface, or if there will be a delay in adding the feature to your system, you can still filter spoofed packets by placing a second router between your external interface and your outside connection. Configure this router to block, on the outgoing interface connected to your original router, all packets that have a source address in your internal network.

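The detection rule ("internal source seen on the external interface") and the ingress/egress filtering rules above are the same test applied at different points, so one added example covers both. The code below is not from the original presentation; it assumes a site that owns the documentation prefix 192.0.2.0/24, uses the standard private and special-use ranges as "bogon" sources, and runs against a constructed set of flow records of the form "interface source destination". It is written in pure Python so it can be run offline against exported flow logs; on a real border router the same rules would be expressed as interface ACLs or unicast reverse-path forwarding.

```python
import ipaddress
from typing import List, Tuple

# Constructed topology: the site owns 192.0.2.0/24 (documentation prefix used as a stand-in).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Source addresses that should never arrive from the Internet: private, loopback,
# link-local and "this network". The exact list is an assumption of this example.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def ingress_verdict(src: str, dst: str) -> Tuple[str, str]:
    """Rule for a packet arriving on the Internet-facing interface."""
    if in_any(src, INTERNAL_NETS):
        # Our own prefix can never legitimately be the source of inbound traffic. When the
        # destination is internal as well, this is exactly the detection rule in the text.
        return "DROP", "internal source address on external interface (spoofed)"
    if in_any(src, BOGON_NETS):
        return "DROP", "unroutable (bogon) source address"
    return "PERMIT", ""


def egress_verdict(src: str) -> Tuple[str, str]:
    """Rule for a packet leaving toward the Internet (egress filtering, BCP 38)."""
    if not in_any(src, INTERNAL_NETS):
        return "DROP", "source not in our prefix (outbound spoof)"
    return "PERMIT", ""


# Constructed flow records: interface the packet was seen on, source, destination.
# "ext" is the Internet-facing interface, "int" the inside interface.
SAMPLE_FLOWS = """\
ext 198.51.100.7 192.0.2.10
ext 192.0.2.5 192.0.2.10
ext 10.1.2.3 192.0.2.10
int 192.0.2.10 198.51.100.7
int 203.0.113.9 198.51.100.7
"""


def filter_flows(text: str) -> List[Tuple[str, str, str, str, str]]:
    """Apply the border rules to each record; returns (iface, src, dst, action, reason)."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, src, dst = line.split()
        action, reason = ingress_verdict(src, dst) if iface == "ext" else egress_verdict(src)
        out.append((iface, src, dst, action, reason))
    return out


def spoofed_records(text: str) -> List[Tuple[str, str, str, str, str]]:
    """Detection view of the same data: only the records the filter would drop."""
    return [rec for rec in filter_flows(text) if rec[3] == "DROP"]


if __name__ == "__main__":
    for rec in filter_flows(SAMPLE_FLOWS):
        print("%-3s %-15s -> %-15s %-6s %s" % rec)
```

Of the five constructed records, the second (our own prefix arriving from outside) and third (a private address arriving from outside) are the inbound spoofs the text describes, and the fifth (an address we do not own leaving our network) is the outbound case that egress filtering exists to stop.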

Encryption and Authentication

Implementing encryption and authentication will also reduce spoofing threats. Both are provided by IPsec, which was made a mandatory-to-implement part of IPv6; note, however, that IPsec is optional to use and does not by itself eliminate spoofing, since an unauthenticated IPv6 packet can carry a forged source address just as easily as an IPv4 one. Additionally, you should eliminate all host-based authentication measures, which are still common for machines on the same subnet.

Summary/Conclusion
IP spoofing attacks cannot be eliminated entirely, because the IP header itself offers no way to verify the source address.

Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.

References:

1. Yao Chen, Shantanu Das, Pulak Dhar, Abdulmotaleb El Saddik and Amiya Nayak, "Detecting and Preventing IP-spoofed Distributed DoS Attacks".
2. Victor Velasco, "Introduction to IP Spoofing", SANS Reading Room, November 21, 2000, www.sans.org/rr/threats/intro_spoofing.php
3. "Web Spoofing: An Internet Con Game", http://bau2.uibk.ac.at/matic/spoofing.html
4. "Internet Vulnerabilities Related to TCP/IP and T/TCP", ACM SIGCOMM Computer Communication Review.
5. Matthew Tanase, "IP Spoofing: An Introduction".
6. Wikipedia.
