Interested in learning more about security?

SANS Institute InfoSec Reading Room

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Copyright SANS Institute. Author Retains Full Rights.
© SANS Institute 2003, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2003, As part of the Information Security Reading Room. Author retains full rights.

Introduction to IP Spoofing

Victor Velasco
November 21, 2000

Introduction

This paper describes the use of IP spoofing as a method of attacking a network in order to gain unauthorized access. The attack is based on the fact that Internet communication between distant computers is routinely handled by routers which find the best route by examining the destination address, but generally ignore the origination address. The origination address is only used by the destination machine when it responds back to the source.

In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system. To be successful, the intruder must first determine the IP address of a trusted system, and then modify the packet headers so that it appears that the packets are coming from the trusted system. In essence, the attacker is fooling (spoofing) the distant computer into believing that they are a legitimate member of the network. The goal of the attack is to establish a connection that will allow the attacker to gain root access to the host, allowing the creation of a backdoor entry path into the target system.

Brief History of IP Spoofing

In the April 1989 article entitled "Security Problems in the TCP/IP Protocol Suite", author S. M. Bellovin of AT&T Bell Labs was among the first to identify IP spoofing as a real risk to computer networks. Bellovin describes how Robert Morris, creator of the now infamous Internet Worm, figured out how TCP created sequence numbers and forged a TCP packet sequence. This TCP packet included the destination address of his "victim" and, using an IP spoofing attack, Morris was able to obtain root access to his targeted system without a user ID or password.

A common misconception is that IP spoofing can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. However, IP spoofing is an integral part of many network attacks that do not need to see responses (blind spoofing).

Recent Attacks using IP Spoofing

Since the initial Internet worm, a number of attacks have been made using this vulnerability. Samples include:

- Man-in-the-middle: packet sniffs on the link between the two endpoints, and can pretend to be one end of the connection.
- Routing re-direct: redirects routing information from the original host to the hacker's host (a variation on the man-in-the-middle attack).
- Source routing: redirects individual packets by the hacker's host.
- Blind spoofing: predicts responses from a host, allowing commands to be sent, but does not get immediate feedback.
- Flooding: SYN flood fills up the receive queue from random source addresses; smurf/fraggle spoofs the victim's address, causing everyone to respond to the victim.

Details of an Attack

IP spoofing in brief consists of several interim steps:

- Selecting a target host (or victim).
- The trust relationships are reviewed to identify a host that has a "trust" relationship with the target host.
- The trusted host is then disabled and the target's TCP sequence numbers are sampled.
- The trusted host is then impersonated, the sequence numbers forged (after being calculated).
- A connection attempt is made to a service that only requires address-based authentication (no user ID or password).
- If a successful connection is made, the attacker executes a simple command to leave a backdoor.

Attack directed against Root

The attack is generally made from the root account of the attacker against the root account of the target host. The reason being that gaining root access to the target will allow the attacker to fully manipulate the system. This would include the loading of Trojan horses, backdoors and possible modification of data. Going through all this effort to only gain user access is less than value added for a malicious attacker.

IP Spoofing is a Blind Attack

An IP spoofing attack is made in the "blind", meaning that the attacker will be assuming the identity of a "trusted" host. From the perspective of the target host, it is simply carrying on a "normal" conversation with a trusted host. In truth, it is conversing with an attacker who is busy forging IP-address packets. The IP datagrams containing the forged IP addresses will reach the target intact, IP being a connectionless-oriented protocol which requires no handshaking (each datagram is sent without concern for the other end). However, the datagrams that the target sends back (destined for the trusted host) will end up in the bit bucket; the attacker will never see them. The routers between the target and attacker know the destination address of the datagrams, that being the "trusted" host, since this is where they originally came from and where they should be returned. Once the datagrams are routed there, the information is demultiplexed on its way up the protocol stack, and once it reaches TCP, it will be discarded.

The reason for this is that a TCP connection request is initiated by a client via a SYN flag toggled on within the TCP header. Normally a server will respond to this request via the SYN/ACK to the 32-bit source address located within the IP header. Upon receipt of the SYN/ACK, the client sends an ACK to the server (completing the three-way handshake) and data transfer in the form of datagrams can commence. TCP will only support a limited number of concurrent SYN requests for a particular socket. This limit applies to both complete and incomplete connections. If this backlog limit is reached, TCP will silently dump all incoming SYN requests until the pending connections can be dealt with.

So an attacker must be very smart and "know" what the target has been sent and "know" what type of response the server is looking for. The attacker cannot "see" what the target host sends, but based on the handshaking procedure, an attacker can predict what the target host will send in response. Knowing both what has been sent and what the response will be eliminates the need to actually "see" the response. This allows the attacker to work in the "blind" and manipulate the system.

Host disabling

To impersonate the trusted host, the attacker must first disable it and make certain that no network traffic gets to the trusted host. The primary method used is called SYN flooding. As described in the previous section, TCP will silently dump all incoming SYN requests until the pending connections can be dealt with.

The attacking host sends multiple SYN requests to the target (in this instance the trusted host) to load up the TCP queue with pending connections. The attacking host must also ensure that the source IP address is spoofed and select a different, currently unreachable host, as this is where the target TCP will be sending its response. The reason that it must be unreachable is to prevent any host from receiving the SYN/ACKs sent by the system under attack. This would result in a RST (resend) being sent back to the system under attack, foiling the attack. The target responds with SYN/ACKs to the spoofed IP address and once the queue limit is reached, all other requests to this TCP port will be ignored. This effectively disables the "trusted host" and allows the attacker to proceed with impersonating the "trusted host".
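As an added example (not code from the paper or from SANS), a defender-side monitor for the host-disabling step described above: it counts half-open connections per local port in a constructed, netstat-like connection-table snapshot and reports ports whose backlog has reached an assumed limit, the state in which TCP silently drops further SYNs. The record layout, the backlog value and port 513 as the address-authenticated service are assumptions.

```python
# Added example (not from Velasco's paper): a half-open connection monitor for
# the "host disabling" step. It reads a constructed snapshot of a host's TCP
# connection table (netstat-like layout is an assumption) and flags local ports
# whose backlog of half-open (SYN_RECV) connections has reached a limit, the
# condition under which TCP starts dropping new SYNs.
from collections import defaultdict

# Constructed sample: proto, local addr:port, remote addr:port, state. Remote
# addresses are RFC 5737 documentation ranges, each used once, matching the
# "random source addresses" pattern of a spoofed SYN flood.
SAMPLE_SNAPSHOT = """\
tcp 192.0.2.10:22 192.0.2.44:50120 ESTABLISHED
tcp 192.0.2.10:513 203.0.113.7:1025 SYN_RECV
tcp 192.0.2.10:513 203.0.113.91:1025 SYN_RECV
tcp 192.0.2.10:513 198.51.100.3:1025 SYN_RECV
tcp 192.0.2.10:513 198.51.100.250:1025 SYN_RECV
tcp 192.0.2.10:513 203.0.113.160:1025 SYN_RECV
tcp 192.0.2.10:22 198.51.100.12:41000 SYN_RECV
"""

def parse_snapshot(text):
    """Parse snapshot lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        proto, local, remote, state = parts
        _, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"proto": proto, "lport": int(lport), "rhost": rhost,
                     "rport": int(rport), "state": state})
    return rows

def half_open_by_port(rows):
    """Map each local TCP port to the peers with an unfinished handshake."""
    peers = defaultdict(list)
    for r in rows:
        if r["proto"] == "tcp" and r["state"] == "SYN_RECV":
            peers[r["lport"]].append(r["rhost"])
    return dict(peers)

def exhausted_ports(rows, backlog=5):
    """Ports whose half-open count has reached the (assumed) backlog limit."""
    return sorted(port for port, peers in half_open_by_port(rows).items()
                  if len(peers) >= backlog)

if __name__ == "__main__":
    print("backlog exhausted on ports:", exhausted_ports(parse_snapshot(SAMPLE_SNAPSHOT)))
```

A real stack exposes its backlog limit and half-open state differently from this constructed layout; the per-port count of distinct, never-completing peers is the signal to carry over.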