IP Spoofing - An Introduction

by Matthew Tanase
last updated March 11, 2003

Criminals have long employed the tactic of masking their true identity, from disguises to aliases to caller-id blocking. It should come as no surprise then, that criminals who conduct their nefarious activities on networks and computers should employ such techniques. IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine. In this article, we will examine the concepts of IP spoofing: why it is possible, how it works, what it is used for and how to defend against it.

History

The concept of IP spoofing was initially discussed in academic circles in the 1980s. While known about for some time, it was primarily theoretical until Robert Morris, whose son wrote the first Internet Worm, discovered a security weakness in the TCP protocol known as sequence prediction. Stephen Bellovin discussed the problem in-depth in Security Problems in the TCP/IP Protocol Suite, a paper that addressed design problems with the TCP/IP protocol suite. Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu Shimomura's machine, employed the IP spoofing and TCP sequence prediction techniques. While the popularity of such cracks has decreased due to the demise of the services they exploited, spoofing can still be used and needs to be addressed by all security administrators.

Technical Discussion

To completely understand how these attacks can take place, one must examine the structure of the TCP/IP protocol suite. A basic understanding of these headers and network exchanges is crucial to the process.

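The header fields this discussion relies on, as an added example that is not part of the original article: a parser for the 20-byte IP header and the first 12 bytes of the TCP header, run over a constructed three-way handshake. The addresses, ports and sequence numbers are constructed sample values, and the function names are this example's own.

```python
import socket
import struct

def ip_checksum(hdr: bytes) -> int:
    """One's-complement sum over the ten 16-bit words of a 20-byte header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ip(src: str, dst: str, payload_len: int) -> bytes:
    """Constructed 20-byte IPv4 header (no options) carrying TCP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def build_tcp(sport, dport, seq, ack, flags) -> bytes:
    """Constructed 20-byte TCP header; checksum left at 0 for brevity."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)

def parse_ip(hdr: bytes) -> dict:
    """First 12 bytes: packet information. Next 8 bytes: source and destination."""
    _, _, length, _, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", hdr[:12])
    # The checksum detects corruption only; nothing here authenticates the source.
    return {"length": length, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(hdr[12:16]), "dst": socket.inet_ntoa(hdr[16:20]),
            "checksum_ok": ip_checksum(hdr[:20]) == 0}

def parse_tcp(seg: bytes) -> dict:
    """First 12 bytes: ports, sequence number, acknowledgement number."""
    sport, dport, seq, ack = struct.unpack("!HHII", seg[:12])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(seg[13] & 0x02), "ack_flag": bool(seg[13] & 0x10)}

def handshake_ok(syn: dict, synack: dict, ack: dict) -> bool:
    """SYN-SYN/ACK-ACK: each side acknowledges the peer's sequence number plus one."""
    return (syn["syn"] and not syn["ack_flag"]
            and synack["syn"] and synack["ack_flag"]
            and synack["ack"] == (syn["seq"] + 1) % 2**32
            and ack["ack_flag"] and not ack["syn"]
            and ack["seq"] == synack["ack"]
            and ack["ack"] == (synack["seq"] + 1) % 2**32)

# Constructed sample: documentation addresses, arbitrary ports and sequence numbers.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SYN = parse_tcp(build_tcp(40000, 80, 1000, 0, 0x02))
SYNACK = parse_tcp(build_tcp(80, 40000, 5000, 1001, 0x12))
ACK = parse_tcp(build_tcp(40000, 80, 1001, 5001, 0x10))
```
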
[Figure: IP header]

Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the header) contain various information about the packet. The next 8 bytes (the next 2 rows), however, contain the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses – specifically the “source address” field. It's important to note that each datagram is sent independent of all others due to the stateless nature of IP. Keep this fact in mind as we examine TCP in the next section.

Transmission Control Protocol – TCP

IP can be thought of as a routing wrapper for layer 4 (transport), which contains the Transmission Control Protocol (TCP). Unlike IP, TCP uses a connection-oriented design. This means that the participants in a TCP session must first build a connection - via the 3-way handshake (SYN-SYN/ACK-ACK) - then update one another on progress - via sequences and acknowledgements. This “conversation” ensures data reliability, since the sender receives an OK from the recipient after each packet exchange.

IP Spoofing: An Introduction, 04/10/2008, http://www.securityfocus.com/print/infocus/1674

[Figure: TCP header]

As you can see above, a TCP header is very different from an IP header. We are concerned with the first 12 bytes of the TCP packet, which contain port and sequencing information. Much like an IP datagram, TCP packets can be manipulated using software. The source and destination ports normally depend on the network application in use (for example, HTTP via port 80). What's important for our understanding of spoofing are the sequence and acknowledgement numbers. The data contained in these fields ensures packet delivery by determining whether or not a packet needs to be resent. The sequence number is the number of the first byte in the current packet, which is relevant to the data stream.
The acknowledgement number, in turn, contains the value of the next expected sequence number in the stream. This relationship confirms, on both ends, that the proper packets were received. It’s quite different than IP, since transaction state is closely monitored.

Consequences of the TCP/IP Design

Now that we have an overview of the TCP/IP formats, let's examine the consequences. Obviously, it's very easy to mask a source address by manipulating an IP header. This technique is used for obvious reasons and is employed in several of the attacks discussed below. Another consequence, specific to TCP, is sequence number prediction, which can lead to session hijacking or host impersonating. This method builds on IP spoofing, since a session, albeit a false one, is built. We will examine the ramifications of this in the attacks discussed below.

Spoofing Attacks

There are a few variations on the types of attacks that successfully employ IP spoofing. Although some are relatively dated, others are very pertinent to current security concerns.

Non-Blind Spoofing

This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance would be session hijacking. This is accomplished by corrupting the datastream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using this technique, an attacker could effectively bypass any authentication measures that took place to build the connection.

Blind Spoofing

This is a more sophisticated attack, because the sequence and acknowledgement numbers are unreachable. In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers.
While not the case today, machines in the past used basic techniques for generating sequence numbers. It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most OSs implement random sequence number generation, making it difficult to predict them accurately. If, however, the sequence number was compromised, data could be sent to the target. Several years ago, many machines used host-based authentication services (i.e. Rlogin). A properly crafted attack could add the requisite data to a system (i.e. a new user account), blindly, enabling full access for the attacker who was impersonating a trusted host.

Man In the Middle Attack

Both types of spoofing are forms of a common security violation known as a man in the middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.

Denial of Service Attack

IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against – denial of service attacks, or DoS. Since crackers are concerned only with consuming bandwidth and resources, they need not worry about properly completing handshakes and transactions. Rather, they wish to flood the victim with as many packets as possible in a short amount of time. In order to prolong the effectiveness of the attack, they spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block traffic.

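The difference between the basic generators and the random sequence number generation described under Blind Spoofing above, as an added example that is not part of the original article: a fixed-step generator beside one built in the style of RFC 6528 (a clock plus a keyed hash of the connection 4-tuple), with a check of how often "previous value plus previous delta" matches the next value. The step size, the secret, the addresses and the use of HMAC-SHA256 as the hash are assumptions of this example.

```python
import hashlib
import hmac

MOD = 2**32

def fixed_step_isn(conn_no: int, step: int = 64000) -> int:
    """Basic generator: a counter advanced by a fixed step per connection.
    The step value is an assumption of this example."""
    return (conn_no * step) % MOD

def keyed_isn(secret: bytes, laddr: str, lport: int, raddr: str, rport: int,
              now_us: int) -> int:
    """RFC 6528 style: ISN = M + F(4-tuple, secret), M a 4-microsecond clock.
    HMAC-SHA256 stands in for F here (an assumption of this example)."""
    m = (now_us // 4) % MOD
    four_tuple = f"{laddr}|{lport}|{raddr}|{rport}".encode()
    f = int.from_bytes(hmac.new(secret, four_tuple, hashlib.sha256).digest()[:4], "big")
    return (m + f) % MOD

def constant_delta_hit_rate(isns: list) -> float:
    """Share of samples equal to 'previous value + previous delta' (mod 2^32)."""
    triples = list(zip(isns, isns[1:], isns[2:]))
    hits = sum(1 for a, b, c in triples if (2 * b - a) % MOD == c)
    return hits / len(triples)

def sample_fixed(n: int = 8) -> list:
    """Constructed observation of n consecutive connections to a fixed-step host."""
    return [fixed_step_isn(i) for i in range(n)]

def sample_keyed(n: int = 8) -> list:
    """Constructed observation: one remote host opens n connections 1 ms apart,
    each from a new source port, to the same listener."""
    secret = b"constructed-demo-secret"  # a real stack uses a random secret
    return [keyed_isn(secret, "198.51.100.5", 80, "192.0.2.10", 40000 + i,
                      1_000_000 + i * 1000) for i in range(n)]

if __name__ == "__main__":
    print("fixed step hit rate:", constant_delta_hit_rate(sample_fixed()))
    print("keyed hit rate     :", constant_delta_hit_rate(sample_keyed()))
```

For a single 4-tuple the keyed generator still advances with the clock, so retransmitted and reopened connections stay ordered; what an outside host cannot derive is the per-tuple offset that depends on the secret.
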
Misconceptions of IP Spoofing

While some of the attacks described above are a bit outdated, such as session hijacking for host-based authentication services, IP spoofing is still prevalent in network scanning and probes, as well as denial of service floods. However, the technique does not allow for anonymous Internet access, which is a common misconception for those unfamiliar with the practice. Any sort of spoofing beyond simple floods is relatively advanced and used in very specific instances such as evasion and connection hijacking.

Defending Against Spoofing