Description: Joshua White, Director of CyOON Research and Development ("Cyber Operations for Optical Networks"), [email protected], Everis Inc, http://www.EverisInc.com, (315)-370-1535. CyberPatriot Advanced Topics: IP Spoofing Overview. PowerPoint PPT presentation.
CyberPatriot Advanced Topics: IP Spoofing Overview
Joshua White, Director of CyOON Research and Development ("Cyber Operations for Optical Networks"), [email protected]
Everis Inc, http://www.EverisInc.com, (315)-370-1535
Agenda
Company Background
IP Spoofing Overview
Why Is It So Easy
Types Of IP Spoofing
Detection Techniques
Prevention Techniques
Conclusions
IP Spoofing Overview
IP spoofing is a technique used to gain unauthorized access to computers/networks
The attacker sends messages to a computer using a forged IP address indicating that the message is coming from a trusted host
IP Spoofing Overview (2)
IP spoofing occurs when an individual inside or outside of a network impersonates the conversations of a trusted node.
Most spoofing attacks fall under two techniques: using an IP address within the range of trusted IPs, or using an authorized external IP address that is trusted.
For government and enterprise instances a third technique exists: using an IP address other than your own to place blame on another country or individual. This IP address is neither trusted nor untrusted; it simply is not truthful.
IP Spoofing Overview (3)
Considering the AAA model for secure protocols (RFC-2906), some example uses of IP spoofing to perpetrate attacks against it are:
Injection of malicious data or code into an existing data stream (Authentication)
A hacked routing table set up for the attacker to receive and send from a spoofed IP would allow them to completely replace the legitimate source (Authorization)
DoS or other attacks can be covered up by using a spoofed IP address to shirk responsibility for the action, thus breaking the rules of non-repudiation (Accountability)
Why Is It So Easy?
IP spoofing is easy due to a number of reasons:
Routers forward traffic based on the destination address (RFC-1812)
Some security mechanisms allow for IP as the sole means of authentication (RFC-5406)
Actually changing the source IP in a packet is extremely easy to do (LibPal, PacketForge, etc.)
Types Of IP Spoofing
Everis engineers define IP spoofing attacks as falling under three categories:
Blind: the attacker has some real-time knowledge of the network, such as packet sequence identifiers. Used heavily in replay attacks.
Non-Blind: the attacker has no knowledge of, or access to, real-time network information. Used heavily in DoS and probing.
Infinite Knowledge: the attacker is sitting on (sniffing) a live session and hijacks it using spoofed IP, MAC, authentication, etc. Used heavily in MITM attacks.
Advanced IP Spoofing Attacks
A number of very advanced attacks can be accomplished through the use of IP spoofing. The simplest example is smurfing:
SMURF attack: a LAN is sent an ICMP broadcast packet with a spoofed source address. All computers on the LAN reply to the owner of the real address that was spoofed, thus overwhelming it (D-DoS).
Detection
There is no sure-fire way to detect IP spoofing, though some rules of thumb exist:
If an internal IP address shows up in a log file as coming in through an external interface, then it has probably been spoofed.
If an advanced attack is happening on your network, you can make the assumption that the attacker is covering their tracks by spoofing the source identifier.
Prevention
There are no foolproof prevention mechanisms; however, to better protect yourself:
Do not allow authenticated access without some layered mechanism such as CHAP, LEAP, Kerberos, etc.
Do not allow certain ranges of IPs to pass in/out of your border gateway.
For instance, do not allow the internal range of IPs access from the external interface.
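The detection rule of thumb above (internal source address arriving on the external interface) and the matching border-gateway prevention rule, as an added example that is not part of the original slides. The log format, the interface name "eth0" and the use of the RFC 1918 private ranges as the "internal range" are assumptions made for this example; the sample log lines are constructed.

```python
import ipaddress
import re

# Assumption for this example: the internal range is the RFC 1918 private space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]
EXTERNAL_IFACES = {"eth0"}  # assumed name of the border-facing interface

# Assumed (constructed) log format: "<ts> IN=<iface> SRC=<ip> DST=<ip> PROTO=<proto>"
LOG_RE = re.compile(r"IN=(?P<iface>\S+)\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)")


def is_internal(addr):
    """True if addr parses as an IP inside one of the internal ranges; False otherwise."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # malformed or non-IP token in the log: treat as not internal
        return False
    return any(ip in net for net in INTERNAL_NETS)


def flag_spoofed(lines):
    """Return the log lines whose source claims an internal address but arrived externally."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["iface"] in EXTERNAL_IFACES and is_internal(m["src"]):
            hits.append(line)
    return hits


def ingress_filter_rules(iface):
    """Border-gateway rules that drop inbound packets claiming an internal source (iptables syntax)."""
    return [f"iptables -A INPUT -i {iface} -s {net} -j DROP" for net in INTERNAL_NETS]


# Constructed sample log: line 2 and line 4 are internal sources arriving on eth0.
SAMPLE_LOG = [
    "2024-01-01T10:00:01 IN=eth0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP",
    "2024-01-01T10:00:02 IN=eth0 SRC=192.168.1.50 DST=192.168.1.10 PROTO=ICMP",
    "2024-01-01T10:00:03 IN=eth1 SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP",
    "2024-01-01T10:00:04 IN=eth0 SRC=10.9.8.7 DST=192.168.1.20 PROTO=UDP",
]

if __name__ == "__main__":
    for hit in flag_spoofed(SAMPLE_LOG):
        print("probable spoof:", hit)
    print("\n".join(ingress_filter_rules("eth0")))
```

The same check can be applied to an exported firewall log; the generated rules are the prevention side of the same heuristic and must be installed on the external interface only.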
Conclusion
There exists a need for mechanisms which prevent, detect and trace back IP spoofing attacks.
These mechanisms should focus on fixing the problems in the AAA security model.
Everis is currently focused on fixing the non-repudiation aspect (Accountability), which is broken by not being able to accurately identify who a perpetrator is.
Thanks
Thanks to:
Central NY ISSA for providing time to the CyberPatriot documentation project, www.issa.org
Everis Inc. for hosting, technical support, experienced staff and more, www.everisinc.com
Griffiss Institute for providing space and support, http://www.griffissinstitute.org/
Rome AFRL for their support of STEM, http://www.wpafb.af.mil/afrl/ri/