How can we defend against IP spoofing?? · 2019-09-25

Page 1

https://produto.mercadolivre.com.br/MLB-1113814077-juniper-firewall-vpn-gateway-router-520-k9-link-giga-c-nf-_JM?quantity=1#redirectedFromSimilar

How can we defend against IP spoofing??

Page 2

IPv4: Abusing Address Fields (cont.)

best defences against IP spoofing: egress & ingress filtering by gateway routers owned by organization & ISPs

→ egress filtering = filter out packets from invalid addresses before leaving your network

egress filtering: block outgoing traffic not sourced from network X (e.g., a packet carrying a network Y IP address as ‘source’)

[Figure: a hacker inside network X (130.63.x.x) sends a packet with IP source 8.8.8.8; network X’s gateway router and then the ISP sit between network X and network Y]

with egress filtering, ISPs could stop malicious packets with spoofed source IPs from entering the Internet; first & very important step in attack prevention (at the very source!), but not always performed!

Does network X have any benefit from Egress Filtering?!?!

What are potential cons of Egress Filtering?!?!

Page 3

IPv4: Abusing Address Fields (cont.)

How effective are ISPs at preventing spoofing??

https://www.caida.org/projects/spoofer/

The geographic distribution of clients seen in the last year both to measure the extent of our testing coverage as well as to determine if any region of the world is more susceptible to spoofing. The value shown is the percentage of tested IP blocks (including those behind a NAT) that show any evidence of spoofing.

Page 4

IPv4: Abusing Address Fields (cont.)

best defences against IP spoofing: ingress & egress filtering by gateway routers

→ ingress filtering = filter out packets from invalid addresses before entering your network

ingress filtering: block incoming traffic sourced from any invalid network (e.g., a packet carrying a network X IP address as ‘source’)

[Figure: packets with IP source 131.50.2.2 and IP source 8.8.8.8 arrive from network X at network Y’s (131.50.X.X) gateway router, in front of the victim company]

with ingress filtering, companies could stop malicious packets carrying suspicious IPs (e.g., an internal IP) from entering their network

Ingress Filtering can eliminate only certain types of spoofed IP packets.

Page 5

IPv4: Abusing Address Fields (cont.)

Which other incoming IPs should be dropped??

(1) broadcast addresses as destination → e.g., host bits in destination IP set to one: X.X.X.255

Page 6

IPv4: Abusing Address Fields (cont.)

Which other incoming IPs should be dropped??

(1) broadcast addresses as destination → e.g., host bits in destination IP set to one: X.X.X.255 → used in Smurf Attack = reflected amplified DDoS attack on a remote victim machine involving ICMP packets

[Figure: a packet with IP destination X.X.X.255 and IP source set to the victim’s address is sent into the reflector network; the replies are reflected to the victim]

Page 7

IPv4: Abusing Address Fields (cont.)

Which other incoming IPs should be dropped??

(1) broadcast addresses as destination → e.g., host bits in destination IP set to one: X.X.X.255 → used in Smurf Attack = reflected amplified DDoS attack on a remote victim machine involving ICMP packets → side-effect of Smurf Attack = flooding of ‘reflector’ network

Page 8

IPv4: Abusing Address Fields (cont.)

Which other incoming IPs should be dropped??

(2) multicast addresses as source: 224/4 → the source address for true multicast packets is always a unicast IP address

(3) unassigned addresses reserved for future use: 240/4
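As an added example (not code from the slides), the egress and ingress rules from pages 2 and 4 together with the address checks from pages 5 to 8, written as filter decisions for the slides' network X (130.63.x.x) and network Y (131.50.x.x). The sample packets are constructed, and the broadcast check assumes /24 subnets, as the X.X.X.255 example does.

```python
import ipaddress

NET_X = ipaddress.ip_network("130.63.0.0/16")    # network X: egress side
NET_Y = ipaddress.ip_network("131.50.0.0/16")    # network Y: ingress side (company)
MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # 224/4: never a valid source
RESERVED = ipaddress.ip_network("240.0.0.0/4")   # 240/4: reserved for future use


def egress_filter(src, local=NET_X):
    """Gateway router leaving `local`: drop anything not sourced from it."""
    src = ipaddress.ip_address(src)
    if src not in local:
        return "drop: egress, source %s not in %s" % (src, local)
    return "pass"


def ingress_filter(src, dst, local=NET_Y):
    """Gateway router entering `local`: drop sources that cannot legitimately
    arrive from outside, and drop directed broadcasts (Smurf reflection)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in local:
        return "drop: ingress, internal source %s arriving from outside" % src
    if src in MULTICAST:
        return "drop: ingress, multicast source %s (224/4)" % src
    if src in RESERVED:
        return "drop: ingress, reserved source %s (240/4)" % src
    # host bits all ones, assuming /24 subnets (X.X.X.255)
    if ipaddress.ip_network("%s/24" % dst, strict=False).broadcast_address == dst:
        return "drop: ingress, broadcast destination %s" % dst
    return "pass"


# Constructed sample packets (src, dst); the first is the slides' hacker packet
SAMPLES = [("8.8.8.8", "131.50.5.5"), ("131.50.2.2", "131.50.5.5"),
           ("224.0.0.1", "131.50.5.5"), ("240.1.2.3", "131.50.5.5"),
           ("1.2.3.4", "131.50.7.255"), ("130.63.1.1", "131.50.5.5")]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        # the spoofed 8.8.8.8 packet is stopped only at network X's egress,
        # which is why ingress filtering alone eliminates only some spoofing
        print(src, "->", dst, "| egress at X:", egress_filter(src),
              "| ingress at Y:", ingress_filter(src, dst))
```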

Page 9

IPv4: Abusing Options Fields

• IP Header Length Field

IHL = indicates the length of the IP packet header in 32-bit (4 bytes) words, and must satisfy …

condition 1: 5 ≤ IHL ≤ 15, i.e. 20 bytes (basic header) ≤ header length ≤ 60 bytes (header with options)

→ IP options can be used to circumvent normal routing (e.g., enforce loose/strict source routing)
- IHL > 5 generally suspicious & should be dropped

Page 10

IPv4: Abusing Options Fields (cont.)

• IP Header Length Field

IHL = indicates the length of the IP packet header in 32-bit (4 bytes) words, and must satisfy …

condition 2: IHL * 4 ≤ total packet length

→ if not satisfied, an error or a malicious modification ⇒ the packet should be dropped

Page 11

IP Datagram Fields (cont.)

Options (cont.)

(c) Strict Source Route option – used by source to predetermine route for datagram
▪ source provides a list of IP addresses, i.e. sequence of routers, that datagram must (is allowed) to visit on its way to destination

From “TCP/IP Protocol Suite” by B. Forouzan, 4/e, pp. 201

[Figure: option layout: options type/code; total length of options fields in bytes (including the first three bytes); pointer indicating the byte position that contains the IP address of the next router to visit; then the list of router IP addresses]

Router replaces IP of the next router to visit with its own IP. Location to ‘write over’ indicated by the byte pointer.

Result: receiving station obtains ‘Record Route’, which should be used by the destination to route responses back

Page 12

IPv4: Abusing Options Fields (cont.)

Example: misuses of IP source routing option

https://howdoesinternetwork.com/2014/source-based-routing

Attacks using source routing can have various forms, including:
→ router/firewall avoidance
→ discovery of network topology
→ stealthy traffic monitoring
→ carousel DoS attack

[Figure: a source-routed packet steered around a very ‘strict’ firewall]

Page 13

IPv4: Abusing Options Fields (cont.)

Example: IP source routing – stealthy traffic monitoring

https://books.google.ca/books?id=DDRSCwAAQBAJ&pg=PA82&lpg=PA82&dq=strict+source+routing+IP+attack&source=bl&ots=P22Mzraff4&sig=1IlU2hv4OElx5yHAu-GmOfzoGBc&hl=en&sa=X&ved=2ahUKEwjcmZmV6_HcAhWC94MKHXKABeo4HhDoATALegQIAxAB#v=onepage&q&f=false

packet also carries strict/loose source routing option, with the attacker’s IP as one of the routers on the desired (reverse) path

Page 14

IPv4: Abusing Options Fields (cont.)

Example: IP source routing – Carousel DoS attack on intermediate routers

Carousel Attack: adversary sends packets with routes composed of a series of loops
→ uses more energy consumption than necessary
→ affects Wireless Sensor Networks (WSNs)

https://www.researchgate.net/publication/260603051_Routing_Layer_Based_Resource_Exhaustion_Attacks_in_Wireless_Ad_Hoc_Sensor_Networks/figures?lo=1

Required Route: A, B, C, A, B, C, A, B, C

Page 15

IPv4: Abusing Length Fields (cont.)

• Total Length Field represents the length of the entire datagram (header + payload) measured in bytes

→ 16 bit field ⇒ max value/size: 65535 bytes = 64 Kbytes

Ping Of Death: attacker sends IP packet > 64 Kbytes total → one single packet would cause the target systems to crash, freeze up or restart → was very popular in the late 90s, but versions of it are still around

[Figure: actual size of the packet is bigger than the maximum value that can be placed in the Total Length field]

Page 16

IPv4: Abusing Length Fields (cont.)

Example: Ping Of Death using ICMP = Long ICMP attack

Page 17

https://books.google.ca/books?id=VADbJowCwEQC&pg=PA335&lpg=PA335&dq=%22ping+of+death%22+hping+tool&source=bl&ots=UZ46uhW97v&sig=zpG-l5KECuYYU1FivyjDCt1KccI&hl=en&sa=X&ved=2ahUKEwisgqD0hfPcAhUI16wKHd7aC6s4FBDoATAAegQIABAB#v=onepage&q=%22ping%20of%20death%22%20&f=false

http://www.cs.vsb.cz/grygarek/SPS/projekty0405/IDS/ids.html

Ping of Death using Scapy:

Page 18

IPv4: Abusing Length Fields (cont.)

https://uk.news.yahoo.com/millions-iphones-vulnerable-ping-death-wi-fi-attack-131758314.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAACMzwD6-0v7FdZEro8j7jwHuKj1ULNrK2Z_-Eyl3KhuqMRVBm84ti2gNxPtpT_xG7JGtC6tDDzoIFJMY3yqOgaHTE5WYX5IMEe_kN6b3th1AavryXGEXbsQLz2QzK0M9y0kh2P6Wwiub3HdgtIGrIrJmGxXOf7TiqII6efj3Jc6p

https://searchsecurity.techtarget.com/answer/Ping-of-death-What-is-it-and-how-is-Apple-affected

Page 19

IPv4: Abusing Length Fields (cont.)

Example: total length field causing information leakage

What if actual IP packet size ≤ total packet length ??

[Figure: a datagram whose header H plus data is shorter than the value carried in the Total Length field]

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020227-ios-cef

Excluding Cisco 12000 Series Internet Routers, all Cisco devices running Cisco IOS® software that have Cisco Express Forwarding (CEF) enabled can leak information from previous packets that have been handled by the device. This can happen if the packet length described in the IP header is bigger than the physical packet size. Packets like these will be expanded to fit the IP length and, during that expansion, an information leak may occur. Please note that an attacker can only collect parts of some packets but not the whole session.
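As an added example (not from the slides), one header validator covering the IHL conditions from pages 9 and 10, the source-route options from pages 11 to 14, and the Total Length checks from pages 15 and 19: it parses a raw IPv4 header, applies 5 ≤ IHL ≤ 15 and IHL*4 ≤ total length, reports a declared length larger than the bytes actually received (the CEF case), and flags loose/strict source route options. The option type values (LSRR = 131, SSRR = 137) come from RFC 791; the sample headers are constructed here, not captured.

```python
import struct

LSRR, SSRR = 131, 137          # loose / strict source route option types (RFC 791)
END_OF_OPTIONS, NOP = 0, 1     # the two single-byte option types


def check_ipv4(buf):
    """Return a list of reasons to drop the datagram; an empty list means it passed."""
    reasons = []
    if len(buf) < 20:
        return ["truncated: fewer than 20 bytes received"]
    ihl = buf[0] & 0x0F
    total_length = struct.unpack("!H", buf[2:4])[0]
    # condition 1: 5 (20-byte basic header) <= IHL <= 15 (60 bytes with options)
    if not 5 <= ihl <= 15:
        return ["IHL %d out of range 5..15" % ihl]
    # condition 2: the header must fit inside the declared datagram length
    if ihl * 4 > total_length:
        reasons.append("IHL*4=%d exceeds total length %d" % (ihl * 4, total_length))
    # declared length larger than what physically arrived: the CEF leak precondition
    if total_length > len(buf):
        reasons.append("total length %d > actual size %d" % (total_length, len(buf)))
    if ihl > 5:
        reasons.append("IHL > 5: options present, generally suspicious")
    # walk the options area (bytes 20 .. IHL*4) looking for source routing
    pos, end = 20, min(ihl * 4, len(buf))
    while pos < end:
        opt = buf[pos]
        if opt == END_OF_OPTIONS:
            break
        if opt == NOP:
            pos += 1
            continue
        if pos + 1 >= end or buf[pos + 1] < 2:   # every other option carries a length byte
            reasons.append("malformed option at offset %d" % pos)
            break
        if opt in (LSRR, SSRR):
            reasons.append("source route option %d present" % opt)
        pos += buf[pos + 1]
    return reasons


def make_header(ihl, total_length, options=b""):
    """Constructed sample header (not a real capture): src 130.63.1.1, dst 131.50.2.2."""
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total_length, 0x1234, 0,
                        64, 1, 0, bytes([130, 63, 1, 1]), bytes([131, 50, 2, 2]))
    return fixed + options
```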

Page 20

IPv4: Abusing Fragmentation Fields

• Identification Field set by the sending host to aid in reassembly of fragmented datagrams

→ fragmentation is done by intermediate routers in cases when IP packet is longer than the MTU

Page 21

IPv4: Abusing Fragmentation Fields (cont.)

• Identification Field set by the sending host to aid in reassembly of fragmented datagrams
→ should be unique for each set {source IP, destination IP, protocol}
→ this value is determined at IP layer on protocol-dependent basis
→ in older systems this value was simply incremented by 1 – BAD!
→ in newer systems this value is randomly generated (collisions can occur, but not likely)

Page 22

IPv4: Abusing Fragmentation Fields (cont.)

Example: possible attacks in case of sequential IP ID

(1) Remote Traffic Analysis: Sequential IP IDs expose the number of packets sent by a host over a given period. This can be used to estimate Web site traffic, determine when people log on, etc.

https://www.freehaven.net/anonbib/cache/remote-traffic-pets12.pdf

Bob pings Alice in the evening. IP-ID = X

Bob pings Alice next morning. IP-ID = Y

What if Y-X = 1 ??

Page 23

IPv4: Abusing Fragmentation Fields (cont.)

Example: possible attacks in case of sequential IP ID

(2) Load Balancer Demultiplexing: Large sites often use load balancing equipment so that a single address maps to a small farm of servers. By noting the IP-ID values, you can often determine how many machines are behind the load balancer and which one you are connected with. The ID fields in the following hping execution make it obvious that beta.search.microsoft.com is handled by two machines behind a load balancer (207.46.197.115).
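As an added example (not from the slides or the hping output they reference), the IP-ID analysis behind both attacks on pages 22 and 23, which is also how a defender can audit their own hosts for a predictable counter: it answers the Y-X question by estimating the packets a host sent between two probes on the 16-bit wrapping counter, classifies a sample of IP-IDs as sequential or random, and counts how many independent sequential counters are interleaved in one stream, which is the number of machines behind a load balancer. The `max_gap` threshold and the sample values are constructed assumptions.

```python
ID_MODULUS = 65536  # the Identification field is 16 bits wide


def ipid_delta(x, y):
    """Forward distance from IP-ID x to y on the wrapping 16-bit counter."""
    return (y - x) % ID_MODULUS


def packets_between(x, y):
    """Packets the host sent between two probes, if its IP-ID is sequential.
    The reply to the second probe accounts for one increment itself, so
    Y-X = 1 means the host sent nothing else in between."""
    return ipid_delta(x, y) - 1


def classify(samples, max_gap=64):
    """'sequential' if every step is a small forward increment, else 'random'.
    max_gap is a heuristic: how much other traffic may fit between two probes."""
    steps = [ipid_delta(a, b) for a, b in zip(samples, samples[1:])]
    return "sequential" if all(0 < s <= max_gap for s in steps) else "random"


def count_counters(samples, max_gap=64):
    """Greedily assign each IP-ID to a counter whose last value lies at most
    max_gap behind it; an IP-ID that fits no counter starts a new one.
    Returns the number of counters, i.e. the sequential hosts seen behind
    one address. A random IP-ID stream yields many counters, not one."""
    last_seen = []
    for v in samples:
        for i, last in enumerate(last_seen):
            if 0 < ipid_delta(last, v) <= max_gap:
                last_seen[i] = v
                break
        else:
            last_seen.append(v)
    return len(last_seen)


# Constructed samples: one sequential host, and two sequential hosts
# interleaved behind a single balanced address
ONE_HOST = [1000, 1001, 1003, 1004, 1006]
TWO_HOSTS = [100, 5000, 101, 5001, 102, 5002]

if __name__ == "__main__":
    print("evening X=1000, morning Y=1001 ->", packets_between(1000, 1001), "packets")
    print("one host:", classify(ONE_HOST), count_counters(ONE_HOST))
    print("balanced:", classify(TWO_HOSTS), count_counters(TWO_HOSTS))
```

When `classify` reports random but `count_counters` returns a small number, the stream is several sequential counters multiplexed behind one address rather than a randomised one.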