IP Spoofing Denial of Services

  • 8/22/2019 IP Spoofing Denial of Services

    AMIT PATEL
    ALOK KUMAR DUBEY
    CSE 3rd year

    IP spoofing is a technique used to gain unauthorized access to computers.

    IP: Internet Protocol

    Spoofing: using somebody else's information

    Exploits trust relationships

    The intruder sends messages to a computer with the IP address of a trusted host.

    * WHAT IS IP-ADDRESSING
    * SPOOFING
    * IP SPOOFING-INTRODUCTION
    * HISTORY
    * BASIC CONCEPT
    * WHAT MAKES IP SPOOFING EASY FOR ATTACKERS
    * CLASSIFICATION OF IP SPOOFING
    * MISCONCEPTION OF IP SPOOFING
    * IMPACT
    * DETECTION
    * PREVENTION

    IP-ADDRESSING

    It stands for Internet Protocol addressing and resides in the network layer.

    Each system attached to the internet requires a 32-bit internet address value.

    The first part of the IP address identifies the network on which a host resides.

    The second part identifies the particular host on the given network.

    IP-ADDRESSING

    [Continued]

    IP-Address Classes

    * Class A Addresses - IP Range (0-127)
    * Class B Addresses - IP Range (128-191)
    * Class C Addresses - IP Range (192-223)
    * Class D Addresses - IP Range (224-239)
    * Class E Addresses - IP Range (240-255)

    SPOOFING

    A good-humored hoax

    A light, amusing satire

    In the sense of internet fraud, it refers to fooling the receiver by falsifying the address of the original sender.

    IP SPOOFING-INTRODUCTION

    IP address spoofing is the creation of IP packets using somebody else's IP source addresses.

    This technique is used for obvious reasons and is employed in several attacks.

    The IP header's first 12 bytes contain various information about the packet. The next 8 bytes, however, contain the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses, specifically the source address field.

    HISTORY

    * The concept of IP spoofing was initially discussed in the 1980s. Robert Morris discovered a security weakness in the TCP protocol known as sequence prediction. Stephen Bellovin discussed the problem in depth in "Security Problems in the TCP/IP Protocol Suite".

    * Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu Shimomura's machine, employed the IP spoofing and TCP sequence prediction techniques.

    BASIC CONCEPT

    Valid source IP address: illustrates a typical interaction between a workstation with a valid source IP address requesting web pages and the web server executing the requests.

    When the workstation requests a page from the web server, the request contains both the workstation's IP address and the address of the web server executing the request.

    The web server returns the web page using the source IP address specified in the request as the destination IP address, 192.168.0.5, and its own IP address as the source IP address, 10.0.0.23.

    BASIC CONCEPT

    VALID SOURCE IP-ADDRESS

    BASIC CONCEPT

    [Continued]

    Spoofed source IP address: illustrates the interaction between a workstation requesting web pages using a spoofed source IP address and the web server executing the requests.

    If a spoofed source IP address (i.e. 172.16.0.6) is used by the workstation, the web server executing the web page request will attempt to execute the request by sending information to the IP address of what it believes to be the originating system (i.e. the workstation at 172.16.0.6).

    The system at the spoofed IP address will receive unsolicited connection attempts from the web server that it will simply discard.

    BASIC CONCEPT

    SPOOFED IP-ADDRESS

    WHAT MAKES IP SPOOFING EASY FOR ATTACKERS

    * Problem with the routers.

    * Routers look at destination addresses only.

    * Authentication is based on source addresses only.

    * Changing the source address field in the IP header is easy.

    CLASSIFICATION OF IP SPOOFING

    * BLIND SPOOFING
    * NON-BLIND SPOOFING
    * DENIAL OF SERVICE (SMURF ATTACK)
    * MAN IN THE MIDDLE
    * UDP ATTACK
    * TCP ATTACK

    BLIND SPOOFING

    * This attack may take place from outside, where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to sample sequence numbers.

    * Spoofing is used to interfere with a connection (or to create one) that does not send packets along your cable.

    BLIND SPOOFING

    [Continued]

    [Diagram labels: sender, victim. Victim: "Oops, many packets are coming. But, who is the real source?"]

    NON-BLIND SPOOFING

    * This attack takes place when the attacker is on the same subnet as the target and can see the sequence and acknowledgement numbers of packets.

    * Spoofing is used to interfere with a connection that sends packets along your subnet.

    NON-BLIND SPOOFING

    [Continued]

    [Diagram labels: sender, victim, partner. Victim: "Oh, my partner sent me a packet. I'll process this."]

    DENIAL OF SERVICE ATTACK

    * In DoS, attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time.

    * When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block traffic.

    SMURF ATTACK

    * An ICMP ping packet with a spoofed IP source address is sent to a LAN, which broadcasts it to all hosts on the LAN.

    * Each host sends a reply packet to the spoofed IP address, leading to denial of service.

    * This attack does not crash the victim, but consumes network bandwidth and system resources.

    * The victim fails to provide other services, and halts if it runs out of memory.

    SMURF ATTACK

    [REFLECTION]

    [Diagram labels: sender, victim, reflector. IP spoofed packet: src: victim, dst: reflector. Victim: "Oops, a lot of replies without any request"]

    MAN IN THE MIDDLE ATTACK

    * This is also called connection hijacking.

    * In these attacks, a malicious party intercepts a legitimate communication between two friendly parties.

    * The malicious host then controls the flow of communication and can eliminate or alter the information.

    UDP ATTACK

    * UDP is an unreliable transport layer protocol. It relies on IP and is connectionless.

    * Its checksum is optional. Therefore, delivery, integrity, non-duplication and ordering are not guaranteed.

    * UDP traffic is more vulnerable to IP spoofing than TCP.

    [Diagram labels: TRUSTED CLIENT, SERVER, ATTACKER. 1. SPOOFED UDP REQUEST; 2. UDP REPLY FROM SERVER]

    TCP ATTACK

    * It is hard to do IP spoofing on TCP.

    * The attack aims at impersonating another host, mostly during the TCP connection establishment phase.

    * It can be realized on specific operating systems.

    TCP ATTACK

    [Continued]

    * TCP is connection oriented, and the TCP connection setup sequence number is hard to predict.

    * Therefore UDP traffic is more vulnerable to IP spoofing than TCP.

    MISCONCEPTION OF IP SPOOFING

    * A common misconception is that "IP spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth.

    * This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection.

    * However, IP spoofing is an integral part of many network attacks that do not need to see responses.

    IMPACT

    * Current intruder activity in spoofing source IP addresses can lead to unauthorized remote root access to systems behind a filtering-router firewall.

    * After gaining root access and taking over existing terminal and login connections, intruders can gain access to remote hosts.

    DETECTION

    1. If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack.
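
    The check in item 1, combined with the header layout described earlier (source address in bytes 12-15, destination in bytes 16-19), as an added example that is not part of the original slides. The local network 10.10.0.0/16 and the interface labels are assumptions, and the packets are constructed sample data.

```python
import ipaddress
import struct

# Assumption: the local domain is 10.10.0.0/16 (the slides give no prefix length).
LOCAL_NET = ipaddress.ip_network("10.10.0.0/16")


def parse_ipv4_addresses(header: bytes):
    """Return (src, dst) from a raw IPv4 header.

    Bytes 0-11 carry version/IHL, lengths, ID, flags, TTL, protocol and
    checksum; bytes 12-15 are the source, 16-19 the destination address.
    """
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    if (header[0] >> 4) != 4 or (header[0] & 0x0F) < 5:
        raise ValueError("not an IPv4 header")
    src, dst = struct.unpack("!4s4s", header[12:20])
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)


def is_spoof_suspect(header: bytes, interface: str) -> bool:
    """True when a packet on the external interface claims both a local
    source and a local destination (the rule from the DETECTION slide)."""
    if interface != "external":
        return False
    src, dst = parse_ipv4_addresses(header)
    return src in LOCAL_NET and dst in LOCAL_NET


def sample_header(src: str, dst: str) -> bytes:
    """Constructed test data: a minimal 20-byte IPv4 header, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


# Constructed capture: (interface, header) pairs; interface labels are assumptions.
CAPTURE = [
    ("external", sample_header("198.51.100.7", "10.10.10.5")),  # normal inbound
    ("external", sample_header("10.10.10.9", "10.10.10.5")),    # local src seen outside
    ("internal", sample_header("10.10.10.9", "10.10.10.5")),    # ordinary LAN traffic
]


def suspects(capture):
    """Return (src, dst) strings for packets matching the detection rule."""
    return [tuple(str(a) for a in parse_ipv4_addresses(h))
            for iface, h in capture if is_spoof_suspect(h, iface)]
```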

    DETECTION

    [Continued]

    2. Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access.
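
    The log comparison in item 2, as an added example that is not part of the original slides. The record fields, host names, service names and the 30-second clock-skew window are assumptions, and the log entries are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample records; hosts, fields and format are assumptions
# standing in for whatever accounting/login logs your systems keep.
INBOUND = [   # recorded on the machine that accepted the remote access
    {"host": "db1", "peer": "ws7", "service": "rlogin", "time": "2024-01-15 10:15:02"},
    {"host": "db1", "peer": "ws3", "service": "rlogin", "time": "2024-01-15 10:40:31"},
    {"host": "fs2", "peer": "ws7", "service": "rsh", "time": "2024-01-15 11:05:10"},
]
OUTBOUND = [  # recorded on the machine that initiated a remote access
    {"host": "ws7", "peer": "db1", "service": "rlogin", "time": "2024-01-15 10:15:00"},
    {"host": "ws7", "peer": "fs2", "service": "rsh", "time": "2024-01-15 09:00:00"},
]


def _ts(record):
    return datetime.strptime(record["time"], "%Y-%m-%d %H:%M:%S")


def unmatched_inbound(inbound, outbound, skew=timedelta(seconds=30)):
    """Return inbound accesses with no initiating entry on the apparent source.

    An inbound record on host H from peer P matches an outbound record on
    host P to peer H for the same service within `skew` (clock drift).
    Each outbound record can explain only one inbound record.
    """
    unused = list(outbound)
    suspicious = []
    for rec in sorted(inbound, key=_ts):
        match = next((o for o in unused
                      if o["host"] == rec["peer"] and o["peer"] == rec["host"]
                      and o["service"] == rec["service"]
                      and abs(_ts(o) - _ts(rec)) <= skew), None)
        if match is None:
            suspicious.append(rec)
        else:
            unused.remove(match)
    return suspicious


if __name__ == "__main__":
    for rec in unmatched_inbound(INBOUND, OUTBOUND):
        print(f'{rec["time"]} {rec["host"]}: {rec["service"]} from '
              f'{rec["peer"]} has no initiating entry on {rec["peer"]}')
```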

    PREVENTION

    1- Avoid using source address authentication. Implement cryptographic authentication system-wide.

    2- Configure your network to reject packets from the Net that claim to originate from a local address.

    PREVENTION

    [Continued]

    3- Implement ingress and egress filtering on the border routers, and implement an ACL (access control list) that blocks private IP addresses on your downstream interface.

    4- If you allow outside connections from trusted hosts, enable encryption sessions at the router.

    PREVENTION

    [Continued]

    * If your vendor's router does not support filtering on the inbound side of the interface, or if there will be a delay in incorporating the feature into your system, you may filter the spoofed IP packets by using a second router between your external interface and your outside connection.

    * Configure this router to block, on the outgoing interface connected to your original router, all packets that have a source address in your internal network.

    PREVENTION [PACKET FILTERING]

    [Diagram labels: 10.10.10.0, 10.10.0.0. Filter rules shown:]

    if src_addr is from 10.10.0.0 then forward else drop

    if src_addr is from 10.10.0.0 then drop else forward

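    PACKET FILTERING

    [Continued]

    In Linux, packet filtering can be enabled using the following command (run as root; the loop is needed because the shell cannot redirect to a glob that matches several files):

    * for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > "$f"; done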
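
    A way to audit the result of that command, as an added example that is not part of the original slides. In the kernel's rp_filter setting 0 means no source validation, 1 strict mode and 2 loose mode, and the value applied to an interface is the larger of conf/all and conf/<interface>; the interface names and sample values are constructed.

```python
import glob
import os

MODES = {0: "off", 1: "strict", 2: "loose"}

# Constructed sample values, as they might be read from
# /proc/sys/net/ipv4/conf/<iface>/rp_filter (interface names are assumptions).
SAMPLE = {"all": 0, "default": 2, "eth0": 2, "eth1": 1, "wlan0": 0}


def read_rp_filter(root="/proc/sys/net/ipv4/conf"):
    """Read every <root>/<iface>/rp_filter value; empty dict if none exist."""
    values = {}
    for path in glob.glob(os.path.join(root, "*", "rp_filter")):
        iface = os.path.basename(os.path.dirname(path))
        with open(path) as fh:
            values[iface] = int(fh.read().strip())
    return values


def effective_modes(values):
    """Per interface the kernel applies max(conf/all, conf/<iface>).

    "default" only seeds interfaces created later, so it is not reported.
    """
    all_value = values.get("all", 0)
    return {iface: MODES.get(max(all_value, value), "unknown")
            for iface, value in values.items()
            if iface not in ("all", "default")}


def unfiltered(values):
    """Interfaces on which reverse-path validation is effectively off."""
    return sorted(i for i, mode in effective_modes(values).items()
                  if mode == "off")


if __name__ == "__main__":
    values = read_rp_filter() or SAMPLE  # fall back to the sample off Linux
    for iface, mode in sorted(effective_modes(values).items()):
        print(f"{iface:10s} rp_filter={mode}")
    print("no source validation on:", unfiltered(values) or "none")
```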

    CONCLUSION

    IP spoofing is a problem without an easy solution, since it's inherent to the design of the TCP/IP suite.

    Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.
