
Transcript
Page 1: IP SPOOFING

IP SPOOFING: Attacks & Defences

By PRASAD R RAO

Page 2: Outline

Introduction
IP Spoofing attacks
IP Spoofing defences
Conclusion

Page 3: Introduction

Page 4: Types of spoofing

IP spoofing: The attacker sends packets carrying another computer's IP address as the source, in order to acquire information or gain access.

Email spoofing: The attacker sends email but makes it appear to come from someone else.

Web spoofing: The attacker tricks a web browser into communicating with a different web server than the user intended.

Page 5: IP Spoofing

IP spoofing is the creation of IP packets that carry somebody else's IP address in the source field of the header.

Routers forward packets using only the destination IP address; unless they are explicitly configured to filter on it, they do not check whether the source IP address is genuine.

The source IP address is used only by the destination machine, when it responds back to the source. When an attacker spoofs someone's IP address, the victim's reply therefore goes back to that address, not to the attacker.

Page 6: IP Spoofing (continued)

Since the attacker does not receive the packets sent back, this is called a one-way attack or blind spoofing.

To see the return packets, the attacker must be in a position to intercept them on their way to the spoofed address.
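The following is an added example, not code from the slides: it builds, with nothing but the Python standard library, the IPv4 header a spoofing tool hands to a raw socket, with the source field set to another host's address, and then decodes it the way the receiving host or a router does (including the header checksum, which a router verifies and which says nothing about who really sent the packet). Nothing is transmitted, so it runs offline. The three hosts play the roles of the slides' Host C (attacker), Host A (spoofed victim) and Host B (target); the addresses are RFC 5737 documentation addresses chosen for the example.

```python
"""Build and decode an IPv4 header whose source address is forged (added example)."""
import socket
import struct

ATTACKER = "192.0.2.10"   # host C, the real sender; never appears in the packet
VICTIM = "198.51.100.5"   # host A, whose address is forged as the source
TARGET = "203.0.113.7"    # host B, which will reply to VICTIM, not to ATTACKER


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = socket.IPPROTO_ICMP, ttl: int = 64,
                      ident: int = 0x1234) -> bytes:
    """Fixed 20-byte IPv4 header. The source field is whatever the caller
    supplies: a raw-socket sender's own stack does not verify it."""
    version_ihl = (4 << 4) | 5          # IPv4, 5 x 32-bit words, no options
    total_len = 20 + payload_len
    flags_frag = 0x4000                 # DF set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, total_len, ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ip_checksum(hdr)             # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields a receiver or a filter looks at, and verify the
    header checksum as a router does (a correct header sums to zero)."""
    (version_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (version_ihl & 0x0F) * 4
    return {
        "version": version_ihl >> 4,
        "ihl": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
    }


def spoofed_packet() -> bytes:
    """Host C builds a datagram to host B that claims to be from host A.
    The payload is a constructed 8-byte ICMP Echo Request (id 1, seq 1)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0001, 1)
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return build_ipv4_header(VICTIM, TARGET, len(icmp)) + icmp


if __name__ == "__main__":
    fields = parse_ipv4_header(spoofed_packet())
    # Host B sees VICTIM as the source and sends its Echo Reply there.
    print(fields)
```

The decoded header is internally consistent (valid version, length and checksum), which is exactly why a router forwards it: nothing in the header ties it to the attacker's machine. Sending it for real would need a raw socket with IP_HDRINCL and root privileges, which is deliberately left out.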

Page 7: IP Spoofing Attacks

Blind IP Spoofing
Man in the middle attack
Source routing
ICMP attacks
UDP attacks
TCP attacks

Page 8: Blind IP Spoofing

Usually the attacker has no access to the reply; the attack abuses a trust relationship between hosts, i.e. a service that accepts a request because of the address it appears to come from.

For example: Host C sends an IP datagram to Host B with the address of some other host (Host A) as the source address. The attacked host (B) replies to the legitimate host (A), which never sent anything.

Page 9: Blind IP spoofing (title only)

Page 10: Man in the middle attack

If an attacker controls a gateway that is on the delivery route, he can:
Sniff the traffic
Intercept the traffic
Modify the traffic

This is not easy on the Internet because each hop chooses the next hop itself (hop-by-hop routing), so the attacker cannot force packets through his gateway unless source routing is used.

Page 12: Source routing

Source routing is an IP option that lets the sender specify IP addresses that must be on the route the packet takes to its destination.

This allows someone to use a spoofed source address and still see the traffic, by placing his own machine on the path that the packets and their replies follow.

Page 13: Source routing (continued)

Types of source routing:
Loose source routing (LSR): The sender specifies a list of IP addresses that the packet must pass through, in order; it may pass through other routers in between.
Strict source routing (SSR): The sender specifies the exact path the packet must take; if that path cannot be followed, the packet is dropped.

Page 14: Source routing (continued)

An attacker sends a packet to the destination with a spoofed source address but specifies LSR and puts his own IP address in the list. The reply to a source-routed datagram is sent back along the recorded route in reverse, so it passes through the attacker's machine even though it is addressed to the spoofed host.

An attacker could also use source routing to learn more about a network that he or she is targeting for attack.

The best way to protect against source-routing spoofing is simply to disable source routing at your routers, and to have hosts discard source-routed datagrams as well.

Page 15: ICMP Echo Attacks

Map the hosts of a network: The attacker sends ICMP Echo Request datagrams to all the addresses in a subnet, collects the replies, and determines which hosts are alive.

Denial of service attack (Smurf attack): The attacker sends ICMP Echo Requests with the victim's IP address as the spoofed source to the broadcast addresses of subnets. Every machine on those subnets replies, so the victim is flooded with ICMP Echo Replies: one request is amplified into as many replies as there are responding hosts.
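The following is an added example, not code from the slides, with the two checks a practitioner wants after this slide. On the amplifier side it implements the router rule that stops a subnet from answering a spoofed broadcast ping: drop Echo Requests addressed to the directed-broadcast address of a subnet the router serves. On the victim side it runs simple detection logic over ICMP flow records, flagging a host that receives Echo Replies from many distinct hosts it never sent Echo Requests to. The records and subnets are constructed for the example (RFC 5737 addresses); the record format (time, src, dst, icmp_type) is an assumption, not a real collector's schema.

```python
"""Smurf: amplifier-side filter and victim-side detection (added example)."""
import ipaddress
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def is_directed_broadcast(dst: str, local_subnets) -> bool:
    """True when dst is the broadcast address of one of the router's subnets:
    the packet that would turn that subnet into an amplifier."""
    ip = ipaddress.ip_address(dst)
    return any(ip == ipaddress.ip_network(n).broadcast_address for n in local_subnets)


def amplifier_filter(src: str, dst: str, icmp_type: int, local_subnets) -> str:
    """Router decision for one packet; the equivalent of disabling
    directed broadcasts on the subnet interface."""
    if icmp_type == ICMP_ECHO_REQUEST and is_directed_broadcast(dst, local_subnets):
        return "drop"
    return "forward"


def detect_smurf_victims(records, window: float = 1.0, min_sources: int = 20):
    """records: iterable of (time, src, dst, icmp_type), ordered by time.
    Returns {victim: max distinct unsolicited repliers seen in any window}
    for destinations that receive Echo Replies from >= min_sources hosts
    they did not ping."""
    requests_sent = defaultdict(set)     # host -> hosts it sent Echo Requests to
    unsolicited = defaultdict(list)      # dst -> [(time, replier)]
    for t, src, dst, typ in records:
        if typ == ICMP_ECHO_REQUEST:
            requests_sent[src].add(dst)
        elif typ == ICMP_ECHO_REPLY and src not in requests_sent[dst]:
            unsolicited[dst].append((t, src))
    victims = {}
    for dst, events in unsolicited.items():
        events.sort()
        for i in range(len(events)):       # sliding window starting at each event
            seen = set()
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                seen.add(events[j][1])
                j += 1
            if len(seen) >= min_sources:
                victims[dst] = max(victims.get(dst, 0), len(seen))
    return victims


def constructed_records():
    """Constructed sample: one legitimate ping exchange, then 50 hosts on
    198.51.100.0/24 answering a broadcast ping spoofed from 192.0.2.10."""
    recs = [
        (0.00, "203.0.113.7", "198.51.100.1", ICMP_ECHO_REQUEST),
        (0.01, "198.51.100.1", "203.0.113.7", ICMP_ECHO_REPLY),
    ]
    for k in range(50):
        recs.append((1.0 + k * 0.01, f"198.51.100.{10 + k}", "192.0.2.10", ICMP_ECHO_REPLY))
    return recs


if __name__ == "__main__":
    print(amplifier_filter("192.0.2.10", "198.51.100.255", ICMP_ECHO_REQUEST, ["198.51.100.0/24"]))
    print(detect_smurf_victims(constructed_records()))
```

The legitimate exchange is never flagged because the reply matches a request the host sent; the victim is flagged with 50 distinct repliers. On Cisco IOS the amplifier-side rule is the interface command no ip directed-broadcast, which has been the default for many years; the detection side is what a SOC would run when the victim is inside its own network.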

Page 17: ICMP Redirect attacks

ICMP redirect messages are how a router tells a host to use a different first-hop gateway for certain destinations. Forged redirects can be used to re-route a host's traffic for specific destinations, or to send it to a specific host that is not a router at all.

The ICMP redirect attack is very simple: just send a spoofed ICMP redirect message that appears to come from the host's default gateway and names the attacker's machine as the new gateway.
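The following is an added example, not code from the slides: the acceptance check a hardened host applies before acting on a redirect. The conditions are the ones RFC 1122 gives (the redirect must come from the current first-hop gateway for that destination and the new gateway must be on the directly connected network) plus the "secure redirects" rule Linux adds (the new gateway must be one of the host's configured default gateways). The redirect is modelled as already-parsed fields rather than raw bytes, the routing table is a minimal stand-in, and the addresses are RFC 5737 ones; all of that is constructed for the example.

```python
"""Validate an ICMP Redirect before changing the routing table (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HostNetworking:
    """Minimal stand-in for a host's interface and routing state."""
    address: str
    prefix_len: int
    default_gateways: set
    host_routes: dict = field(default_factory=dict)   # destination -> gateway

    def local_network(self):
        return ipaddress.ip_network(f"{self.address}/{self.prefix_len}", strict=False)

    def first_hop(self, dst: str) -> str:
        """Gateway currently used to reach dst: a host route if one exists,
        otherwise the (lowest) default gateway."""
        return self.host_routes.get(dst) or sorted(self.default_gateways)[0]


@dataclass
class IcmpRedirect:
    ip_src: str        # address the redirect claims to come from
    new_gateway: str   # gateway address carried in the ICMP header
    original_dst: str  # destination of the quoted original datagram
    original_src: str  # source of the quoted original datagram


def redirect_verdict(host: HostNetworking, r: IcmpRedirect, secure: bool = True) -> str:
    """'accept', or 'reject: <reason>' explaining which check failed."""
    if r.original_src != host.address:
        return "reject: quoted datagram was not sent by this host"
    if r.ip_src != host.first_hop(r.original_dst):
        return "reject: not from the current first-hop gateway for that destination"
    if ipaddress.ip_address(r.new_gateway) not in host.local_network():
        return "reject: new gateway is not on the directly connected network"
    if secure and r.new_gateway not in host.default_gateways:
        return "reject: new gateway is not a configured default gateway (secure redirects)"
    return "accept"


def apply_redirect(host: HostNetworking, r: IcmpRedirect, secure: bool = True) -> str:
    """Install the host route only when every check passes."""
    verdict = redirect_verdict(host, r, secure)
    if verdict == "accept":
        host.host_routes[r.original_dst] = r.new_gateway
    return verdict


if __name__ == "__main__":
    host = HostNetworking("198.51.100.20", 24, {"198.51.100.1"})
    attacker = "198.51.100.66"
    # The slide's attack: forged to look like it comes from the default gateway.
    spoofed = IcmpRedirect(ip_src="198.51.100.1", new_gateway=attacker,
                           original_dst="203.0.113.7", original_src="198.51.100.20")
    print(apply_redirect(host, spoofed, secure=False), host.host_routes)   # attack works
    print(apply_redirect(HostNetworking("198.51.100.20", 24, {"198.51.100.1"}), spoofed))
```

The spoofed redirect passes the two RFC 1122 checks, because the attacker is on the same subnet and forged the gateway's address as the source; only the secure-redirects rule stops it. Ignoring redirects altogether (on Linux, accept_redirects=0) is simpler and is the usual choice for hosts that do not need them.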

Page 19: After ICMP redirect attack (title only)

Page 20: UDP attacks

UDP is a connectionless protocol: there is no handshake, no sequence numbers and no guaranteed delivery. UDP datagrams are very simple and are mainly used by low-overhead protocols.

TCP is connection oriented, and the initial sequence number the server chooses during connection setup is hard to predict (when it is generated properly).

UDP traffic is therefore more vulnerable to IP spoofing than TCP: a receiver has nothing but the source address to tie a datagram to its sender.

Page 22: TCP Attacks

The attack aims at impersonating another host, mostly during the TCP connection establishment phase (the three-way handshake).

To spoof a TCP connection, the attacker needs to know which algorithm the server uses to generate its initial sequence number (ISN), because the SYN-ACK carrying that number is sent to the spoofed address and the attacker never sees it.

The attacker needs this to supply the correct acknowledgement number in the final ACK that completes the handshake, and in all subsequent data packets.

Page 24: IP Spoofing defences

Don't rely on IP-based authentication.
Use router filters to prevent packets from entering your network if they have a source address from inside it (ingress filtering).
Use router filters to prevent packets from leaving your network if they have a source address from outside it (egress filtering).

Page 25: IP Spoofing defences (continued)

Use random initial sequence numbers. This prevents sequence number prediction, which blind TCP spoofing depends on.

Page 26: CONCLUSION

IP spoofing is less of a threat today due to the use of random initial sequence numbering, which defeats blind TCP spoofing; spoofed UDP and ICMP traffic still has to be stopped by the router filters described above.

Many security experts are predicting a shift from IP spoofing attacks to application-related spoofing.

Sendmail is one example: when not properly configured, it allows anyone to send mail as [email protected].

Page 27: Thanks!

