<p>1. IP SPOOFING: Attacks &amp; Defences. By PRASAD R RAO</p>

<p>2. Outline</p>
<ul>
<li>Introduction</li>
<li>IP spoofing attacks</li>
<li>IP spoofing defences</li>
<li>Conclusion</li>
</ul>

<p>3. Introduction</p>

<p>4. Types of spoofing</p>
<ul>
<li>IP spoofing: the attacker uses the IP address of another computer to acquire information or gain access.</li>
<li>Email spoofing: the attacker sends email but makes it appear to come from someone else.</li>
<li>Web spoofing: the attacker tricks the web browser into communicating with a different web server than the user intended.</li>
</ul>

<p>5. IP Spoofing</p>
<ul>
<li>IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the header.</li>
<li>Routers use the destination IP address to forward packets, but ignore the source IP address.</li>
<li>The source IP address is used only by the destination machine, when it responds back to the source.</li>
<li>When an attacker spoofs someone's IP address, the victim's reply goes back to that address.</li>
</ul>

<p>6.</p>
<ul>
<li>Since the attacker does not receive packets back, this is called a one-way attack or blind spoofing.</li>
<li>To see the return packets, the attacker must intercept them.</li>
</ul>

<p>7. IP Spoofing Attacks</p>
<ul>
<li>Blind IP spoofing</li>
<li>Man in the middle attack</li>
<li>Source routing</li>
<li>ICMP attacks</li>
<li>UDP attacks</li>
<li>TCP attacks</li>
</ul>

<p>8. Blind IP Spoofing</p>
<ul>
<li>Usually the attacker does not have access to the reply; the attack abuses trust relationships between hosts.</li>
<li>For example: Host C sends an IP datagram with the address of some other host (Host A) as the source address to Host B. The attacked host (B) replies to the legitimate host (A).</li>
</ul>

<p>9. Blind IP spoofing</p>

<p>10. Man in the middle attack</p>
<ul>
<li>If an attacker controls a gateway that is in the delivery route, he can:
<ul>
<li>Sniff the traffic</li>
<li>Intercept the traffic</li>
<li>Modify the traffic</li>
</ul>
</li>
<li>This is not easy on the Internet because of hop-by-hop routing, unless source routing is used.</li>
</ul>

<p>11.</p>

<p>12. Source routing</p>
<ul>
<li>Source routing is one of the IP options; it allows the sender to specify an IP address that should be on the route for the packet delivery.</li>
<li>This allows someone to use a spoofed return address and still see the traffic, by placing his machine in the path.</li>
</ul>

<p>13.</p>
<ul>
<li>Types of source routing:
<ul>
<li>Loose source routing (LSR): the sender specifies a list of some IP addresses that a packet must go through (it might go through more).</li>
<li>Strict source routing (SSR): the sender specifies the exact path a packet must take (if it is not possible, the packet is dropped).</li>
</ul>
</li>
</ul>

<p>14.</p>
<ul>
<li>An attacker sends a packet to the destination with a spoofed address but specifies LSR and puts his IP address in the list.</li>
<li>An attacker could use source routing to learn more about a network that he or she is targeting for attack.</li>
<li>The best way to protect against source routing spoofing is to simply disable source routing at your routers.</li>
</ul>

<p>15. ICMP Echo Attacks</p>
<ul>
<li>Map the hosts of a network: the attacker sends ICMP Echo datagrams to all the hosts in a subnet, then collects the replies and determines which hosts are alive.</li>
<li>Denial of service attack (SMURF attack): the attacker sends spoofed (with the victim's IP address) ICMP Echo Requests to subnets; the victim will get ICMP Echo Replies from every machine.</li>
</ul>

<p>16.</p>

<p>17. ICMP Redirect attacks</p>
<ul>
<li>ICMP redirect messages can be used to re-route traffic on specific routes or to a specific host that is not a router at all.</li>
<li>The ICMP redirect attack is very simple: just send a spoofed ICMP redirect message that appears to come from the host's default gateway.</li>
</ul>

<p>18.</p>

<p>19. After ICMP redirect attack</p>

<p>20. UDP attacks</p>
<ul>
<li>UDP is a connectionless protocol. There is no error checking or guaranteed delivery. UDP packets are very simple and are mainly used for low-overhead protocols.</li>
<li>TCP is connection oriented, and the TCP connection setup sequence number is hard to predict.</li>
<li>UDP traffic is more vulnerable to IP spoofing than TCP.</li>
</ul>

<p>21.</p>

<p>22. TCP Attacks</p>
<ul>
<li>The attack aims at impersonating another host, mostly during the TCP connection establishment phase.</li>
<li>To spoof a TCP connection, the hacker needs to know which algorithm the server uses to generate its initial sequence number.</li>
<li>The hacker needs this to supply the correct number in the final ACK message confirming the connection and in all subsequent data packets.</li>
</ul>

<p>23.</p>

<p>24. IP Spoofing defences</p>
<ul>
<li>Don't rely on IP-based authentication.</li>
<li>Use router filters to prevent packets from entering your network if they have a source address from inside it.</li>
<li>Use router filters to prevent packets from leaving your network if they have a source address from outside it.</li>
</ul>

<p>25.</p>
<ul>
<li>Use random initial sequence numbers. This prevents sequence number prediction.</li>
</ul>

<p>26. CONCLUSION</p>
<ul>
<li>IP spoofing is less of a threat today due to the use of random sequence numbering.</li>
<li>Many security experts are predicting a shift from IP spoofing attacks to application-related spoofing.</li>
<li>Sendmail is one example that, when not properly configured, allows anyone to send mail as president@whitehouse.gov.</li>
</ul>

<p>27.</p>
<ul>
<li>Thanks!</li>
</ul>
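<p>The two router-side defences from slides 14 and 24 (drop source-routed packets; drop packets whose source address does not belong on the interface they arrived on) can be expressed as a small packet classifier. The following is an added example, not code from the presentation: it parses a raw IPv4 header including its options, refuses anything carrying a Loose (type 131) or Strict (type 137) Source Route option, and applies the ingress/egress source-address rule. The internal prefix <code>192.0.2.0/24</code>, the interface names <code>outside</code>/<code>inside</code>, and the <code>build_packet</code> helper that fabricates headers for offline testing are all constructed for this example.</p>

```python
import ipaddress
import struct

# Constructed network layout for the example: this prefix is "our" network.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# IPv4 option type codes from RFC 791.
OPT_EOL, OPT_NOP = 0, 1
OPT_LSRR, OPT_SSRR = 131, 137  # loose / strict source and record route


def parse_ipv4_header(pkt):
    """Parse the fixed 20-byte IPv4 header plus options; raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or IHL")
    options = []
    i = 20
    while i < ihl:                      # walk the type/length/value option list
        typ = pkt[i]
        if typ == OPT_EOL:
            break
        if typ == OPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        olen = pkt[i + 1]
        if olen < 2 or i + olen > ihl:
            raise ValueError("bad option length")
        options.append((typ, pkt[i + 2:i + olen]))
        i += olen
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "ttl": ttl, "proto": proto, "options": options}


def filter_packet(pkt, ingress_iface):
    """Return ("drop" | "accept", reason) for a packet that arrived on ingress_iface.

    ingress_iface is "outside" (from the Internet) or "inside" (from our own hosts).
    """
    try:
        hdr = parse_ipv4_header(pkt)
    except ValueError as exc:
        return "drop", "malformed: %s" % exc
    # Slide 14: disable source routing at the router.
    for typ, _value in hdr["options"]:
        if typ in (OPT_LSRR, OPT_SSRR):
            return "drop", "source-routed (LSRR/SSRR option present)"
    src_inside = hdr["src"] in INTERNAL_NET
    # Slide 24, ingress rule: nothing from outside may claim an inside source.
    if ingress_iface == "outside" and src_inside:
        return "drop", "ingress filter: internal source address arriving from outside"
    # Slide 24, egress rule: nothing leaving may claim an outside source.
    if ingress_iface == "inside" and not src_inside:
        return "drop", "egress filter: external source address leaving from inside"
    return "accept", "ok"


def build_packet(src, dst, options=b""):
    """Constructed test fixture: a minimal IPv4 header (checksum left zero) with optional options."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + options


if __name__ == "__main__":
    # One LSRR option naming a single hop (constructed address 203.0.113.9).
    lsrr = bytes([OPT_LSRR, 7, 4]) + ipaddress.ip_address("203.0.113.9").packed
    for label, pkt, iface in [
        ("legit inbound", build_packet("203.0.113.5", "192.0.2.10"), "outside"),
        ("spoofed inbound", build_packet("192.0.2.7", "192.0.2.10"), "outside"),
        ("spoofed outbound", build_packet("203.0.113.5", "192.0.2.10"), "inside"),
        ("source-routed", build_packet("203.0.113.5", "192.0.2.10", lsrr), "outside"),
    ]:
        print(label, "->", filter_packet(pkt, iface))
```

<p>The egress rule is the one most often skipped in practice, yet it is what stops a compromised host inside the network from being used as a source of spoofed SMURF-style echo requests (slide 15); both rules together are the usual "anti-spoofing" ACL applied at the network edge.</p>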
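<p>Slides 22 and 25 turn on one property: whether a server's initial sequence number can be extrapolated from ISNs the attacker observes on connections to his own host. The following added example (not code from the presentation) contrasts the legacy scheme the slides warn about, a global counter bumped by a fixed step per connection, with the keyed scheme of RFC 6528, where ISN = M + F(source IP, source port, destination IP, destination port, secret) so that ISNs observed on one 4-tuple say nothing about another. <code>linear_prediction_hits</code> is a self-check a defender can run against a generator: it opens three "connections" from consecutive client ports and counts how often the third ISN equals the second plus the step between the first two. The addresses, ports, step size and the HMAC-SHA256 choice for F are assumptions of this example.</p>

```python
import hashlib
import hmac
import ipaddress
import os
import struct
import time

MASK32 = 0xFFFFFFFF


class LegacyIsnGenerator:
    """Pre-randomisation behaviour: one global counter, +step for every new connection."""

    def __init__(self, start=0, step=64000):
        self.value = start
        self.step = step

    def next_isn(self):
        self.value = (self.value + self.step) & MASK32
        return self.value


def rfc6528_isn(src_ip, src_port, dst_ip, dst_port, secret, now=None):
    """ISN = M + F(4-tuple, secret): M is a 4 microsecond tick counter, F a keyed hash cut to 32 bits."""
    if now is None:
        now = time.time()
    m = int(now * 250_000) & MASK32      # 250,000 ticks per second = one tick per 4 µs
    msg = struct.pack("!4sH4sH",
                      ipaddress.ip_address(src_ip).packed, src_port,
                      ipaddress.ip_address(dst_ip).packed, dst_port)
    f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (m + f) & MASK32


# Module-level instances so the two schemes can be compared through one call shape.
LEGACY = LegacyIsnGenerator()
SECRET = os.urandom(16)                  # per-boot secret, as RFC 6528 recommends


def legacy_isn(src_ip, src_port, dst_ip, dst_port, now=None):
    return LEGACY.next_isn()             # the 4-tuple is ignored: that is the weakness


def keyed_isn(src_ip, src_port, dst_ip, dst_port, now=None):
    return rfc6528_isn(src_ip, src_port, dst_ip, dst_port, SECRET, now)


def linear_prediction_hits(isn_for, trials, now=1000.0):
    """Self-check: how many times does 'third = second + (second - first)' hold for
    three connections opened from consecutive client ports? Fixed `now` removes the
    time term so only the per-connection component is being tested."""
    hits = 0
    for t in range(trials):
        port = 30000 + 3 * t
        a = isn_for("192.0.2.1", port, "192.0.2.10", 80, now)
        b = isn_for("192.0.2.1", port + 1, "192.0.2.10", 80, now)
        guess = (b + (b - a)) & MASK32
        real = isn_for("192.0.2.1", port + 2, "192.0.2.10", 80, now)
        hits += guess == real
    return hits


if __name__ == "__main__":
    print("legacy generator: %d/20 predicted" % linear_prediction_hits(legacy_isn, 20))
    print("RFC 6528 generator: %d/20 predicted" % linear_prediction_hits(keyed_isn, 20))
```

<p>The keyed generator keeps the monotonic time component that TCP relies on to avoid old-duplicate problems within one 4-tuple, while the hash term makes ISNs on the target connection independent of any the attacker can observe on connections to his own machine, which is exactly the "random initial sequence numbers" defence of slide 25.</p>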