Presentation on web's most dangerous attack - IP Spoofing.
NETWORK SECURITY
A PAPER ON PITFALLS AND PROBLEMS ENCOUNTERED IN IP-SPOOFING
Arpit Gupta
Deepika Chug
Bad Practices Spread
It is easy to see the faults of others but not so easy to see one's own faults
• If I just open a bunch of ports in the firewall my app will work.
• I think I will wedge the computer room door open. Much easier.
• They have blocked my favorite Web site. Lucky I have a modem.
• I think I will use my first name as a password.
• Say, we run a network too. How do you configure your firewalls?
• Why do we need the door locked?
• Hey, nice modem. What's the number of that line?
• I can never think of a good password. What do you use?
Understanding The Landscape
[Figure labels: National Interest, Personal Gain, Personal Fame, Curiosity; Script-Kiddie, Hobbyist, Hacker, Expert, Specialist; Author, Vandal, Thief, Spy, Trespasser]
An Evolving Threat
[Figure labels: National Interest, Personal Gain, Personal Fame, Curiosity; Script-Kiddie, Hobbyist, Hacker, Expert, Specialist; Author, Vandal, Thief, Spy, Trespasser. Annotations: Largest area by volume; Largest area by $ lost; Largest segment by $ spent on defense; Fastest growing segment]
WHAT IS IP-SPOOFING ???
IP -> Internet Protocol..
Spoofing -> Hiding..
It is a trick played on servers to fool the target computers into thinking that they are receiving data from a source other than the trusted host.
This attack is actually a Trust-Relationship Exploitation.
"Things are not what they seem and that is why the world gets conned"
REAL LIFE EXAMPLE TO EXPLAIN WHAT IS IP SPOOFING.
[Figure: three people A, B and C. B is on line; A is disguising his voice, making it sound more like that of B]
If we now replace the 3 people by computers and change the term "voice" with "IP-Address", then you would know what we mean by IP-SPOOFING…
IP SPOOFING
[Figure: HACKER (Attacking Host, 203.45.98.01), VICTIM (Remote Host, 202.14.12.10) and FAKE (Trusted Host, 202.23.45.89); arrow labelled "Datagram (Data Packets)"]
THE 3-WAY HANDSHAKE ..
[Figure: CLIENT and HOST exchanging three packets labelled A, B and C]
PACKETS DESCRIPTION:
SYN = client's ISN (4894305), ACK = 0
SYN = Host's ISN (1896955367), ACK = client's ISN + 1 (4894306)
ACK = Host's ISN + 1 (1896955368)
THE ATTACK IN BRIEF ……
1. The Target Host is chosen.
2. A Pattern of Trust is discovered, along with the Trusted Host.
3. Trusted Host is disabled & the Target's TCP Sequence number is detected.
4. Trusted Host is impersonated, the Sequence numbers guessed, & a connection attempt is made to a service that only requires address-based authentication.
-- ON SUCCESS THE ATTACKER ISSUES A SIMPLE COMMAND TO LEAVE A BACKDOOR --
THE ATTACK
[Figure: HACKER (Attacking Host, 203.45.98.01) sends packets with the IP address of the Trusted Host (FAKE, 202.23.45.89) to VICTIM (Remote Host, 202.14.12.10)]
THE ATTACK
[Figure: VICTIM (Remote Host, 202.14.12.10) and FAKE (Trusted Host, 202.23.45.89); arrow labelled "SYN / ACK PACKETS"]
TRUSTED HOST DISABLING..
As soon as we find the TRUSTED-HOST (FAKE), our next step is to disable it. WHY ????
"-- FAKE must not at any time respond to the SYN/ACK packet sent by VICTIM --"
How to do it ????
Use up all the memory of TRUSTED-HOST so that it will not be able to respond to the SYN/ACK packet sent to it by the VICTIM.
So one very easy method of doing so is to perform the SYN Flooding Denial of Service Attack.
SO what is SYN FLOODing ???
[Figure: a stream of SYN packets entering the BACKLOG QUEUE until it is marked QUEUE FULL]
There is an upper limit on how many concurrent SYN requests TCP can process for a given socket; this limit is called the BACKLOG LIMIT.
Backlog limit = length (Queue)
BLIND ATTACK
[Figure: FAKE (Trusted Host, 202.23.45.89), VICTIM (Remote Host, 202.14.12.10) and HACKER (Attacking Host, 203.45.98.01); arrow labelled "SYN / ACK PACKETS"]
THE ATTACK
[Figure: HACKER (Attacking Host, 203.45.98.01) and VICTIM (Remote Host, 202.14.12.10); arrow labelled "SYN/ACK Packets acknowledging Trusted Host has received SYN/ACK Packets"]
Detection
• Monitoring packets on the external interface whose source and destination IP addresses are both in your local domain.
• Accounting logs between systems on your internal network: a log entry on the victim machine showing a remote access.
• Detecting unusual activity.
Preventive Measures
1. Packet Filtering
2. Firewall
3. Initial Sequence Number Randomizing
Should an arriving packet be allowed in? A departing packet let out?
Internal network connected to the Internet.
The router filters packet by packet; the decision to forward/drop a packet is based on:
-- Source IP address, destination IP address.
-- TCP SYN and ACK bits.
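The filtering decision described above, together with the first detection bullet (an externally arriving packet that claims a local source), as an added example that is not part of the original slides. The internal range 192.168.1.0/24, the public server 192.168.1.2, the external address 203.0.113.7 and all sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed local domain
PUBLIC_SERVERS = {ipaddress.ip_address("192.168.1.2")}  # assumed: accepts inbound connections

def build_packet(src, dst, sport, dport, seq, ack, flags):
    """Construct a minimal IPv4 + TCP header (checksums left at 0) as sample input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse_packet(raw):
    """Extract the fields the filter decides on: addresses and the SYN/ACK bits."""
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    src = ipaddress.ip_address(raw[12:16])
    dst = ipaddress.ip_address(raw[16:20])
    flags = raw[ihl + 13] if raw[9] == 6 else 0    # TCP flags byte (protocol 6 = TCP)
    return {"src": src, "dst": dst, "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}

def filter_inbound(raw):
    """Forward/drop decision for a packet arriving on the external interface."""
    p = parse_packet(raw)
    if p["src"] in INTERNAL_NET:
        return "drop: external packet claims an internal source (spoofed)"
    if p["dst"] not in INTERNAL_NET:
        return "drop: destination is not in the local domain"
    if p["syn"] and not p["ack"] and p["dst"] not in PUBLIC_SERVERS:
        return "drop: inbound connection attempt to a non-public host"
    return "forward"

SAMPLES = [  # constructed packets: (src, dst, sport, dport, seq, ack, flags)
    ("192.168.1.20", "192.168.1.2", 1023, 513, 4894305, 0, 0x02),  # local source from outside
    ("203.0.113.7", "192.168.1.2", 40000, 80, 1, 0, 0x02),         # SYN to the public server
    ("203.0.113.7", "192.168.1.30", 40000, 23, 1, 0, 0x02),        # SYN to an internal client
    ("203.0.113.7", "192.168.1.30", 80, 40000, 5, 2, 0x10),        # ACK of an existing flow
]

def decisions():
    return [filter_inbound(build_packet(*s)) for s in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, decisions()):
        print(sample[0], "->", sample[1], ":", verdict)
```

The filter is stateless, so it forwards any packet with the ACK bit set; it stops address spoofing at the border but does not track connections.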
Our network is secure, right?
Oh sure, don't worry. We have several firewalls.
Initial Sequence Number (ISN) Randomizing
ISN Incrementation
At every connection -- incremented by 64,000
At every sec. -- incremented by 128,000
Its value gets wrapped every 9.32 hrs.
So, it's easy for any genius to do the guesswork and calculate the correct sequence number.
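Why the incrementing scheme above has to be replaced by randomization, as an added example that is not part of the original slides: it models the slide's counter, reproduces the 9.32 hour wrap, and compares it with a keyed-hash ISN in the style of RFC 6528. The use of HMAC-SHA256, the demo key, the addresses and the sample timings are assumptions of this example.

```python
import hashlib
import hmac

MOD = 2 ** 32            # sequence numbers are 32-bit
PER_SECOND = 128_000     # increment per second (from the slide)
PER_CONNECTION = 64_000  # increment per connection (from the slide)

def legacy_isn(boot_isn, seconds, connections):
    """ISN under the incrementing scheme described on the slide."""
    return (boot_isn + PER_SECOND * seconds + PER_CONNECTION * connections) % MOD

def wrap_hours():
    """Hours for the per-second increment alone to cycle through all 2^32 values."""
    return MOD / PER_SECOND / 3600

def keyed_isn(secret, src, sport, dst, dport, clock_us):
    """RFC 6528 style: ISN = M + F(4-tuple, secret), with M ticking every 4 microseconds.
    HMAC-SHA256 as F is this example's choice."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    offset = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (clock_us // 4 + offset) % MOD

def follows_legacy_step(isns):
    """True if every gap between consecutive ISNs is a multiple of 64,000,
    the signature of the incrementing scheme (wrap-around is ignored)."""
    gaps = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    return all(g % PER_CONNECTION == 0 for g in gaps)

def sample_legacy():
    # Constructed samples: four connections opened at t = 0, 1, 3, 4 seconds.
    return [legacy_isn(4894305, t, n) for n, t in enumerate([0, 1, 3, 4])]

def sample_keyed():
    # Constructed samples: same timing, a new client port each time, fixed demo key.
    key = b"demo-secret-not-for-production"
    return [keyed_isn(key, "192.168.1.20", 1024 + n, "192.168.1.2", 513, t * 1_000_000)
            for n, t in enumerate([0, 1, 3, 4])]

if __name__ == "__main__":
    print("wrap time (hours):", round(wrap_hours(), 2))
    print("legacy ISNs:", sample_legacy(), "stepwise:", follows_legacy_step(sample_legacy()))
    print("keyed ISNs: ", sample_keyed(), "stepwise:", follows_legacy_step(sample_keyed()))
```

Running `follows_legacy_step` over ISNs collected from your own hosts is a quick audit for stacks that still use the incrementing scheme.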
CONCLUSION
IP-Spoofing is an exploitation of a trust-based relationship and can be curbed effectively if proper measures are used. Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect networks from these malicious cloaking and cracking techniques.
Make your Network Secure
IP-Spoofing Software In Technical Discussion
Part 1 : Target is being attacked
[Figure: Client, Client and Client/Server machines labelled Target, Victim and Hacker, with addresses 192.168.1.2, 192.168.1.20 and 192.168.1.30; UDP packets marked 192.168.1.20]
Target is being attacked with the UDP packets, when no measures were taken.
IP-Spoofing Software In Technical Discussion
Part 2 : Target is being attacked but the software is an interface to this
[Figure: Client, Client and Client/Server machines labelled Target, Victim and Hacker, with addresses 192.168.1.2, 192.168.1.20 and 192.168.1.30, and "The s/w" between them]
IP-Spoofing Software In Technical Discussion
Part 3: The s/w Role as an Interface
1) Scans all the registered IP addresses for their authenticity (myip log file: list of registered clients). While scanning these it also resolves the respective MAC address at runtime.
2) Maintains the list of spoofed clients (log file).
Part 3.1: The s/w Role as an Interface
3) Maintains the list of registered clients whenever they communicate (myhost log file: list of registered clients).
4) The unauthorised user is blocked.
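The four roles listed above as one check, in an added example that is not the software from the presentation: the in-memory `REGISTERED` table stands in for the "myip" list, the MAC addresses and observed frames are constructed, and the class and function names are hypothetical.

```python
REGISTERED = {  # stands in for the "myip" list: registered IP -> MAC resolved for it
    "192.168.1.2": "00:16:3e:00:00:02",
    "192.168.1.20": "00:16:3e:00:00:14",
}

class SpoofGuard:
    def __init__(self, registered):
        self.registered = {ip: mac.lower() for ip, mac in registered.items()}
        self.spoofed = []  # role 2: list of spoofed clients
        self.myhost = []   # role 3: registered clients seen communicating

    def check(self, src_ip, src_mac):
        """Role 1 and role 4: verify the sender against the registry, block on failure."""
        expected = self.registered.get(src_ip)
        if expected is None:
            return "block: unregistered address"
        if src_mac.lower() != expected:
            # A registered IP arriving from another interface is treated as spoofed.
            self.spoofed.append((src_ip, src_mac.lower()))
            return "block: registered IP sent from a different MAC"
        if src_ip not in self.myhost:
            self.myhost.append(src_ip)
        return "allow"

FRAMES = [  # constructed observations: (source IP, source MAC)
    ("192.168.1.20", "00:16:3E:00:00:14"),  # registered client, matching MAC
    ("192.168.1.2", "00:16:3e:00:00:1e"),   # registered IP, wrong MAC
    ("192.168.1.30", "00:16:3e:00:00:1e"),  # address not in the registry
    ("192.168.1.20", "00:16:3e:00:00:14"),  # same registered client again
]

def run(frames):
    guard = SpoofGuard(REGISTERED)
    return [guard.check(ip, mac) for ip, mac in frames], guard

if __name__ == "__main__":
    verdicts, guard = run(FRAMES)
    for frame, verdict in zip(FRAMES, verdicts):
        print(frame, "->", verdict)
    print("spoofed:", guard.spoofed, "myhost:", guard.myhost)
```

An IP-to-MAC binding only holds on the local segment, and a MAC address can itself be forged, so this check complements border filtering rather than replacing it.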
UDP HEADER (each row is 32 bits wide, split at bit 16)
Source port | Destination port
Length | Checksum
Data

TCP header structure (each row is 32 bits wide, split at bit 16)
Source port | Destination port
Sequence number
Acknowledgement number
Offset | Reserved | U A P R S F | Window
Checksum | Urgent pointer
Option + Padding
Data