NETWORK SECURITY

A PAPER ON PITFALLS AND PROBLEMS ENCOUNTERED IN IP-SPOOFING

Arpit Gupta
Deepika Chug

Ip Spoofing


DESCRIPTION

Presentation on web's most dangerous attack - IP Spoofing.


Page 2: Ip Spoofing

Bad Practices Spread

"It is easy to see the faults of others but not so easy to see one’s own faults"

• If I just open a bunch of ports in the firewall my app will work.
• I think I will wedge the computer room door open. Much easier.
• They have blocked my favorite Web site. Lucky I have a modem.
• I think I will use my first name as a password.
• Say, we run a network too. How do you configure your firewalls?
• Why do we need the door locked?
• Hey, nice modem. What's the number of that line?
• I can never think of a good password. What do you use?

Page 3: Ip Spoofing

Understanding The Landscape

[Diagram labels: National Interest, Personal Gain, Personal Fame, Curiosity; Script-Kiddie, Hobbyist, Hacker, Expert, Specialist; Author, Vandal, Thief, Spy, Trespasser]

Page 4: Ip Spoofing

An Evolving Threat

[Diagram labels: National Interest, Personal Gain, Personal Fame, Curiosity; Script-Kiddie, Hobbyist, Hacker, Expert, Specialist; Author, Vandal, Thief, Spy, Trespasser. Annotations: Largest area by volume; Largest area by $ lost; Largest segment by $ spent on defense; Fastest growing segment]

Page 5: Ip Spoofing

WHAT IS IP-SPOOFING ???

IP -> Internet Protocol..
Spoofing -> Hiding..

It is a trick played on servers to fool the target computers into thinking that they are receiving data from a source other than the trusted host.

This Attack is actually a Trust-Relationship Exploitation.

“Things are not what they seem and that is why the world gets conned”

Page 6: Ip Spoofing

REAL LIFE EXAMPLE TO EXPLAIN WHAT IS IP SPOOFING.

[Diagram: three people, A, B and C. Captions: "B is on line"; "A disguising his voice, making it sound more like that of B"]

If we now replace the 3 people by computers and change the term “voice” with “IP-Address” then you would know what we mean by IP-SPOOFING…

Page 7: Ip Spoofing

IP SPOOFING

[Diagram: HACKER 203.45.98.01 (Attacking Host); VICTIM 202.14.12.10 (Remote Host); FAKE 202.23.45.89 (Trusted Host). Caption: Datagram (Data Packets)]

Page 8: Ip Spoofing

THE 3-WAY HANDSHAKE ..

[Diagram: packets A, B and C exchanged between CLIENT and HOST]

PACKETS DESCRIPTION:

A: SYN = client’s ISN (4894305), ACK = 0
B: SYN = Host’s ISN (1896955367), ACK = client’s ISN + 1 (4894306)
C: ACK = Host’s ISN + 1 (1896955368)

Page 9: Ip Spoofing

THE ATTACK IN BRIEF ……

1. The Target Host is chosen.
2. A Pattern of Trust is discovered, along with the Trusted Host.
3. Trusted Host is disabled & the Target’s TCP Sequence number is detected.
4. Trusted Host is impersonated, the Sequence numbers guessed, & a connection attempt is made to a service that only requires address-based authentication.

-- ON SUCCESS THE ATTACKER ISSUES A SIMPLE COMMAND TO LEAVE A BACKDOOR --

Page 10: Ip Spoofing

THE ATTACK

[Diagram: HACKER 203.45.98.01 (Attacking Host); VICTIM 202.14.12.10 (Remote Host); FAKE 202.23.45.89. Caption: Packets with IP Address of Trusted Host (FAKE)]

Page 11: Ip Spoofing

THE ATTACK

[Diagram: VICTIM 202.14.12.10 (Remote Host); FAKE 202.23.45.89 (Trusted Host). Caption: SYN / ACK PACKETS]

Page 12: Ip Spoofing

TRUSTED HOST DISABLING..

As soon as we find the TRUSTED-HOST (FAKE), our next step is to disable it. WHY ????
“-- FAKE must not at any time respond to the SYN/ACK packet sent by VICTIM --”

How to do it ????

Use up all the memory of TRUSTED-HOST so that it will not be able to respond to the SYN/ACK packet sent to it by the VICTIM.

So one very easy method of doing so is to perform the SYN Flooding Denial of Service Attack.

Page 13: Ip Spoofing

SO what is SYN FLOODing ???

[Diagram: a series of SYN requests entering the BACKLOG QUEUE, marked QUEUE FULL]

There is an upper limit on how many concurrent SYN requests TCP can process for a given socket; this limit is called the BACKLOG LIMIT.

Backlog limit = length (Queue)

Page 14: Ip Spoofing

BLIND ATTACK

[Diagram: FAKE 202.23.45.89 (Trusted Host); VICTIM 202.14.12.10 (Remote Host); HACKER 203.45.98.01 (Attacking Host). Caption: SYN / ACK PACKETS]

Page 15: Ip Spoofing

THE ATTACK

[Diagram: HACKER 203.45.98.01 (Attacking Host); VICTIM 202.14.12.10 (Remote Host). Caption: SYN/ACK Packets acknowledging Trusted Host has received SYN/ACK Packets]

Page 16: Ip Spoofing

Detection

• Monitoring packets on the external interface that have both source and destination IP addresses in your local domain.
• Accounting logs between systems on your internal network: a log entry on the victim machine showing a remote access.
• Detecting unusual activity.

Page 17: Ip Spoofing

Preventive Measures

1. Packet Filtering
2. Firewall
3. Initial Sequence Number Randomizing

Page 18: Ip Spoofing

Should arriving packet be allowed in? Departing packet let out?

Internal network connected to Internet.

Router filters packet-by-packet; the decision to forward/drop packets is based on:
-- Source IP address, destination IP address.
-- TCP SYN and ACK bits.
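
The detection rule from the Detection slide (a packet on the external interface whose source address lies in the local domain) and the router decision above can be written as one per-packet check. This is an added example, not code from the presentation; the internal prefix, the published service and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Assumed for this example: one internal prefix and one published service.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_SERVICES = {("192.168.1.30", 80)}  # (host, TCP port) reachable from outside

def inside(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def decide(pkt):
    """Return (action, reason) for a packet crossing the border router."""
    src_in, dst_in = inside(pkt["src"]), inside(pkt["dst"])
    if pkt["iface"] == "external":                  # arriving from the Internet
        if src_in:
            return "drop", "spoofed: internal source on external interface"
        if not dst_in:
            return "drop", "not addressed to the internal network"
        new_conn = pkt["syn"] and not pkt["ack"]    # first handshake segment
        if new_conn and (pkt["dst"], pkt["dport"]) not in PUBLIC_SERVICES:
            return "drop", "inbound connection attempt to unpublished service"
        return "forward", "ingress ok"              # stateless: any ACK passes
    if src_in:                                      # departing from inside
        return "forward", "egress ok"
    return "drop", "egress: source address is not ours"

def audit(packets):
    """Detection view: every dropped packet with the rule that caught it."""
    return [(p["src"], p["dst"], why) for p in packets
            for act, why in [decide(p)] if act == "drop"]

# Constructed sample traffic (not captured data).
SAMPLE = [
    dict(iface="external", src="192.168.1.20", dst="192.168.1.2", dport=22, syn=True, ack=False),
    dict(iface="external", src="198.51.100.7", dst="192.168.1.30", dport=80, syn=True, ack=False),
    dict(iface="external", src="198.51.100.7", dst="192.168.1.2", dport=22, syn=True, ack=False),
    dict(iface="external", src="198.51.100.7", dst="192.168.1.2", dport=40000, syn=False, ack=True),
    dict(iface="internal", src="10.9.9.9", dst="203.0.113.5", dport=53, syn=False, ack=False),
    dict(iface="internal", src="192.168.1.2", dst="203.0.113.5", dport=443, syn=True, ack=False),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The first sample packet is the spoofing case: it claims an internal source but arrives on the external interface, so it is dropped before any address-based trust on the destination host is consulted.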

Page 19: Ip Spoofing

"Our network is secure, right?"

"Oh sure, Don’t worry. We have several firewalls"

Page 20: Ip Spoofing

Initial Sequence Number (ISN) Randomizing

ISN Incrementation

At every connection -- incremented by 64,000
At every sec. -- incremented by 128,000
Its value gets wrapped every 9.32 hrs.

So, it’s easy for any genius to do the guesswork and calculate the correct sequence number
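
Why randomizing helps, as an added example that is not part of the original slides: the counter scheme above gives every peer an ISN a fixed distance from the last one, while a keyed per-connection offset in the shape of RFC 6528 makes that distance depend on a secret held by the server. HMAC-SHA256 stands in for the RFC's hash function, and the observer address, port numbers and secrets are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

MOD = 2 ** 32  # TCP sequence numbers are 32-bit

def wrap_hours(per_second=128_000):
    """Hours for a 32-bit ISN advanced per_second times a second to wrap."""
    return MOD / per_second / 3600

def counter_isn(base, seconds, connections):
    """The slide's scheme: +128,000 per second and +64,000 per connection."""
    return (base + 128_000 * seconds + 64_000 * connections) % MOD

def keyed_isn(secret, laddr, lport, raddr, rport, micros):
    """RFC 6528 shape: ISN = M + F(connection 4-tuple, secret).
    M is a timer ticking every 4 microseconds; HMAC-SHA256 stands in for F."""
    tup = (ipaddress.ip_address(laddr).packed + struct.pack("!H", lport)
           + ipaddress.ip_address(raddr).packed + struct.pack("!H", rport))
    f = int.from_bytes(hmac.new(secret, tup, hashlib.sha256).digest()[:4], "big")
    return (micros // 4 + f) % MOD

def cross_peer_gap(isn_for_observer, isn_for_other):
    """Distance from an ISN one peer was given to the ISN another peer gets."""
    return (isn_for_other - isn_for_observer) % MOD

def demo():
    # Constructed values: server and trusted-host addresses reuse the slide
    # diagrams; the observer address, ports and both secrets are made up.
    srv, trusted, observer = "202.14.12.10", "202.23.45.89", "198.51.100.7"
    # Counter scheme: the gap is 64,000 whatever the boot value or history.
    counter_gaps = {cross_peer_gap(counter_isn(b, 5, n), counter_isn(b, 5, n + 1))
                    for b in (0, 4894305) for n in (0, 7)}
    # Keyed scheme: the gap changes with a secret only the server holds.
    keyed_gaps = {cross_peer_gap(keyed_isn(k, srv, 8080, observer, 1023, 0),
                                 keyed_isn(k, srv, 8080, trusted, 1023, 0))
                  for k in (b"secret-one", b"secret-two")}
    return counter_gaps, keyed_gaps

if __name__ == "__main__":
    print(round(wrap_hours(), 2), demo())
```

For a single connection 4-tuple the keyed ISN still increases with the timer, so old duplicate segments are handled as before; only the relationship between different peers' ISNs is hidden.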

Page 21: Ip Spoofing
Page 22: Ip Spoofing

CONCLUSION

IP-Spoofing is an exploitation of trust-based relationship and can be curbed effectively if proper measures are used. Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect networks from these malicious cloaking and cracking techniques.

Page 23: Ip Spoofing

Make your Network Secure

Page 24: Ip Spoofing

IP-Spoofing Software In Technical Discussion

Part 1 : Target is being attacked

[Diagram: Client, Client and Client/Server machines; roles Target, Victim and Hacker; addresses 192.168.1.2, 192.168.1.20 and 192.168.1.30; a UDP packet labelled 192.168.1.20]

Target is being attacked with the UDP packets, when no measures were taken

Page 25: Ip Spoofing

IP-Spoofing Software In Technical Discussion

Part 2 : Target is being attacked but the software is interface to this

[Diagram: Client, Client and Client/Server machines; roles Target, Victim and Hacker; addresses 192.168.1.2, 192.168.1.20 and 192.168.1.30; two UDP packets labelled 192.168.1.20; "The s/w" placed as the interface]

Page 26: Ip Spoofing

IP-Spoofing Software In Technical Discussion

Part 3: The s/w Role as an Interface

1) Scans all the registered IP addresses for their authenticity, using the myip log file (list of registered clients). While scanning these it also resolves the respective MAC address at runtime.

2) Maintains the list of spoofed clients in a log file.

Page 27: Ip Spoofing

IP-Spoofing Software In Technical Discussion

Part 3.1: The s/w Role as an Interface

3) Maintains the list of registered clients whenever they communicate, in the myhost log file (list of registered clients).

4) The unauthorised user is blocked.

Page 28: Ip Spoofing
Page 29: Ip Spoofing

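UDP HEADER

0                     16                     32 bits
+----------------------+----------------------+
| Source port          | Destination port     |
+----------------------+----------------------+
| Length               | Checksum             |
+----------------------+----------------------+
| Data                                        |
+---------------------------------------------+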

Page 30: Ip Spoofing

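TCP header structure

0                     16                     32 bits
+----------------------+----------------------+
| Source port          | Destination port     |
+----------------------+----------------------+
| Sequence number                             |
+---------------------------------------------+
| Acknowledgement number                      |
+--------+----------+-------------+-----------+
| Offset | Reserved | U A P R S F | Window    |
+--------+----------+-------------+-----------+
| Checksum             | Urgent pointer       |
+----------------------+----------------------+
| Option + Padding                            |
+---------------------------------------------+
| Data                                        |
+---------------------------------------------+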
