IP Spoofing
Bao Ho, ToanTai Vu
CS 265 - Security Engineering, Spring 2003
San Jose State University
Transcript
Page 1: IP Spoofing

IP Spoofing, CS265 1

IP Spoofing

Bao Ho
ToanTai Vu

CS 265 - Security Engineering, Spring 2003
San Jose State University

Page 2: IP Spoofing

Presentation Outline
- Introduction, Background
- Attacks with IP Spoofing
- Counter Measures
- Summary

Page 3: IP Spoofing

IP Spoofing
- IP Spoofing is a technique used to gain unauthorized access to computers.
  – IP: Internet Protocol
  – Spoofing: using somebody else's information
- Exploits the trust relationships
- Intruder sends messages to a computer with an IP address of a trusted host.

Page 4: IP Spoofing

IP / TCP
- IP is connectionless, unreliable
- TCP is connection-oriented
- TCP/IP handshake:
  A -> B: SYN; my number is X
  B -> A: ACK; now X+1; SYN; my number is Y
  A -> B: ACK; now Y+1

Page 5: IP Spoofing

A Blind Attack
- Host I cannot see what Host V sends back

Page 6: IP Spoofing

IP Spoofing Steps
- Selecting a target host (the victim)
- Identify a host that the target “trusts”
- Disable the trusted host, sample the target's TCP sequence
- The trusted host is impersonated and the ISN forged.
- Connection attempt to a service that only requires address-based authentication.
- If successfully connected, executes a simple command to leave a backdoor.

Page 7: IP Spoofing

IP Spoofing Attacks
- Man in the middle
- Routing
- Flooding / Smurfing

Page 8: IP Spoofing

Attacks
- Man-in-the-middle: the attacker sniffs packets on the link between the two endpoints, and therefore can pretend to be one end of the connection.

Page 9: IP Spoofing

Attacks
- Routing re-direct: redirects routing information from the original host to the attacker's host.
- Source routing: the attacker redirects individual packets via the attacker's host.

Page 10: IP Spoofing

Attacks
- Flooding: SYN flood fills up the receive queue from random source addresses.
- Smurfing: ICMP packet spoofed to originate from the victim, destined for the broadcast address, causing all hosts on the network to respond to the victim at once.
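Both attacks on this slide leave a recognisable trace on the defender's side: a SYN flood is many half-open handshakes from addresses that never complete them, and a smurf is echo requests aimed at a broadcast address whose claimed source is the real victim. The detector below is an added example written for this transcript, not code from the original slides; the packet records, the local network 192.0.2.0/24 and the thresholds are constructed for the example, and a real deployment would read records from a capture or flow export instead.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the network the defender is responsible for.
LOCAL_NETS = [ip_network("192.0.2.0/24")]

# Constructed packet records: (src, dst, proto, info).
# For "tcp", info is the flag string ("S" = SYN, "A" = ACK); for "icmp", the message type.
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.10", "tcp", "S"),              # a normal client completes...
    ("198.51.100.7", "192.0.2.10", "tcp", "A"),              # ...its handshake
    ("198.51.100.7", "192.0.2.10", "icmp", "echo-request"),  # an ordinary ping
]
# SYN flood: forty different (claimed) sources, SYN only, never an ACK.
SAMPLE_PACKETS += [(f"203.0.113.{i}", "192.0.2.10", "tcp", "S") for i in range(1, 41)]
# Smurf: echo requests whose source is the victim, aimed at the local broadcast address.
SAMPLE_PACKETS += [("198.51.100.99", "192.0.2.255", "icmp", "echo-request")] * 5


def half_open_by_destination(packets):
    """For each destination, the sources that sent a SYN but never followed with an ACK."""
    syn_from = defaultdict(set)
    ack_from = defaultdict(set)
    for src, dst, proto, info in packets:
        if proto != "tcp":
            continue
        if "S" in info and "A" not in info:
            syn_from[dst].add(src)
        elif "A" in info:
            ack_from[dst].add(src)
    return {dst: srcs - ack_from[dst] for dst, srcs in syn_from.items()}


def detect_syn_flood(packets, threshold=20):
    """Destinations with at least `threshold` half-open flows from distinct sources.

    Random spoofed sources are the signature the slide describes: every SYN comes
    from a different address and the handshake is never completed."""
    return {dst: len(srcs)
            for dst, srcs in half_open_by_destination(packets).items()
            if len(srcs) >= threshold}


def detect_smurf(packets, local_nets=LOCAL_NETS):
    """Echo requests sent to one of our broadcast addresses, keyed by the claimed source.

    The claimed source is the real victim: every host that answers the broadcast
    replies to it."""
    broadcast = {net.broadcast_address for net in local_nets}
    hits = defaultdict(int)
    for src, dst, proto, info in packets:
        if proto == "icmp" and info == "echo-request" and ip_address(dst) in broadcast:
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    print("SYN flood targets:", detect_syn_flood(SAMPLE_PACKETS))
    print("Smurf victims:", detect_smurf(SAMPLE_PACKETS))
```

The half-open count is computed per destination over distinct sources rather than per packet, because a single busy client with retransmitted SYNs should not trip the threshold; the smurf check keys on the claimed source because that is the address the flood of replies will hit.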

Page 11: IP Spoofing

IP-Spoofing Facts
- IP protocol is inherently weak
- Makes no assumption about sender/recipient
- Nodes on path do not check sender's identity
- There is no way to completely eliminate IP spoofing
- Can only reduce the possibility of attack

Page 12: IP Spoofing

IP-Spoofing Counter-measures
- No insecure authenticated services
- Disable commands like ping
- Use encryption
- Strengthen TCP/IP protocol
- Firewall
- IP traceback

Page 13: IP Spoofing

No insecure authenticated services
- r* services are hostname-based or IP-based
- Other more secure alternatives, e.g., ssh
- Remove binary files
- Disable in inetd, xinetd
- Clean up .rhosts files and /etc/hosts.equiv
- No application with hostname/IP-based authentication, if possible
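The clean-up this slide calls for is easy to get wrong by hand, because a single "+" entry in hosts.equiv or a .rhosts file trusts every host, and an r-service left enabled in inetd.conf undoes the rest. The audit below is an added example for this transcript, not code from the slides or from any distribution's tooling; the file contents are constructed inline so it runs offline, and a real audit would read /etc/hosts.equiv, each user's ~/.rhosts and /etc/inetd.conf from disk.

```python
from ipaddress import ip_address

# Constructed file contents standing in for the real files on a host.
HOSTS_EQUIV = """# /etc/hosts.equiv (constructed sample)
+
buildhost.example.com
10.0.0.5 root
"""
RHOSTS = """+ +
trusted.example.com alice
"""
INETD_CONF = """ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd
login  stream tcp nowait root /usr/sbin/tcpd in.rlogind
exec   stream tcp nowait root /usr/sbin/tcpd in.rexecd
"""

# inetd.conf service names behind rsh, rlogin and rexec.
R_SERVICES = ("shell", "login", "exec")


def is_ip(text):
    """True if `text` parses as an IPv4/IPv6 address."""
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def audit_trust_file(text, path):
    """Return (path, line, severity, message) for every active trust entry.

    A '+' wildcard trusts every host or every user (high). Any other entry is
    still address- or hostname-based and therefore spoofable (medium), or high
    when it grants root."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" or user == "+":
            findings.append((path, lineno, "high", f"wildcard trust entry: {line!r}"))
            continue
        kind = "IP-based" if is_ip(host) else "hostname-based"
        severity = "high" if user == "root" else "medium"
        findings.append((path, lineno, severity, f"{kind} trust entry: {line!r}"))
    return findings


def enabled_r_services(inetd_text):
    """Service names in inetd.conf that are r-services and are not commented out."""
    enabled = []
    for raw in inetd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        service = line.split()[0]
        if service in R_SERVICES:
            enabled.append(service)
    return enabled


if __name__ == "__main__":
    for finding in audit_trust_file(HOSTS_EQUIV, "/etc/hosts.equiv") + audit_trust_file(RHOSTS, "~alice/.rhosts"):
        print(*finding)
    print("r-services still enabled:", enabled_r_services(INETD_CONF))
```

Every entry is reported, not only the wildcards, because the slide's point is that hostname- and IP-based trust is itself the weakness; the severity only ranks which entries to remove first.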

Page 14: IP Spoofing

Disable ping command
- The ping command is rarely needed
- Can be used to trigger a DoS attack by flooding the victim with ICMP packets
- This attack does not crash the victim, but consumes network bandwidth and system resources
- Victim fails to provide other services, and halts if it runs out of memory

Page 15: IP Spoofing

DoS using Ping

Page 16: IP Spoofing

Use Encryption
- Encrypt traffic, especially TCP/IP packets and Initial Sequence Numbers
- Kerberos is free, and is built into the OS
- Limit session time
- Digital signatures can be used to identify the sender of the TCP/IP packet.

Page 17: IP Spoofing

Strengthen TCP/IP protocol
- Use good random number generators to generate ISN
- Shorten time-out value in TCP/IP request
- Increase request queue size
- Cannot completely prevent TCP/IP half-open-connection attack
- Can only buy more time, in hope that the attack will be noticed.
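The first point on this slide is what makes the blind attack of slides 4 to 6 possible or not: the impersonator never sees B's SYN-ACK, so it can only complete the handshake if it can guess B's ISN Y. The model below is an added example written for this transcript, not code from the slides: it implements the handshake from slide 4 as a small server with a bounded request queue, pairs a fixed-increment ISN generator (the kind old stacks used) with one backed by the OS random source, and adds a simple audit that tries to predict each sampled ISN from the two before it. The 64000 increment, the backlog sizes and the 10% verdict threshold are assumptions of the example.

```python
import secrets

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


class LegacyISN:
    """Predictable ISN generator: a fixed increment per connection, as early stacks used."""
    def __init__(self, start=0):
        self.value = start & MASK

    def next(self):
        self.value = (self.value + 64000) & MASK
        return self.value


class RandomISN:
    """ISN drawn from the OS cryptographic random source."""
    def next(self):
        return secrets.randbits(32)


class Server:
    """Server (B) side of the handshake: SYN -> SYN-ACK, then validate the final ACK."""
    def __init__(self, isn_gen, backlog=128):
        self.isn_gen = isn_gen
        self.backlog = backlog   # request queue size (the slide says: increase it)
        self.half_open = {}      # client -> our ISN Y, until the handshake completes

    def on_syn(self, client, x):
        """A -> B: SYN, my number is X.  Reply B -> A: ACK X+1, SYN, my number is Y."""
        if len(self.half_open) >= self.backlog:
            return None          # queue full: the SYN is dropped (a SYN flood gets here)
        y = self.isn_gen.next()
        self.half_open[client] = y
        return ("SYN-ACK", (x + 1) & MASK, y)

    def on_ack(self, client, ack):
        """A -> B: ACK, now Y+1.  Accept only if the peer really knows Y."""
        y = self.half_open.pop(client, None)
        return y is not None and ack == (y + 1) & MASK


def isn_audit(samples, hit_threshold=0.1):
    """Try to guess each ISN from the two before it: guess = last + (last - prev).

    Returns (hit rate, verdict). A blind impersonator that never sees the SYN-ACK
    needs exactly this kind of guess to be right, so a high hit rate on ISNs
    sampled from a server means its generator must be replaced."""
    hits = 0
    for prev, last, actual in zip(samples, samples[1:], samples[2:]):
        if (2 * last - prev) & MASK == actual:
            hits += 1
    rate = hits / max(1, len(samples) - 2)
    return rate, ("predictable" if rate >= hit_threshold else "unpredictable")


if __name__ == "__main__":
    for name, gen in (("legacy", LegacyISN()), ("random", RandomISN())):
        print(name, isn_audit([gen.next() for _ in range(50)]))
```

Sampling ISNs is done here by calling the generator directly; against a real host the same audit would be fed the ISNs observed in the SYN-ACKs of a handful of legitimate connections. The backlog shows the other half of the slide: a larger queue and a shorter timeout make the table harder to fill, but do not stop a flood that keeps coming.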

Page 18: IP Spoofing

Firewall
- Limit traffic to services that are offered
- Control access from within the network
- Free software: ipchains, iptables
- Commercial firewall software
- Packet filters: router with firewall built-in
- Multiple layers of firewall
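The packet-filter rules that matter most for spoofing are the ones slide 11 says the network itself never applies: a packet arriving from the Internet must not carry one of our own addresses as its source, and a packet leaving our network must not carry anyone else's (the slide's "control access from within the network"). The filter below is an added example for this transcript, not code from the slides or from ipchains/iptables; the two interface names, the LAN prefix 192.0.2.0/24 and the traffic sample are constructed, and it models the decision logic rather than a kernel hook.

```python
from ipaddress import ip_address, ip_network

# Constructed layout: "ext" faces the Internet, "int" faces our LAN.
INTERNAL_NET = ip_network("192.0.2.0/24")
# Sources that should never arrive from the Internet (private, loopback, multicast, "this" net).
BOGON_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4")]


def filter_packet(iface, src, dst):
    """Decide ("accept" | "drop", reason) for a packet arriving on `iface`."""
    s, d = ip_address(src), ip_address(dst)
    if iface == "ext":
        # Ingress: nothing from outside may claim to be one of our own hosts.
        if s in INTERNAL_NET:
            return "drop", "external packet with an internal source address (spoofed)"
        if any(s in net for net in BOGON_NETS):
            return "drop", "source is a private or reserved address"
        # A directed broadcast from outside is what a smurf attack relies on.
        if d == INTERNAL_NET.broadcast_address:
            return "drop", "directed broadcast from outside"
        return "accept", "ingress ok"
    if iface == "int":
        # Egress: our hosts may only send with our own addresses, so this
        # network cannot be used as the source of a spoofing attack.
        if s not in INTERNAL_NET:
            return "drop", "internal packet with a foreign source address (egress filter)"
        return "accept", "egress ok"
    return "drop", "unknown interface"


def apply_filter(packets):
    """Run the filter over (iface, src, dst) tuples and tally verdicts per reason."""
    tally = {}
    for iface, src, dst in packets:
        key = filter_packet(iface, src, dst)
        tally[key] = tally.get(key, 0) + 1
    return tally


# Constructed traffic sample.
SAMPLE = [
    ("ext", "198.51.100.7", "192.0.2.10"),    # legitimate inbound
    ("ext", "192.0.2.5", "192.0.2.10"),       # claims to be inside: spoofed
    ("ext", "10.1.2.3", "192.0.2.10"),        # private source from the Internet
    ("ext", "198.51.100.99", "192.0.2.255"),  # smurf-style directed broadcast
    ("int", "192.0.2.20", "198.51.100.7"),    # legitimate outbound
    ("int", "203.0.113.9", "198.51.100.7"),   # our host spoofing someone else
]

if __name__ == "__main__":
    for (verdict, reason), count in sorted(apply_filter(SAMPLE).items()):
        print(f"{count:3d} {verdict:6s} {reason}")
```

With iptables, the first ingress rule is a single line of the form `iptables -A INPUT -i eth0 -s 192.0.2.0/24 -j DROP` (assuming eth0 is the external interface), repeated on the FORWARD chain for traffic that passes through; the egress rule is its mirror image on the internal interface with `! -s 192.0.2.0/24`.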

Page 19: IP Spoofing

Network layout with Firewall

Page 20: IP Spoofing

IP Trace-back
- To trace back as close to the attacker's location as possible
- Limited in reliability and efficiency
- Requires cooperation of many other network operators along the routing path
- Generally does not receive much attention from network operators
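The simulation below shows why trace-back can locate a spoofing source at all, and why the slide's caveats about cooperation apply. It is an added example for this transcript, not code from the slides: it implements the node-sampling form of probabilistic packet marking from "Network support for IP trace-back" (on the references slide), in which each router overwrites a single mark field with its own address with probability p, so a mark from a router d hops from the victim survives with probability p(1-p)^(d-1) and the victim can order the path by mark frequency. The router names, the path, p = 0.5 and the packet counts are constructed; the `participating` set models operators that have not deployed marking.

```python
import random
from collections import Counter

MARK_PROB = 0.5  # p: chance that a marking router overwrites the mark field


def forward(path, rng, participating=None, p=MARK_PROB):
    """Carry one packet along `path` (attacker side first, victim last).

    Each router that runs the scheme overwrites the single mark field with its
    own address with probability p. Returns the mark the victim sees, or None."""
    mark = None
    for router in path:
        if participating is not None and router not in participating:
            continue  # this operator has not deployed marking
        if rng.random() < p:
            mark = router
    return mark


def collect_marks(path, n_packets, rng, participating=None):
    """Marks observed by the victim over n_packets attack packets."""
    counts = Counter()
    for _ in range(n_packets):
        mark = forward(path, rng, participating)
        if mark is not None:
            counts[mark] += 1
    return counts


def reconstruct_path(marks):
    """Order routers from the victim outward: a mark survives only if no later
    router overwrote it, so nearer routers are seen more often."""
    return [router for router, _ in marks.most_common()]


def expected_mark_rate(distance, p=MARK_PROB):
    """p * (1 - p) ** (distance - 1): survival rate for a router `distance` hops from the victim."""
    return p * (1 - p) ** (distance - 1)


def trace(path, n_packets=20000, seed=2003, participating=None):
    """Simulate an attack of n_packets and return the reconstructed path, victim outward."""
    rng = random.Random(seed)
    return reconstruct_path(collect_marks(path, n_packets, rng, participating))


# Constructed path: R4 is next to the attacker, R1 next to the victim.
PATH = ["R4", "R3", "R2", "R1"]

if __name__ == "__main__":
    print("all routers marking:", trace(PATH))
    print("R3 not participating:", trace(PATH, participating={"R1", "R2", "R4"}))
```

Two of the slide's limits fall straight out of the model: a router whose operator does not participate never appears in the reconstructed path, and the number of packets needed grows geometrically with distance because the far end's mark rate is (1-p)^(d-1) of the near end's, which is why trace-back is only practical against sustained floods.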

Page 21: IP Spoofing

Summary/Conclusion
- IP spoofing attacks are unavoidable.
- Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.

Page 22: IP Spoofing

References
- IP-spoofing Demystified (Trust-Relationship Exploitation), Phrack Magazine Review, Vol. 7, No. 48, pp. 48-14, www.networkcommand.com/docs/ipspoof.txt
- Security Engineering: A Guide to Building Dependable Distributed Systems, Ross Anderson, p. 371
- Introduction to IP Spoofing, Victor Velasco, November 21, 2000, www.sans.org/rr/threats/intro_spoofing.php
- A Large-scale Distributed Intrusion Detection Framework Based on Attack Strategy Analysis, Ming-Yuh Huang, Thomas M. Wicks, Applied Research and Technology, The Boeing Company
- Internet Vulnerabilities Related to TCP/IP and T/TCP, ACM SIGCOMM, Computer Communication Review
- IP Spoofing, www.linuxgazette.com/issue63/sharma.html
- Distributed System: Concepts and Design, Chapter 7, by Coulouris, Dollimore, and Kindberg
- FreeBSD IP Spoofing, www.securityfocus.com/advisories/2703
- IP Spoofing Attacks and Hijacked Terminal Connections, www.cert.org/advisories/CA-1995-01.html
- Network support for IP trace-back, IEEE/ACM Transactions on Networking, Vol. 9, No. 3, June 2001
- An Algebraic Approach to IP Trace-back, ACM Transactions on Information and System Security, Vol. 5, No. 2, May 2002
- Web Spoofing. An Internet Con Game, http://bau2.uibk.ac.at/matic/spoofing.htm

Page 23: IP Spoofing

Questions / Answers