
IP Spoofing Attack Dr. Neminath Hubballi IIT Indore © Neminath Hubballi.

Dec 26, 2015

Transcript
Page 1

IP Spoofing Attack
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi

Page 2

Outline

- Introduction
- IP address spoofing
- ICMP spoofing
- ARP spoofing
- DNS spoofing
- Email spoofing
- Defense mechanisms

Page 3

What is Spoofing

- Dictionary.com says: “to communicate electronically under a false identity”
- More conventional definition: hoax or trick (someone)
- Ex. Caller ID spoofing was prevalent in purchase scams
  - Required specific equipment to accomplish such spoofing

Page 4

Why Spoofing Works in Networks

- Computer networks are designed with trust relationships
- Design goal was to get it working
- Security was never a concern
- Design was not intended for today’s use cases
- We are best at reacting to situations
- Spoofing is possible in almost every layer of the TCP/IP stack

Page 5

IP Address Spoofing

- IP spoofing is the creation of IP packets using somebody else’s IP address as the source address of an IP packet
- Absence of state information makes the IP protocol vulnerable to spoofing
- Peer is not authenticated

Page 6

Normal Interaction

Source IP      Destination IP
200.1.1.1      100.1.1.1

[Figure: hosts 200.1.1.1 and 100.1.1.1]

Source IP      Destination IP
100.1.1.1      200.1.1.1

Page 7

Interaction Under Spoofing

Source IP      Destination IP
150.1.1.1      100.1.1.1

[Figure: hosts 200.1.1.1, 100.1.1.1 and 150.1.1.1]

Source IP      Destination IP
100.1.1.1      150.1.1.1

Page 8

Interaction Under Spoofing

Source IP      Destination IP
150.1.1.2      100.1.1.1

[Figure: hosts 200.1.1.1 and 100.1.1.1]

Source IP      Destination IP
100.1.1.1      150.1.1.2

I have no way forward

When the attacker uses a non-existing IP address as source address

Page 9

IP Address Spoofing

- By spoofing the address, the attacker conceals identity
- Makes it appear that it has come from a different source
- IP address spoofing is used in many cyber attacks
- There are some legitimate use cases
  - Website performance testing
  - NAT

Page 10

Why Spoof IP Address

- For the same reason thieves wear black dress and a helmet and do their work at night
- IP address acts as a source of sender’s identity
- Many systems keep logs of your activities
  - IP addresses are part of logging

Page 11

Non Blind IP Spoofing

- When the attacker is on the same subnet as the victim
- SEQ and ACK can be sniffed

[Figure: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.6, 10.0.0.7 and 10.0.0.15, with labels Attacker and Target]

Page 12

Blind IP Spoofing

- When the attacker is on a different subnet, perhaps on a different network
- SEQ and ACK cannot be sniffed that easily

[Figure: labels Target and Attacker]

Page 13

IP Address Spoofing in Reality

Page 14

IP Address Spoofing-Implications

- Many network services use host names or addresses for identification and authentication
- A host wanting service prepares a message and sends it to a remote service. The receiver either allows or disallows the service
- Many services are vulnerable to IP spoofing
  - RPC (http://seclists.org/bugtraq/1995/Jan/182)
  - NFS
  - X window system
  - Any service using IP address as authentication method

Page 15

IP Spoofing Derivative Attacks

- Man in the middle attack: Allows sniffing packets in between
- Routing redirect: Send a packet advertising a false better route to reach a destination
- Source routing: Insert attacker host in the list
  - Strict: Packet has to traverse only through the addresses mentioned
  - Loose: In addition to the list mentioned, packet can traverse additional routers
- Smurf attack: send ICMP packet to a broadcast address with spoofed address
- SYN flooding: Send too many TCP connections with spoofed source address
- Sequence number prediction
- Session hijacking
- Determining the state of firewall
  - Stateful firewalls remember history
- Denial of service

Page 16

How Easy it is to Spoof IP Address

- Little programming is enough!
  - Raw socket programming in UNIX
    - You will find examples of raw socket programs here: http://www.pdbuchan.com/rawsock/rawsock.html
  - WinPcap in Windows
- Several open source tools are available
  - Hping – seems not actively maintained now
  - Scapy – it does many things: packet manipulation, capture, spoof etc.

Page 17

Defenses Against IP Address Spoofing

- No complete solution exists
- Ingress filtering: drop packets coming from outside with source IP addresses used inside the network
- Egress filtering: any packet having a source IP address not in the network is dropped
- Avoiding trust relationships based on IP address
- Unicast Reverse Path Forwarding: discard IP packets that lack a verifiable IP source address
  - Idea is simple: the reverse path to the source IP address of an incoming packet uses the same interface
  - Strict: same interface
  - Loose: if any path exists to the source, it is ok
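The ingress, egress and Unicast Reverse Path Forwarding checks listed on this slide, as an added example that is not part of the original slides. The forwarding table, the interface names (lan0, wan0, wan1) and the choice of 100.1.1.0/24 as the inside network are assumptions; the addresses reuse those from the earlier interaction slides.

```python
import ipaddress

# Constructed forwarding table of a hypothetical edge router (prefix -> interface).
FIB = {
    "100.1.1.0/24": "lan0",   # inside network (assumed)
    "200.1.1.0/24": "wan0",   # reached through uplink wan0
    "150.1.1.1/32": "wan1",   # reached through uplink wan1
}
INSIDE_NET = ipaddress.ip_network("100.1.1.0/24")
INSIDE_IF = "lan0"

def route_interface(src):
    """Longest-prefix match on the source address; None when no route exists."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def urpf_pass(src, in_if, mode):
    """Strict: the route back to src must use in_if. Loose: any route is enough."""
    back = route_interface(src)
    if back is None:
        return False
    return back == in_if if mode == "strict" else True

def verdict(src, in_if, mode="strict"):
    """Apply ingress filter, egress filter, then uRPF to one packet."""
    inside_src = ipaddress.ip_address(src) in INSIDE_NET
    if in_if != INSIDE_IF and inside_src:
        return "drop: ingress filter"      # inside source arriving from outside
    if in_if == INSIDE_IF and not inside_src:
        return "drop: egress filter"       # inside host using a foreign source
    if not urpf_pass(src, in_if, mode):
        return "drop: uRPF " + mode
    return "accept"

# Constructed packets: (source address, arrival interface)
SAMPLES = [("200.1.1.1", "wan0"), ("150.1.1.1", "wan0"), ("150.1.1.2", "wan0"),
           ("100.1.1.1", "wan0"), ("200.1.1.1", "lan0")]

if __name__ == "__main__":
    for src, ifc in SAMPLES:
        print(src, ifc, verdict(src, ifc, "strict"), "|", verdict(src, ifc, "loose"))
```

The second sample shows the gap between the two modes: a source that is routable through a different interface passes loose mode but not strict mode.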

Page 18

Defenses Against IP Address Spoofing

- Anti-spoofing with IP source guard
  - Layer 2 security feature
  - Restricts IP traffic on untrusted layer 2 ports from using an IP address other than the one assigned by DHCP/static assignment
- Encryption and authentication: IPSec may be an answer
- Make ISN prediction difficult by having a perfect random number generation
  - RFC 1948 recommends ISN to be a function of Source IP, Destination IP, Source Port, Destination Port and a secret key
- TCP receiver window based prediction
  - Set the window size to small
- Traceroute
  - Measure TTL values
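The RFC 1948 recommendation on this slide, as an added example that is not part of the original slides: the ISN is a 4-microsecond timer plus a keyed hash of the connection 4-tuple. HMAC-SHA-256 as the hash, the secret value and the ports are assumptions made for the illustration; the addresses are the ones used on the interaction slides.

```python
import hashlib, hmac, ipaddress, struct

SECRET = b"constructed-demo-secret"   # assumption: a random per-host secret in practice
MASK = 0xFFFFFFFF

def timer_m(now):
    """M: 32-bit counter that ticks every 4 microseconds (250,000 per second)."""
    return int(now * 250_000) & MASK

def offset_f(secret, src_ip, src_port, dst_ip, dst_port):
    """F: keyed hash of the 4-tuple, truncated to 32 bits."""
    tup = (ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
           + ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port))
    return struct.unpack("!I", hmac.new(secret, tup, hashlib.sha256).digest()[:4])[0]

def isn_clock_only(now):
    """ISN taken from the timer alone: the same value for every peer."""
    return timer_m(now)

def isn_rfc1948(secret, src_ip, src_port, dst_ip, dst_port, now):
    """ISN = M + F(4-tuple, secret), modulo 2**32."""
    return (timer_m(now) + offset_f(secret, src_ip, src_port, dst_ip, dst_port)) & MASK

def guess_from_probe(probe_isn, elapsed):
    """Extrapolate from the ISN seen on one's own connection, using only the clock."""
    return (probe_isn + int(elapsed * 250_000)) & MASK

def demo():
    """Return (clock-only ISN is predictable, RFC 1948 ISN is predictable)."""
    server, t0, dt = "100.1.1.1", 1000.0, 0.5
    probe = ("200.1.1.1", 40000, server, 80)   # observer's own connection (constructed)
    other = ("150.1.1.1", 40001, server, 80)   # a connection it cannot see (constructed)
    weak = guess_from_probe(isn_clock_only(t0), dt) == isn_clock_only(t0 + dt)
    strong = (guess_from_probe(isn_rfc1948(SECRET, *probe, t0), dt)
              == isn_rfc1948(SECRET, *other, t0 + dt))
    return weak, strong

if __name__ == "__main__":
    print(demo())
```

Within one 4-tuple the ISN still advances with the clock, so old segments of the same connection remain distinguishable; only the relationship between different tuples is hidden by the secret.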