IP Spoofing Attack
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi
Outline
Introduction
IP address spoofing
ICMP spoofing
ARP spoofing
DNS spoofing
Email spoofing
Defense mechanisms
What is Spoofing
Dictionary.com says – “to communicate electronically under a false identity”
More conventional definition: to hoax or trick (someone)
Ex. Caller ID spoofing was prevalent in purchase scams; it required specific equipment to accomplish such spoofing
Why Spoofing Works in Networks
Computer networks are designed with trust relationships
  The design goal was to get it working
  Security was never a concern
  The design was not intended for today’s use cases
  We are best at reacting to situations
Spoofing is possible at almost every layer of the TCP/IP stack
IP Address Spoofing
IP spoofing is the creation of IP packets using somebody else’s IP address as the source address of an IP packet
Absence of state information makes the IP protocol vulnerable to spoofing
  The peer is not authenticated
Normal Interaction
[Figure: host 200.1.1.1 exchanges packets with host 100.1.1.1]
Request: Source IP 200.1.1.1, Destination IP 100.1.1.1
Reply: Source IP 100.1.1.1, Destination IP 200.1.1.1
The reply returns to the host that actually sent the request.
Interaction Under Spoofing
[Figure: host 200.1.1.1 sends to 100.1.1.1 with a forged source address; 150.1.1.1 is a different, existing host]
Request: Source IP 150.1.1.1 (spoofed; real sender is 200.1.1.1), Destination IP 100.1.1.1
Reply: Source IP 100.1.1.1, Destination IP 150.1.1.1
The reply is delivered to 150.1.1.1, not to the real sender 200.1.1.1.
Interaction Under Spoofing
[Figure: host 200.1.1.1 sends to 100.1.1.1 with a forged source address 150.1.1.2 that belongs to no host]
Request: Source IP 150.1.1.2 (spoofed; real sender is 200.1.1.1), Destination IP 100.1.1.1
Reply: Source IP 100.1.1.1, Destination IP 150.1.1.2
“I have no way forward” – the reply cannot be delivered
When the attacker uses a non-existent IP address as the source address
IP Address Spoofing
By spoofing the address the attacker conceals identity
  Makes it appear that the packet has come from a different source
IP address spoofing is used in many cyber attacks
There are some legitimate use cases
  Website performance testing
  NAT
Why Spoof IP Address
For the same reason thieves wear black clothes and a helmet and do their work at night
IP address acts as a source of the sender’s identity
Many systems keep logs of your activities
  IP addresses are part of logging
Non Blind IP Spoofing
[Figure: attacker and target on one subnet with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.6, 10.0.0.7 and 10.0.0.15]
When the attacker is on the same subnet as the victim
  SEQ and ACK can be sniffed
Blind IP Spoofing
[Figure: attacker and target on different subnets]
When the attacker is on a different subnet, perhaps a different network
  SEQ and ACK cannot be sniffed that easily
IP Address Spoofing in Reality
IP Address Spoofing – Implications
Many network services use host names or addresses for identification and authentication
  A host wanting a service prepares a message and sends it to the remote service; the receiver either allows or disallows the service
Many services are vulnerable to IP spoofing
  RPC (http://seclists.org/bugtraq/1995/Jan/182)
  NFS
  X window system
  Any service using the IP address as an authentication method
IP Spoofing Derivative Attacks
Man in the middle attack: allows sniffing packets in between
Routing redirect: send a packet advertising a false better route to reach a destination
Source routing: insert the attacker host in the list
  Strict: packet has to traverse only through the addresses mentioned
  Loose: in addition to the list mentioned, the packet can traverse additional routers
Smurf attack: send an ICMP packet to a broadcast address with a spoofed address
SYN flooding: send too many TCP connections with a spoofed source address
Sequence number prediction
Session hijacking
Determining the state of a firewall
  Stateful firewalls remember history
Denial of service
How Easy it is to Spoof IP Address
Little programming is enough!
  Raw socket programming in UNIX
  You will find examples of raw socket programs here: http://www.pdbuchan.com/rawsock/rawsock.html
  WinPcap in Windows
Several open source tools are available
  Hping – seems not actively maintained now
  Scapy – it does many things: packet manipulation, capture, spoofing etc.
Defenses Against IP Address Spoofing
No complete solution exists
Ingress filtering – drop packets coming from outside with source IP addresses used inside the network
Egress filtering – any packet having a source IP address not in the network is dropped
Avoiding trust relationships based on IP address
Unicast Reverse Path Forwarding – discard IP packets that lack a verifiable IP source address
  The idea is simple: the reverse path to the source IP address of an incoming packet uses the same interface
  Strict – same interface
  Loose – if any path exists to the source, it is OK
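A worked model of the ingress and egress filters and of strict and loose uRPF described above, added here as an example and not taken from the lecture. The network 200.1.1.0/24 (reusing the addresses from the earlier diagrams), the interface names and the routing table are assumptions; treating the default route as non-verifiable unless explicitly allowed is also an assumption.

```python
from ipaddress import ip_address, ip_network

# Added example, not from the lecture. Assumed topology: our network is
# 200.1.1.0/24 (as in the earlier diagrams) behind a border router with one
# LAN interface (lan0) and two upstream links (wan0, wan1).
INSIDE = ip_network("200.1.1.0/24")
DEFAULT = ip_network("0.0.0.0/0")
ROUTES = {                               # prefix -> interface it is reached through
    ip_network("200.1.1.0/24"): "lan0",
    ip_network("150.1.1.0/24"): "wan1",
    DEFAULT: "wan0",
}


def ingress_ok(src: str) -> bool:
    """Ingress filter on the upstream links: reject an inside source arriving from outside."""
    return ip_address(src) not in INSIDE


def egress_ok(src: str) -> bool:
    """Egress filter on the LAN side: only our own addresses may leave the network."""
    return ip_address(src) in INSIDE


def urpf_ok(src: str, in_iface: str, strict: bool = True, allow_default: bool = False) -> bool:
    """Unicast RPF. Strict: the longest-prefix route back to src must use in_iface.
    Loose: any route back to src is enough, whatever its interface.
    The default route counts as a verifiable path only when allow_default is set
    (an assumption mirroring common router defaults)."""
    addr = ip_address(src)
    matches = [n for n in ROUTES if addr in n and (allow_default or n != DEFAULT)]
    if not matches:
        return False                     # unreachable source: fails both modes
    if not strict:
        return True
    best = max(matches, key=lambda n: n.prefixlen)   # longest-prefix match
    return ROUTES[best] == in_iface


def filter_packet(src: str, in_iface: str, strict: bool = True) -> str:
    """Apply the checks as a border router would and return the verdict."""
    if in_iface == "lan0":               # leaving our network: egress filter
        return "forward" if egress_ok(src) else "drop: egress"
    if not ingress_ok(src):              # entering from upstream: ingress filter
        return "drop: ingress"
    if not urpf_ok(src, in_iface, strict):
        return "drop: uRPF"
    return "forward"
```

With this table, the diagram's host 200.1.1.1 sending with source 150.1.1.1 is stopped at the LAN side by the egress filter, and a packet with source 150.1.1.1 arriving on wan0 passes loose uRPF but fails strict uRPF because the route back points at wan1.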
Defenses Against IP Address Spoofing
Anti-spoofing with IP Source Guard
  Layer 2 security feature
  Restricts IP traffic on untrusted layer 2 ports to packets carrying the IP address assigned by DHCP or static assignment
Encryption and authentication – IPsec may be an answer
Make ISN prediction difficult by having perfectly random number generation
  RFC 1948 recommends the ISN to be a function of Source IP, Destination IP, Source Port, Destination Port and a secret key
TCP receiver window based prediction
  Set the window size small
Traceroute
  Measure TTL values
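An added example (not from the lecture) of the RFC 1948 scheme on this slide, ISN = M + F(source IP, destination IP, source port, destination port, secret), showing why an observer who sees one connection's ISN learns nothing about another 4-tuple's. The secret, the fixed timestamps and the use of HMAC-SHA256 as F are assumptions; RFC 1948 itself suggests MD5 over the fields and the secret.

```python
import hashlib
import hmac
import struct
import time

# Added example, not from the lecture. RFC 1948 computes
#   ISN = M + F(src_ip, dst_ip, src_port, dst_port, secret)
# M is a 32-bit counter ticking every 4 microseconds; F is a one-way function
# of the connection 4-tuple and a secret. The RFC suggests MD5 for F; this
# example uses HMAC-SHA256 (an assumption, not the RFC's exact construction).
MASK32 = 0xFFFFFFFF


def clock_m(now_us: int) -> int:
    """M: the 4-microsecond clock, wrapped to 32 bits."""
    return (now_us // 4) & MASK32


def connection_offset(src_ip: str, dst_ip: str, src_port: int,
                      dst_port: int, secret: bytes) -> int:
    """F: a per-4-tuple offset that cannot be computed without the secret."""
    fields = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}".encode()
    digest = hmac.new(secret, fields, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def initial_sequence_number(src_ip: str, dst_ip: str, src_port: int,
                            dst_port: int, secret: bytes, now_us=None) -> int:
    """ISN for a new connection; now_us may be fixed for reproducible runs."""
    if now_us is None:
        now_us = time.time_ns() // 1000
    offset = connection_offset(src_ip, dst_ip, src_port, dst_port, secret)
    return (clock_m(now_us) + offset) & MASK32


def isn_gap(isn_a: int, isn_b: int) -> int:
    """Modular distance between two ISNs, as an observer would compute it."""
    return (isn_b - isn_a) & MASK32


def demo():
    """Constructed scenario: two connections from 200.1.1.1 400 us apart, and one
    from 150.1.1.1 at the same instant as the first. Returns the observed gaps."""
    secret = b"constructed-secret-for-demo"   # constructed; use os.urandom in practice
    a1 = initial_sequence_number("200.1.1.1", "100.1.1.1", 40000, 80, secret, 1_000_000)
    a2 = initial_sequence_number("200.1.1.1", "100.1.1.1", 40000, 80, secret, 1_000_400)
    b1 = initial_sequence_number("150.1.1.1", "100.1.1.1", 40000, 80, secret, 1_000_000)
    # Same 4-tuple: the gap is just the clock advance (100 ticks). Different
    # 4-tuple: the gap includes a secret-dependent offset an observer cannot derive.
    return isn_gap(a1, a2), isn_gap(a1, b1)
```

Within one 4-tuple the ISN still advances like a plain clock, which is what keeps old segments from being confused with a new connection; across 4-tuples the secret-keyed offset is what defeats prediction.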