49845942 Seminar on Ip Spoofing


  • 8/4/2019 49845942 Seminar on Ip Spoofing

    1/27

    IP Spoofing Attack


    IP spoofing

    IP spoofing is a technique used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forged IP address indicating that the message is coming from a trusted host.

    The attacker puts an internal, or trusted, IP address as its source. The access control device sees the IP address as trusted and lets it through.


    IP Spoofing

    IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.

    Two general techniques are used during IP spoofing:

    A hacker uses an IP address that is within the range of trusted IP addresses.

    A hacker uses an authorized external IP address that is trusted.

    Uses for IP spoofing include the following:

    IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.

    If a hacker changes the routing tables to point to the spoofed IP address, the hacker can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.


    Basic Concept of IP Spoofing

    [Figure: host A (10.10.10.1) connects to www.carleton.ca (134.117.1.60)]

    Packet     Src_IP       dst_IP         Src_port      dst_port
    normal     10.10.10.1   134.117.1.60   Any (>1024)   80
    spoofed    11.11.11.1   134.117.1.60   Any (>1024)   80


    Why is IP spoofing easy?

    Problem with the routers.

    Routers look at destination addresses only.

    Authentication is based on source addresses only.

    Changing the source address field in the IP header is easy.


    Spoofing Attacks:

    There are a few variations on the types of attacks that use IP spoofing.

    Spoofing is classified into:

    1. Non-blind spoofing

    This attack takes place when the attacker is on the same subnet as the target and can see the sequence and acknowledgement numbers of packets.

    Using the spoofing to interfere with a connection that sends packets along your subnet.


    Spoofing Attacks:

    [Figure: impersonation, with a sender, a victim and the victim's partner. The victim: "Oh, my partner sent me a packet. I'll process this."]


    IP Spoofing

    [Figure: three-way handshake between trusted host A, host B and the intruder]

    SYN(A)
    ACK(A+1) SYN(B)
    ACK(B+1)


    Spoofing Attacks:

    2. Blind spoofing

    This attack may take place from outside, where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to sample sequence numbers, which was doable in older days.

    Using the spoofing to interfere with a connection (or create one) that does not send packets along your cable.


    Spoofing Attacks:

    [Figure: flooding attack, with a sender and a victim. The victim: "Oops, many packets are coming. But who is the real source?"]


    Spoofing Attacks:

    3. Man in the Middle Attack

    This is also called connection hijacking. In this attack, a malicious party intercepts a legitimate communication between two hosts to control the flow of communication and to eliminate or alter the information sent by one of the original participants without their knowledge.


    Spoofing Attacks:

    [Figure: reflection, with a sender, a reflector and a victim. The sender's IP-spoofed packet carries src: victim, dst: reflector. The victim: "Oops, a lot of replies without any request."]


    Spoofing Attacks:

    4. Denial of Service Attack

    IP spoofing is almost always used in denial of service attacks (DoS), in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time. To effectively conduct the attack, attackers spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block the traffic.


    Spoofing Attacks:

    IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines.

    For example, it is common on some corporate networks to have internal systems trust each other, so that a user can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authenticating.


    SMURF ATTACK

    Send an ICMP ping packet with a spoofed IP source address to a LAN, which will broadcast it to all hosts on the LAN.

    Each host will send a reply packet to the spoofed IP address, leading to denial of service.


    Misconception of IP Spoofing:

    A common misconception is that "IP spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth.

    This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. However, IP spoofing is an integral part of many network attacks that do not need to see responses.


    Impact

    Current intruder activity in spoofing source IP addresses can lead to unauthorized remote root access to systems behind a filtering-router firewall. After gaining root access and taking over existing terminal and login connections, intruders can gain access to remote hosts.


    Detection of IP Spoofing:

    1. If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack.


    Detection of IP Spoofing:

    2. Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access.
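The log comparison in detection method 2, sketched as an added example (not part of the original slides). The host names, the record layout (time, peer, service) and the 5-second clock-skew tolerance are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records, not real logs.
VICTIM = "hostB"
# On the victim: (time, apparent source host, service) for each remote access.
INBOUND_ON_VICTIM = [
    ("2024-03-01 10:15:02", "hostA", "rlogin"),
    ("2024-03-01 11:40:10", "hostA", "rsh"),
    ("2024-03-01 12:05:33", "hostC", "rlogin"),
]
# On each internal host: (time, destination host, service) for sessions it started.
OUTBOUND_BY_HOST = {
    "hostA": [("2024-03-01 10:15:01", "hostB", "rlogin")],
    "hostC": [("2024-03-01 12:05:31", "hostB", "rlogin")],
}

def unmatched_remote_access(victim, inbound, outbound_by_host,
                            skew=timedelta(seconds=5)):
    """Return the victim's remote-access entries that the apparent source never initiated."""
    suspicious = []
    used = set()  # outbound records already paired with an inbound entry
    for ts, claimed_src, service in inbound:
        t_in = datetime.strptime(ts, FMT)
        match = None
        for i, (ots, dest, osvc) in enumerate(outbound_by_host.get(claimed_src, [])):
            if (claimed_src, i) in used or dest != victim or osvc != service:
                continue
            # Allow for clock differences between the two machines.
            if abs(datetime.strptime(ots, FMT) - t_in) <= skew:
                match = (claimed_src, i)
                break
        if match is None:
            suspicious.append((ts, claimed_src, service))
        else:
            used.add(match)
    return suspicious

if __name__ == "__main__":
    for entry in unmatched_remote_access(VICTIM, INBOUND_ON_VICTIM, OUTBOUND_BY_HOST):
        print("no initiating entry on apparent source:", entry)
```

A host whose accounting log is missing is reported as unmatched too, so confirm the log was actually collected before treating the entry as spoofed.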


    Source Address Validation:

    Check the source IP address of IP packets

    filter invalid source addresses

    filter as close to the packet's origin as possible

    filter as precisely as possible

    If no networks allow IP spoofing, we can eliminate these kinds of attacks


    close to the origin

    We can check and drop packets that have an unused address everywhere, but used space can be checked before aggregation.

    [Figure: routers RT.a and RT.b and the networks 10.0.0.0/23 and 10.0.3.0/24, with packets carrying srcip: 10.0.0.1 and srcip: 0.0.0.0. Router reactions shown: "You are spoofing!" and "Hmm, this looks ok... but.."]


    Prevention of IP spoofing

    The best method of preventing the IP spoofing problem is to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network. In addition, you should filter outgoing packets that have a source address different from your internal network in order to prevent a source IP spoofing attack originating from your site.


    Prevention of IP spoofing

    If your vendor's router does not support filtering on the inbound side of the interface, or if there will be a delay in incorporating the feature into your system, you may filter the spoofed IP packets by using a second router between your external interface and your outside connection. Configure this router to block, on the outgoing interface connected to your original router, all packets that have a source address in your internal network.


    Prevention of IP Spoofing:

    To prevent IP spoofing from happening in your network, the following are some common practices:

    1. Avoid using source address authentication. Implement cryptographic authentication system-wide.

    2. Configure your network to reject packets from the Net that claim to originate from a local address.

    3. Implement ingress and egress filtering on the border routers and implement an ACL (access control list) that blocks private IP addresses on your downstream interface.

    If you allow outside connections from trusted hosts, enable encryption sessions at the router.


    Filtering

    [Figure: filtering between the networks 10.10.10.0 and 10.10.0.0, with two rules]

    if src_addr is from 10.10.0.0 then forward else drop

    if src_addr is from 10.10.0.0 then drop else forward
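The two filter rules above, together with the external-interface check from detection method 1 and the "unused address" drop from the source address validation slides, as an added example (not part of the original slides). The /16 prefix length for 10.10.0.0, the interface labels and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the internal network is 10.10.0.0 as on the Filtering slide;
# the /16 prefix length is assumed here, the slide gives no mask.
INTERNAL = ipaddress.ip_network("10.10.0.0/16")

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def verdict(pkt):
    """Apply the slide's rules; pkt['iface'] is the interface the packet arrived on."""
    src = ipaddress.ip_address(pkt["src"])
    if src.is_unspecified:
        return "drop"      # unused source such as 0.0.0.0: drop everywhere
    if pkt["iface"] == "external":
        # Input filter: traffic from outside must not claim an internal source.
        return "drop" if src in INTERNAL else "forward"
    # Traffic leaving the site: forward only genuine internal sources.
    return "forward" if src in INTERNAL else "drop"

def under_attack(pkt):
    """Detection rule: on the external interface, source AND destination are both local."""
    return (pkt["iface"] == "external"
            and is_internal(pkt["src"]) and is_internal(pkt["dst"]))

# Constructed sample packets (addresses reuse the slides' examples where possible).
SAMPLE = [
    {"iface": "external", "src": "134.117.1.60", "dst": "10.10.10.1"},
    {"iface": "external", "src": "10.10.10.7",   "dst": "10.10.10.1"},
    {"iface": "internal", "src": "10.10.10.1",   "dst": "134.117.1.60"},
    {"iface": "internal", "src": "11.11.11.1",   "dst": "134.117.1.60"},
    {"iface": "internal", "src": "0.0.0.0",      "dst": "134.117.1.60"},
]

def evaluate(packets):
    """Return (verdict, alert) for each packet, in order."""
    return [(verdict(p), under_attack(p)) for p in packets]

if __name__ == "__main__":
    for p, (v, alert) in zip(SAMPLE, evaluate(SAMPLE)):
        print(p["iface"], p["src"], "->", p["dst"], v, "ALERT" if alert else "")
```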


    CONCLUSION