1 / 25

IP Spoof Attack

IP Spoof Attack. Zhengming 2011-4-5. content. Background IP Spoof history IP Spoof Attack Event IP Spoof Attack Categories IP Spoof Attack Demo IP Spoof Attack Defense. version. IHL. Type of Service. Total length. Identification. DF. DF. MF. Fragment offset. Time to live.

brand
Download Presentation

IP Spoof Attack

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IP Spoof Attack Zhengming 2011-4-5

  2. content • Background • IP Spoof history • IP Spoof Attack Event • IP Spoof Attack Categories • IP Spoof Attack Demo • IP Spoof Attack Defense

  3. version IHL Type of Service Total length Identification DF DF MF Fragment offset Time to live Protocol Header checksum Source address Destination address Options (0 or more words) Internet Protocol (IP) ECE 4112 - Internetwork Security

  4. IP Spoof Background • 互联网上每周有4000多起源地址伪造攻击 • 美国、中国是世界上遭受源地址伪造攻击最多的国家之一(CAIDA) • 98%的地址可以进行伪造或邻居伪造(MIT Spoofer)

  5. CAIDA Telescope • 一个实时backscatter (反射式)假冒源地址DoS攻击观测平台 • 观察一个黑洞地址内收到的报文,其中许多是被攻击者随机假冒黑洞内的地址空间,被受害者发回的应答报文 • 可以估计互联网随机假冒源地址方式的攻击总量(实际上由于黑洞为源地址的攻击报文可能被过滤掉,实际上是低估了) • 也可以发现谁被攻击了(收到的源地址就是攻击时的目的地址)

  6. MIT ANA Spoofer Project • 测量互联网对源地址伪造的过滤情况 • 多种源地址类型(invalid, valid, private) • 过滤粒度(可以伪造哪些邻居的地址?) • 地理位置(哪些运营商实施了源地址验证?) • 在所作的测量中,31%的用户可以伪造至少一种地址;其余的用户中,有77%可以伪造不同粒度的邻居的地址。 • 并且在过去四年中,全球网络在源地址过滤方面不进反退。说明在防止伪造方面的发展不如在网络规模上的发展速度。

  7. Example

  8. IP Spoof History • 1985 Robbert Morris A weakness in the 4.2bsd unix TCP/IP software • 1989 S. M Bellovin Security Problems in the TCP/IP Protocol Suite • Morris Worm • Kevin Mitnick's Christmas Day

  9. IP Spoofing Attack • Non-blind attacks • Attacker and target on same subnet • Reply traffic can be sniffed • Blind attacks • Attacker and target on different subnets • Reply traffic cannot be seen by attacker • Attacker must be able to predict replies ECE 4112 - Internetwork Security

  10. IP Spoofing Attack • Attacks made possible by IP spoofing include • Denial of Service (DOS) • Session Hijacking • Man in the Middle • To take over a TCP stream, sequence and acknowledgement numbers must be sniffed or predicted. ECE 4112 - Internetwork Security

  11. IP Spoof Attack Categories

  12. 被假冒主机H 不存在于公网或是没激活的源地址 SYN flooding

  13. 被假冒主机H 就是攻击目标 Smurf DrDoS Land TFN ( tribe flood network)

  14. 被假冒主机H 与V 在同一子网 Blind attack TFN2K ( tribe flood network 2000)

  15. 被假冒主机H 与A 在同一子网 Bounce Scan

  16. 被假冒主机H 在A 与V 通信路径上

  17. 被假冒主机H 既不与V 或A 在同一子网, 也不在A 与V 通信路径上 MITM( man-in-the-middle)

  18. DEMO

  19. IP Spoof Defense • Router based filtering • End to End • Traceback

  20. Router based filtering • Ingress Filtering • DPF • SAVE • Passports • HCF ( hop count filtering) • ARBIF • Filter in Access Network

  21. End to End • IPSec • SPM • APPA

  22. Traceback • Packet Mark • PPM、DPM、Pi和AITF • Router Record • Hash-based IP Traceback • Collector • iTrace、CenterTrack

  23. IP Spoof Defense RS =random source, FS =fixed source , RD=random destination, FD=fixed destination

  24. 故事接龙 • 六怪拜访黄药师,黄药师无意理会,命哑姑招呼各人。黄药师则独自划艇出海垂钓。哑姑到海边找寻黄药师却见欧阳锋与杨康到来。杨康诱骗哑姑引六怪到墓穴。欧阳锋假扮黄药师将五怪杀死,故意放走柯镇恶。使柯镇恶误会黄药师杀五怪,令天下群攻黄药师。但欧阳锋、杨康留下不少蛛丝马迹使黄蓉猜知乃二人所为。

  25. Thanks & Questions

More Related