Joshua White, Director of CyOON Research and Development ("Cyber Operations for Optical Networks"), jwhite@everisinc.com, Everis Inc, http://www.EverisInc.com, (315)-370-1535
CyberPatriot Advanced Topics: IP Spoofing Overview
Agenda
• Company Background
• IP Spoofing Overview
• Why Is It So Easy
• Types Of IP Spoofing
• Detection Techniques
• Prevention Techniques
• Conclusions
IP Spoofing Overview
• IP spoofing is a technique used to gain unauthorized access to computers or networks.
• The attacker sends messages to a computer using a forged source IP address, making the messages appear to come from a trusted host.
IP Spoofing Overview (2)
• IP spoofing occurs when an individual inside or outside a network impersonates the conversations of a trusted node.
• Most spoofing attacks fall under two techniques:
  • Using an IP address within the range of trusted IPs
  • Using an authorized external IP address that is trusted
• For government and enterprise instances a third technique exists: using an IP address other than your own to place blame on another country or individual. This IP address is neither trusted nor untrusted; it simply is not truthful.
IP Spoofing Overview (3)
• Considering the AAA model for secure protocols (RFC-2906), some example uses of IP spoofing to perpetrate attacks against it are:
  • Injection of malicious data or code into an existing data stream (Authentication)
  • A hacked routing table, set for the attacker to receive and send from a spoofed IP, would allow them to completely replace the legitimate source (Authorization)
  • DoS or other attacks can be covered up by using a spoofed IP address to shirk responsibility for the action, thus breaking the rules of non-repudiation (Accountability)
Why Is It So Easy?
• IP spoofing is easy due to a number of reasons:
  • Routers forward traffic based on the destination address (RFC-1812)
  • Some security mechanisms allow for IP as the sole means of authentication (RFC-5406)
  • Actually changing the source IP in a packet is extremely easy to do (LibPal, PacketForge, etc.)
Types Of IP Spoofing
• Everis engineers define IP spoofing attacks as falling under three categories:
  • Blind: the attacker has some real-time knowledge of the network, such as packet sequence identifiers. Used heavily in replay attacks.
  • Non-Blind: the attacker has no knowledge of, or access to, real-time network information. Used heavily in DoS and probing.
  • Infinite Knowledge: the attacker is sitting on (sniffing) a live session and hijacks it using spoofed IP, MAC, authentication, etc. Used heavily in MITM attacks.
Advanced IP Spoofing Attacks
• A number of very advanced attacks can be accomplished through the use of IP spoofing.
• The simplest example is smurfing (the SMURF attack): a LAN is sent an ICMP broadcast packet with a spoofed source address. All computers on the LAN reply to the owner of the real address that was spoofed, thus overwhelming it (D-DoS).
Detection
• There's no surefire way to detect IP spoofing, though some rules of thumb exist:
  • If an internal IP address shows up in a log file as coming in through an external interface, then it's probably been spoofed.
  • If an advanced attack is happening on your network, you can make the assumption that the attacker is covering their tracks by spoofing the source identifier.
Prevention
• There are no foolproof prevention mechanisms; however, to better protect yourself:
  • Do not allow authenticated access without some layered mechanism such as CHAP, LEAP, Kerberos, etc.
  • Do not allow certain ranges of IPs to pass in/out of your border gateway. For instance, don't allow the internal range of IPs access from the external interface.
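As an added example (not part of the original deck), a small Python checker that applies the Detection slide's rule of thumb and the Prevention slide's border-filter rule to a handful of constructed log lines. The interface names, the log line format and the use of the RFC 1918 ranges as the site's internal address space are assumptions.

```python
"""Flag log entries whose source address contradicts the interface it arrived on.
Detection rule: an internal address entering on the external interface is
probably spoofed. Prevention rule: the border gateway should not pass such
packets, nor let non-internal sources leave the network (BCP 38 style)."""
import ipaddress

# Assumption: the site's internal address space is the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTERNAL_IF = "eth0"   # assumed name of the border-facing interface
INTERNAL_IF = "eth1"   # assumed name of the LAN-facing interface

# Constructed sample log lines (not from any real device):
# <timestamp> <direction> <interface> <src> -> <dst>
SAMPLE_LOG = """\
2024-01-01T10:00:01 in eth0 203.0.113.7 -> 192.168.1.10
2024-01-01T10:00:02 in eth0 192.168.1.55 -> 192.168.1.10
2024-01-01T10:00:03 in eth1 192.168.1.20 -> 198.51.100.4
2024-01-01T10:00:04 out eth0 10.9.8.7 -> 198.51.100.4
2024-01-01T10:00:05 out eth0 203.0.113.9 -> 198.51.100.4
"""

def is_internal(addr):
    """True if addr falls inside one of the assumed internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(line):
    """Return a reason string if the line looks spoofed, else None."""
    _ts, direction, iface, src, _arrow, _dst = line.split()
    if direction == "in" and iface == EXTERNAL_IF and is_internal(src):
        return "ingress: internal source %s arrived on external interface" % src
    if direction == "out" and iface == EXTERNAL_IF and not is_internal(src):
        return "egress: non-internal source %s leaving the network" % src
    return None

def find_spoofed(log_text):
    """Return [(line, reason)] for every suspicious entry in the log text."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reason = classify(line)
        if reason:
            hits.append((line, reason))
    return hits

if __name__ == "__main__":
    for line, reason in find_spoofed(SAMPLE_LOG):
        print(reason, "|", line)
```

Running it flags the second line (a 192.168.x source arriving on eth0) and the last line (a non-internal source leaving on eth0); the same two predicates are what a border gateway's ingress and egress filters would enforce.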
Conclusion
• There exists a need for mechanisms which prevent, detect, and trace back IP spoofing attacks.
• These mechanisms should focus on fixing the problems in the AAA security model.
• Everis is currently focused on fixing the non-repudiation aspect (Accountability), which is broken by not being able to accurately identify who a perpetrator is.
Thanks
• Thanks to:
• Central NY ISSA for providing time to the CyberPatriot documentation project (www.issa.org)
• Everis Inc. for hosting, technical support, experienced staff and more (www.everisinc.com)
• Griffiss Institute for providing space and support (http://www.griffissinstitute.org/)
• Rome AFRL for their support of STEM (http://www.wpafb.af.mil/afrl/ri/)