IP Spoofing BY ASHISH KUMAR BT – IT UNDER GUIDANCE OF MRS. ASHA JYOTI
IP SPOOFING? • IP Spoofing is a technique used to gain unauthorized access to computers. • IP: Internet Protocol • Spoofing: using somebody else’s information • Exploits the trust relationships • The intruder sends messages to a computer with the IP address of a trusted host.
WHY IS IP SPOOFING EASY? • Problem with the routers. • Routers look at destination addresses only. • Authentication is based on source addresses only. • Changing the source address field in the IP header is easy.
IP SPOOFING STEPS • Select a target host (the victim). • Identify a host that the target “trusts”. • Disable the trusted host and sample the target’s TCP sequence numbers. • The trusted host is impersonated and the ISN (initial sequence number) forged. • Attempt a connection to a service that only requires address-based authentication. • If successfully connected, execute a simple command to leave a backdoor.
Spoofing Attacks Spoofing is classified into: 1. Non-blind spoofing: This attack takes place when the attacker is on the same subnet as the target and can therefore see the sequence and acknowledgement numbers of packets.
CONTD… 2. Blind spoofing: This attack may take place from outside, where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to sample sequence numbers, which was doable in older days.
CONTD… 3. Denial of Service Attack: IP spoofing is almost always used in denial of service (DoS) attacks, in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time.
CONTD… 4. SMURF ATTACK: • An ICMP ping packet with a spoofed source IP address is sent to a LAN, which broadcasts it to all hosts on the LAN. • Each host sends a reply packet to the spoofed IP address, leading to denial of service.
CONTD… 5. Man-in-the-middle: The attacker sniffs packets on the link between the two endpoints and can therefore pretend to be one end of the connection.
Detection of IP Spoofing 1. If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack.
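The check described on this slide, as an added Python example (not part of the original presentation). The log format, interface name and local prefixes are constructed assumptions; the addresses come from documentation ranges.

```python
import ipaddress

# Assumption: the prefixes that make up "your local domain".
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/25")]
EXTERNAL_IFACE = "eth0"  # assumption: name of the Internet-facing interface

# Constructed capture summary, one packet per line:
# "<time> <iface> <src> > <dst> <proto>"
SAMPLE_LOG = """\
10:00:01 eth0 203.0.113.7 > 192.0.2.10 tcp
10:00:02 eth1 192.0.2.10 > 203.0.113.7 tcp
10:00:03 eth0 192.0.2.25 > 192.0.2.10 tcp
10:00:04 eth1 192.0.2.25 > 192.0.2.10 tcp
10:00:05 eth0 198.51.100.9 > 192.0.2.10 icmp
10:00:06 eth0 198.51.100.200 > 192.0.2.10 tcp
malformed line
"""

def is_local(addr):
    """True if addr parses as an IP address inside one of the local prefixes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)

def find_spoofed(log_text):
    """Return packets seen on the external interface whose source AND
    destination are both local: a local source cannot legitimately
    arrive from outside, so the source address is forged."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != ">":
            continue  # skip lines that do not match the constructed format
        when, iface, src, _, dst, proto = parts
        if iface == EXTERNAL_IFACE and is_local(src) and is_local(dst):
            alerts.append((when, src, dst, proto))
    return alerts

if __name__ == "__main__":
    for when, src, dst, proto in find_spoofed(SAMPLE_LOG):
        print(f"{when} possible spoofed packet: {src} -> {dst} ({proto})")
```

The same traffic seen on the internal interface (`eth1` here) is normal and is not flagged, and `198.51.100.200` falls outside the local /25, so it is treated as an ordinary external source.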
Detection of IP Spoofing 2. Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access.
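The log comparison described on this slide, as an added Python example (not part of the original presentation). The record layout, host names, timestamps and the 30-second matching window are constructed assumptions, not a real accounting-log format.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumption: tolerated clock skew between hosts

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample data (simplified records, not a real accounting format).
# Victim side: remote accesses it logged as (time, apparent source, service).
VICTIM = "victim.example"
VICTIM_INBOUND = [
    (ts("2024-01-10 09:15:02"), "trusted.example", "rlogin"),
    (ts("2024-01-10 11:40:30"), "trusted.example", "rsh"),
    (ts("2024-01-10 13:05:00"), "admin.example", "rsh"),
]
# Apparent-source side: commands each host actually ran, as (time, command, destination).
SOURCE_OUTBOUND = {
    "trusted.example": [
        (ts("2024-01-10 09:14:55"), "rlogin", "victim.example"),
        (ts("2024-01-10 11:40:25"), "rsh", "other.example"),
    ],
    # admin.example: accounting log not collected
}

def unmatched_inbound(inbound, outbound, victim):
    """Return victim-side accesses with no matching entry on the apparent source."""
    findings = []
    for when, src, service in inbound:
        if src not in outbound:
            # Cannot confirm or refute: surface it instead of assuming it is benign.
            findings.append((when, src, service, "no-log-available"))
            continue
        matched = any(
            cmd == service and dst == victim and abs(when - t) <= WINDOW
            for t, cmd, dst in outbound[src]
        )
        if not matched:
            findings.append((when, src, service, "no-matching-outbound"))
    return findings

if __name__ == "__main__":
    for when, src, service, reason in unmatched_inbound(VICTIM_INBOUND, SOURCE_OUTBOUND, VICTIM):
        print(f"{when} {service} from {src}: {reason}")
```

An access from a host whose logs are missing is reported separately, because the absence of data neither confirms nor rules out a forged source.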
IP-Spoofing Counter-measures • No insecure authenticated services • Disable commands like ping • Use encryption • Strengthen TCP/IP protocol • Firewall • IP trace back
IP Trace-back • To trace back as close to the attacker’s location as possible • Limited in reliability and efficiency • Requires cooperation of many other network operators along the routing path • Generally does not receive much attention from network operators
Misconception of IP Spoofing A common misconception is that "IP Spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. However, IP spoofing is an integral part of many network attacks that do not need to see responses.
IP-Spoofing Facts • IP protocol is inherently weak • Makes no assumption about sender/recipient • Nodes on path do not check sender’s identity • There is no way to completely eliminate IP spoofing • Can only reduce the possibility of attack
Applications • Asymmetric routing (Splitting routing) • SAT DSL • NAT • IP Masquerade
ADVANTAGES • Multiple Servers : Sometimes you want to change where packets heading into your network will go. Frequently this is because you have only one IP address, but you want people to be able to get into the boxes behind the one with the `real' IP address.
ADVANTAGES • Transparent Proxying : Sometimes you want to pretend that each packet which passes through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program which stands between your network and the outside world, shuffling communication between the two. The transparent part is because your network won't even know it's talking to a proxy, unless of course, the proxy doesn't work.
DISADVANTAGES • Blind to Replies: A drawback of IP source address spoofing is that reply packets go back to the spoofed IP address rather than to the attacker. This is fine for many types of attack packets. However, in a scanning attack, as we will see next, the attacker may need to see replies. In such cases, the attacker cannot use IP address spoofing.
DISADVANTAGES • Serial attack platforms: However, the attacker can still maintain anonymity by taking over a chain of attack hosts. The attacker attacks the target victim using a point host, the last host in the attack chain. Even if authorities learn the point host’s identity, they might not be able to track the attack through the chain of attack hosts all the way back to the attacker’s base host.
CONCLUSION • IP spoofing attacks are unavoidable. • Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.