IP Spoofing
Bao Ho, ToanTai Vu
CS 265 - Security Engineering
Spring 2003
San Jose State University
IP Spoofing, CS265
Presentation Outline
• Introduction, Background
• Attacks with IP Spoofing
• Counter Measures
• Summary
IP Spoofing
• IP Spoofing is a technique used to gain unauthorized access to computers.
• IP: Internet Protocol
• Spoofing: using somebody else's information
• Exploits the trust relationships between hosts
• The intruder sends messages to a computer with the IP address of a trusted host.
IP / TCP
• IP is connectionless, unreliable
• TCP is connection-oriented
TCP/IP handshake:
A → B: SYN; my number is X
B → A: ACK; now X+1. SYN; my number is Y
A → B: ACK; now Y+1
A Blind Attack
Host I cannot see what Host V sends back.
IP Spoofing Steps
• Select a target host (the victim)
• Identify a host that the target "trusts"
• Disable the trusted host; sample the target's TCP sequence numbers
• Impersonate the trusted host and forge the ISN
• Attempt a connection to a service that only requires address-based authentication
• If the connection succeeds, execute a simple command to leave a backdoor
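The three slides above (the handshake, the blind attack and the attack steps) all turn on one fact: the server's ISN Y is only ever sent to the address written in the SYN's source field. The following model is an added example, not part of the original slides; it simulates a tiny network of hosts exchanging the three handshake messages, with a 32-bit ISN drawn from a CSPRNG (the "good random number generator" countermeasure from later in the deck). The honest handshake completes because A really receives Y; a SYN carrying the trusted host T's address as source gets V's SYN+ACK delivered to T, so the sender never sees Y and its final ACK, carrying a guess, is dropped. Host names, addresses and the `Segment`/`Host`/`Network` classes are this example's own constructions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MASK = 0xFFFFFFFF  # sequence numbers are 32-bit


@dataclass
class Segment:
    src: str
    dst: str
    flags: str  # "SYN", "SYN+ACK" or "ACK"
    seq: int = 0
    ack: int = 0


@dataclass
class Host:
    addr: str
    pending: Dict[str, int] = field(default_factory=dict)  # peer -> our ISN (Y)
    established: set = field(default_factory=set)
    inbox: List[Segment] = field(default_factory=list)     # everything delivered here

    def on_segment(self, seg: Segment) -> Optional[Segment]:
        """Process one delivered segment; return a reply to send, if any."""
        self.inbox.append(seg)
        if seg.flags == "SYN":
            y = secrets.randbits(32)  # CSPRNG-backed ISN, not a counter
            self.pending[seg.src] = y
            return Segment(self.addr, seg.src, "SYN+ACK", seq=y, ack=(seg.seq + 1) & MASK)
        if seg.flags == "ACK":
            y = self.pending.get(seg.src)
            # The third message must acknowledge exactly Y+1; anything else is dropped.
            if y is not None and seg.ack == (y + 1) & MASK:
                del self.pending[seg.src]
                self.established.add(seg.src)
        return None


class Network:
    """Delivers a segment to the owner of seg.dst; any reply is delivered to
    whoever owns the address written in seg.src, whether true or forged."""

    def __init__(self, *hosts: Host):
        self.hosts = {h.addr: h for h in hosts}

    def send(self, seg: Segment) -> None:
        reply = self.hosts[seg.dst].on_segment(seg)
        if reply is not None and reply.dst in self.hosts:
            self.hosts[reply.dst].on_segment(reply)


def last_synack(host: Host) -> Optional[Segment]:
    return next((s for s in reversed(host.inbox) if s.flags == "SYN+ACK"), None)


def honest_handshake(net: Network, a: str, b: str) -> bool:
    """A -> B SYN(X); B -> A SYN+ACK(Y, X+1); A -> B ACK(Y+1)."""
    x = secrets.randbits(32)
    net.send(Segment(a, b, "SYN", seq=x))
    synack = last_synack(net.hosts[a])  # A really receives Y
    net.send(Segment(a, b, "ACK", seq=(x + 1) & MASK, ack=(synack.seq + 1) & MASK))
    return a in net.hosts[b].established


def blind_forged_handshake(net: Network, intruder: str, trusted: str, victim: str) -> dict:
    """The slide's blind attack as a model: a SYN whose source field says T.
    V's SYN+ACK (carrying Y) is delivered to T, never to I, so the final ACK
    can only carry a guess, which the 32-bit check rejects."""
    net.send(Segment(trusted, victim, "SYN", seq=1000))
    i_saw_y = last_synack(net.hosts[intruder]) is not None
    t_saw_y = last_synack(net.hosts[trusted]) is not None
    net.send(Segment(trusted, victim, "ACK", seq=1001, ack=secrets.randbits(32)))
    return {"intruder_saw_synack": i_saw_y, "trusted_saw_synack": t_saw_y,
            "established": trusted in net.hosts[victim].established}


if __name__ == "__main__":
    net = Network(Host("A"), Host("B"), Host("I"), Host("T"), Host("V"))
    print("honest A<->B established:", honest_handshake(net, "A", "B"))
    print("blind I-as-T -> V:", blind_forged_handshake(net, "I", "T", "V"))
```

The model leaves out the RST that a live trusted host would send when an unexpected SYN+ACK lands in its inbox; that reset is what the "disable the trusted host" step on the slide exists to suppress, and it is also why a host that is unexpectedly unreachable at the same moment as a new trusted connection appears is worth an alert.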
IP Spoofing Attacks
• Man in the middle
• Routing
• Flooding / Smurfing
Attacks
• Man-in-the-middle: the attacker sniffs packets on the link between the two endpoints, and can therefore pretend to be one end of the connection.
Attacks
• Routing redirect: redirects routing information from the original host to the attacker's host.
• Source routing: the attacker redirects individual packets through the attacker's host.
Attacks
• Flooding: a SYN flood fills up the receive queue with connection requests from random source addresses.
• Smurfing: an ICMP packet spoofed to originate from the victim is sent to the broadcast address, causing all hosts on the network to respond to the victim at once.
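Both attacks on this slide leave a recognisable trace in traffic summaries, and that trace is what a defender can alert on. The detector below is an added example written for this page, not code from the slides: it runs over constructed packet records of the form (time, protocol, source, destination, flag or ICMP type) and flags a SYN flood as a destination collecting many half-open SYNs (SYNs whose source never sends the third ACK) from many distinct sources in one window, and a smurf as an echo request aimed at the segment's broadcast address together with a burst of echo replies converging on a host that asked none of the responders anything. The prefix 192.0.2.0/24, the thresholds and the sample traffic are this example's own assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Record = (time_s, proto, src, dst, info); info is the TCP flag or ICMP type.
Record = Tuple[float, str, str, str, str]
SITE = ip_network("192.0.2.0/24")            # constructed: the site's own prefix
BROADCAST = str(SITE.broadcast_address)      # 192.0.2.255


def detect_syn_flood(records: List[Record], window_s: float = 1.0,
                     min_half_open: int = 50, min_sources: int = 20) -> List[Dict]:
    """Flag a destination that collects many half-open connections (SYNs whose
    source never completes the handshake) from many distinct sources in one window."""
    completed = {(src, dst) for _, proto, src, dst, info in records
                 if proto == "tcp" and info == "ACK"}
    per_window: Dict[Tuple[str, int], Counter] = defaultdict(Counter)
    for t, proto, src, dst, info in records:
        if proto == "tcp" and info == "SYN" and (src, dst) not in completed:
            per_window[(dst, int(t // window_s))][src] += 1
    alerts = []
    for (dst, w), sources in sorted(per_window.items()):
        half_open = sum(sources.values())
        if half_open >= min_half_open and len(sources) >= min_sources:
            alerts.append({"type": "syn_flood", "dst": dst, "window": w,
                           "half_open": half_open, "sources": len(sources)})
    return alerts


def detect_smurf(records: List[Record], min_replies: int = 20) -> List[Dict]:
    """Smurf leaves two traces: an echo request aimed at the broadcast address
    (the amplifier being triggered) and echo replies converging on one host
    that never sent a request to the responders (the victim)."""
    asked = {(src, dst) for _, proto, src, dst, info in records
             if proto == "icmp" and info == "echo-request"}
    unsolicited: Counter = Counter()
    alerts = []
    for _, proto, src, dst, info in records:
        if proto != "icmp":
            continue
        if info == "echo-request" and dst == BROADCAST:
            alerts.append({"type": "broadcast_echo_request", "claimed_src": src, "dst": dst})
        elif info == "echo-reply" and (dst, src) not in asked:
            unsolicited[dst] += 1
    for victim, n in unsolicited.items():
        if n >= min_replies:
            alerts.append({"type": "amplified_echo_replies", "victim": victim, "replies": n})
    return alerts


def sample_records() -> List[Record]:
    """Constructed traffic: one normal handshake to 192.0.2.10, then 60 SYNs from
    60 distinct never-completing sources in the same second, then a smurf burst in
    which 30 hosts on the segment answer a request forged 'from' 192.0.2.20."""
    recs: List[Record] = [(0.00, "tcp", "198.51.100.5", "192.0.2.10", "SYN"),
                          (0.01, "tcp", "198.51.100.5", "192.0.2.10", "ACK")]
    recs += [(0.5 + i * 0.005, "tcp", f"203.0.113.{i + 1}", "192.0.2.10", "SYN")
             for i in range(60)]
    recs.append((2.0, "icmp", "192.0.2.20", BROADCAST, "echo-request"))
    recs += [(2.0 + i * 0.001, "icmp", f"192.0.2.{100 + i}", "192.0.2.20", "echo-reply")
             for i in range(30)]
    return recs


if __name__ == "__main__":
    for alert in detect_syn_flood(sample_records()) + detect_smurf(sample_records()):
        print(alert)
```

The honest handshake in the sample is not counted because its source later sends an ACK; the flood's sources never do. The thresholds are deliberately conservative so that a busy but legitimate server is not flagged; tune them against a baseline of the site's own traffic.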
IP-Spoofing Facts
• The IP protocol is inherently weak
• It makes no assumption about sender/recipient
• Nodes on the path do not check the sender's identity
• There is no way to completely eliminate IP spoofing
• We can only reduce the possibility of attack
IP-Spoofing Counter-measures
• No insecure authenticated services
• Disable commands like ping
• Use encryption
• Strengthen TCP/IP protocol
• Firewall
• IP traceback
No Insecure Authenticated Services
• r* services are hostname-based or IP-based
• Other, more secure alternatives exist, i.e., ssh
• Remove the binary files
• Disable them in inetd, xinetd
• Clean up .rhosts files and /etc/hosts.equiv
• No application with hostname/IP-based authentication, if possible
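The clean-up on this slide is easy to state and easy to leave half done, so it is worth auditing mechanically. The script below is an added example, not part of the slides: it reports every `.rhosts` or `hosts.equiv` entry (a `+` as host or user is a wildcard and is marked CRITICAL), every uncommented `shell`/`login`/`exec` line in `inetd.conf`, and every `xinetd.d` file for rsh, rlogin or rexec that lacks `disable = yes`. It works on an in-memory map of path to file text so it can be exercised on the constructed `SAMPLE` below; `scan_tree()` loads a real directory the same way. File paths and contents in `SAMPLE` are constructed for the example.

```python
import os
from typing import Dict, List

# inetd service names that start rsh, rlogin and rexec, and the matching xinetd files.
INETD_R_SERVICES = {"shell", "login", "exec"}
XINETD_R_FILES = {"rsh", "rlogin", "rexec"}


def audit_files(files: Dict[str, str]) -> List[str]:
    """Report every place address-based trust is still configured.
    files maps a path to its text, so the check runs on constructed data too."""
    findings: List[str] = []
    for path, text in sorted(files.items()):
        base = os.path.basename(path)
        parent = os.path.basename(os.path.dirname(path))
        if base in (".rhosts", "hosts.equiv"):
            for n, line in enumerate(text.splitlines(), 1):
                entry = line.split("#", 1)[0].strip()
                if not entry:
                    continue
                # "+" as host or user is a wildcard: any host (or any user) is trusted.
                level = "CRITICAL" if "+" in entry.split() else "WARN"
                findings.append(f"{level} {path}:{n} trust entry '{entry}'")
        elif base == "inetd.conf":
            for n, line in enumerate(text.splitlines(), 1):
                s = line.strip()
                if s and not s.startswith("#") and s.split()[0] in INETD_R_SERVICES:
                    findings.append(f"CRITICAL {path}:{n} r* service enabled: '{s}'")
        elif parent == "xinetd.d" and base in XINETD_R_FILES:
            compact = "".join(text.split()).lower()  # tolerate "disable = yes" spacing
            if "disable=yes" not in compact:
                findings.append(f"CRITICAL {path} xinetd service not disabled")
    return findings


def scan_tree(root: str) -> List[str]:
    """Load the relevant files below root (e.g. '/' on a real host) and audit them."""
    files: Dict[str, str] = {}
    for d, _, names in os.walk(root):
        for name in names:
            if name in (".rhosts", "hosts.equiv", "inetd.conf") or os.path.basename(d) == "xinetd.d":
                p = os.path.join(d, name)
                try:
                    with open(p, encoding="utf-8", errors="replace") as fh:
                        files[p] = fh.read()
                except OSError:
                    continue
    return audit_files(files)


SAMPLE: Dict[str, str] = {  # constructed configuration fragments
    "/home/alice/.rhosts": "+ +\n",
    "/home/bob/.rhosts": "# only the build box\nbuild.example.net bob\n",
    "/etc/hosts.equiv": "+\n",
    "/etc/inetd.conf": ("#shell stream tcp nowait root /usr/sbin/tcpd in.rshd\n"
                        "login stream tcp nowait root /usr/sbin/tcpd in.rlogind\n"
                        "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"),
    "/etc/xinetd.d/rsh": "service shell\n{\n\tdisable = yes\n}\n",
    "/etc/xinetd.d/rlogin": "service login\n{\n\tdisable = no\n}\n",
}

if __name__ == "__main__":
    for finding in audit_files(SAMPLE):
        print(finding)
```

Even a WARN entry naming a specific host is still address-based trust, which is the whole problem the slide describes; the audit grades it lower only because a wildcard is worse, not because a named host is safe.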
Disable the ping Command
• The ping command has rare use
• Can be used to trigger a DoS attack by flooding the victim with ICMP packets
• This attack does not crash the victim, but consumes network bandwidth and system resources
• The victim fails to provide other services, and halts if it runs out of memory
DoS using Ping
Use Encryption
• Encrypt traffic, especially TCP/IP packets and Initial Sequence Numbers
• Kerberos is free, and is built into the OS
• Limit session time
• A digital signature can be used to identify the sender of a TCP/IP packet.
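The point of this slide is that a source address is a claim anyone can write, while a key is something only the real sender holds. The code below is an added example, not part of the slides, and uses an HMAC tag under a per-session key rather than a public-key signature or Kerberos; the session key, its lifetime and the message format are this example's own constructions. The sender's name sits inside the authenticated body, so swapping it breaks the tag; a message sealed under any other key is rejected; and two time limits implement "limit session time": the session itself expires, and each message is only accepted while fresh, so a captured message cannot simply be replayed later.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


def new_session(lifetime_s: int, now: float) -> dict:
    """A session key and expiry, standing in for what Kerberos would provision."""
    return {"id": secrets.token_hex(8), "key": secrets.token_bytes(32),
            "expires": now + lifetime_s}


def seal(session: dict, sender: str, payload: bytes, now: float) -> bytes:
    """Build message = body '.' hex(tag). The sender's name is inside the
    authenticated body, so it cannot be swapped without breaking the tag."""
    body = json.dumps({"sid": session["id"], "from": sender, "ts": int(now),
                       "payload": payload.hex()}, sort_keys=True).encode()
    tag = hmac.new(session["key"], body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def open_message(session: dict, message: bytes, now: float,
                 max_age_s: int = 60) -> Optional[dict]:
    """Return {'from', 'payload'} only for a genuine, fresh message of a live
    session; None otherwise. The packet's IP source address is never consulted."""
    try:
        body, tag = message.rsplit(b".", 1)
        expected = hmac.new(session["key"], body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None  # wrong key, or body altered in transit
        hdr = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    if hdr.get("sid") != session["id"] or now > session["expires"]:
        return None  # wrong or expired session (limit session time)
    if now - hdr.get("ts", 0) > max_age_s:
        return None  # stale: a captured message replayed later
    return {"from": hdr["from"], "payload": bytes.fromhex(hdr["payload"])}


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed scenario exercising each rejection path."""
    s = new_session(lifetime_s=300, now=now)
    genuine = seal(s, "trusted-host", b"ls /tmp", now)
    # Sealed under some other key, as anyone without s['key'] would have to do.
    other_key = seal(new_session(300, now), "trusted-host", b"ls /tmp", now)
    # Sender field rewritten in transit; json.dumps emits '"from": "trusted-host"'.
    altered = genuine.replace(b'"from": "trusted-host"', b'"from": "intruder"')
    return {
        "accepts_genuine": open_message(s, genuine, now + 5) is not None,
        "rejects_other_key": open_message(s, other_key, now + 5) is None,
        "rejects_altered_sender": open_message(s, altered, now + 5) is None,
        "rejects_stale_replay": open_message(s, genuine, now + 120) is None,
        "rejects_expired_session": open_message(s, genuine, now + 301) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The tag is checked before the JSON is parsed, so malformed input never reaches the parser unless it was produced by a holder of the key. Note that an HMAC proves membership of the session, not which of the two key holders sent the message; a true digital signature, as the slide mentions, is what distinguishes the two ends.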
Strengthen TCP/IP Protocol
• Use good random number generators to generate ISNs
• Shorten the time-out value for TCP/IP requests
• Increase the request queue size
• Cannot completely prevent the TCP/IP half-open-connection attack
• Can only buy more time, in the hope that the attack will be noticed.
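"Use good random number generators to generate ISNs" has a standard shape today: RFC 6528 computes ISN = M + F(localip, localport, remoteip, remoteport, secret) modulo 2^32, where M is a clock ticking every 4 microseconds and F is a keyed hash over the connection's four-tuple. The class below is an added example of that construction, not code from the slides or from any kernel; it uses HMAC-SHA-256 truncated to 32 bits where RFC 6528 names MD5, and the addresses and clock values in the tests are constructed. The properties to notice are that the same four-tuple at the same instant yields the same ISN (so retransmitted SYNs agree), the clock component advances monotonically (so a new connection's numbers stay ahead of old segments still in flight), and without the boot-time secret the per-connection offset cannot be derived from any other connection's ISN.

```python
import hashlib
import hmac
import secrets
import time


class IsnGenerator:
    """RFC 6528 style ISN: (4 µs clock + keyed hash of the four-tuple) mod 2^32."""

    TICKS_PER_SECOND = 250_000  # one tick per 4 µs

    def __init__(self, secret: bytes = None):
        # Drawn once at boot; never leaves the kernel (here: this object).
        self.secret = secret if secret is not None else secrets.token_bytes(32)

    @classmethod
    def clock(cls, now_s: float) -> int:
        """The M term: a monotone clock so successive ISNs move forward."""
        return int(now_s * cls.TICKS_PER_SECOND) & 0xFFFFFFFF

    def offset(self, laddr: str, lport: int, raddr: str, rport: int) -> int:
        """The F term: stable per four-tuple, unpredictable without the secret."""
        msg = f"{laddr}|{lport}|{raddr}|{rport}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def isn(self, laddr: str, lport: int, raddr: str, rport: int,
            now_s: float = None) -> int:
        now_s = time.time() if now_s is None else now_s
        return (self.clock(now_s) + self.offset(laddr, lport, raddr, rport)) & 0xFFFFFFFF


if __name__ == "__main__":
    gen = IsnGenerator()
    # Two connections from the same client one second apart: related by the clock
    # for the same four-tuple, unrelated across different ports.
    print(gen.isn("192.0.2.10", 80, "198.51.100.5", 40000, now_s=1000.0))
    print(gen.isn("192.0.2.10", 80, "198.51.100.5", 40000, now_s=1001.0))
    print(gen.isn("192.0.2.10", 80, "198.51.100.5", 40001, now_s=1000.0))
```

The other bullets on the slide are a capacity argument rather than code: the half-open queue holds a fixed number of entries, and with never-completing SYNs arriving at rate r and a time-out T, it is full once r·T exceeds the queue size. Shortening T and enlarging the queue move that threshold but cannot remove it, which is exactly why the slide says they only buy time.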
Firewall
• Limit traffic to the services that are offered
• Control access from within the network
• Free software: ipchains, iptables
• Commercial firewall software
• Packet filters: router with firewall built in
• Multiple layers of firewalls
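A border packet filter is where most of this deck's countermeasures become enforceable. The function below is an added example, not a rule set from the slides: it models the verdict a stateless filter of the ipchains era would give one packet, applying the slide's two rules (only offered services inbound, controlled access outbound) together with the source-address checks that specifically blunt spoofing, a packet arriving from outside must not carry an inside or private address, and a packet leaving must carry an inside address (ingress and egress filtering in the sense of RFC 2827 / BCP 38). It also drops directed broadcasts so the site cannot serve as a smurf amplifier. The prefix, interface names and service lists are this example's own assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Tuple

INSIDE = ip_network("192.0.2.0/24")  # constructed: the site's own prefix
BOGONS = [ip_network(n) for n in (   # sources that must never arrive from the Internet
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4")]
OFFERED = {("tcp", 25), ("tcp", 80), ("tcp", 443)}                 # services the site runs
OUTBOUND = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 53)}   # what inside hosts may start
EXT, INT = "ext0", "int0"


def decide(iface_in: str, proto: str, src: str, dst: str,
           dport: int = 0, flags: str = "") -> Tuple[str, str]:
    """Stateless verdict for one packet, default deny. Returns (verdict, reason)."""
    s, d = ip_address(src), ip_address(dst)
    tcp_flags = set(flags.split("+")) if flags else set()
    if iface_in == EXT:
        # Source-address sanity first: the IP layer does not check it, so we do.
        if s in INSIDE:
            return "DROP", "inside source address arriving from outside (spoofed)"
        if any(s in net for net in BOGONS):
            return "DROP", "private/reserved source address from outside (spoofed)"
        if d == INSIDE.broadcast_address:
            return "DROP", "directed broadcast (would make us a smurf amplifier)"
        if d not in INSIDE:
            return "DROP", "not addressed to this site"
        # Stateless "established" test: a TCP segment carrying ACK is taken to
        # belong to a connection an inside host started (a pure SYN is not).
        if proto == "tcp" and "ACK" in tcp_flags:
            return "ACCEPT", "reply to an inside-initiated connection"
        if (proto, dport) in OFFERED:
            return "ACCEPT", "offered service"
        return "DROP", "service not offered"
    if iface_in == INT:
        # Egress filtering: nothing leaves claiming an address we do not own.
        if s not in INSIDE:
            return "DROP", "non-inside source leaving the site (spoofed or misrouted)"
        if (proto, dport) in OUTBOUND:
            return "ACCEPT", "permitted outbound service"
        return "DROP", "outbound service not permitted"
    return "DROP", "unknown interface"


if __name__ == "__main__":
    samples = [  # constructed packets: (iface, proto, src, dst, dport, flags)
        (EXT, "tcp", "198.51.100.7", "192.0.2.10", 80, "SYN"),
        (EXT, "tcp", "192.0.2.5", "192.0.2.10", 80, "SYN"),
        (EXT, "udp", "10.1.2.3", "192.0.2.10", 53, ""),
        (EXT, "tcp", "198.51.100.7", "192.0.2.10", 23, "SYN"),
        (EXT, "tcp", "198.51.100.7", "192.0.2.10", 40000, "SYN+ACK"),
        (EXT, "icmp", "198.51.100.7", "192.0.2.255", 0, ""),
        (INT, "tcp", "192.0.2.5", "198.51.100.7", 443, "SYN"),
        (INT, "tcp", "203.0.113.9", "198.51.100.7", 80, "SYN"),
        (INT, "tcp", "192.0.2.5", "198.51.100.7", 6667, "SYN"),
    ]
    for pkt in samples:
        verdict, reason = decide(*pkt)
        print(f"{verdict:6} {pkt[0]} {pkt[1]} {pkt[2]} -> {pkt[3]}:{pkt[4]} {pkt[5]}  ({reason})")
```

The egress rule is the one most sites skip, and it is the one that protects everyone else: a host inside that has been compromised cannot then be used to send spoofed packets out. Being able to tell from its own logs that a spoofed packet originated inside the perimeter is also the only cheap form of the "IP trace-back" the later slide describes.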
Network Layout with Firewall
IP Trace-back
• Trace back as close to the attacker's location as possible
• Limited in reliability and efficiency
• Requires the cooperation of many other network operators along the routing path
• Generally does not receive much attention from network operators
Summary/Conclusion
• IP spoofing attacks are unavoidable.
• Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.
Questions / Answers