ip spoofing

IP Spoofing BY ASHISH KUMAR BT – IT UNDER GUIDANCE OF MRS.ASHA JYOTI

Upload: ashishitengg

Post on 21-Nov-2014

TRANSCRIPT

Page 1: IP Spoofing

IP Spoofing

BY

ASHISH KUMAR

BT – IT

UNDER GUIDANCE OF

MRS.ASHA JYOTI

Page 2: IP Spoofing

IP SPOOFING?

• IP Spoofing is a technique used to gain unauthorized access to computers.

– IP: Internet Protocol

– Spoofing: using somebody else’s information

• Exploits the trust relationships

• Intruder sends messages to a computer with an IP address of a trusted host.

Page 3: IP Spoofing

IP SPOOFING

Page 4: IP Spoofing

WHY IP SPOOFING IS EASY?

• Problem with the routers.

• Routers look at destination addresses only.

• Authentication based on source addresses only.

• Changing the source address field in the IP header is easy.

Page 5: IP Spoofing

IP SPOOFING STEPS

• Selecting a target host (the victim)

• Identify a host that the target “trusts”

• Disable the trusted host, sample the target’s TCP sequence

• The trusted host is impersonated and the ISN forged.

• Connection attempt to a service that only requires address-based authentication.

• If successfully connected, executes a simple command to leave a backdoor.

Page 6: IP Spoofing

Spoofing Attacks

Spoofing is classified into:

1. Non-blind spoofing:

This attack takes place when the attacker is on the same subnet as the target and can see the sequence and acknowledgement numbers of packets.

Page 7: IP Spoofing

CONTD…

2. Blind spoofing:

This attack may take place from outside, where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to sample sequence numbers, which was doable in older days.

Page 8: IP Spoofing

CONTD…

3. Denial of Service Attack:

IP spoofing is almost always used in denial of service (DoS) attacks, in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time.

Page 9: IP Spoofing

CONTD…

4. SMURF ATTACK:

Send an ICMP ping packet with a spoofed IP source address to a LAN, which will broadcast it to all hosts on the LAN.

Each host will send a reply packet to the spoofed IP address, leading to denial of service.

Page 10: IP Spoofing

CONTD…

5. Man-in-the-middle:

The attacker sniffs packets on the link between the two endpoints, and can therefore pretend to be one end of the connection.

Page 11: IP Spoofing

Detection of IP Spoofing

1. If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack.
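
The check on this slide, written out as an added example that is not part of the original presentation: it parses raw IPv4 headers and flags any packet seen on the external interface whose source and destination both fall inside the local prefixes. The prefixes, interface labels and sample packets are constructed assumptions.

```python
import ipaddress
import struct

# Assumption: prefixes that make up "your local domain" (constructed values).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def parse_ipv4_addrs(packet: bytes):
    """Return (src, dst) from a raw IPv4 header, or None if malformed."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst)

def is_local(addr) -> bool:
    return any(addr in net for net in LOCAL_NETS)

def spoof_suspects(captures):
    """captures: iterable of (interface_role, raw_packet). Flags packets on the
    external interface whose source AND destination are both local."""
    hits = []
    for role, raw in captures:
        addrs = parse_ipv4_addrs(raw)
        if role != "external" or addrs is None:
            continue
        src, dst = addrs
        if is_local(src) and is_local(dst):
            hits.append((str(src), str(dst)))
    return hits

def build_header(src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

# Constructed sample capture, not real traffic.
SAMPLE = [
    ("external", build_header("203.0.113.7", "192.0.2.10")),   # normal inbound
    ("external", build_header("192.0.2.25", "192.0.2.10")),    # local source seen outside
    ("internal", build_header("192.0.2.25", "198.51.100.4")),  # legitimate LAN traffic
    ("external", b"\x45\x00"),                                  # truncated, ignored
]

if __name__ == "__main__":
    for src, dst in spoof_suspects(SAMPLE):
        print(f"ALERT external interface: {src} -> {dst}")
```

The same condition, applied as a drop rule on the border router or firewall instead of an alert, is ingress filtering.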

Page 12: IP Spoofing

Detection of IP Spoofing

2. Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access.
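
The log comparison on this slide, as an added example that is not part of the original presentation: it takes accounting records merged from several internal hosts and reports every inbound remote access for which the apparent source host logged no matching outbound session. The one-line record format, host names and entries are constructed assumptions; real accounting logs need a parser of their own.

```python
from datetime import datetime, timedelta

def parse(line: str):
    """Parse 'ISO-time host direction peer user service' (constructed format)."""
    ts, host, direction, peer, user, service = line.split()
    return datetime.fromisoformat(ts), host, direction, peer, user, service

def unmatched_inbound(lines, skew=timedelta(seconds=30)):
    """Return inbound remote-access records for which the apparent source
    host logged no outbound session to the victim within `skew`."""
    records = [parse(l) for l in lines if l.strip()]
    outbound = [r for r in records if r[2] == "OUT"]
    suspects = []
    for ts, victim, direction, src, user, service in records:
        if direction != "IN":
            continue
        matched = any(
            o_host == src and o_peer == victim and o_svc == service
            and abs(o_ts - ts) <= skew
            for o_ts, o_host, _, o_peer, _, o_svc in outbound
        )
        if not matched:
            suspects.append((ts.isoformat(), victim, src, service))
    return suspects

# Constructed accounting records merged from three internal hosts.
SAMPLE_LOGS = """\
2014-11-20T10:00:05 hostA OUT hostB alice rlogin
2014-11-20T10:00:06 hostB IN hostA alice rlogin
2014-11-20T11:42:17 hostB IN hostC root rsh
2014-11-20T11:50:00 hostC OUT hostA bob rlogin
""".splitlines()

if __name__ == "__main__":
    for ts, victim, src, service in unmatched_inbound(SAMPLE_LOGS):
        print(f"{ts}: {victim} logged {service} from {src}, but {src} has no record of it")
```

The comparison is only as good as the clocks and the logs: hosts whose time differs by more than `skew` produce false positives, and a missing log from the apparent source host makes every session from it look unmatched.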

Page 13: IP Spoofing

IP-Spoofing Counter-measures

• No insecure authenticated services

• Disable commands like ping

• Use encryption

• Strengthen TCP/IP protocol

• Firewall

• IP trace back

Page 14: IP Spoofing

IP Trace-back

• To trace back as close to the attacker’s location as possible

• Limited in reliability and efficiency

• Require cooperation of many other network operators along the routing path

• Generally does not receive much attention from network operators

Page 15: IP Spoofing

Misconception of IP Spoofing

A common misconception is that "IP Spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth.

This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. However, IP spoofing is an integral part of many networks that do not need to see responses.

Page 16: IP Spoofing

IP-Spoofing Facts

• IP protocol is inherently weak

• Makes no assumption about sender/recipient

• Nodes on path do not check sender’s identity

• There is no way to completely eliminate IP spoofing

• Can only reduce the possibility of attack

Page 17: IP Spoofing

Applications

• Asymmetric routing (Splitting routing)

• SAT DSL

• NAT

• IP Masquerade

Page 18: IP Spoofing

ADVANTAGES

• Multiple Servers:

Sometimes you want to change where packets heading into your network will go. Frequently this is because you have only one IP address, but you want people to be able to get into the boxes behind the one with the `real' IP address.

Page 19: IP Spoofing

ADVANTAGES

• Transparent Proxying:

Sometimes you want to pretend that each packet which passes through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program which stands between your network and the outside world, shuffling communication between the two. The transparent part is because your network won't even know it's talking to a proxy, unless of course, the proxy doesn't work.

Page 20: IP Spoofing

DISADVANTAGES

• Blind to Replies:

A drawback to IP source address spoofing is that reply packets will go back to the spoofed IP address rather than to the attacker. This is fine for many types of attack packet. However, in the scanning attack, as we will see next, the attacker may need to see replies. In such cases, the attacker cannot use IP address spoofing.

Page 21: IP Spoofing

DISADVANTAGE

• Serial attack platforms:

However, the attacker can still maintain anonymity by taking over a chain of attack hosts. The attacker attacks the target victim using a point host, the last host in the attack chain. Even if authorities learn the point host’s identity, they might not be able to track the attack through the chain of attack hosts all the way back to the attacker’s base host.

Page 22: IP Spoofing

CONCLUSION

• IP spoofing attacks are unavoidable.

• Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.

Page 24: IP Spoofing

THANK YOU!