IP Spoofing (CS265)
TRANSCRIPT
1. IP Spoofing
- Bao Ho
- ToanTai Vu
- CS 265 - Security Engineering
- Spring 2003
- San Jose State University
2. Presentation Outline
- Introduction, Background
- Attacks with IP Spoofing
- Counter Measures
- Summary
3. IP Spoofing
- IP spoofing is a technique used to gain unauthorized access to computers.
- IP: Internet Protocol
- Spoofing: using somebody else's information
- Exploits trust relationships
- The intruder sends messages to a computer using the IP address of a host that computer trusts.
4. IP / TCP
- IP is connectionless, unreliable
- TCP is connection-oriented
- TCP/IP handshake:
- A -> B: SYN; my number is X
- B -> A: ACK; now X+1. SYN; my number is Y
- A -> B: ACK; now Y+1
5. A Blind Attack
- Host I (the intruder) cannot see what Host V (the victim) sends back
6. IP Spoofing Steps
- Select a target host (the victim)
- Identify a host that the target trusts
- Disable the trusted host and sample the target's TCP sequence numbers
- The trusted host is impersonated and the ISN is forged
- Attempt a connection to a service that only requires address-based authentication
- If the connection succeeds, execute a simple command to leave a backdoor
7. IP Spoofing Attacks
- Man in the middle
- Routing
- Flooding / Smurfing
8. Attacks
- Man-in-the-middle:
- The attacker sniffs packets on the link between the two endpoints and can therefore pretend to be one end of the connection.
9. Attacks
- Routing redirect: redirects routing information from the original host to the attacker's host.
- Source routing: the attacker redirects individual packets via the attacker's host.
10. Attacks
- Flooding: a SYN flood fills up the receive queue with connection requests from random source addresses.
- Smurfing: an ICMP packet spoofed to originate from the victim is sent to the broadcast address, causing all hosts on the network to respond to the victim at once.
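The SYN-flood bullet above, as an added detection example (not from the presentation): a tracker of half-open connections per port that flags a port when many distinct random sources have left SYNs uncompleted. The event list and the backlog/time-out values are constructed.

```python
"""Half-open (SYN without completing ACK) tracker for spotting a SYN flood.
Added example; the event format and values below are constructed."""
from collections import defaultdict

# Constructed events: (time_sec, flag, src_ip, dst_port).
# 'S' = SYN received, 'A' = the client's ACK completing the handshake.
EVENTS = [
    (0.0, "S", "198.51.100.7", 22), (0.1, "A", "198.51.100.7", 22),
] + [(1.0 + i * 0.01, "S", f"203.0.113.{i}", 80) for i in range(1, 41)]


def half_open_per_port(events, now, timeout=30.0):
    """Count SYNs per port that were never completed and have not timed out.
    Returns (counts per port, set of sources per port)."""
    pending = {}  # (src, port) -> time the SYN arrived
    for t, flag, src, port in events:
        if flag == "S":
            pending[(src, port)] = t
        elif flag == "A":
            pending.pop((src, port), None)   # handshake finished, not half-open
    counts = defaultdict(int)
    sources = defaultdict(set)
    for (src, port), t in pending.items():
        if now - t < timeout:                # still occupying a backlog slot
            counts[port] += 1
            sources[port].add(src)
    return counts, sources


def syn_flood_alerts(events, now, backlog=32, timeout=30.0):
    """Ports whose half-open count has reached the backlog size, with the
    entries spread across many sources (the random-source signature)."""
    counts, sources = half_open_per_port(events, now, timeout)
    return sorted(port for port, n in counts.items()
                  if n >= backlog and len(sources[port]) >= backlog // 2)
```

Calling `syn_flood_alerts(EVENTS, now=2.0, timeout=0.5)` returns nothing: a shorter time-out empties the queue faster, which is the relief slide 17 describes, not a cure.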
11. IP-Spoofing Facts
- IP protocol is inherently weak
- Makes no assumption about sender/recipient
- Nodes on the path do not check the sender's identity
- There is no way to completely eliminate IP spoofing
- Can only reduce the possibility of attack
12. IP-Spoofing Counter-measures
- No insecure authenticated services
- Disable commands like ping
- Use encryption
- Strengthen TCP/IP protocol
- Firewall
- IP traceback
13. No insecure authenticated services
- r* services are hostname-based or IP-based
- Use more secure alternatives, e.g., ssh
- Remove the binary files
- Disable them in inetd / xinetd
- Clean up .rhosts files and /etc/hosts.equiv
- Avoid applications with hostname/IP-based authentication where possible
14. Disable ping command
- The ping command is rarely needed
- It can be used to trigger a DoS attack by flooding the victim with ICMP packets
- This attack does not crash the victim, but consumes network bandwidth and system resources
- The victim fails to provide other services, and halts if it runs out of memory
15. DoS using Ping
- [Figure: DoS using ping]
16. Use Encryption
- Encrypt traffic, especially TCP/IP packets and Initial Sequence Numbers
- Kerberos is free, and is built into the OS
- Limit session time
- Digital signature can be used to identify the sender of the TCP/IP packet.
17. Strengthen TCP/IP protocol
- Use good random number generators to generate ISNs
- Shorten the time-out value for TCP connection requests
- Increase the request queue size
- This cannot completely prevent the TCP half-open-connection attack
- It can only buy more time, in the hope that the attack will be noticed
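The handshake of slides 4 and 5 and the ISN advice of slide 17, as an added Python model (not the presenters' code): a fixed-step counter generator beside an RFC 1948/6528-style keyed-hash generator, the three segments with their X+1 and Y+1 acknowledgements, and a check a defender can run over sampled ISNs. The step size, secret and addresses are assumptions.

```python
"""Three-way handshake with two ISN generators and a predictability check.
Added example; the step, secret and 4-tuples are constructed."""
import hashlib
import hmac
import os
import time

MOD = 2 ** 32


class CounterISN:
    """Old-style generator: the ISN advances by a fixed step per connection."""
    def __init__(self, step=64000):
        self.isn, self.step = 0, step

    def next_isn(self, *_):
        self.isn = (self.isn + self.step) % MOD
        return self.isn


class HashedISN:
    """RFC 1948/6528 style: ISN = M + F(local, remote, secret),
    M = clock in 4-microsecond ticks, F = keyed hash of the 4-tuple."""
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)

    def next_isn(self, local, remote):
        m = int(time.monotonic() * 250_000) % MOD
        f = hmac.new(self.secret, f"{local}|{remote}".encode(), hashlib.sha256).digest()
        return (m + int.from_bytes(f[:4], "big")) % MOD


def handshake(isn_a, isn_b):
    """The three segments: A->B SYN (X), B->A SYN/ACK (Y, X+1), A->B ACK (Y+1).
    Each tuple is (direction, flags, seq, ack)."""
    return [("A->B", "SYN", isn_a, None),
            ("B->A", "SYN/ACK", isn_b, (isn_a + 1) % MOD),
            ("A->B", "ACK", (isn_a + 1) % MOD, (isn_b + 1) % MOD)]


def isn_looks_predictable(samples):
    """Defender check: if consecutive ISNs from a host differ by a constant,
    a blind attacker who cannot see B's SYN/ACK could still forge Y+1."""
    deltas = {(b - a) % MOD for a, b in zip(samples, samples[1:])}
    return len(samples) >= 3 and len(deltas) == 1
```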
18. Firewall
- Limit traffic to services that are offered
- Control access from within the network
- Free software: ipchains, iptables
- Commercial firewall software
- Packet filters: router with firewall built-in
- Multiple layers of firewalls
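The packet-filter bullets above, as an added example (not the presentation's own rules): the filtering decisions a border router can make against spoofed sources, in Python rather than ipchains/iptables syntax so they can be tested offline. The internal prefix, interface names and sample packets are constructed.

```python
"""Anti-spoofing packet-filter decisions at the network border.
Added example; the site prefix, interfaces and sample packets are constructed."""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")  # constructed: the site's own address block
NEVER_FROM_OUTSIDE = [                  # private and loopback ranges
    ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8"),
]


def filter_verdict(iface, src, dst, proto="tcp", icmp_type=None):
    """Return 'ACCEPT' or 'DROP: <reason>' for one packet seen on iface,
    where iface is 'ext' (Internet side) or 'int' (LAN side)."""
    src, dst = ip_address(src), ip_address(dst)
    if iface == "ext":
        # Ingress: nobody outside may claim one of our addresses.
        if src in INTERNAL:
            return "DROP: own prefix as source arriving from outside (spoofed)"
        if any(src in net for net in NEVER_FROM_OUTSIDE):
            return "DROP: private/loopback source from outside"
        # Echo request to our broadcast address is the smurf amplifier pattern.
        if proto == "icmp" and icmp_type == 8 and dst == INTERNAL.broadcast_address:
            return "DROP: echo request to broadcast (smurf amplification)"
    else:
        # Egress: packets leaving us must carry one of our addresses.
        if src not in INTERNAL:
            return "DROP: foreign source leaving our network (egress spoof)"
    return "ACCEPT"


# Constructed sample packets: (iface, src, dst, proto, icmp_type)
SAMPLE = [
    ("ext", "198.51.100.9", "192.0.2.10", "tcp", None),    # normal inbound
    ("ext", "192.0.2.10", "192.0.2.20", "tcp", None),      # spoofed internal src
    ("ext", "203.0.113.5", "192.0.2.255", "icmp", 8),      # smurf probe
    ("int", "10.9.9.9", "198.51.100.9", "tcp", None),      # spoofed outbound
    ("int", "192.0.2.20", "198.51.100.9", "icmp", 8),      # normal outbound ping
]


def apply_filter(packets=SAMPLE):
    """Verdict for every packet, in order."""
    return [filter_verdict(*p) for p in packets]
```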
19. Network layout with Firewall
- [Figure: network layout with firewall]
20. IP Trace-back
- Trace back as close to the attacker's location as possible
- Limited in reliability and efficiency
- Requires the cooperation of many other network operators along the routing path
- Generally does not receive much attention from network operators
21. Summary/Conclusion
- IP spoofing attacks are unavoidable.
- Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.
23. Questions / Answers