IP SPOOFING
1. IP SPOOFING: Attacks & Defences. By PRASAD R RAO
2. Outline: Introduction; IP Spoofing attacks; IP Spoofing defences; Conclusion
3. Introduction
4. Types of spoofing. IP spoofing: Attacker uses IP address of another computer to acquire information or gain access. Email spoofing: Attacker sends email but makes it appear to come from someone else. Web spoofing: Attacker tricks web browser into communicating with a different web server than the user intended.
5. IP Spoofing. IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the header. Routers use the destination IP address to forward packets, but ignore the source IP address. The source IP address is used only by the destination machine, when it responds back to the source. When an attacker spoofs someone's IP address, the victim's reply goes back to that address.
6. Since the attacker does not receive packets back, this is called a one-way attack or blind spoofing. To see the return packets, the attacker must intercept them.
7. IP Spoofing Attacks: Blind IP Spoofing; Man in the middle attack; Source routing; ICMP attacks; UDP attacks; TCP attacks
8. Blind IP Spoofing. Usually the attacker does not have access to the reply and abuses a trust relationship between hosts. For example: Host C sends an IP datagram with the address of some other host (Host A) as the source address to Host B. The attacked host (B) replies to the legitimate host (A).
9. Blind IP spoofing
10. Man in the middle attack. If an attacker controls a gateway that is in the delivery route, he can: sniff the traffic; intercept the traffic; modify traffic. This is not easy on the Internet because of hop-by-hop routing, unless source routing is used.
12. Source routing. Source routing is one of the IP options that allows the specification of an IP address that should be on the route for the packet delivery. This allows someone to use a spoofed return address, and still see the traffic by placing his machine in the path.
13. Types of source routing. Loose source routing (LSR): The sender specifies a list of some IP addresses that a packet must go through (it might go through more). Strict source routing (SSR): The sender specifies the exact path a packet must take (if it is not possible, the packet is dropped).
14. An attacker sends a packet to the destination with a spoofed address but specifies LSR and puts his IP address in the list. An attacker could use source routing to learn more about a network that he or she is targeting for attack. The best way to protect against source routing spoofing is to simply disable source routing at your routers.
15. ICMP Echo Attacks. Map the hosts of a network: The attacker sends ICMP echo datagrams to all the hosts in a subnet, then he collects the replies and determines which hosts are alive. Denial of service attack (SMURF attack): The attacker sends spoofed (with the victim's IP address) ICMP Echo Requests to subnets; the victim will get ICMP Echo Replies from every machine.
17. ICMP Redirect attacks. ICMP redirect messages can be used to re-route traffic on specific routes or to a specific host that is not a router at all. The ICMP redirect attack is very simple: just send a spoofed ICMP redirect message that appears to come from the host's default gateway.
19. After ICMP redirect attack
20. UDP attacks. UDP is a connectionless protocol. There is no error checking or guaranteed delivery. UDP packets are very simple and are mainly used for low-overhead protocols. TCP is connection oriented and the TCP connection setup sequence number is hard to predict. UDP traffic is more vulnerable to IP spoofing than TCP.
22. TCP Attacks. The attack aims at impersonating another host, mostly during the TCP connection establishment phase.
To spoof a TCP connection, the hacker needs to know which algorithm the server uses to generate its initial sequence number. The hacker needs this to supply the correct number in its final ACK message confirming the connection and in all subsequent data packets.
24. IP Spoofing defences. Don't rely on IP-based authentication. Use router filters to prevent packets from entering your network if they have a source address from inside it. Use router filters to prevent packets from leaving your network if they have a source address from outside it.
25. Use random initial sequence numbers. Prevents SN prediction.
26. CONCLUSION. IP spoofing is less of a threat today due to the use of random sequence numbering. Many security experts are predicting a shift from IP spoofing attacks to application-related spoofing. Sendmail is one example that, when not properly configured, allows anyone to send mail as email@example.com.
27. Thanks!