ipspoofingseminarreport-111014111833-phpapp02

7/25/2019 ipspoofingseminarreport-111014111833-phpapp02

1/25

IP Spoofing 09IT054

Acknowledgement

It gives me immense pleasure in presenting seminar onIP Spoofing. I would

like to acknowledge the contribution of certain distinguished people without their

support and guidance this seminar would not have been concluded.

!irst of all I thank "od the almight# for blessing me in making m# seminar a

successful one. I hereb# wish to e$press m# gratitude to our principal Dr.

Jayeshkumar S. Patel for providing us all facilities. I also e$press m# sincere

gratitude toMs. Khyati Shah %ead of &epartment of Information Technolog# for her

guidance and support to shape this seminar in a s#stematic wa#. I am also greatl#

indebted to Ms. Bijal Selarka 'sst. Professor of (.). * I.T. &epartment for her

valuable suggestions in the preparation of the seminar. In addition I would like to

thank all staff members of (.). * I.T. &epartment and all m# friends of IT for their

suggestions and constructive criticism.

Rahul M Polara

Abstract

&epartment of Information Technolog# + ,I)-


2/25

IP Spoofing 09IT054

IP spoofing is a method of attacking a network in order to gain unauthori/ed access.

The attack is based on the fact that Internet communication between distant computers

is routinel# handled b# routers which find the best route b# e$amining the destinationaddress but generall# ignore the origination address. The origination address is onl#

used b# the destination machine when it responds back to the source.

In a spoofing attack the intruder sends messages to a computer indicating that the

message has come from a trusted s#stem. To be successful the intruder must first

determine the IP address of a trusted s#stem and then modif# the packet headers to

that it appears that the packets are coming from the trusted s#stem.

In essence the attacker is fooling spoofing1 the distant computer into believing that

the# are a legitimate member of the network. The goal of the attack is to establish a

connection that will allow the attacker to gain root access to the host allowing the

creation of a backdoor entr# path into the target s#stem.

&epartment of Information Technolog# + ,I)- 2


3/25

IP Spoofing 09IT054

Index

. Introduction to IP Spoofing

2. 3rief %istor# of IP Spoofing

. T(P*IP P-T(6 S7IT)

. Internet Protocol

.2 Transmission (ontrol Protocol

. (onse8uences of the T(P*IP &esign

4. Spoofing 'ttacks

4. itnick 'ttack

4.2 Session %i:ack 4. &os 'ttack

4.4 ;on 3lind 'ttack

4.5 3lind 'ttack

5. echanism of the 'ttack


4/25

IP Spoofing 09IT054



5/25

IP Spoofing 09IT054

1. INTRODUTION

(riminals have long emplo#ed the tactic of masking their true identit# from

disguises to aliases to caller>id blocking. It should come as no surprise then that

criminals who conduct their nefarious activities on networks and computers should

emplo# such techni8ues. IP spoofing is one of the most common forms of on>line

camouflage. In IP spoofing an attacker gains unauthori/ed access to a computer or

a network b# making it appear that a malicious message has come from a trusted

machine b# ?spoofing@ the IP address of that machine. In the subse8uent pages of

this report we will e$amine the concepts of IP spoofingA wh# it is possible how it

works what it is used for and how to defend against it.



6/25

IP Spoofing 09IT054

!. "r#e$ h#stor% o$ IP &'oo$#ng

The concept of IP spoofing was initiall# discussed in academic circles in

the 9B0Cs. In the 'pril 9B9 article entitledA ?Securit# Problems in the T(P*IP

Protocol Suite@ author S. 3ellovin of 'T D T 3ell labs was among the first to

identif# IP spoofing as a real risk to computer networks. 3ellovin describes how

-obert orris creator of the now infamous Internet Eorm figured out how T(P

created se8uence numbers and forged a T(P packet se8uence. This T(P packet

included the destination address of his ?victim@ and using an IP spoofing attack

orris was able to obtain root access to his targeted s#stem without a 7ser I& or

password. 'nother infamous attack Fevin itnickCs (hristmas &a# crack of

Tsutomu ShimomuraCs machine emplo#ed the IP spoofing and T(P se8uence

prediction techni8ues. Ehile the popularit# of such cracks has decreased due to

the demise of the services the# e$ploited spoofing can still be used and needs to

be addressed b# all securit# administrators. ' common misconception is that GIP

spoofingG can be used to hide #our IP address while surfing the Internet chatting

on>line sending e>mail and so forth. This is generall# not true. !orging the

source IP address causes the responses to be misdirected meaning #ou cannot

create a normal network connection. %owever IP spoofing is an integral part of

man# network attacks that do not need to see responses blind spoofing1.



7/25

IP Spoofing 09IT054

(. TP)IP PROTOO* &UIT+

IP Spoofing e$ploits the flaws in T(P*IP protocol suite. In order to

completel# understand how these attacks can take place one must e$amine the

structure of the T(P*IP protocol suite. ' basic understanding of these headers

and network e$changes is crucial to the process.

(.1 Internet Protocol , IP

The Internet Protocol or IP as it generall# known1 is the network la#er of the

Internet. IP provides a connection>less service. The :ob of IP is to route and send a

packet to the packetCs destination. IP provides no guarantee whatsoever for the

packets it tries to deliver. The IP packets are usuall# termed datagrams. The datagrams

go through a series of routers before the# reach the destination. 't each node that the

datagram passes through the node determines the ne$t hop for the datagram and

routes it to the ne$t hop. Since the network is d#namic it is possible that two

datagrams from the same source take different paths to make it to the destination.

Since the network has variable dela#s it is not guaranteed that the datagrams will be

received in se8uence. IP onl# tries for a best>effort deliver#. It does not take care of

lost packetsH this is left to the higher la#er protocols. There is no state maintained

between two datagramsH in other words IP is connection>less

T#e IP $eade" is s#o%n a&ove. T#e 'e"sion is cu""entl( set to 4.

In o"de" to distinguis# it !"o) t#e ne% ve"sion IPv*+ IP is also "e!e""ed

to as IPv4. T#e sou"ce add"ess and t#e destination add"ess a"e 4,&(te

Inte"net add"esses. T#e -ptions feld contains va"ious options suc# as

sou"ce &ased "outing+ and "eco"d "oute. T#e sou"ce &ased "outing

allo%s t#e sende" to speci!( t#e pat# t#e datag"a) s#ould tae to

"eac# t#e destination. eco"d "oute allo%s t#e sende" to "eco"d t#e

"oute t#e datag"a) is taing. one o! t#e IP felds a"e enc"(pted and

t#e"e no aut#entication. It %ould &e et"e)el( eas( to set an a"&it"a"(

destination add"ess o" t#e sou"ce add"ess2+ and IP %ould send t#e

datag"a). T#e destination #as no %a( o! asce"taining t#e !act t#at

&epartment of Information Technolog# + ,I)- =


8/25

IP Spoofing 09IT054

t#e datag"a) actuall( o"iginated !"o) an IP add"ess ot#e" t#an t#e

one in t#e sou"ce add"ess feld. It is eas( to see %#( an(

aut#entication sc#e)e &ased on IP,add"esses %ould !ail.

(.! Transm#ss#on ontrol Protocol , TP

IP can be thought of as a routing wrapper for la#er 4 transport1 which

contains the Transmission (ontrol Protocol T(P1. 7nlike IP T(P uses a

connection>oriented design. This means that the participants in a T(P session

must first build a connection > via the >wa# handshake S;>S;*'(F>'(F1

> then update one another on progress > via se8uences and acknowledgements.

This ?conversation@ ensures data reliabilit# since the sender receives an F

from the recipient after each packete$change.

's #ou can see above a T(P header is ver# different from an IP header. Ee are

concerned with the first 2 b#tes of the T(P packet which contain port and

se8uencing information. uch like an IP datagram T(P packets can be

manipulated using software. The source and destination ports normall# depend

on the network application in use for e$ample %TTP via port B01. EhatCs

important for our understanding of spoofing are the se8uence and

acknowledgement numbers. The data contained in these fields ensures packet

deliver# b# determining whether or not a packet needs to be resent. The

se8uence number is the number of the first b#te in the current packet which is

relevant to the data stream. The acknowledgement number in turn contains the

value of the ne$t e$pected se8uence number in the stream. This relationship

confirms on both ends that the proper packets were received. ItJs 8uite different

than IP since transaction state is closel# monitored.

(.( onse-uences o$ the TP)IP Des#gn

;ow that we have an overview of the T(P*IP formats letCs e$amine the

conse8uences. bviousl# itCs ver# eas# to mask a source address b#

manipulating an IP header. This techni8ue is used for obvious reasons and is

emplo#ed in several of the attacks discussed below. 'nother conse8uence

&epartment of Information Technolog# + ,I)- B
http://www.faqs.org/rfcs/rfc793.htmlhttp://www.faqs.org/rfcs/rfc793.html


9/25

IP Spoofing 09IT054

specific to T(P is se8uence number prediction which can lead to session

hi:ackingor host impersonating. This method builds on IP spoofing since a

session albeit a false one is built. Ee will e$amine the ramifications of this in

the attacks discussed below.

http://www.owasp.org/asac/auth-session/hijack.shtmlhttp://www.owasp.org/asac/auth-session/hijack.shtmlhttp://www.owasp.org/asac/auth-session/hijack.shtmlhttp://www.owasp.org/asac/auth-session/hijack.shtml


10/25

IP Spoofing 09IT054

. &POO/IN0 ATTA&

There are a few variations on the t#pes of attacks that successfull#

emplo# IP spoofing. 'lthough some are relativel# dated others are ver#

pertinent to current securit# concerns. IP>spoofing consists of several steps

which I will briefl# outline here then e$plain in detail. !irst the target host is

chosen. ;e$t a pattern of trust is discovered along with a trusted host. The

trusted host is then disabled and the targetCs T(P se8uence numbers are

sampled. The trusted host is impersonated the se8uence numbers guessed and a

connection attempt is made to a service that onl# re8uires address>based

authentication. If successful the attacker e$ecutes a simple command to leave a

backdoor.

.1 M#tn#ck Attack

itnick 'ttack err# K>masL itnick hacks a &iskless Eorkstation on

&ecember 25th 994 The victim + Tsutomu Shinomura The attack + IP spoofing

and abuse of trust relationships between a diskless terminal and login serve .! &ess#on 2#3ack

Session %i:ack 'lice 3ob )ve IJm 3obL IJm 'liceL . )ve assumes a man>in>the>

middle position through some mechanism. !or e$ample )ve could use 'rc

Poisoning social engineering router hacking etc... 2. )ve can monitor traffic

between 'lice and 3ob without altering the packets or se8uence numbers. . 't

an# point )ve can assume the identit# of either 3ob or 'lice through the Spoofed

IP address. This breaks the pseudo connection as )ve will start modif#ing the

se8uence numbers

.( Dos Attack

&oS 'ttack &enial of Service &oS1 attack aimed at preventing clients from

accessing a service. IP Spoofing can be used to create &oS attacks

&oS 'ttack Server 'ttacker 6egitimate 7sers Interweb !ake IPs Service -e8uests

!lood of -e8uests from 'ttacker Server 8ueue full legitimate re8uests get

dropped Service -e8uests

&oS 'ttack The attacker spoofs a large number of re8uests from various IP

addresses to fill Services 8ueue. Eith the services 8ueue filled legitimate userJs



11/25

IP Spoofing 09IT054

cannot use the service. &oS becomes more dangerous if spread to multiple

computers.

. Non4"l#nd &'oo$#ng

This t#pe of attack takes place when the attacker is on the same subnet

as the victim. The se8uence and acknowledgement numbers can be sniffed

eliminating the potential difficult# of calculating them accuratel#. The biggest

threat of spoofing in this instance would be session hi:acking. This is

accomplished b# corrupting the data stream of an established connection then

re>establishing it based on correct se8uence and acknowledgement numbers withthe attack machine. 7sing this techni8ue an attacker could effectivel# b#pass

an# authentication measures taken place to build the connection.

.5 "l#nd &'oo$#ng

This is a more sophisticated attack because the se8uence and

acknowledgement numbers are unreachable. In order to circumvent this several

packets are sent to the target machine in order to sample se8uence numbers.

Ehile not the case toda# machines in the past used basic techni8ues for

generating se8uence numbers. It was relativel# eas# to discover the e$act

formula b# stud#ing packets and T(P sessions. Toda# most Ses implement

random se8uence number generation making it difficult to predict them

accuratel#. If however the se8uence number was compromised data could be

sent to the target. Several #ears ago man# machines used host>based

authentication services i.e. -login1. ' properl# crafted attack could add the

re8uisite data to a s#stem i.e. a new user account1 blindl# enabling full access

for the attacker who was impersonating a trusted host.

http://www.webopedia.com/TERM/s/subnet.htmlhttp://www.webopedia.com/TERM/s/subnet.html


12/25

IP Spoofing 09IT054

/#g. "l#nd &'oo$#ng

3suall( t#e attace" does not #ave access to t#e "epl(+ and

a&uses t"ust "elations#ip &et%een #osts. o" ea)ple5

$ost C sends an IP datag"a) %it# t#e add"ess o! so)e ot#e"

#ost $ost A2 as t#e sou"ce add"ess to $ost 6. Attaced #ost 62

"eplies to t#e legiti)ate #ost A2



13/25

IP Spoofing 09IT054

5. M+2ANI&M O/ T2+ ATTA

"enerall# the attack is made from the root account on the attacking host

against the root account on the target. If the attacker is going to all this trouble

it would be stupid not to go for root. Since root access is needed to wage the

attack this should not be an issue.1

ne often overlooked but critical factor in IP>spoofing is the fact that

the attack is blind. The attacker is going to be taking over the identit# of a

trusted host in order to subvert the securit# of the target host. The trusted host is

disabled using the method described below. 's far as the target knows it is

carr#ing on a conversation with a trusted pal. In realit# the attacker is sitting off

in some dark corner of the Internet forging packets purportedl# from this trusted



14/25

IP Spoofing 09IT054

host while it is locked up in a denial of service battle. The IP datagrams sent

with the forged IP>address reach the target fine recall that IP is a connectionless>

oriented protocol>> each datagram is sent without regard for the other end1 but

the datagrams the target sends back destined for the trusted host1 end up in the

bit>bucket. The attacker never sees them. The intervening routers know where

the datagrams are supposed to go. The# are supposed to go the trusted host. 's

far as the network la#er is concerned this is where the# originall# came from

and this is where responses should go. f course once the datagrams are routed

there and the information is demultiple$ed up the protocol stack and reaches

T(P it is discarded the trusted hostCs T(P cannot respond>> see below1. So the

attacker has to be smart and MknowM what was sent and MknowM what reponse

the server is looking for. The attacker cannot see what the target host sends but

she can MpredictM what it will sendH that coupled with the knowledge of what it

MwillM send allows the attacker to work around this blindness.

'fter a target is chosen the attacker must determine the patterns of trust

for the sake of argument we are going to assume the target host MdoesM in fact

trust somebod#. If it didnCt the attack would end here1. !iguring out who a host

trusts ma# or ma# not be eas#. ' Cshowmount >eC ma# show where file s#stems

are e$ported and rpcinfo can give out valuable information as well. If enough

background information is known about the host it should not be too difficult. If

all else fails tr#ing neighboring IP addresses in a brute force effort ma# be a

viable option.



15/25

IP Spoofing 09IT054

6. METHODS TO PREVENT IP

SPOOFING ATTACK

6.1 Packet flterin

T#e "oute" t#at connects a net%o" to anot#e" net%o" is no%n as a

&o"de" "oute". -ne %a( to )itigate t#e t#"eat o! IP spoofng is &(

inspecting pacets %#en t#e( t#e leave and ente" a net%o" looing !o"

invalid sou"ce IP add"esses. I! t#is t(pe o! flte"ing %e"e pe"!o")ed on all

&o"de" "oute"s+ IP add"ess spoofng %ould &e g"eatl( "educed. g"ess

flte"ing c#ecs t#e sou"ce IP add"ess o! pacets to ensu"e t#e( co)e !"o)

a valid IP add"ess "ange %it#in t#e inte"nal net%o". #en t#e "oute"

"eceives a pacet t#at contains an invalid sou"ce add"ess+ t#e pacet is

si)pl( disca"ded and does not leave t#e net%o" &ounda"(. Ing"ess

flte"ing c#ecs t#e sou"ce IP add"ess o! pacets t#at ente" t#e net%o" to

ensu"e t#e( do not co)e !"o) sou"ces t#at a"e not pe")itted to access

t#e net%o". At a )ini)u)+ all p"ivate+ "ese"ved+ and inte"nal IP add"esses

s#ould &e disca"ded &( t#e "oute" and not allo%ed to ente" t#e net%o"

6.! /#lter#ng at the Router

If #our site has a direct connection to the Internet #ou can use #our router to help

#ou out. !irst make sure onl# hosts on #our internal 6'; can participate in trust>

relationships no internal host should trust a host outside the 6';1. Then simpl#

filter out MallM traffic from the outside the Internet1 that purports to come from the

inside the 6';1.

Implementing ingress and egress filtering on #our border routers is a

great place to start #our spoofing defense. ou will need to implement an '(6

access control list1 that blocks private IP addresses on #our downstream

interface. 'dditionall# this interface should not accept addresses with #our

internal range as the source as this is a common spoofing techni8ue used tocircumvent firewalls. n the upstream interface #ou should restrict source



16/25

IP Spoofing 09IT054

addresses outside of #our valid range which will prevent someone on #our

network from sending spoofed traffic to the Internet.

6.( +ncr%'t#on and Authent#cat#on

Implementing encr#ption and authentication will also reduce spoofing

threats. 3oth of these features are included in Ipvspoofing is to re8uire all network traffic

to be encr#pted and*or authenticated. Ehile several solutions e$ist it will be a

while before such measures are deplo#ed as defacto standards.



17/25

IP Spoofing 09IT054

7 . APP*IATION& O/ IP &POO/IN0

7.1 As%mmetr#c rout#ng 8&'l#tt#ng rout#ng9

As())et"ic "outing )eans t"ac goes ove" di:e"ent

inte"!aces !o" di"ections in and out. In ot#e" %o"ds+ as())et"ic

"outing is %#en t#e "esponse to a pacet !ollo%s a di:e"ent pat# !"o)

one #ost to anot#e" t#an t#e o"iginal pacet did. T#e )o"e co""ect and

)o"e gene"al ans%e" is+ !o" an( sou"ce IP add"ess ;A; and destination

;6;+ t#e pat# !ollo%ed &( an( pacet "e


18/25

IP Spoofing 09IT054

Fi. Satellite DS%

T#e advantage o! a satellite net%o" is to p"ovide #ig#

&and%idt# se"vices independent o! t#e use"s location ove" a %ide

geog"ap#ical a"ea. A satellite net%o" consists o! t%o t(pes o!

stations5 !eeds and "eceive"s. ve"( "eceive" #as a satellite dis#

connected to a use" station. T#e use" station #as an et"a inte"!ace+

DS= )ode) connected to t#e ISP+ t#is is called "etu"n c#annel. All

"e


19/25

IP Spoofing 09IT054

Fi. Tra&c Pat' "( Satellite DS%

7.( NAT

AT is net%o" add"ess t"anslation.

o")all(+ pacets on a net%o" t"avel !"o) t#ei" sou"ce to t#ei"

destination t#"oug# )an( di:e"ent lins. one o! t#ese lins "eall(

alte" (ou" pacet+ t#e( >ust send it on%a"d. I! one o! t#ese lins %e"e

to do AT+ t#en t#e( %ould alte" t#e sou"ce o" destinations o! t#e

pacet as it passes t#"oug#. 3suall( t#e lin doing AT %ill "e)e)&e"

#o% it )angled a pacet+ and %#en a "epl( pacet passes t#"oug# t#e

ot#e" %a(+ it %ill do t#e "eve"se )angling on t#at "epl( pacet+ so

eve"(t#ing %o"s.



20/25

IP Spoofing 09IT054

7.. TP and IP s'oo$#ng Tools

1 enda$ for 6inu$

enda$ is an eas#>to>use tool for T(P se8uence number prediction

and rshd spoofing.21 spoofit.h

spoofit.h is a nicel# commented librar# for including IP spoofing

functionalit# into #our programs.

1 ipspoof

ipspoofis a T(P and IP spoofing utilit#.

41 hunt

huntis a sniffer which also offers man# spoofing functions.

51 dsniff

dsniff is a collection of tools for network auditing and penetration

testing. dsniff filesnarf mailsnarf msgsnarf urlsnarf and websp#

passivel# monitor a network for interesting data passwords e>mail

files etc.1. arpspoof dnsspoof and macof facilitate the interception

of network traffic.

http://rootshell.com/archive-j457nxiqi3gq59dv/199711/mendax_linux.tgzhttp://rootshell.com/archive-j457nxiqi3gq59dv/199711/mendax_linux.tgzhttp://air.csc.ncsu.edu/xzhao/docs/DogPack/spoofers/sp/spoofit.hhttp://www.ryanspc.com/spoof/ipspoof.chttp://www.ryanspc.com/sniffers/hunt-1.3.tgzhttp://www.monkey.org/~dugsong/dsniff/http://rootshell.com/archive-j457nxiqi3gq59dv/199711/mendax_linux.tgzhttp://air.csc.ncsu.edu/xzhao/docs/DogPack/spoofers/sp/spoofit.hhttp://www.ryanspc.com/spoof/ipspoof.chttp://www.ryanspc.com/sniffers/hunt-1.3.tgzhttp://www.monkey.org/~dugsong/dsniff/


21/25

IP Spoofing 09IT054

:. Ad;antages

!reedom of spoofing. The attacker is not bounded b# a specific range of IPs.

;o wasted or unneeded initiated packets. The attacker sends one T(P*7&Ppacket per

port.;o tracing of the original scanner. &etection of the scanning machine

isimpossible at the IP la#er.



22/25

IP Spoofing 09IT054


23/25

IP Spoofing 09IT054

1=. onclus#on

IP spoofng is less o! a t#"eat toda( due to t#e patc#es to t#e

3ni -pe"ating s(ste) and t#e %idesp"ead use o! "ando)se


24/25

IP Spoofing 09IT054

11. Re$erence

!ollowing the Nourne# of a Spoofed Packet

http://www.scs.carleton.ca/~dlwhyte/whytepapers/ipspoof.htm

;'T and ;etworks

http://www.suse.de/~mha/linux-ip-nat/diplom/node4.html

's#mmetric routing > Nani 6akkakorpi

http://keskus.hut.fi/tutkimus/ipana/paperit/QoSR/S1!-QoSR-

asymmetric.pdf

T(P*IP protocol suite > Thomas Toth

http://www.infosys.tuwien.ac.at/"eachin#/$ourses/%netSec/slides/sli.pdf

Securit# problems in the T(P*IP protocol suite S.. 3ellovin 'TDT 3ell

6aboratories urra# %ill ;ew Nerse# 0=9=4

http://www.research.att.com/~sm&/papers/ipext.pdf

Introduction To ;etwork 'ddress Translation ;'T1

http://www.firewall.cx/nat-intro.php

http://'ork.net/~phil/$rackin#/%nternet.html

http://'ork.net/~phil/$rackin#/%nternet.html IP spoofing

http://&ear.c&a.ufl.edu/teets/pro(ects/%S)*+++,1!+/perryna/index.html



25/25

IP Spoofing 09IT054

ipspoofingseminarreport-111014111833-phpapp02

Documents