- CS 265 - Security Engineering
- San Jose State University
2. Presentation Outline
3. IP Spoofing
- IP spoofing is a technique used to gain unauthorized access to
computers.
- Spoofing: using somebody else's information
- Exploits trust relationships
- The intruder sends messages to a computer with the IP address of a
trusted host.
4. IP / TCP
- IP is connectionless, unreliable
- A -> B: SYN; my number is X
- B -> A: ACK; now X+1. SYN; my number is Y
- A -> B: ACK; now Y+1
5. A Blind Attack
- Host I cannot see what Host V sends back
6. IP Spoofing Steps
- Select a target host (the victim)
- Identify a host that the target trusts
- Disable the trusted host and sample the target's TCP sequence
numbers
- The trusted host is impersonated and the ISN forged.
- Attempt a connection to a service that only requires
address-based authentication.
- If the connection succeeds, execute a simple command to leave a
backdoor.
7. IP Spoofing Attacks
8. Attacks
- Packet sniffing on the link between the two endpoints, so the
attacker can pretend to be one end of the connection.
9. Attacks
- Routing re-direct: redirects routing information from the
original host to the attacker's host.
- Source routing: the attacker redirects individual packets through
the attacker's host.
10. Attacks
- Flooding: a SYN flood from random source addresses fills up the
receive queue.
- Smurfing: an ICMP packet spoofed to originate from the victim,
destined for the broadcast address, causing all hosts on the
network to respond to the victim at once.
11. IP-Spoofing Facts
- The IP protocol is inherently weak
- Makes no assumption about sender/recipient
- Nodes on the path do not check the sender's identity
- There is no way to completely eliminate IP spoofing
- Can only reduce the possibility of attack
12. IP-Spoofing Counter-measures
- No insecure authenticated services
- Disable commands like ping
- Strengthen TCP/IP protocol
13. No insecure authenticated services
- r* services are hostname-based or IP-based
- Use more secure alternatives, e.g., ssh
- Clean up .rhosts files and /etc/hosts.equiv
- No applications with hostname/IP-based authentication, if
possible
14. Disable ping command
- The ping command is rarely needed
- Can be used to trigger a DOS attack by flooding the victim with
ICMP packets
- This attack does not crash the victim, but consumes network
bandwidth and system resources
- The victim fails to provide other services, and halts if it runs
out of memory
15. DOS using Ping
16. Use Encryption
- Encrypt traffic, especially TCP/IP packets and Initial Sequence
Numbers
- Kerberos is free and is built into the OS
- Digital signatures can be used to identify the sender of a
TCP/IP packet.
17. Strengthen TCP/IP protocol
- Use good random number generators to generate ISNs
- Shorten the time-out value for TCP connection requests
- Increase the request queue size
- Cannot completely prevent the TCP/IP half-open connection
attack
- Can only buy more time, in the hope that the attack will be
noticed.
18. Firewall
- Limit traffic to services that are offered
- Control access from within the network
- Free software: ipchains, iptables
- Commercial firewall software
- Packet filters: router with firewall built-in
- Multiple layers of firewalls
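Added example (not from the slides): a minimal Python model of the anti-spoofing rules a packet filter such as iptables applies at the network border, covering the trusted-host spoof, bogon sources, the smurf directed broadcast, and egress filtering. The LAN 192.0.2.0/24, the interface names "ext"/"int" and the sample packets are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (an assumption of this example): the protected LAN is
# 192.0.2.0/24 behind interface "int"; interface "ext" faces the Internet.
INTERNAL = [ip_network("192.0.2.0/24")]
# Source ranges that never legitimately arrive from the Internet.
BOGONS = [ip_network("0.0.0.0/8"), ip_network("10.0.0.0/8"),
          ip_network("127.0.0.0/8"), ip_network("172.16.0.0/12"),
          ip_network("192.168.0.0/16")]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def filter_packet(iface, src, dst):
    """Anti-spoofing verdict for a packet entering on `iface`:
    ("ACCEPT", "") or ("DROP", reason)."""
    s, d = ip_address(src), ip_address(dst)
    if iface == "ext":
        # Ingress filter: the Internet cannot legitimately send a packet
        # that claims one of our own addresses (the trusted-host spoof).
        if _in_any(s, INTERNAL):
            return "DROP", "internal source address arriving from outside"
        if _in_any(s, BOGONS):
            return "DROP", "private/bogon source address from outside"
        # Directed broadcast into the LAN is the smurf amplifier; refuse it.
        if any(d == net.broadcast_address for net in INTERNAL):
            return "DROP", "directed broadcast to internal network"
    elif iface == "int":
        # Egress filter: whatever leaves must carry one of our addresses, so
        # a compromised inside host cannot spoof somebody else's source.
        if not _in_any(s, INTERNAL):
            return "DROP", "non-internal source address leaving the network"
    return "ACCEPT", ""

# Constructed sample traffic: (interface, source, destination).
SAMPLE_PACKETS = [
    ("ext", "203.0.113.7", "192.0.2.10"),    # normal inbound
    ("ext", "192.0.2.5", "192.0.2.10"),      # spoofed trusted host
    ("ext", "10.1.1.1", "192.0.2.10"),       # RFC 1918 source from outside
    ("ext", "203.0.113.7", "192.0.2.255"),   # smurf amplification attempt
    ("int", "192.0.2.10", "203.0.113.7"),    # normal outbound
    ("int", "198.51.100.9", "203.0.113.7"),  # spoofed outbound
]

def run_filter(packets):
    """Return the verdict ("ACCEPT"/"DROP") for each packet, in order."""
    return [filter_packet(*pkt)[0] for pkt in packets]
```

The same rules do nothing against a spoofed packet whose source is a valid external address, which is why the slides pair filtering with randomised ISNs and authenticated services.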
19. Network Layout with Firewall
20. IP Trace-back
- Trace back as close to the attacker's location as
possible
- Limited in reliability and efficiency
- Requires the cooperation of many other network operators along
the routing path
- Generally does not receive much attention from network
operators
21. Summary/Conclusion
- IP spoofing attacks are unavoidable.
- Understanding how and why spoofing attacks are used, combined
with a few simple prevention methods, can help protect your network
from these malicious cloaking and cracking techniques.
22. References
- IP-spoofing Demystified (Trust-Relationship Exploitation),
Phrack Magazine Review, Vol. 7, No. 48, pp. 48-14,
www.networkcommand.com/docs/ipspoof.txt
- Security Engineering: A Guide to Building Dependable
Distributed Systems, Ross Anderson, pp. 371
- Introduction to IP Spoofing, Victor Velasco, November 21,
2000, www.sans.org/rr/threats/intro_spoofing.php
- A Large-scale Distributed Intrusion Detection Framework Based
on Attack Strategy Analysis, Ming-Yuh Huang, Thomas M.
Wicks, Applied Research and Technology, The Boeing Company
- Internet Vulnerabilities Related to TCP/IP and T/TCP, ACM
SIGCOMM Computer Communication Review
- IP Spoofing, www.linuxgazette.com/issue63/sharma.html
- Distributed Systems: Concepts and Design, Chapter 7, by
Coulouris, Dollimore, and Kindberg
- FreeBSD IP Spoofing, www.securityfocus.com/advisories/2703
- IP Spoofing Attacks and Hijacked Terminal
Connections, www.cert.org/advisories/CA-1995-01.html
- Network Support for IP Trace-back, IEEE/ACM Transactions on
Networking, Vol. 9, No. 3, June 2001
- An Algebraic Approach to IP Trace-back, ACM Transactions on
Information and System Security, Vol. 5, No. 2, May 2002
- Web Spoofing: An Internet Con Game,
http://bau2.uibk.ac.at/matic/spoofing.htm
23. Questions / Answers