1. IP Spoofing

• Bao Ho

ToanTai Vu

CS 265 - Security Engineering

Spring 2003

San Jose State University

2. Presentation Outline

Introduction, Background

Attacks with IP Spoofing

Counter Measures

Summary

3. IP Spoofing

IP Spoofing is a technique used to gain unauthorized access to computers.

• IP: Internet Protocol

• Spoofing: using somebdody elses information

Exploits the trust relationships

Intruder sends messages to a computer with an IP address of a trusted host.

4. IP / TCP

IP is connectionless, unreliable

TCP connection-oriented

TCP/IP handshake

AB:SYN; my number is X BA:ACK; now X+1 SYN; my number is Y A B:ACK; now Y+1 5. A blind Attack

Host I cannot see what Host V send back

6. IP Spoofing Steps

Selecting a target host (the victim)

Identify a host that the target trust

Disable the trusted host, sampled the targets TCP sequence

The trusted host is impersonated and the ISN forged.

Connection attempt to a service that only requires address-based authentication.

If successfully connected, executes a simple command to leave a backdoor.

7. IP Spoofing Attacks

Man in the middle

Routing

Flooding / Smurfing

8. Attacks

Man - in - the - middle:

Packet sniffs on link between the two endpoints, and therefore can pretend to be one end of the connection.

9. Attacks

Routing re-direct:redirects routing information from the original host to the attackers host.

Source routing:The attacker redirects individual packets by the hackers host.

10. Attacks

Flooding: SYN flood fills up the receive queue from random source addresses.

Smurfing:ICMP packet spoofed to originate from the victim, destined for the broadcast address, causing all hosts on the network to respond to the victim at once.

11. IP-Spoofing Facts

IP protocol is inherently weak

Makes no assumption about sender/recipient

Nodes on path do not check senders identity

There is no way to completely eliminate IP spoofing

Can only reduce the possibility of attack

12. IP-Spoofing Counter-measures

No insecure authenticated services

Disable commands like ping

Use encryption

Strengthen TCP/IP protocol

Firewall

IP traceback

13. No insecure authenticated services

r* services are hostname-based or IP-based

Other more secure alternatives, i.e., ssh

Remove binary files

Disable in inet, xinet

Clean up .rhost files and /etc/host.equiv

No application with hostname/IP-based authentication, if possible

14. Disable ping command

ping command has rare use

Can be used to trigger a DOS attack by flooding the victim with ICMP packets

This attack does not crash victim, but consume network bandwidth and system resources

Victim fails to provide other services, and halts if runs out of memory

15. DOS using Ping 16. Use Encryption

Encrypt traffic, especially TCP/IP packets and Initial Sequence Numbers

Kerberos is free, and is built-in with OS

Limit session time

Digital signature can be used to identify the sender of the TCP/IP packet.

17. Strengthen TCP/IP protocol

Use good random number generators to generate ISN

Shorten time-out value in TCP/IP request

Increase request queue size

Cannot completely prevent TCP/IP half-open-connection attack

Can only buy more time, in hope that the attack will be noticed.

18. Firewall

Limit traffic to services that are offered

Control access from within the network

Free software: ipchains, iptables

Commercial firewall software

Packet filters: router with firewall built-in

Multiple layer of firewall

19. Network layout with Firewall 20. IP Trace-back

To trace back as close to the attackers location as possible

Limited in reliability and efficiency

Require cooperation of many other network operators along the routing path

Generally does not receive much attention from network operators

21. Summary/Conclusion

IP spoofing attacks is unavoidable.

Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.

22. References

IP-spoofing Demystified (Trust-Relationship Exploitation), Phrack Magazine Review , Vol. 7, No. 48 ,pp. 48-14,www.networkcommand.com/docs/ipspoof.txt

Security Enginerring: A Guide to Building Dependable Distributed Systems , Ross Anderson, pp. 371

Introduction to IP Spoofing, Victor Velasco, November 21, 2000,www.sans.org/rr/threats/intro_spoofing.php

A Large-scale Distributed Intrusion Detection Framework Based on Attack Strategy Analysis, Ming-Yuh Huang, Thomas M. Wicks,Applied Research and Technology , The Boeing Company

Internet Vulnerabilities Related to TCP/IP and T/TCP,ACM SIGCOMM , Computer Communication Review

IP Spoofing,www . linuxgazette . com /issue63/ sharma . html

Distributed System: Concepts and Design , Chapter 7, by Coulouris, Dollimore, and Kindberg

FreeBSD IP Spoofing,www . securityfocus . com /advisories/2703

IP Spoofing Attacks and Hijacked Terminal Connections,www.cert.org/advisories/CA-1995-01.html

Network support for IP trace-back,IEEE/ACM Transactions on Networking , Vol. 9, No. 3, June 2001

An Algebraic Approach to IP Trace-back,ACM Transactions on Information and System Security , Vol. 5, No. 2, May 2002

Web Spoofing. An Internet Con Game,http ://bau2. uibk .ac.at/ matic /spoofing. htm

23. Questions / Answers