IP Spoofing Attacks

Rajat Chopra
Raheel Ahmed Farooqui

Principles of Information Security & Privacy
October 31, 2012

Declaration of Independent Completion

We declare that we have completed this assignment completely and entirely on our own, without any consultation with others. We understand that any breach of the UNC Charlotte Code of Academic Integrity may result in severe penalties.

We also declare that we have agreed on the following percentages of contributions to the completion of the assignment by individual group members:

Name                    Contribution (%)   Signature   Date
Rajat Chopra            50%                            10/31/2012
Raheel Ahmed Farooqui   50%                            10/31/2012
ABSTRACT

Spoofing means pretending to be something you are not. In Internet terms it means pretending to be a different Internet address from the one you really have in order to gain something. That might be information like credit card numbers, passwords, personal information, or the ability to carry out actions using someone else’s identity. An IP spoofing attack involves forging one’s source address; it is the act of using one machine to impersonate another.

Spoofing is an active security attack in which one machine on the network masquerades as a different machine. As an active attack, it disrupts the normal flow of data and may involve injecting data into the communications link between other machines. This masquerade aims to fool other machines on the network into accepting the impostor as an original, either to lure the other machines into sending it data or to allow it to alter data. The meaning of “spoof” here is not “a light-hearted parody,” but rather “a deception intended to trick one into accepting as genuine something that is actually false.” Such deception can have grave consequences because notions of trust are central to many networking systems.

In reality, the attacker is fooling (spoofing) the distant computer into believing that they are a legitimate member of the network. The goal of the attack is to establish a connection that will allow the attacker to gain root access to the host, allowing the creation of a backdoor entry path into the target system.
INTRODUCTION

This report describes the use of IP spoofing as a method of attacking a network in order to gain unauthorized access. The attack is based on the fact that Internet communication between distant computers is routinely handled by routers which find the best route by examining the destination address, but generally ignore the origination address. The origination address is only used by the destination machine when it responds back to the source.

In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system. To be successful, the intruder must first determine the IP address of a trusted system, and then modify the packet headers so that it appears that the packets are coming from the trusted system.

IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine. In the subsequent pages of this report, we will examine the concepts of IP spoofing: why it is possible, how it works, what it is used for and how to defend against it.
BRIEF HISTORY

In the April 1989 article entitled “Security Problems in the TCP/IP Protocol Suite”, author S. M. Bellovin of AT&T Bell Labs was among the first to identify IP spoofing as a real risk to computer networks. Bellovin describes how Robert Morris, creator of the now infamous Internet Worm, figured out how TCP created sequence numbers and forged a TCP packet sequence. This TCP packet included the destination address of his “victim”, and using an IP spoofing attack Morris was able to obtain root access to his targeted system without a user ID or password.

A common misconception is that "IP spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is not true generally. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection.

WHY IP SPOOFING?

What is the advantage of sending a spoofed packet? It is that the sender has some kind of malicious intention and does not want to be identified. The source address in the header of an IP datagram can be used to trace the sender's location. Most systems keep logs of Internet activity, so if attackers want to hide their identity, they need to change the source address. The host receiving the spoofed packet responds to the spoofed address, so the attacker receives no reply back from the victim host. But if the spoofed address belongs to a host on the same subnet as the attacker, then the attacker can "sniff" the reply. IP spoofing can be used for several purposes; in some scenarios an attacker might want to inspect the response from the target victim (called "non-blind spoofing"), whereas in other cases the attacker might not care (blind spoofing).
DETAILS OF AN ATTACK

IP spoofing, in brief, consists of several interim steps, which are described in the sections that follow.

TCP/IP PROTOCOL SUITE

IP spoofing exploits flaws in the TCP/IP protocol suite. In order to completely understand how these attacks can take place, one must examine the structure of the TCP/IP protocol suite. A basic understanding of these headers and network exchanges is crucial to the process.
INTERNET PROTOCOL - IP

The Internet Protocol (or IP, as it is generally known) is the network layer of the Internet. IP provides a connection-less service. The job of IP is to route and send a packet to the packet's destination. IP provides no guarantee whatsoever for the packets it tries to deliver. IP packets are usually termed datagrams. The datagrams go through a series of routers before they reach the destination. At each node that the datagram passes through, the node determines the next hop for the datagram and routes it to the next hop. Since the network is dynamic, it is possible that two datagrams from the same source take different paths to make it to the destination. Since the network has variable delays, it is not guaranteed that the datagrams will be received in sequence. IP only tries for a best-effort delivery. It does not take care of lost packets; this is left to the higher layer protocols. There is no state maintained between two datagrams; in other words, IP is connection-less.

The IP header is shown above. The Version is currently set to 4. In order to distinguish it from the new version, IPv6, IP is also referred to as IPv4. The source address and the destination address are 4-byte Internet addresses. The Options field contains various options such as source based routing and record route. Source based routing allows the sender to specify the path the datagram should take to reach the destination. Record route allows the sender to record the route the datagram is taking. None of the IP fields are encrypted and there is no authentication. It would be extremely easy to set an arbitrary destination address (or source address), and IP would send the datagram. The destination has no way of ascertaining the fact that the datagram actually originated from an IP address other than the one in the source address field. It is easy to see why any authentication scheme based on IP addresses would fail.

Transmission Control Protocol - TCP

IP can be thought of as a routing wrapper for layer 4 (transport), which contains the Transmission Control Protocol (TCP). Unlike IP, TCP uses a connection-oriented design. This means that the participants in a TCP session must first build a connection, via the 3-way handshake (SYN, SYN/ACK, ACK), and then update one another on progress via sequences and acknowledgements. This “conversation” ensures data reliability, since the sender receives an OK from the recipient after each packet exchange.

As you can see above, a TCP header is very different from an IP header. We are concerned with the first 12 bytes of the TCP packet, which contain port and sequencing information. Much like an IP datagram, TCP packets can be manipulated using software. The source and destination ports normally depend on the network application in use (for example, HTTP via port 80). What's important for our understanding of spoofing are the sequence and acknowledgement numbers. The data contained in these fields ensures packet delivery by determining whether or not a packet needs to be resent. The sequence number is the number of the first byte in the current packet, which is relevant to the data stream. The acknowledgement number, in turn, contains the value of the next expected sequence number in the stream. This relationship confirms, on both ends, that the proper packets were received. It is quite different from IP, since transaction state is closely monitored.
Consequences of The TCP/IP Design

Now that we have an overview of the TCP/IP formats, let's examine the consequences. Obviously, it is very easy to mask a source address by manipulating an IP header. This technique is used for obvious reasons and is employed in several of the attacks discussed below. Another consequence, specific to TCP, is sequence number prediction, which can lead to session hijacking or host impersonation. This method builds on IP spoofing, since a session, albeit a false one, is built.

Spoofing Attacks

IP spoofing consists of several steps. First, the target host is chosen. Next, a pattern of trust is discovered, along with a trusted host. The trusted host is then disabled, and the target's TCP sequence numbers are sampled. The trusted host is impersonated, the sequence numbers guessed, and a connection attempt is made to a service that only requires address-based authentication. If successful, the attacker executes a simple command to leave a backdoor.

Non-blind spoofing: This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgment numbers can be sniffed, eliminating the potential difficulty of calculating them accurately.

Blind spoofing: In this type of attack the sequence and acknowledgement numbers are unreachable. In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers.

Both types of spoofing are forms of a common security violation known as a man-in-the-middle attack, discussed in its own section below.

IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against: Denial of Service attacks, or DoS.

The connection setup phase in a TCP system consists of a three-way handshake. This handshake is done by using special bit combinations in the "flags" field. If host A wants to establish a TCP connection with host B, it sends a packet with the SYN flag set. Host B replies with a packet that has the SYN and ACK flags set in the TCP header. Host A sends back a packet with the ACK flag set, finishing the initial handshake. Then hosts A and B can communicate with each other, as shown below.
The three-way handshake must be completed in order to establish a connection. Connections that have been initiated but not finished are called half-open connections. A finite-size data structure is used to store the state of the half-open connections. An attacking host can send an initial SYN packet with a spoofed IP address; the victim then sends the SYN-ACK packet and waits for a final ACK to complete the handshake. If the spoofed address does not belong to a host, then this connection stays in the half-open state indefinitely, thus occupying the data structure. If there are enough half-open connections to fill the state data structure, then the host cannot accept further requests, thus denying service to legitimate connections.

Setting a time limit for half-open connections and then erasing them after the timeout can help with this problem, but the attacker may keep continuously sending the packets. The attacked host will not have space to accept new incoming legitimate connections, but connections that were established before the attack are not affected. In this type of attack, the attacker has no interest in examining the responses from the victim. When the spoofed address does belong to a connected host, that host sends a reset to indicate the end of the handshake.

Man In The Middle Attack

Both types of spoofing are forms of a common security violation known as a man-in-the-middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.
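To make the half-open connection table from the DoS discussion above concrete, here is an added simulation that is not part of the report: a finite table of half-open connections, the timeout mitigation the report mentions, and the reset sent by a live host whose address was spoofed. The table size, timings and addresses are constructed values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HalfOpenTable:
    """Finite table of half-open TCP connections (SYN seen, final ACK not yet seen)."""
    capacity: int
    timeout: Optional[float] = None              # None: entries are never reaped
    entries: dict = field(default_factory=dict)  # (src_ip, src_port) -> time SYN arrived
    rejected: int = 0
    established: int = 0

    def _reap(self, now):
        # Mitigation from the report: erase half-open entries older than the timeout.
        if self.timeout is None:
            return
        for key in [k for k, t0 in self.entries.items() if now - t0 >= self.timeout]:
            del self.entries[key]

    def syn(self, now, key):
        """Server receives a SYN; returns True if an entry is stored (SYN-ACK sent)."""
        self._reap(now)
        if key in self.entries:
            return True                  # retransmitted SYN, entry already present
        if len(self.entries) >= self.capacity:
            self.rejected += 1           # table full: this client is refused
            return False
        self.entries[key] = now
        return True

    def ack(self, now, key):
        """Third handshake packet: the connection leaves the half-open table."""
        if key not in self.entries:
            return False
        del self.entries[key]
        self.established += 1
        return True

    def rst(self, key):
        """A spoofed source that belongs to a live host answers the unexpected
        SYN-ACK with a RST, which frees the entry (the report's last case)."""
        self.entries.pop(key, None)


def syn_flood_scenario(timeout):
    """Constructed scenario: 100 SYNs with spoofed, unallocated sources arrive
    within one second; a real client then tries at t=1.5 s and again at t=4 s."""
    table = HalfOpenTable(capacity=64, timeout=timeout)
    for i in range(100):
        # 203.0.113.0/24 is documentation space: nobody answers, so no RST ever comes.
        table.syn(0.01 * i, (f"203.0.113.{i % 256}", 40000 + i))
    stored, refused = len(table.entries), table.rejected
    client = ("198.51.100.7", 51000)
    first = table.syn(1.5, client)       # table still full -> refused
    if first:
        table.ack(1.5, client)
    second = table.syn(4.0, client)      # succeeds only if timed-out entries were reaped
    if second:
        table.ack(4.0, client)
    return {"attack_stored": stored, "attack_refused": refused,
            "client_at_1_5s": first, "client_at_4s": second,
            "established": table.established}


def live_host_rst():
    """Spoofed SYN whose source is a real host: its RST clears the entry at once."""
    table = HalfOpenTable(capacity=4)
    key = ("192.0.2.10", 4444)
    table.syn(0.0, key)
    table.rst(key)
    return len(table.entries)
```

Without a timeout the client is refused at both attempts; with a 3 s timeout the second attempt succeeds, but only because the constructed attacker stopped sending after one second.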
If an attacker controls a gateway that is in the delivery route, he can:

 - sniff the traffic
 - intercept / block / delay traffic
 - modify traffic

This is not easy in the Internet because of hop-by-hop routing, unless you control one of the backbone hosts or source routing is used. This can also be done in combination with the IP source routing option. IP source routing is used to specify the route in the delivery of a packet, which is independent of the normal delivery mechanisms. If the traffic can be forced through specific routes (= specific hosts), and if the reverse route is used for reply traffic, a host on the route can easily impersonate another host. The attack procedure could be:

Thus, when two hosts are desynchronized enough, they will discard (ignore) packets from each other. An attacker can then inject forged packets with the correct sequence numbers (and potentially modify or add commands to the communication). Obviously, this requires the attacker to be located on the communication path between the two hosts so that he may eavesdrop, in order to replicate packets being sent. The key to this attack is creating the desynchronized state. Joncheray describes two possible ways to do this: one is during the three-way handshake, and the other is in the middle of an established connection. Note that "ignored" packets may actually generate ACKs, rather than being completely ignored. When the other end receives packets with incorrect sequence numbers, it replies with an ACK packet containing the sequence number it is expecting. But the receiver of these ACKs discards them, as they have the wrong sequence numbers! The receiver then sends its own
ACK to notify the sender... Thus, a large number of ACKs are generated in this attack. This "signature" of the attack could be used to detect connection hijacking.

Countermeasures

Packet Filtering

The router that connects a network to another network is known as a border router. One way to mitigate the threat of IP spoofing is by inspecting packets when they leave and enter a network, looking for invalid source IP addresses. If this type of filtering were performed on all border routers, IP address spoofing would be greatly reduced. Egress filtering checks the source IP address of outgoing packets to ensure they come from a valid IP address range within the internal network. When the router receives a packet that contains an invalid source address, the packet is simply discarded and does not leave the network boundary. Ingress filtering checks the source IP address of packets that enter the network to ensure they do not come from sources that are not permitted to access the network. At a minimum, all private, reserved, and internal IP addresses should be discarded by the router and not allowed to enter the network. In Linux, source address filtering (reverse path filtering) can be enabled on every interface using:

    # rp_filter: 0 = off, 1 = strict reverse-path check, 2 = loose check
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > "$f"; done

Limits of Packet Filtering

Packet filtering normally may not prevent a system from participating in an attack if the spoofed IP address used falls within the valid internal address range. However, it will simplify the process of tracing the packets, since the systems will have to use a source IP address within the valid IP range of the network.

Filtering At The Router

If your site has a direct connection to the Internet, you can use your router to help you out. First make sure only hosts on your internal LAN can participate in trust relationships (no internal host should trust a host outside the LAN). Then simply filter out *all* traffic from the outside (the Internet) that purports to come from the inside (the LAN).
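The ingress/egress filtering and the reverse-path check of this section, as an added Python example that is not part of the report: a border ACL that drops outside packets with private or internal sources and outbound packets with foreign sources, plus a strict reverse-path lookup of the kind rp_filter performs. The internal range 192.0.2.0/24, the interface names and the sample log lines are constructed.

```python
import ipaddress

# Constructed site: 192.0.2.0/24 is "our" internal range (assumption, not from the report).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Private, loopback, link-local and "this network" space must never appear as a
# source on the Internet-facing interface.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def border_acl(direction, src):
    """Verdict of the border router for a packet with source address `src`.

    direction "in":  packet arrives from the Internet (ingress filtering)
    direction "out": packet is leaving towards the Internet (egress filtering)
    Returns (verdict, reason).
    """
    addr = ipaddress.ip_address(src)
    if direction == "in":
        if _in_any(addr, BOGON_NETS):
            return "drop", "private/reserved source address from outside"
        if _in_any(addr, INTERNAL_NETS):
            return "drop", "outside packet claims our internal range as source"
        return "accept", "ingress ok"
    if direction == "out":
        if not _in_any(addr, INTERNAL_NETS):
            return "drop", "outbound packet with a source outside our range (spoofed)"
        return "accept", "egress ok"
    raise ValueError(f"unknown direction {direction!r}")


def reverse_path_ok(src, arrival_iface, routes):
    """Strict reverse-path check, the idea behind rp_filter: the longest-prefix
    route back to `src` must use the interface the packet arrived on.
    `routes` is a list of (network, interface) pairs."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == arrival_iface


# Constructed routing table: eth0 faces the Internet, eth1 the internal LAN.
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "eth0"),
          (ipaddress.ip_network("192.0.2.0/24"), "eth1")]


def filter_log(lines):
    """Apply the ACL to constructed 'direction src' lines; return the dropped sources."""
    dropped = []
    for line in lines:
        direction, src = line.split()
        verdict, _reason = border_acl(direction, src)
        if verdict == "drop":
            dropped.append(src)
    return dropped


# Constructed sample: one clean inbound packet, a private source from outside,
# an outside packet claiming our range, a clean outbound packet, a spoofed outbound one.
SAMPLE = ["in 203.0.113.5", "in 10.1.2.3", "in 192.0.2.7",
          "out 192.0.2.7", "out 198.51.100.9"]
```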
Implementing ingress and egress filtering on your border routers is a great place to start your spoofing defense. You will need to implement an ACL (access control list) that blocks private IP addresses on your downstream interface. Additionally, this interface should not accept addresses with your internal range as the source, as this is a common spoofing technique used to circumvent firewalls. On the upstream interface, you should restrict source addresses outside of your valid range, which will prevent someone on your network from sending spoofed traffic to the Internet.

Encryption And Authentication

Implementing encryption and authentication will also reduce spoofing threats. Both of these features are included in IPv6, which will eliminate current spoofing threats. Additionally, you should eliminate all host-based authentication measures, which are sometimes common for machines on the same subnet. Ensure that the proper authentication measures are in place and carried out over a secure (encrypted) channel.

Disable Commands

One easy solution to prevent this attack is not to rely on address-based authentication. Disable all the r* commands, remove all .rhosts files and empty out the /etc/hosts.equiv file. This will force all users to use other means of remote access (telnet, ssh, skey, etc.).

Applications of IP Spoofing

Asymmetric routing means traffic goes over different interfaces for the inbound and outbound directions. In other words, asymmetric routing is when the response to a packet follows a different path from one host to another than the original packet did. The more correct and more general definition is: for any source IP address A and destination B, the path followed by any packet (request or response) from A to B is different from the path taken by a packet from B to A.

NAT

NAT is network address translation. Normally, packets on a network travel from their source to their destination through many different links. None of these links really alter your packet; they just send it onward. If one of these links were to do NAT, then they would alter the source or destination of the packet as it passes through. Usually the link doing NAT will remember how it mangled a packet, and when a reply packet passes through the other way, it will do the reverse mangling on that reply packet, so everything works.

NAT has several applications:

Modem Connections To The Internet

Most ISPs give you a single IP address when you dial up to them. You can send out packets with any source address you want, but only replies to packets with this source IP address will return to you. If you want to use multiple different machines (such as a home network) to connect to the Internet through this one link, you'll need NAT.
Multiple Servers

Sometimes you want to change where packets heading into your network will go. Frequently this is because (as above) you have only one IP address, but you want people to be able to get into the boxes behind the one with the "real" IP address. If you rewrite the destination of incoming packets, you can manage this. This type of NAT is called port forwarding. A common variation of this is load sharing, where the mapping ranges over a set of machines, fanning packets out to them.

Transparent Proxying

Sometimes you want to pretend that each packet which passes through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program which stands between your network and the outside world, shuffling communication between the two. The transparent part is because your network won't even know it's talking to a proxy, unless of course the proxy doesn't work. NAT has two different types: Source NAT (SNAT) and Destination NAT (DNAT). Source NAT is when you alter the source address of the first packet, i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT.

IP Masquerade

IP Masquerade is a specific form of Network Address Translation (NAT) which allows internally connected computers that do not have registered Internet IP addresses to communicate with the Internet via the Linux server's Internet IP address. IP masquerading lets you use a single Internet-connected computer running Linux with a real IP address as a gateway for non-connected machines with "fake" IP addresses. The Linux box with a real address handles mapping packets from your intranet out to the Internet, and when responses come back, it maps them back to your intranet.
This lets you browse the web and use other Internet functions from multiple machines without having a special network setup from your ISP.

IP Spoofing And IPv6

IP spoofing detection, or in other words validating the source address of an IPv6 packet, is a little more complicated than the process for IPv4. A host using IPv6 may potentially have multiple addresses. Again, the problem inside the Local Area Network is to associate the IPv6 address with the Layer 2 (MAC) address. Among peers on the same network, you can use Neighbor Discovery or Secure Neighbor Discovery (SEND) advertisements to verify the source address in a packet. You can verify source addresses of packets arriving from nodes outside the network by using the Authentication Header (AH) in IPv6 datagrams. You can use agreed-upon parameters between source and destination to calculate authentication information over the header fields that do not change during transit. Although this process will not prevent someone from signing a spoofed address, it does provide a means to authenticate the identity of the source.
IPv6 and IPv4 network interconnections will likely face spoofing problems. IPv6 packets are usually encapsulated in IPv4 packets to travel across networks that do not support IPv6. The IPv6 interim mechanism "6to4" [10, 11] uses automatic IPv6-to-IPv4 tunnelling to interconnect networks using different IP versions. This mechanism uses 6to4 routers and 6to4 relay routers that accept and decapsulate IPv4 traffic from anywhere. There are no constraints on such embedded packets. Relay routers act as bridges between IPv6 and 6to4 networks and can be tricked into sending spoofed traffic anywhere. Also, anyone can send tunnelled spoofed traffic to a 6to4 router, and the router will believe that it is coming from a legitimate relay. There is no simple way to prevent such attacks, and longer-term solutions are needed in both IPv6 and IPv4 networks.

Services Vulnerable To IP Spoofing

Configurations and services that are vulnerable to IP spoofing:

 - RPC (Remote Procedure Call services)
 - Any service that uses IP address authentication
 - The X Window system
 - The R services suite (rlogin, rsh, etc.)

TCP And IP Spoofing Tools

1) Mendax for Linux: Mendax is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.
2) spoofit.h: spoofit.h is a nicely commented library for including IP spoofing functionality into your programs.
3) ipspoof: ipspoof is a TCP and IP spoofing utility.
4) hunt: hunt is a sniffer which also offers many spoofing functions.
5) dsniff: dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic.
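The 6to4 weakness discussed above can at least be narrowed at the 6to4 router, and this added example (not from the report) shows the consistency checks of the kind the cited 6to4 security draft discusses: the IPv4 address embedded in a 2002::/16 source must match the encapsulating IPv4 source, the inner destination must belong to the router's own prefix, and a native IPv6 source is accepted only from a configured relay, which, as the report notes, the packet itself cannot prove. The router address 198.51.100.1, the relay address and the sample packets are constructed.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")
# IPv4 space that can never be a legitimate 6to4 site address (constructed subset).
V4_BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def site_prefix(v4):
    """2002:V4ADDR::/48, the 6to4 prefix owned by the site with IPv4 address v4."""
    b = ipaddress.IPv4Address(v4).packed
    return ipaddress.ip_network(f"2002:{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}::/48")


def embedded_v4(v6):
    """IPv4 address carried in bits 16..47 of a 6to4 address."""
    return ipaddress.IPv4Address(ipaddress.IPv6Address(v6).packed[2:6])


def check_6to4_ingress(our_v4, outer_src, inner_src, inner_dst, trusted_relays=()):
    """Decide whether a 6to4 router with IPv4 address our_v4 should decapsulate a
    packet. outer_src is the IPv4 source of the encapsulating packet; inner_src
    and inner_dst are the IPv6 addresses inside. Returns (verdict, reason)."""
    outer = ipaddress.IPv4Address(outer_src)
    src = ipaddress.IPv6Address(inner_src)
    dst = ipaddress.IPv6Address(inner_dst)
    if any(outer in n for n in V4_BOGONS):
        return "drop", "encapsulating IPv4 source is private/reserved"
    if dst not in site_prefix(our_v4):
        # A 6to4 router serves only its own site; forwarding anything else
        # would turn it into the open relay the report warns about.
        return "drop", "inner destination is not in our 2002:: prefix"
    if src in SIXTOFOUR:
        emb = embedded_v4(src)
        if emb != outer:
            return "drop", f"inner source embeds {emb} but outer source is {outer}"
        return "accept", "6to4 source consistent with the IPv4 header"
    # Native IPv6 source: it can only have reached us through a relay, and
    # nothing in the packet proves that it did.
    if outer in {ipaddress.IPv4Address(r) for r in trusted_relays}:
        return "accept", "native source via configured relay (unverifiable)"
    return "drop", "native IPv6 source from an address that is not a configured relay"
```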
Conclusion

IP spoofing is a difficult problem to tackle, because it is related to the IP packet structure. IP packets can be exploited in several ways. Because attackers can hide their identity with IP spoofing, they can carry out several network attacks. Although there is no easy solution for the IP spoofing problem, you can apply some simple proactive and reactive methods at the nodes, and use the routers in the network to help detect a spoofed packet and trace it back to its originating source.
Acknowledgement

I express my sincere thanks to Prof. Yuliang Zheng and Mr. Joe Yeremuk (Teaching Assistant) for their kind co-operation for this presentation.

I also extend my sincere thanks to all other members of the faculty of the Software Information System Department and my friends for their co-operation and encouragement.

Rajat Chopra & Raheel Ahmed Farooqui
References

i. Bellovin, S. M. (1989, April). Security Problems in the TCP/IP Protocol Suite. Computer Communication Review, Vol. 19, No. 2, 32-48. [Online]. Available: http://www.ja.net/CERT/Bellovin/TCP-IP_Security_Problems.html
ii. Computer Incident Advisory Committee (CIAC) (1995). Advisory Notice F-08: Internet Spoofing and Hijacked Session Attacks. [Online]. Available: http://ciac.llnl.gov/ciac/bulletins/f-08/shtml
iii. Daemon9. (1996, June). IP Spoofing Demystified. Phrack Magazine, Vol. 7, No. 48, 48-14. [Online]. Available: http://www.fc.net/phrack/files/p48/p48-14.html
iv. Alaaeldin A. Aly, "Tracking and Tracing Spoofed IP Packets to Their Sources," Proceedings of the 6th Annual Conference, UAEU, April 2005.
v. S. J. Templeton and K. E. Levitt, "Detecting Spoofed Packets," DARPA Information Survivability Conference and Exposition, 2003.
vi. "IP Spoofing: An Introduction," http://www.securityfocus.com/infocus/1674
vii. http://www.phrack.org/issues.html?issue=48&id=14#article
viii. http://www.hping.org
ix. http://www.insecure.org/nmap
x. http://www.ietf.org/internet-drafts/draft-baker-sava-operational-00.txt
xi. http://tools.ietf.org/html/draft-baker-sava-cisco-ip-source-guard-00
xii. http://tools.ietf.org/id/draft-baker-sava-implementation-00.txt
xiii. http://tools.ietf.org/html/draft-ietf-v6ops-6to4-security-04
xiv. Carpenter, B., Fink, B., and Moore, K., "Connecting IPv6 Routing Domains Over the IPv4 Internet," The Internet Protocol Journal, Volume 3, No. 1, March 2000.