NETWORK SECURITY
A PAPER ON PITFALLS AND PROBLEMS ENCOUNTERED IN IP-SPOOFING
Arpit Gupta, Deepika Chug
Bad Practices Spread
It is easy to see the faults of others but not so easy to see one's own faults.
"If I just open a bunch of ports in the firewall my app will work." / "Say, we run a network too. How do you configure your firewalls?"
"I think I will wedge the computer room door open. Much easier." / "Why do we need the door locked?"
"They have blocked my favorite Web site. Lucky I have a modem." / "Hey, nice modem. What's the number of that line?"
"I think I will use my first name as a password." / "I can never think of a good password. What do you use?"
Understanding the Landscape
[Figure: a chart plotting attacker types (Author, Script-Kiddie, Hobbyist Hacker, Expert, Specialist) against roles (Vandal, Thief, Spy, Trespasser) and motives (National Interest, Personal Gain, Personal Fame, Curiosity).]
An Evolving Threat
[Figure: the same chart, annotated with the largest area by volume, the largest area by $ lost, the largest segment by $ spent on defense, and the fastest growing segment.]
WHAT IS IP-SPOOFING?
IP -> Internet Protocol. Spoofing -> Hiding.
It is a trick played on servers to fool the target computer into thinking that it is receiving data from a source other than the one actually sending it: the attacker's packets appear to come from the trusted host. This attack is actually a trust-relationship exploitation.
"Things are not what they seem, and that is why the world gets conned."
REAL-LIFE EXAMPLE TO EXPLAIN WHAT IP SPOOFING IS
[Figure: three people, A, B and C.] C is on the line to A, disguising his voice to make it sound more like that of B. If we now replace the three people by computers and change the term "voice" to "IP address", then you know what we mean by IP-SPOOFING.
THE 3-WAY HANDSHAKE
[Figure: CLIENT and HOST exchanging packets A, B and C.] Packet description:
A. CLIENT -> HOST: SYN = client's ISN (4894305), ACK = 0
B. HOST -> CLIENT: SYN = host's ISN (1896955367), ACK = client's ISN + 1 (4894306)
C. CLIENT -> HOST: ACK = host's ISN + 1 (1896955368)
THE ATTACK IN BRIEF
1. The target host is chosen.
2. A pattern of trust is discovered, along with the trusted host.
3. The trusted host is disabled and the target's TCP sequence number is detected.
4. The trusted host is impersonated, the sequence numbers guessed, and a connection attempt is made to a service that only requires address-based authentication.
-- ON SUCCESS THE ATTACKER ISSUES A SIMPLE COMMAND TO LEAVE A BACKDOOR --
THE ATTACK
[Figure: the attacking host HACKER (203.45.98.01) sends the remote host VICTIM (22.214.171.124) packets carrying the IP address of the trusted host FAKE (126.96.36.199).]
THE ATTACK
[Figure: the remote host VICTIM (188.8.131.52) answers with SYN/ACK packets addressed to the trusted host FAKE (184.108.40.206).]
TRUSTED HOST DISABLING
As soon as we find the TRUSTED HOST (FAKE), our next step is to disable it. WHY? "FAKE must not at any time respond to the SYN/ACK packet sent by VICTIM." How to do it? Use up all the memory of the TRUSTED HOST so that it will not be able to respond to the SYN/ACK packet sent to it by the VICTIM. One very easy method of doing so is to perform the SYN flooding denial-of-service attack.
SO WHAT IS SYN FLOODING?
[Figure: a stream of SYN packets filling the BACKLOG QUEUE until QUEUE FULL.] There is an upper limit on how many concurrent SYN requests TCP can process for a given socket; this limit is called the BACKLOG LIMIT. Backlog limit = length(queue).
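The handshake on the earlier slide and the backlog queue on this one can be put together in one small model. The following is an added example, not code from the paper: a listening socket that keeps half-open entries in a bounded backlog, issues the host's ISN (using the paper's per-connection increment of 64,000), completes a connection only when the final ACK equals host ISN + 1, and drops any SYN that arrives while the queue is full. The backlog length, the half-open timeout and all addresses are assumed values chosen for the demonstration; the client and host ISNs are the ones from the handshake slide.

```python
from collections import OrderedDict

# Added example (not the paper's code): server side of the TCP 3-way handshake
# with a bounded backlog of half-open connections.

BACKLOG_LIMIT = 5          # assumed backlog length for the listening socket
HALF_OPEN_TIMEOUT = 75.0   # assumed seconds a half-open entry is kept before it is reclaimed

class Listener:
    def __init__(self, isn, backlog=BACKLOG_LIMIT, timeout=HALF_OPEN_TIMEOUT):
        self.next_isn = isn
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = OrderedDict()   # (src_ip, src_port) -> (expected_ack, created_at)
        self.established = {}
        self.dropped_syns = 0

    def _expire(self, now):
        # Reclaim backlog slots whose handshake never completed.
        for key, (_, t0) in list(self.half_open.items()):
            if now - t0 > self.timeout:
                del self.half_open[key]

    def on_syn(self, src_ip, src_port, client_isn, now):
        """Client -> host: SYN. Returns the SYN/ACK fields, or None if the queue is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1          # QUEUE FULL: legitimate SYNs are lost as well
            return None
        host_isn = self.next_isn
        self.next_isn = (self.next_isn + 64000) & 0xFFFFFFFF   # per-connection increment from the ISN slide
        self.half_open[(src_ip, src_port)] = (host_isn + 1, now)
        return {"SYN": host_isn, "ACK": client_isn + 1}

    def on_ack(self, src_ip, src_port, ack, now):
        """Client -> host: final ACK. Established only if ACK == host ISN + 1."""
        entry = self.half_open.get((src_ip, src_port))
        if entry is None or entry[0] != ack:
            return False
        del self.half_open[(src_ip, src_port)]
        self.established[(src_ip, src_port)] = ack
        return True

def demo():
    srv = Listener(isn=1896955367)
    # A normal handshake, using the numbers from the handshake slide.
    synack = srv.on_syn("10.0.0.5", 40000, 4894305, now=0.0)
    ok = srv.on_ack("10.0.0.5", 40000, synack["SYN"] + 1, now=0.1)
    # Ten SYNs whose final ACK never arrives: the first five fill the backlog, the rest are dropped.
    for i in range(10):
        srv.on_syn(f"192.0.2.{i}", 1000 + i, 1, now=1.0)
    blocked = srv.on_syn("10.0.0.6", 40001, 7, now=2.0)     # a genuine client is refused
    srv._expire(now=100.0)                                  # the timeout frees the slots again
    recovered = srv.on_syn("10.0.0.6", 40001, 7, now=100.0)
    return synack, ok, srv.dropped_syns, blocked, recovered

if __name__ == "__main__":
    print(demo())
```

The point the model makes for a defender is that the half-open entries, not bandwidth, are the scarce resource: once the backlog is full every new SYN is dropped regardless of who sent it, and the socket only recovers as entries time out. Shorter half-open timeouts and larger backlogs shrink the window, which is why both are tunable on real stacks.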
THE ATTACK
[Figure: the attacking host HACKER (203.45.98.01) sends the remote host VICTIM (220.127.116.11) packets acknowledging, as if from the trusted host, that the SYN/ACK packets have been received.]
Detection
- Monitoring packets on the external interface whose source and destination IP addresses are both in your local domain.
- Accounting logs between systems on your internal network.
- A log entry on the victim machine showing a remote access.
- Detecting unusual activity.
Packet Filtering
- Internal network connected to the Internet.
- The router filters packet by packet; the decision to forward/drop a packet is based on:
  -- source IP address, destination IP address;
  -- TCP SYN and ACK bits.
Should an arriving packet be allowed in? Should a departing packet be let out?
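The detection and packet-filtering slides describe the same two checks from different sides: a packet on the external interface carrying a local source address, and a decision made from the addresses plus the SYN/ACK bits. The block below is an added example, not code from the paper, that implements both for a border router with one external interface: an ingress rule, an egress rule, a rule that admits new inbound connections (SYN without ACK) only to published services, and an alert line for every spoofing symptom. The local network 192.168.1.0/24, the published ports, port 513 as an address-authenticated service, and the sample packets are all assumed for the demonstration.

```python
import ipaddress

# Added example (not the paper's code): packet-by-packet filter plus spoof alerts.

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed local domain
ALLOWED_INBOUND_PORTS = {25, 80}                      # assumed published services

def decide(pkt):
    """Return ('forward'|'drop', reason) for a packet given as a dict with keys
    iface ('ext' or 'int'), src, dst, dport, syn, ack."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt["iface"] == "ext":
        # Ingress filter: nothing arriving from the Internet may claim a local source.
        if src in LOCAL_NET:
            return "drop", "spoofed source: local address on external interface"
        if dst not in LOCAL_NET:
            return "drop", "not addressed to our network"
        # A SYN without ACK is a new inbound connection; allow it only to published ports.
        if pkt["syn"] and not pkt["ack"] and pkt["dport"] not in ALLOWED_INBOUND_PORTS:
            return "drop", "inbound connection attempt to unpublished port"
        return "forward", "ok"
    # Egress filter: departing packets must carry one of our own addresses.
    if src not in LOCAL_NET:
        return "drop", "spoofed source: foreign address leaving our network"
    return "forward", "ok"

SAMPLE_PACKETS = [  # constructed sample traffic
    {"iface": "ext", "src": "203.0.113.9", "dst": "192.168.1.20", "dport": 80,    "syn": True,  "ack": False},
    {"iface": "ext", "src": "192.168.1.2", "dst": "192.168.1.20", "dport": 513,   "syn": True,  "ack": False},
    {"iface": "ext", "src": "203.0.113.9", "dst": "192.168.1.20", "dport": 513,   "syn": True,  "ack": False},
    {"iface": "ext", "src": "203.0.113.9", "dst": "192.168.1.20", "dport": 40000, "syn": False, "ack": True},
    {"iface": "int", "src": "198.51.100.7", "dst": "203.0.113.9", "dport": 80,    "syn": True,  "ack": False},
]

def run_filter(packets=SAMPLE_PACKETS):
    """Apply the filter to each packet and collect alert lines for the spoofing cases."""
    verdicts, alerts = [], []
    for p in packets:
        verdict, reason = decide(p)
        verdicts.append(verdict)
        if reason.startswith("spoofed"):
            alerts.append(f"ALERT {p['iface']} {p['src']}->{p['dst']}: {reason}")
    return verdicts, alerts

if __name__ == "__main__":
    for line in run_filter()[1]:
        print(line)
```

Of the five sample packets, the second (a local address arriving from outside) and the fifth (a foreign address leaving) are the spoofing cases the detection slide is looking for; the third is dropped because it tries to open a connection to an address-authenticated service that is not published, and the fourth is forwarded because its ACK bit marks it as a reply to a connection the inside opened.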
[Cartoon] "Our network is secure, right?" "Oh sure, don't worry. We have several firewalls."
Initial Sequence Number (ISN)
Randomizing ISN incrementation:
- at every connection: incremented by 64,000
- at every second: incremented by 128,000
Its value gets wrapped every 9.32 hrs. So it is easy for anyone to do the guesswork and calculate the correct sequence number.
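The figures on this slide can be checked, and the remedy shown, in a few lines. The following is an added example, not code from the paper: it computes the wrap period from the per-second increment, shows what the fixed-increment rule produces from one observed ISN, and then generates an ISN the way RFC 6528 recommends, as a 4-microsecond clock value plus a keyed hash of the connection's 4-tuple, so that knowing one connection's ISN says nothing about another's. The secret key is assumed to be generated once at boot; the addresses and ports in the test are made up.

```python
import hashlib
import os
import struct
import time

# Added example (not the paper's code): ISN arithmetic and a randomized ISN.

PER_CONNECTION_INCREMENT = 64_000     # from the slide
PER_SECOND_INCREMENT = 128_000        # from the slide
ISN_SPACE = 2 ** 32                   # sequence numbers are 32-bit

def wrap_period_hours():
    """Hours until the per-second increment alone cycles through the 32-bit space (about 9.32 h)."""
    return ISN_SPACE / PER_SECOND_INCREMENT / 3600

def fixed_increment_isn(isn_seen, seconds_elapsed, connections_since):
    """The ISN the fixed-increment rule assigns, given one observed ISN: fully determined
    by elapsed time and the number of connections, which is the weakness the slide points out."""
    return (isn_seen
            + PER_SECOND_INCREMENT * seconds_elapsed
            + PER_CONNECTION_INCREMENT * connections_since) % ISN_SPACE

SECRET = os.urandom(16)   # assumed: generated once per boot and never disclosed

def randomized_isn(local_ip, local_port, remote_ip, remote_port, now=None):
    """ISN = M + F(4-tuple, secret), in the style of RFC 6528.
    M is a clock ticking every 4 microseconds; F is a keyed hash of the connection identity."""
    now = time.time() if now is None else now
    m = int(now * 250_000) % ISN_SPACE
    tuple_bytes = f"{local_ip}:{local_port}:{remote_ip}:{remote_port}".encode()
    f = struct.unpack(">I", hashlib.sha256(SECRET + tuple_bytes).digest()[:4])[0]
    return (m + f) % ISN_SPACE

if __name__ == "__main__":
    print(f"wrap period: {wrap_period_hours():.2f} h")
    print("fixed rule, 1 s and 1 connection later:", fixed_increment_isn(1896955367, 1, 1))
    print("randomized:", randomized_isn("192.168.1.2", 40000, "192.168.1.20", 513))
```

The randomized form keeps the monotonic clock component M, so sequence numbers of successive connections between the same two endpoints still advance and old segments are not mistaken for new ones, while the per-tuple offset F means an observer of one connection learns nothing usable about a different one.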
CONCLUSION
IP-Spoofing is an exploitation of a trust-based relationship and can be curbed effectively if proper measures are used. Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect networks from these malicious cloaking and cracking techniques.
IP-Spoofing Software in Technical Discussion
Part 1: Target is being attacked.
[Figure: three hosts on the LAN, 192.168.1.2, 192.168.1.20 and 192.168.1.30, labelled Client, Client/Server, Target, Victim and Hacker; the target is attacked with UDP packets labelled 192.168.1.20 when no measures were taken.]
IP-Spoofing Software in Technical Discussion
Part 2: Target is being attacked, but the software is the interface to it.
[Figure: the same three hosts; the UDP packets labelled 192.168.1.20 now pass through the s/w before they reach the target.]
IP-Spoofing Software in Technical Discussion
Part 3: The s/w role as an interface
1) Scans all the registered IP addresses (the "myip" log file, the list of registered clients) for their authenticity. While scanning these, it also resolves the respective MAC address at runtime.
2) Maintains the list of spoofed clients (log file).
IP-Spoofing Software in Technical Discussion
Part 3.1: The s/w role as an interface (contd.)
3) Maintains the list of registered clients whenever they communicate (the "myhost" log file, the list of registered clients).
4) The unauthorised user is blocked.
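Parts 3 and 3.1 describe the software as a check of each client's claimed IP address against the MAC address it resolves at runtime, with a list of registered clients, a list of spoofed clients and blocking of unauthorised users. The block below is an added example, not the authors' software, that models that interface role: a registered-client table standing in for the "myip" file, a lookup that stands in for the runtime MAC resolution, a per-datagram check that the MAC the frame actually came from matches the registration for the IP it claims, a "myhost" record of clients seen communicating, and a spoofed-client log. The IP addresses are those on the slides; the MAC addresses and the sample datagrams are constructed.

```python
# Added example (not the authors' software): registered-client consistency check.

MYIP = {                       # assumed contents of the registered-client ("myip") file: IP -> MAC
    "192.168.1.2":  "02:00:00:00:00:02",
    "192.168.1.20": "02:00:00:00:00:20",
    "192.168.1.30": "02:00:00:00:00:30",
}

class SpoofGuard:
    def __init__(self, registered):
        self.registered = dict(registered)
        self.myhost = {}         # IP -> MAC of clients seen communicating (the "myhost" record)
        self.spoofed = []        # log of (claimed_ip, real_mac, reason)
        self.blocked = set()     # MACs whose traffic is no longer passed to the target

    def resolve_mac(self, ip):
        """Stand-in for the runtime MAC resolution the software performs for a registered IP."""
        return self.registered.get(ip)

    def check(self, claimed_src_ip, frame_src_mac):
        """Decide whether a datagram that arrived from frame_src_mac may claim claimed_src_ip."""
        if frame_src_mac in self.blocked:
            return False
        expected = self.resolve_mac(claimed_src_ip)
        if expected is None:
            self.spoofed.append((claimed_src_ip, frame_src_mac, "unregistered IP"))
            self.blocked.add(frame_src_mac)
            return False
        if expected.lower() != frame_src_mac.lower():
            self.spoofed.append((claimed_src_ip, frame_src_mac, "MAC does not match registration"))
            self.blocked.add(frame_src_mac)
            return False
        self.myhost[claimed_src_ip] = frame_src_mac
        return True

DATAGRAMS = [   # constructed: (claimed source IP, MAC the frame actually arrived from)
    ("192.168.1.2",  "02:00:00:00:00:02"),   # genuine client
    ("192.168.1.20", "02:00:00:00:00:30"),   # host .30 claiming to be .20
    ("192.168.1.99", "02:00:00:00:00:30"),   # never registered, and the sender is already blocked
    ("192.168.1.30", "02:00:00:00:00:30"),   # .30 under its own address, still blocked
]

def run(datagrams=DATAGRAMS):
    g = SpoofGuard(MYIP)
    results = [g.check(ip, mac) for ip, mac in datagrams]
    return results, g.spoofed, sorted(g.blocked), g.myhost

if __name__ == "__main__":
    print(run())
```

The check is only as strong as the MAC binding it relies on: on an ordinary Ethernet a host can change its MAC address, so this interface raises the bar for a casual spoofer on the local segment rather than proving identity, and it does nothing for packets that arrive from beyond the router.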
UDP HEADER

  0               16               32 bits
 +-------------------+-------------------+
 |    Source port    | Destination port  |
 +-------------------+-------------------+
 |      Length       |     Checksum      |
 +-------------------+-------------------+
 |                  Data                 |
 +---------------------------------------+
TCP HEADER STRUCTURE

  0               16               32 bits
 +-------------------+-------------------+
 |    Source port    | Destination port  |
 +-------------------+-------------------+
 |            Sequence number            |
 +---------------------------------------+
 |        Acknowledgement number         |
 +-------------------+-------------------+
 |Offset|Resvd|UAPRSF|      Window       |
 +-------------------+-------------------+
 |     Checksum      |  Urgent pointer   |
 +-------------------+-------------------+
 |           Options + Padding           |
 +---------------------------------------+
 |                  Data                 |
 +---------------------------------------+

U A P R S F = the URG, ACK, PSH, RST, SYN, FIN flag bits.
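The two header layouts above can be turned directly into a parser. The following is an added example, not code from the paper: it unpacks the UDP header and the TCP header from raw bytes, decodes the data offset and the six flag bits, and includes a small builder used only to construct the sample segments, which carry the sequence and acknowledgement numbers from the handshake slide. The ports, the MSS option and the payload are assumed values, and checksums are left at zero because nothing here verifies them.

```python
import struct

# Added example (not the paper's code): UDP and TCP header parsing.

TCP_FLAG_NAMES = ["U", "A", "P", "R", "S", "F"]   # URG ACK PSH RST SYN FIN, bits 5..0 of the flags byte

def parse_udp(data):
    """Source port, destination port, length, checksum (all 16-bit), then data."""
    if len(data) < 8:
        raise ValueError("short UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", data[:8])
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "data": data[8:length]}

def parse_tcp(data):
    """Fixed 20-byte header, then options up to the data offset, then data."""
    if len(data) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_rsvd, flags8, win, csum, urg = struct.unpack("!HHIIBBHHH", data[:20])
    offset_words = off_rsvd >> 4           # header length in 32-bit words; low 4 bits are reserved
    hlen = offset_words * 4
    if hlen < 20 or hlen > len(data):
        raise ValueError("bad data offset")
    flags = {name: bool(flags8 & (1 << (5 - i))) for i, name in enumerate(TCP_FLAG_NAMES)}
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "offset": offset_words, "flags": flags, "window": win,
            "checksum": csum, "urgent": urg, "options": data[20:hlen], "data": data[hlen:]}

def build_tcp(sport, dport, seq, ack, flags, window=8192, options=b"", payload=b""):
    """Inverse of parse_tcp, used here only to construct sample segments (checksum left 0)."""
    options += b"\x00" * (-len(options) % 4)             # pad options to a 32-bit boundary
    offset_words = 5 + len(options) // 4
    flags8 = sum(1 << (5 - i) for i, name in enumerate(TCP_FLAG_NAMES) if name in flags)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, offset_words << 4, flags8, window, 0, 0)
    return hdr + options + payload

# Constructed sample packets: the three handshake segments from the slide, and one UDP datagram.
SYN    = build_tcp(40000, 513, 4894305, 0, "S", options=b"\x02\x04\x05\xb4")   # assumed MSS option
SYNACK = build_tcp(513, 40000, 1896955367, 4894306, "SA")
ACK    = build_tcp(40000, 513, 4894306, 1896955368, "A", payload=b"hello")
UDP    = struct.pack("!HHHH", 53, 1024, 8 + 4, 0) + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    for name, seg in (("SYN", SYN), ("SYN/ACK", SYNACK), ("ACK", ACK)):
        p = parse_tcp(seg)
        print(name, p["seq"], p["ack"], "".join(f for f in TCP_FLAG_NAMES if p["flags"][f]))
    print("UDP", parse_udp(UDP))
```

Reading the flags byte is what a filter needs in order to apply the "SYN and ACK bits" rule from the packet-filtering slide: a segment with S set and A clear is a connection attempt, while one with A set is part of an exchange that is already under way.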