IP Spoofing


Presentation on the web's most dangerous attack - IP Spoofing.

Published in: Technology
  • need more description about diagram...pls upload more details ..pls send the report of this ppt....
  • nice need more explanation

  2. 2. Bad Practices Spread. "It is easy to see the faults of others but not so easy to see one's own faults."
       • "If I just open a bunch of ports in the firewall my app will work."
       • "I think I will wedge the computer room door open. Much easier."
       • "They have blocked my favorite Web site. Lucky I have a modem."
       • "I think I will use my first name as a password."
       • "Say, we run a network too. How do you configure your firewalls?"
       • "Why do we need the door locked?"
       • "Hey, nice modem. What's the number of that line?"
       • "I can never think of a good password. What do you use?"
  3. 3. Understanding The Landscape. Diagram labels: Author, Script-Kiddie, Hobbyist Hacker, Expert, Specialist; Vandal, Thief, Spy, Trespasser; National Interest, Personal Gain, Personal Fame, Curiosity.
  4. 4. An Evolving Threat. Diagram labels: Hobbyist Hacker, Expert, Specialist, Script-Kiddie; Author, Vandal, Thief, Spy, Trespasser; National Interest, Personal Gain, Personal Fame, Curiosity. Annotations: Largest area by volume; Largest area by $ lost; Largest segment by $ spent on defense; Fastest growing segment.
  5. 5. WHAT IS IP-SPOOFING? IP -> Internet Protocol. Spoofing -> Hiding. It is a trick played on servers to fool the target computer into thinking that it is receiving data from the trusted host rather than from the actual sender. This attack is actually a trust-relationship exploitation. "Things are not what they seem and that is why the world gets conned."
  6. 6. REAL LIFE EXAMPLE TO EXPLAIN WHAT IS IP SPOOFING. Diagram: three people, A, B and C; caption "B is on line"; A is disguising his voice, making it sound more like that of B. If we now replace the 3 people by computers and change the term "voice" to "IP address", then you will know what we mean by IP spoofing.
  7. 7. IP SPOOFING. Diagram labels: HACKER (Attacking Host); VICTIM (Remote Host); FAKE (Trusted Host); Datagram (Data Packets).
  8. 8. THE 3-WAY HANDSHAKE (packets A, B and C between CLIENT and HOST). PACKET DESCRIPTION:
       • A: SYN = client's ISN (4894305), ACK = 0
       • B: SYN = host's ISN (1896955367), ACK = client's ISN + 1 (4894306)
       • C: ACK = host's ISN + 1 (1896955368)
  9. 9. THE ATTACK IN BRIEF
       1. The Target Host is chosen.
       2. A pattern of trust is discovered, along with the Trusted Host.
       3. The Trusted Host is disabled and the Target's TCP sequence number is detected.
       4. The Trusted Host is impersonated, the sequence numbers guessed, and a connection attempt is made to a service that only requires address-based authentication.
     -- ON SUCCESS THE ATTACKER ISSUES A SIMPLE COMMAND TO LEAVE A BACKDOOR --
  10. 10. THE ATTACK. Diagram labels: HACKER (Attacking Host); VICTIM (Remote Host); FAKE; Packets with IP Address of Trusted Host (FAKE).
  11. 11. THE ATTACK. Diagram labels: VICTIM (Remote Host); FAKE (Trusted Host); SYN/ACK PACKETS.
  12. 12. TRUSTED HOST DISABLING. As soon as we find the TRUSTED-HOST (FAKE), our next step is to disable it. WHY? "-- FAKE must not at any time respond to the SYN/ACK packet sent by VICTIM --" How to do it? Use up all the memory of TRUSTED-HOST so that it will not be able to respond to the SYN/ACK packet sent to it by the VICTIM. So one very easy method of doing so is to perform the SYN flooding denial-of-service attack.
  13. 13. So what is SYN flooding? There is an upper limit on how many concurrent SYN requests TCP can process for a given socket; this limit is called the BACKLOG LIMIT. Backlog limit = length (Queue). Diagram: a run of SYN packets filling the BACKLOG QUEUE, marked QUEUE FULL.
  14. 14. BLIND ATTACK. Diagram labels: FAKE (Trusted Host); SYN/ACK PACKETS; VICTIM (Remote Host); HACKER (Attacking Host).
  15. 15. THE ATTACK. Diagram labels: HACKER (Attacking Host); VICTIM (Remote Host); SYN/ACK Packets acknowledging Trusted Host has received SYN/ACK Packets.
  16. 16. Detection
       • Monitoring packets
       • Packets on the external interface with both source and destination IP addresses in your local domain.
       • Accounting logs between systems on your internal network.
       • Log entry on the victim machine showing a remote access
       • Detecting unusual activity
  17. 17. Preventive Measures: 1. Packet Filtering 2. Firewall 3. Initial Sequence Number Randomizing
  18. 18. Packet Filtering
       • Internal network connected to the Internet.
       • The router filters packet by packet; the decision to forward or drop a packet is based on:
         -- Source IP address, destination IP address.
         -- TCP SYN and ACK bits.
     Should an arriving packet be allowed in? A departing packet let out?
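
The packet-by-packet decision on slide 18, together with the detection check on slide 16 (a packet on the external interface whose source and destination are both local), as an added example that is not part of the original slides. The address ranges, the `PUBLIC_SERVERS` set and all function names are assumptions made for the illustration; the filter is stateless, as on the slide.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions for this example: the local domain is the RFC 5737 documentation
# range, and one host in it accepts connections from outside.
LOCAL_NETS = [ip_network("192.0.2.0/24")]
PUBLIC_SERVERS = {"192.0.2.10"}

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "external" or "internal"
    src: str
    dst: str
    syn: bool = False
    ack: bool = False

def is_local(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def decide(pkt: Packet) -> tuple[str, str]:
    """Return (action, reason) for one packet, router style."""
    if pkt.iface == "external":
        # A local source address can never legitimately arrive from outside.
        if is_local(pkt.src):
            return "drop", "ingress: local source on external interface"
        # SYN without ACK opens a new connection; only published servers accept.
        if pkt.syn and not pkt.ack and pkt.dst not in PUBLIC_SERVERS:
            return "drop", "ingress: unsolicited SYN to non-public host"
        return "forward", "ingress ok"
    # Departing packet: the source must belong to us (stops outbound spoofing).
    if not is_local(pkt.src):
        return "drop", "egress: non-local source"
    return "forward", "egress ok"

def spoof_alerts(packets):
    """Detection check from slide 16: both addresses local, seen on the external side."""
    return [p for p in packets
            if p.iface == "external" and is_local(p.src) and is_local(p.dst)]

# Constructed sample traffic.
SAMPLE = [
    Packet("external", "198.51.100.7", "192.0.2.10", syn=True),   # new inbound to server
    Packet("external", "192.0.2.5", "192.0.2.20", syn=True),      # claims a local source
    Packet("external", "198.51.100.7", "192.0.2.20", syn=True),   # unsolicited SYN
    Packet("external", "203.0.113.9", "192.0.2.20", syn=True, ack=True),  # reply to our SYN
    Packet("internal", "192.0.2.20", "203.0.113.9", syn=True),    # normal outbound
    Packet("internal", "10.9.9.9", "203.0.113.9", syn=True),      # forged outbound source
]
```

Dropping the second sample packet at the border is what breaks the address-based trust the attack relies on; logging it through `spoof_alerts` gives the detection signal as well.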
  19. 19. "Our network is secure, right?" "Oh sure, don't worry. We have several firewalls."
  20. 20. Initial Sequence Number (ISN) Randomizing. ISN incrementation:
       • At every connection: incremented by 64,000
       • At every sec.: incremented by 128,000
     Its value wraps every 9.32 hrs. So it's easy for any genius to do the guesswork and calculate the correct sequence number.
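
Why the incrementing scheme on slide 20 is guessable and what randomizing changes, as an added example that is not part of the original slides. `legacy_isn` uses only the slide's two increments; `rfc6528_isn` follows the RFC 6528 form ISN = M + F(connection 4-tuple, secret key), with HMAC-SHA256 chosen here as F. All function names are assumptions.

```python
import hashlib
import hmac

MOD = 2**32
PER_SECOND = 128_000      # slide 20: increment at every second
PER_CONNECTION = 64_000   # slide 20: increment at every connection

def wrap_hours() -> float:
    """Hours for the per-second increments alone to wrap the 32-bit ISN space."""
    return MOD / PER_SECOND / 3600

def legacy_isn(seconds: int, connections: int) -> int:
    """Incrementing ISN: a pure function of uptime and connection count."""
    return (seconds * PER_SECOND + connections * PER_CONNECTION) % MOD

def expected_next_legacy_isn(observed: int, elapsed_seconds: int) -> int:
    """With the legacy scheme, one observed ISN fixes the value the next
    connection receives; nothing secret enters the calculation."""
    return (observed + PER_CONNECTION + elapsed_seconds * PER_SECOND) % MOD

def rfc6528_isn(key: bytes, laddr: str, lport: int, raddr: str, rport: int,
                micros: int) -> int:
    """Randomized ISN: a 4-microsecond timer plus a keyed hash of the 4-tuple.
    Without the key, an ISN seen on one connection says nothing about another."""
    four_tuple = f"{laddr}:{lport}-{raddr}:{rport}".encode()
    digest = hmac.new(key, four_tuple, hashlib.sha256).digest()
    offset = int.from_bytes(digest[:4], "big")
    return (micros // 4 + offset) % MOD

if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed value; a real stack draws this at boot
    print(f"legacy ISN space wraps every {wrap_hours():.2f} h")
    print(rfc6528_isn(key, "192.0.2.10", 513, "198.51.100.7", 1023, 0))
    print(rfc6528_isn(key, "192.0.2.10", 513, "203.0.113.9", 1023, 0))
```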
  21. 22. CONCLUSION. IP spoofing is an exploitation of a trust-based relationship and can be curbed effectively if proper measures are used. Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect networks from these malicious cloaking and cracking techniques.
  22. 23. Make your Network Secure
  23. 24. IP-Spoofing Software in Technical Discussion. Part 1: Target is being attacked with the UDP packets, when no measures were taken. Diagram labels: Client, Client, Client/Server, Target, Victim, Hacker, UDP.
  24. 25. IP-Spoofing Software in Technical Discussion. Part 2: Target is being attacked but the software is the interface to this. Diagram labels: Client, Client, Client/Server, Target, Victim, Hacker, The s/w, UDP.
  25. 26. IP-Spoofing Software in Technical Discussion. Part 3: The s/w role as an interface
       1) Scans all the registered IP addresses for their authenticity (myip log file: list of registered clients). While scanning these it also resolves the respective MAC address at runtime.
       2) Maintains the list of spoofed clients (log file).
  26. 27. IP-Spoofing Software in Technical Discussion. Part 3.1: The s/w role as an interface
       3) Maintains the list of registered clients whenever they communicate (myhost log file: list of registered clients).
       4) The unauthorised user is blocked.
  27. 29. UDP HEADER (32 bits per row, split at bit 16)
       • Source port | Destination port
       • Length | Checksum
       • Data
  28. 30. TCP header structure (32 bits per row, split at bit 16)
       • Source port | Destination port
       • Sequence number
       • Acknowledgement number
       • Offset | Reserved | U A P R S F | Window
       • Checksum | Urgent pointer
       • Option + Padding
       • Data