WHAT IS IP-SPOOFING?
IP -> Internet Protocol. Spoofing -> Hiding.
It is a trick played on servers to fool the target computers into thinking that they are receiving data from a source other than the trusted host. This attack is actually a trust-relationship exploitation.
REAL LIFE EXAMPLE TO EXPLAIN WHAT IS IP SPOOFING
[Diagram: three people A, B and C. Labels: "B is on line"; "A disguising his voice, making it sound more like that of B".]
If we now replace the 3 people by computers and change the term “voice” with “IP-Address”, then you would know what we mean by IP-SPOOFING…
THE ATTACK
1. Non-blind spoofing: This attack takes place when the attacker is on the same subnet as the target and can see the sequence and acknowledgement numbers of packets.
[Diagram: S, R and A exchanging SYN, SYN,ACK and ACK.]
2. Blind spoofing: This attack may take place from outside, where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to figure out sequence numbers, which was easy to do in older days. Since most OSs implement random sequence number generation today, it has become more difficult to predict the sequence number accurately. If, however, the sequence number was compromised, data could be sent to the target.
3. Denial of Service Attack: IP spoofing is almost always used in denial of service (DoS) attacks, in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time.
4. Man in the Middle Attack: This is also called connection hijacking. In this attack, a malicious party intercepts a legitimate communication between two hosts to control the flow of communication and to eliminate or alter the information sent by one of the original participants without their knowledge.
[Diagram: S, A and R.]
WHY IP SPOOFING IS EASY?
• Problem with the routers.
• Routers look at destination addresses only.
• Authentication based on source addresses only.
• To change the source address field in the IP header is easy.
DETECTION
Routing Methods
• Ingress filtering
• Egress filtering
Non-Routing Methods
• IP Identification Number
• Flow Control
• Packet Retransmission
• Traceroute
Routing Method
Routers know which IP addresses originate with which network interface. If the router receives IP packets with external IP addresses on an internal interface, or vice versa, they are likely to be spoofed.
Filtering:
• Ingress filtering (inbound packets) - protects the organization from outside attacks.
• Egress filtering (outbound packets) - prevents internal computers from being involved in a spoofing attack.
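The routing-method check on this slide, written out as an added example (not part of the original slides): a router-style decision that drops a packet whose source address does not belong on the interface it arrived on. The internal prefixes, the interface labels and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: prefixes that live behind the router's internal interface
# (documentation ranges, constructed for this example).
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

def check_packet(in_iface, src):
    """Decide forward/drop from the arrival interface and the source address.

    in_iface is "internal" or "external" (hypothetical interface labels).
    Returns (action, reason).
    """
    if in_iface not in ("internal", "external"):
        raise ValueError(f"unknown interface: {in_iface!r}")
    addr = ipaddress.ip_address(src)
    inside = any(addr in net for net in INTERNAL_PREFIXES)
    # Sources that no host can legitimately put on the wire.
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return ("drop", "invalid source address")
    # Ingress filtering: inbound packet claiming to come from our own network.
    if in_iface == "external" and inside:
        return ("drop", "ingress: internal source on external interface")
    # Egress filtering: outbound packet whose source is not one of ours.
    if in_iface == "internal" and not inside:
        return ("drop", "egress: external source on internal interface")
    return ("forward", "source matches arrival interface")

def dropped(packets):
    """Return the (iface, src, reason) entries the filter would drop."""
    out = []
    for iface, src in packets:
        action, reason = check_packet(iface, src)
        if action == "drop":
            out.append((iface, src, reason))
    return out

# Constructed sample traffic: (arrival interface, claimed source address).
SAMPLE = [
    ("external", "203.0.113.7"),    # ordinary inbound packet
    ("external", "192.0.2.10"),     # outside packet claiming an inside address
    ("internal", "198.51.100.20"),  # ordinary outbound packet
    ("internal", "203.0.113.99"),   # inside host sending with a foreign source
    ("external", "127.0.0.1"),      # loopback source arriving from the wire
]

if __name__ == "__main__":
    for entry in dropped(SAMPLE):
        print(entry)
```

A filter of this kind only catches sources that are wrong for the interface; a spoofed address that is plausible for the arrival side still passes, which is why the slides go on to non-routing methods.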
Non-Routing Method
Active - verify that the packet was sent from the claimed source, validate case.
Passive - no such action, indicate packet was spoofed.
Identification Number (ID)
Detects an IP spoofed packet when the attacker is on the same subnet as the target.
[Diagram: S and R, labeled "Send Packet" and "ID values".]
Detection is as follows:
• ID value should be near that of the questionable packets.
• ID value must be greater than the ID value in the questionable packet.
• If it is spoofed, the ID values change rapidly.
Flow Control
[Diagram: S and R exchanging ACK packets; label "W.s. = (exceed)".]
• If the packets are spoofed, the sender gets none of the recipient’s ACK packets and will not respond to flow control.
• If there are no ACK packets from the recipient, the sender should stop after the initial window size is exhausted.
Contd..
Another way to detect IP spoofing.
[Diagram: S and R exchanging SYN and ACK packets; label "w=0".]
• We set W=0 in order to know whether the sender is receiving or not.
• If W=0 and we get an ACK with some data, it means it’s likely to be spoofed.
Packet Retransmission
[Diagram: S and R exchanging ACK, ReSYN and RST packets.]
TCP uses sequence numbers to determine which packets have been acknowledged.
Method to detect:
• When a packet is received with an ACK number less than the minimum expected, or greater than the maximum expected, the packet is dropped and, as a way to resynchronize the connection, a reply with the minimum expected ACK number is sent.
• After the ACK has been received successfully, if an RST is sent in reply the next time, it is spoofed.
Contd..
The firewall captures the reply and prevents the internal host from seeing it, which prevents an ACK storm.
Traceroute
Traceroute tells the number of hops to the true source.
Detection is as follows:
• If the firewall blocks UDP packets, it will count the hops to the firewall.
• If the packet is spoofed, the number of hops increases (the monitored site is more hops away than the true source).
Preventive Measures
1. Packet Filtering
2. Firewall
3. Disable commands like Ping.
4. Encryption
Should an arriving packet be allowed in? A departing packet let out?
• Internal network connected to the Internet.
• The router filters packet-by-packet; the decision to forward/drop packets is based on:
  -- Source IP address, destination IP address.
  -- TCP SYN and ACK bits.
[Cartoon]
"Our network is secure, right?"
"Oh sure, don’t worry. We have several firewalls."
CONCLUSION
IP-Spoofing is an exploitation of a trust-based relationship and can be curbed effectively if proper measures are used. Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect networks from these malicious cloaking and cracking techniques.