AGENDA
1. What is IP spoofing?
2. Why is IP spoofing so easy?
3. Kinds of IP spoofing
4. A brief idea of the TCP header
5. Mechanism of IP spoofing
6. Prevention of IP spoofing
WHAT IS IP SPOOFING? The attacker sends packets that carry an Internet Protocol (IP) source address which is not its own, so that it appears to be a trusted machine. This is the prime weakness of networks whose access control is based on IP addresses. The attacker either does not care about receiving the replies (denial of service) or has some way of guessing what the replies contain. The forged address may be an internal address or an authorised address from an external network.
WHY IS IP SPOOFING POSSIBLE? None of the fields in an IP header is authenticated or encrypted, so it is easy to set an arbitrary source address. The destination has no way to ascertain that the datagram actually originated from the address in the source field rather than from some other host. Routers forward on the destination address only and, by default, do not check the source.
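To make the point concrete, here is an added example (not part of the slides) that serialises an IPv4 datagram carrying a TCP SYN and then decodes it the way a receiver would. The source address is an ordinary 4-byte field that the builder copies in unchanged, and the TCP checksum is computed over a pseudo-header containing that same claimed address, so even the checksum comes out consistent with the forgery. The addresses and ports are placeholders from the documentation ranges (192.0.2.10 standing in for a trusted host, 192.0.2.20 for the target, port 513 for rlogin), and the example only builds and parses bytes; the commented-out raw-socket call shows how they would be transmitted.

```python
import socket
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"",
                   ttl=64, ident=0x1234, window=8192):
    """Serialise an IPv4 datagram carrying a TCP segment.

    src_ip is copied into the header exactly as given: nothing here, and nothing
    in the protocol, ties it to the machine that will actually transmit the bytes.
    """
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: 5 words, no options, checksum field zero for now
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    # The TCP checksum covers a pseudo-header built from the *claimed* addresses,
    # so it is consistent with a spoofed source rather than detecting it.
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), ident, 0,
                     ttl, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode what a receiver can see; the only check available to it is the checksum."""
    (ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    seg = pkt[ihl:]
    sport, dport, seq, ack, off, flags, _win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(seg))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "ip_checksum_ok": checksum(pkt[:ihl]) == 0,      # sum including the field folds to 0
        "tcp_checksum_ok": checksum(pseudo + seg) == 0,
        "payload": seg[(off >> 4) * 4:],
    }


def spoofed_syn(trusted_ip="192.0.2.10", target_ip="192.0.2.20"):
    """A SYN to the target's rlogin port that claims to come from trusted_ip (placeholder addresses)."""
    pkt = build_ipv4_tcp(trusted_ip, target_ip, sport=1023, dport=513, seq=0x1000, ack=0, flags=SYN)
    # To put it on the wire (root required):
    #   socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW).sendto(pkt, (target_ip, 0))
    # The kernel transmits the bytes as given and never compares src_ip with its own address.
    return parse_ipv4_tcp(pkt)


if __name__ == "__main__":
    for field, value in spoofed_syn().items():
        print(f"{field:16} {value!r}")
```

Both checksums verify on the forged packet, which is exactly why a checksum is not an integrity or origin check: it only protects against accidental corruption in transit.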
KINDS OF IP SPOOFING. Non-blind spoofing: used when the attacker is on the same subnet as the victim. The attacker sniffs the packets of an existing connection, so the sequence and acknowledgement numbers are available to it and need not be guessed.
CONTINUED. Blind spoofing: the attacker is not on the victim's subnet and cannot see the replies, so several packets are sent to the target machine beforehand in order to sample its sequence numbers. In either kind, host C sends an IP datagram to host B with the address of some other host (host A) as the source address; the attacked host (B) replies to the legitimate host (A), not to C.
TCP HEADER. TCP is a connection-oriented transport layer protocol. The two header fields this attack depends on are the sequence number and the acknowledgement number.
CONTINUED. Each party numbers the bytes it sends, starting from its own initial sequence number (ISN). When data are sent in segments, each segment carries a sequence number, which is the number of the first byte in that segment. An acknowledgement number is used to confirm the bytes a host has received: it is the number of the next byte the host expects. SYN: the synchronise-sequence-numbers flag. ACK: the acknowledgement flag.
MECHANISM OF IP SPOOFING. First, the IP address of a host that the target trusts, on the same subnet or on an external network, is obtained.
HOW TO FIND THE TARGET'S TCP SEQUENCE NUMBER? The attacker acquires a current initial sequence number from the target by opening some other TCP connection to it, from its own address, just prior to launching the attack. The round-trip time (RTT) to the target is measured as well, because the target's sequence-number counter advances with time as well as per connection, so the RTT is needed to predict the number the target will use for the next connection. Now the attack begins.
ATTACK MECHANISM. Three cases may arise when the attacker's guessed sequence number is compared with the number the target TCP expects:
1. Guessed number = expected number on the target TCP: the segment is accepted as in-sequence data.
2. Guessed number < expected number on the target TCP: the target treats the data as an old duplicate and discards it.
3. Guessed number > expected number on the target TCP: if it lies within the receive window the data are held until the gap is filled; if it lies beyond the window the segment is dropped.
CONTINUED. Z is the attacker, B the trusted host whose address Z forges (written Z(b)), and A the target:
1. Z(b) - -SYN- -> A
2. B <- -SYN/ACK- - A
3. Z(b) - -ACK- -> A
4. Z(b) - -PSH- -> A
A's SYN/ACK goes to the real B, and Z never sees it; B must be kept from answering (for example by a denial-of-service flood), or it would reset a connection it knows nothing about. In step 3 Z has to supply A's sequence number plus one, which is where the guess comes in. Once the connection is established, the attacker inserts a backdoor that allows a simple way back in; a command like 'cat + + >> ~/.rhosts' can be used, which makes the host trust every user on every machine.
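The following added example, which is not code from the slides, models the four-step exchange above against a minimal TCP receiver and shows the three sequence-number cases from the previous slide. Two things are assumptions made for the example: the target hands out initial sequence numbers with a fixed increment per connection (standing in for the old counter-based ISN schemes; the time-based component that makes the RTT matter is left out), and the hosts use placeholder addresses (203.0.113.9 for the attacker Z, 192.0.2.10 for the trusted host B, the listener object for the target A). The receiver model only implements what the slides discuss: the handshake, a receive window, and in-order delivery.

```python
SYN, ACK, PSH = 0x02, 0x10, 0x08


class PredictableISN:
    """Toy initial-sequence-number generator: a fixed increment per connection.

    An assumption for this example; it stands in for the old counter-based ISN
    schemes (constant step per connection plus a time-based component) that made
    the guess feasible. The time-based part is left out here.
    """
    def __init__(self, start, step):
        self.next_isn, self.step = start, step

    def __call__(self):
        isn = self.next_isn
        self.next_isn = (isn + self.step) & 0xFFFFFFFF
        return isn


class Listener:
    """Minimal model of the target host A's TCP: handshake, then windowed delivery."""

    def __init__(self, isn_gen, window=4096):
        self.isn_gen, self.window = isn_gen, window
        self.conns = {}   # (src_ip, sport) -> connection state
        self.wire = []    # (dst_ip, flags, seq, ack) segments that A transmits

    def receive(self, src_ip, sport, flags, seq, ack=0, payload=b""):
        key = (src_ip, sport)
        c = self.conns.get(key)
        if c is None:
            if not flags & SYN:
                return "no connection: dropped"
            isn = self.isn_gen()
            self.conns[key] = {"state": "SYN-RECEIVED", "snd_nxt": isn + 1,
                               "rcv_nxt": seq + 1, "queued": {}, "delivered": b""}
            self.wire.append((src_ip, SYN | ACK, isn, seq + 1))   # goes to the *claimed* source
            return "SYN/ACK sent to " + src_ip
        if c["state"] == "SYN-RECEIVED":
            if flags & ACK and ack == c["snd_nxt"]:
                c["state"] = "ESTABLISHED"
                return "established"
            return "bad ack: dropped"          # a real stack would also send RST
        return self._deliver(c, seq, payload)

    def _deliver(self, c, seq, payload):
        """The three cases of the slide, judged against rcv_nxt and the window."""
        rcv_nxt = c["rcv_nxt"]
        if not payload:
            return "no data"
        if seq < rcv_nxt:
            return "below expected: old duplicate, discarded"
        if seq >= rcv_nxt + self.window:
            return "beyond window: dropped"
        if seq > rcv_nxt:
            c["queued"][seq] = payload
            return "above expected but in window: queued, not delivered"
        c["delivered"] += payload
        c["rcv_nxt"] += len(payload)
        while c["rcv_nxt"] in c["queued"]:           # queued data that now fits the gap
            data = c["queued"].pop(c["rcv_nxt"])
            c["delivered"] += data
            c["rcv_nxt"] += len(data)
        return "expected: delivered"


def sequence_cases(window=4096):
    """One established connection probed with each of the three guesses."""
    a = Listener(PredictableISN(start=1, step=1), window)
    a.receive("10.0.0.5", 2000, SYN, seq=100)
    a.receive("10.0.0.5", 2000, ACK, seq=101, ack=2)
    conn = a.conns[("10.0.0.5", 2000)]
    exact = a.receive("10.0.0.5", 2000, PSH | ACK, conn["rcv_nxt"], 2, b"x")
    return {
        "equal": exact,
        "less": a.receive("10.0.0.5", 2000, PSH | ACK, conn["rcv_nxt"] - 10, 2, b"x"),
        "greater_in_window": a.receive("10.0.0.5", 2000, PSH | ACK, conn["rcv_nxt"] + 100, 2, b"x"),
        "beyond_window": a.receive("10.0.0.5", 2000, PSH | ACK, conn["rcv_nxt"] + window + 1, 2, b"x"),
    }


def blind_spoof(step=64000, guess_error=0):
    """Z forges trusted host B (192.0.2.10) towards target A; guess_error perturbs the guess."""
    a = Listener(PredictableISN(start=1_000_000, step=step))
    # Sample an ISN with a throwaway connection from Z's own address, then predict the next one.
    a.receive("203.0.113.9", 40000, SYN, seq=5000)
    predicted = (a.wire[-1][2] + step) & 0xFFFFFFFF
    # 1. Z(b) --SYN--> A.   2. A's SYN/ACK goes to B, which must stay silent; Z never sees it.
    a.receive("192.0.2.10", 1023, SYN, seq=777)
    assert a.wire[-1][0] == "192.0.2.10"
    guess = predicted + 1 + guess_error
    # 3. Z(b) --ACK--> A with the guessed ISN+1.   4. Z(b) --PSH--> A with the backdoor command.
    step3 = a.receive("192.0.2.10", 1023, ACK, seq=778, ack=guess)
    step4 = a.receive("192.0.2.10", 1023, PSH | ACK, seq=778, ack=guess,
                      payload=b"cat + + >> ~/.rhosts\n")
    return step3, step4, a.conns[("192.0.2.10", 1023)]["delivered"]


if __name__ == "__main__":
    print(sequence_cases())
    print(blind_spoof())                 # exact guess: command is delivered
    print(blind_spoof(guess_error=7))    # wrong guess: nothing gets through
```

With an exact prediction the forged ACK completes the handshake and the PSH data are delivered to the application, even though Z never received a single byte from A. Off by a few, and the connection is never established; the whole attack rests on the predictability of the ISN, which is why random ISNs (and the filtering on the next slides) defeat it.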
PREVENTION OF IP SPOOFING. PACKET FILTERING: packets entering and leaving the network should be filtered. Egress filtering checks the packets leaving the network, ensuring that packets with forged source addresses do not leave it. Ingress filtering checks that incoming packets really come from the network they claim to be from. On Linux the kernel's reverse-path filter does this per interface; the value 1 selects strict mode (the source must be reachable through the interface the packet arrived on) and 2 loose mode (the source must be reachable through some interface). Strict mode is the one that catches a forged internal source arriving from outside, and a shell redirection cannot write to several files at once, so enable it with a loop:
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
FILTERING AT THE ROUTER: if a site has direct access to the internet, its border routers can do the filtering. If only hosts on the internal network take part in trust relationships, simply filter out all traffic arriving from outside that purports to come from inside. An access control list on the interface that receives traffic from the internet should also block packets with private source addresses, which can never legitimately arrive from outside.
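As an added illustration of the two previous slides (example code, not from the presentation), the block below models a border router with an internal interface eth1 serving 192.0.2.0/24 and an upstream interface eth0, both assumed for the example. It applies the static ingress/egress ACL the slides describe and, separately, a reverse-path check in the strict and loose modes of the Linux rp_filter, using a constructed two-entry forwarding table and a blackhole list (standing in for `ip route add blackhole ...` entries). The sample packets are constructed as well. Running it shows which kind of spoofed source each mechanism catches and, just as importantly, which it does not.

```python
import ipaddress

# Site layout assumed for the example: eth1 faces the internal 192.0.2.0/24 network,
# eth0 faces the upstream provider.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
PRIVATE_OR_RESERVED = [ipaddress.ip_network(n) for n in
                       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

# Constructed forwarding table (longest prefix wins) and blackhole list.
ROUTES = [
    (ipaddress.ip_network("192.0.2.0/24"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]
BLACKHOLE = [ipaddress.ip_network("203.0.113.0/24")]


def route_iface(ip):
    """Interface a packet *to* ip would leave on, or None if that prefix is blackholed."""
    if any(ip in n for n in BLACKHOLE):
        return None
    best = max(((net, iface) for net, iface in ROUTES if ip in net),
               key=lambda entry: entry[0].prefixlen)
    return best[1]


def acl_verdict(src, in_iface):
    """The static ingress/egress access list of the slides (BCP 38 style)."""
    src = ipaddress.ip_address(src)
    if in_iface == "eth0":                        # ingress: arriving from the internet
        if src in INTERNAL:
            return "drop (ingress): source claims to be inside"
        if any(src in n for n in PRIVATE_OR_RESERVED):
            return "drop (ingress): private/reserved source"
    elif in_iface == "eth1":                      # egress: leaving our network
        if src not in INTERNAL:
            return "drop (egress): source is not one of ours"
    return "pass"


def rp_filter_verdict(src, in_iface, mode):
    """Reverse-path check as Linux rp_filter does it: 0 = off, 1 = strict, 2 = loose."""
    src = ipaddress.ip_address(src)
    if mode == 0:
        return "pass"
    back = route_iface(src)
    if back is None:
        return "drop (rp_filter): no route back to source"
    if mode == 1 and back != in_iface:
        return "drop (rp_filter strict): reply would leave via %s, packet came in on %s" % (back, in_iface)
    return "pass"


# Constructed sample: (source address, interface the packet arrived on).
SAMPLE = [
    ("192.0.2.10", "eth0"),     # forged internal source arriving from outside
    ("10.1.2.3", "eth0"),       # private source arriving from outside
    ("198.51.100.7", "eth0"),   # ordinary external host
    ("198.51.100.7", "eth1"),   # our host spoofing an outside address on the way out
    ("192.0.2.10", "eth1"),     # legitimate internal traffic
    ("203.0.113.5", "eth0"),    # source in a blackholed prefix
]


def evaluate(sample=SAMPLE):
    """Map each sample packet to (ACL verdict, strict rp_filter verdict, loose rp_filter verdict)."""
    return {(src, iface): (acl_verdict(src, iface),
                            rp_filter_verdict(src, iface, 1),
                            rp_filter_verdict(src, iface, 2))
            for src, iface in sample}


if __name__ == "__main__":
    for (src, iface), verdicts in evaluate().items():
        print(f"{src:>14} on {iface}:")
        for label, v in zip(("ACL", "rp_filter=1", "rp_filter=2"), verdicts):
            print(f"    {label:12} {v}")
```

Two results are worth noticing. A private source such as 10.1.2.3 passes strict rp_filter, because the default route makes it "reachable" via eth0; only the explicit ACL, or a blackhole route for the bogon prefixes, stops it. Loose mode passes the forged internal address arriving on eth0 as well, since a reverse path to it exists on eth1; loose mode mainly adds value on routers with asymmetric routing, where strict mode would drop legitimate traffic.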
ENCRYPTION AND AUTHENTICATION: authentication based purely on the source address of the host (as in rhosts and the r-commands) should be eliminated. Implement cryptographic authentication system-wide, so that a forged address on its own gains nothing. If trusted hosts on an external network must be allowed, run their sessions over an encrypted, authenticated channel terminated at the router (for example a VPN).
CONCLUSION. IP spoofing is a difficult problem to tackle because it is rooted in the structure of the IP packet itself. Although there is no easy solution, we can apply simple proactive and reactive measures on the hosts and use the routers in the network to detect a spoofed packet and trace it back towards its origin.
REFERENCES
1. Farha Ali, "IP Spoofing", Lander University.
2. "IP spoofing", http://bear.cba.ufl.edu/teets/projects/ISM6222F102/perryna/index.html
3. S. M. Bellovin, "Security Problems in the TCP/IP Protocol Suite", AT&T Bell Laboratories, Murray Hill, New Jersey 07974, http://www.research.att.com/~smb/papers/ipext.pdf
4. Thomas Toth, "TCP/IP Protocol Suite", http://www.infosys.tuwien.ac.at/Teaching/Courses/InetSec/slides/slides2.pdf
5. http://www.webopedia.com/TERM/I/IP_spoofing.html