1. IP Spoofing Sometimes on the internet, a girl named Alice is really a man named Yves

5. TCP/IP in 3 minutes or less Application Transport Interweb Network Access Physical TCP IP

8. TCP/IP in 3 minutes or less Application Transport Interweb Network Access Physical Application Transport Interweb Network Access Physical Client Using Mozilla HTTP - GET Some Web Server TCP – Port 80 IP – 10.24.1.1 MAC – 00:11:22:33:44:55 1101001001110100110100110101 But what happens if someone is lying??

12. IP Spoofing – The Reset Victim - Bob Sucker - Alice Attacker - Eve 1. SYN – Let’s have a conversation 2. SYN ACK – Sure, what do you want to talk about? 3. RESET – Umm.. I have no idea why you are talking to me 4. No connection – Guess I need to take Bob out of the picture…

14. Mitnick Attack 1. Mitnick Flood’s server’s login port so it can no longer respond 2. Mitnick Probes the Workstation to determine the behaviour of its TCP sequence number generator 3. Mitnick discovers that the TCP sequence number is incremented by 128000 each new connection 4. Mitnick forges a SYN from the server to the terminal 5. Terminals responds with an ACK, which is ignored by the flooded port (and not visible to Mitnick) Server Workstation Kevin Mitnick 6. Mitnick fakes the ACK using the proper TCP sequence number 7. Mitnick has now established a one way communications channel

17. Session Hijack Alice Bob Eve I’m Bob! I’m Alice! 1. Eve assumes a man-in-the-middle position through some mechanism. For example, Eve could use Arp Poisoning, social engineering, router hacking etc... 2. Eve can monitor traffic between Alice and Bob without altering the packets or sequence numbers. 3. At any point, Eve can assume the identity of either Bob or Alice through the Spoofed IP address. This breaks the pseudo connection as Eve will start modifying the sequence numbers

19. DoS Attack Server Attacker Legitimate Users Interweb Fake IPs Service Requests Flood of Requests from Attacker Server queue full, legitimate requests get dropped Service Requests

21. DDoS Attack Server (already DoS’d) Attacker Target Servers Interweb 1. Attacker makes large number of SYN connection requests to target servers on behalf of a DoS’d server 2. Servers send SYN ACK to spoofed server, which cannot respond as it is already DoS’d. Queue’s quickly fill, as each connection request will have to go through a process of sending several SYN ACKs before it times out SYN SYN SYN SYN SYN ACK SYN ACK SYN ACK SYN ACK Queue Full

26. Questions?

27. Application Transport Interweb Network Access Physical Application Transport Interweb Network Access Physical

28. Victim - Bob Sucker - Alice Attacker - Eve

29. Victim - Bob Sucker - Alice Attacker - Eve Interweb

30. IP header 0 16 31 Options and Padding Source Address Destination Address Total Length Fragment Offset Header Checksum Time to Live Protocol Identification Type of Service Flags Version IHL Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt

31. TCP header Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt 0 16 31 Source Port Destination Port Sequence Number Acknowledgement Number Window Urgent Pointer Options and Padding Checksum Flags Reserved Data Offset

32. TCP Sequence Numbers Client Server Start SEQ - 1892 Start SEQ - 15562 1. Client transmits 50 bytes 2. Server transmits 20 bytes 3. Client ACKs, sends no data End SEQ - 1942 End SEQ - 15587 SEQ – 1892 ACK – 15562 Size - 50 SEQ – 15562 ACK – 1942 Size - 25 SEQ – 1942 ACK – 15587 Size - 0