IP Spoofing - PowerPoint PPT Presentation

Slides: 24
Provided by: BAO66
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes


1
IP Spoofing
  • Bao Ho
  • ToanTai Vu
  • CS 265 - Security Engineering
  • Spring 2003
  • San Jose State University

2
Presentation Outline
  • Introduction, Background
  • Attacks with IP Spoofing
  • Counter Measures
  • Summary

3
IP Spoofing
  • IP spoofing is a technique used to gain
    unauthorized access to computers.
  • IP: Internet Protocol
  • Spoofing: using somebody else's information
  • Exploits trust relationships
  • The intruder sends messages to a computer with the IP
    address of a trusted host.

4
IP / TCP
  • IP is connectionless, unreliable
  • TCP is connection-oriented
  • TCP/IP handshake

A → B: SYN, my number is X
B → A: ACK, now X+1; SYN, my number is Y
A → B: ACK, now Y+1

5
A blind Attack
  • Host I cannot see what Host V sends back

6
IP Spoofing Steps
  • Select a target host (the victim)
  • Identify a host that the target trusts
  • Disable the trusted host and sample the target's
    TCP sequence numbers
  • The trusted host is impersonated and the ISN
    forged.
  • A connection is attempted to a service that only
    requires address-based authentication.
  • If the connection succeeds, the attacker executes a
    simple command to leave a backdoor.

7
IP Spoofing Attacks
  • Man in the middle
  • Routing
  • Flooding / Smurfing

8
Attacks
  • Man-in-the-middle
  • The attacker sniffs packets on the link between the
    two endpoints, and can therefore pretend to be one
    end of the connection.

9
Attacks
  • Routing redirect: redirects routing information
    from the original host to the attacker's host.
  • Source routing: the attacker redirects individual
    packets through the hacker's host.

10
Attacks
  • Flooding: a SYN flood fills up the receive queue
    with requests from random source addresses.
  • Smurfing: an ICMP packet is spoofed to originate from
    the victim and destined for the broadcast address,
    causing all hosts on the network to respond to
    the victim at once.

11
IP-Spoofing Facts
  • The IP protocol is inherently weak
  • Makes no assumption about sender/recipient
  • Nodes on the path do not check the sender's identity
  • There is no way to completely eliminate IP
    spoofing
  • Can only reduce the possibility of attack

12
IP-Spoofing Counter-measures
  • No insecure authenticated services
  • Disable commands like ping
  • Use encryption
  • Strengthen TCP/IP protocol
  • Firewall
  • IP traceback

13
No insecure authenticated services
  • The r-services are hostname-based or IP-based
  • Use other, more secure alternatives, e.g., ssh
  • Remove the binary files
  • Disable them in inetd, xinetd
  • Clean up .rhosts files and /etc/hosts.equiv
  • No applications with hostname/IP-based
    authentication, if possible
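
An audit that supports the clean-up step above, as an added example that is not part of the original slides: it walks a directory tree, finds every .rhosts and hosts.equiv file, and flags "+" wildcard entries that trust any host or user. The directory layout and host names are constructed sample data.

```python
import os
import tempfile

TRUST_FILES = {".rhosts", "hosts.equiv"}

def audit_trust_file(path):
    """Return (line_no, entry, severity) findings for one r-services trust file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            entry = raw.strip()
            if not entry:
                continue
            fields = entry.split()
            host = fields[0]
            user = fields[1] if len(fields) > 1 else ""
            # A bare "+" is a wildcard: any host (or any user) is trusted.
            severity = "critical" if "+" in (host, user) else "review"
            findings.append((no, entry, severity))
    return findings

def scan(root):
    """Walk root and audit every .rhosts / hosts.equiv file found."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in TRUST_FILES:
                full = os.path.join(dirpath, name)
                report[os.path.relpath(full, root)] = audit_trust_file(full)
    return report

def build_sample_tree(root):
    """Constructed sample layout, not taken from any real system."""
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "home", "alice"))
    with open(os.path.join(root, "etc", "hosts.equiv"), "w") as fh:
        fh.write("trusted.example.com\n")
    with open(os.path.join(root, "home", "alice", ".rhosts"), "w") as fh:
        fh.write("+ +\n\nbuild.example.com alice\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, findings in sorted(scan(tmp).items()):
            for no, entry, severity in findings:
                print(f"{path}:{no}: [{severity}] {entry}")
```

Every entry in these files grants address-based trust, so "review" entries are candidates for removal too; "critical" ones should go first.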

14
Disable ping command
  • The ping command is rarely used
  • Can be used to trigger a DoS attack by flooding
    the victim with ICMP packets
  • This attack does not crash the victim, but consumes
    network bandwidth and system resources
  • The victim fails to provide other services, and halts
    if it runs out of memory

15
DoS using Ping

16
Use Encryption
  • Encrypt traffic, especially TCP/IP packets and
    Initial Sequence Numbers
  • Kerberos is free and is built into the OS
  • Limit session time
  • Digital signatures can be used to identify the
    sender of a TCP/IP packet.

17
Strengthen TCP/IP protocol
  • Use good random number generators to generate the ISN
  • Shorten the time-out value for TCP/IP requests
  • Increase the request queue size
  • Cannot completely prevent TCP/IP
    half-open-connection attacks
  • Can only buy more time, in the hope that the attack
    will be noticed.
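
Why the ISN generator matters, as an added example that is not part of the original slides: it compares a fixed-step counter with an RFC 6528 style generator (ISN = timer + F(connection 4-tuple, secret key)) and counts how often the next ISN can be extrapolated from the previous two. Using HMAC-SHA256 as F, the class names, addresses and ports are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

MOD = 2 ** 32

class CounterISN:
    """Weak generator: the ISN advances by a fixed step per connection."""
    def __init__(self, start=1000, step=64000):
        self.value, self.step = start, step

    def next(self, conn):
        self.value = (self.value + self.step) % MOD
        return self.value

class KeyedISN:
    """RFC 6528 style: ISN = timer + F(connection 4-tuple, secret key)."""
    def __init__(self, key=None):
        self.key = key or os.urandom(16)
        self.timer = 0

    def next(self, conn):
        self.timer += 1  # stands in for the slowly advancing clock term
        msg = "{}:{}>{}:{}".format(*conn).encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return (self.timer + struct.unpack("!I", digest[:4])[0]) % MOD

def prediction_hits(gen, samples=20):
    """Count how often 'last ISN + last delta' equals the next ISN issued."""
    # Constructed connections: same hosts, a new client port each time.
    conns = [("192.0.2.10", 40000 + i, "192.0.2.20", 513) for i in range(samples)]
    isns = [gen.next(c) for c in conns]
    hits = 0
    for i in range(2, samples):
        guess = (2 * isns[i - 1] - isns[i - 2]) % MOD
        hits += guess == isns[i]
    return hits

if __name__ == "__main__":
    print("counter ISN :", prediction_hits(CounterISN()), "of 18 predicted")
    print("keyed ISN   :", prediction_hits(KeyedISN()), "of 18 predicted")
```

The same measurement can be run against ISNs recorded from a host's own SYN-ACK replies to check which behaviour its TCP stack shows.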

18
Firewall
  • Limit traffic to the services that are offered
  • Control access from within the network
  • Free software: ipchains, iptables
  • Commercial firewall software
  • Packet-filtering routers with a built-in firewall
  • Multiple layers of firewalls
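
One source-address check a packet filter can apply against spoofing, as an added example that is not part of the original slides: it goes beyond the bullets above by showing ingress and egress filtering, where a packet is dropped when its source address cannot belong to the interface it arrived on. The internal prefix 10.1.0.0/16, the interface names and the sample packets are assumptions of this example.

```python
import ipaddress

# Assumed site layout for this example: one internal prefix behind the firewall.
INTERNAL = ipaddress.ip_network("10.1.0.0/16")
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NOT_A_SENDER = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]

def filter_source(iface, src):
    """Return (verdict, reason) for a packet seen on 'external' or 'internal'."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in NOT_A_SENDER):
        return "drop", "source is not valid on a routed path"
    if iface == "external":
        if addr in INTERNAL:
            return "drop", "internal source arriving from outside"
        if any(addr in net for net in PRIVATE):
            return "drop", "private source arriving from the Internet"
        return "accept", "plausible external source"
    if iface == "internal":
        if addr not in INTERNAL:
            return "drop", "egress: source is not one of our addresses"
        return "accept", "internal source on internal interface"
    raise ValueError(f"unknown interface {iface!r}")

# Constructed sample packets (interface, source address); not captured traffic.
SAMPLES = [
    ("external", "198.51.100.7"),
    ("external", "10.1.4.20"),
    ("external", "192.168.1.5"),
    ("external", "127.0.0.1"),
    ("internal", "10.1.4.20"),
    ("internal", "203.0.113.9"),
]

def run_samples():
    """Evaluate every sample packet and return (iface, src, verdict, reason)."""
    return [(i, s, *filter_source(i, s)) for i, s in SAMPLES]

if __name__ == "__main__":
    for iface, src, verdict, reason in run_samples():
        print(f"{iface:8} {src:15} {verdict:6} {reason}")
```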

19
Network layout with Firewall

20
IP Trace-back
  • To trace back as close to the attacker's location
    as possible
  • Limited in reliability and efficiency
  • Requires the cooperation of many other network
    operators along the routing path
  • Generally does not receive much attention from
    network operators

21
Summary/Conclusion
  • IP spoofing attacks are unavoidable.
  • Understanding how and why spoofing attacks are
    used, combined with a few simple prevention
    methods, can help protect your network from these
    malicious cloaking and cracking techniques.

23
Questions / Answers