IP spoofing


  • 8/8/2019 IP spoofing

    The Internet Protocol (IP) is a protocol used for communicating data across a packet-switched internetwork using the Internet Protocol Suite, also referred to as TCP/IP. IP is the primary protocol in the Internet Layer of the Internet Protocol Suite and has the task of delivering distinguished protocol datagrams (packets) from the source host to the destination host solely based on their addresses. For this purpose the Internet Protocol defines addressing methods and structures for datagram encapsulation. The first major version of the addressing structure, now referred to as Internet Protocol Version 4 (IPv4), is still the dominant protocol of the Internet, although its successor, Internet Protocol Version 6 (IPv6), is being deployed actively worldwide.

    An Internet Protocol address (IP address) is a numerical label that is assigned to devices participating in a computer network that uses the Internet Protocol for communication between its nodes.[1] An IP address serves two principal functions: host or network interface identification and location addressing. Its role has been characterized as follows: "A name indicates what we seek. An address indicates where it is. A route indicates how to get there."[2]

    The designers of TCP/IP defined an IP address as a 32-bit number[1] and this system, known as Internet Protocol Version 4 or IPv4, is still in use today. However, due to the enormous growth of the Internet and the predicted depletion of available addresses, a new addressing system (IPv6), using 128 bits for the address, was developed in 1995[3] and standardized by RFC 2460 in 1998.[4] Although IP addresses are stored as binary numbers, they are usually displayed in human-readable notations, such as 208.77.188.166 (for IPv4) and 2001:db8:0:1234:0:567:1:1 (for IPv6).

    The Internet Protocol is used to route data packets between networks; IP addresses specify the locations of the source and destination nodes in the topology of the routing system. For this purpose, some of the bits in an IP address are used to designate a subnetwork. The number of these bits is indicated in CIDR notation, appended to the IP address; e.g., 208.77.188.166/24, where the first 24 bits are the network prefix.

    As the development of private networks raised the threat of IPv4 address exhaustion, RFC 1918 set aside a group of private address spaces that may be used by anyone on private networks. They are often used with network address translators to connect to the global public Internet.


    The Internet Assigned Numbers Authority (IANA), which manages the IP address space allocations globally, cooperates with five Regional Internet Registries (RIRs) to allocate IP address blocks to Local Internet Registries (Internet service providers) and other entities.

    IP spoofing: a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with a source IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, an attacker must first use a variety of techniques to find the IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.

    Introduction: IP Spoofing

    An article on "Security Problems in the TCP/IP Protocol Suite" by S.M. Bellovin in 1989 initially explored IP spoofing attacks. He described how Robert Morris, creator of the now infamous Internet Worm, figured out how TCP generated its initial sequence numbers and forged a TCP packet sequence. The forged packets carried the destination address of his victim and the source address of a host the victim trusted, and using this IP spoofing attack Morris was able to obtain root access to his targeted system without a user ID or password.

    Introduction:

    IP spoofing is a technique used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forged source IP address indicating that the message is coming from a trusted host. There are a few variations on the types of attacks that use IP spoofing.

    Spoofing Attacks:

    1. Non-blind spoofing

    This attack takes place when the attacker is on the same subnet as the target and can therefore observe the sequence and acknowledgement numbers of its packets. The threat of this type of spoofing is session hijacking: an attacker can bypass any authentication measures that took place to build the connection. This is accomplished by corrupting the data stream of an established connection, then re-establishing it, using the correct sequence and acknowledgement numbers, with the attack machine.

    2. Blind spoofing

    This attack may take place from outside the target's subnet, where sequence and acknowledgement numbers cannot be observed. Attackers usually send several packets to the target machine in order to sample its initial sequence numbers, which was practical in older days when they were incremented predictably. Today, most operating systems randomize initial sequence number generation, making them difficult to predict accurately. If, however, the sequence number is guessed correctly, data can be sent to the target in the trusted host's name even though the attacker never sees the replies.

    3. Man in the Middle Attack

    This is also called connection hijacking. In this attack, a malicious party intercepts a legitimate communication between two hosts to control the flow of communication and to eliminate or alter the information sent by one of the original participants without their knowledge. In this way, an attacker can fool a target into disclosing confidential information by spoofing the identity of the original sender or receiver. Connection hijacking exploits a "desynchronized state" in TCP communication. When the sequence number in a received packet is not the same as the expected sequence number, the connection is called "desynchronized." Depending on the actual value of the received sequence number, the TCP layer may either discard or buffer the packet. When two hosts are desynchronized enough, they will discard or ignore packets from each other. An attacker can then inject forged packets with the correct sequence numbers and potentially modify or add messages to the communication. This requires the attacker to be located on the communication path between the two hosts in order to observe the packets being sent. The key to this attack is creating the desynchronized state.

    4. Denial of Service Attack

    IP spoofing is very commonly used in denial of service (DoS) attacks, in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time. To conduct the attack effectively, attackers spoof the source IP addresses, often a different one per packet, to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block the traffic.

    Misconception of IP Spoofing:


    A common misconception is that "IP spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected to the forged address, meaning you cannot complete a normal two-way network connection. However, IP spoofing is an integral part of many attacks that do not need to see responses, such as the flooding attacks described above.

    Detection of IP Spoofing:

    We can monitor packets using network-monitoring software. A packet arriving on an external interface that has both its source and destination IP addresses in the local domain is an indication of IP spoofing, since such a packet should never have left the local network in the first place. Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access.

    Prevention of IP Spoofing:

    To prevent IP spoofing in your network, the following are some common practices:

    Avoid using source-address authentication. Implement cryptographic authentication system-wide.

    Configure your network to reject packets from the Internet that claim to originate from a local address.

    Implement ingress and egress filtering on the border routers, and implement an ACL (access control list) that blocks private IP addresses on your downstream interface.

    If you allow outside connections from trusted hosts, enable encrypted sessions at the router.
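The checks from the detection and prevention sections above, as an added Python example that is not part of the original page: a border router's ingress and egress decisions, applied to constructed packet records. The local prefix 203.0.113.0/24, the interface names "outside" and "inside", and every address in the sample are assumed for the example. The same rule that drops an inbound packet claiming a local source is the tell-tale sign the detection section describes, so audit() doubles as an offline check over captured packet summaries.

```python
import ipaddress
from typing import List, Tuple

# Constructed topology for the example: our public prefix sits behind interface
# "inside"; "outside" faces the upstream provider.
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Addresses that can never be a legitimate source arriving from the Internet:
# RFC 1918 private space plus loopback, "this network", link-local and multicast.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def filter_verdict(iface: str, src: str, dst: str) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet seen on a border interface."""
    s = ipaddress.ip_address(src)
    if iface == "outside":
        # Ingress filtering: traffic from the Internet must not claim to be us,
        # and must not carry a private or reserved source.
        if in_any(s, LOCAL_NETS):
            return "drop", "ingress: source claims a local address (spoofed)"
        if in_any(s, BOGONS):
            return "drop", "ingress: private/reserved source (RFC 1918 or bogon)"
        return "accept", ""
    if iface == "inside":
        # Egress filtering: anything we forward upstream must carry one of our
        # own addresses, so our hosts cannot be used to source spoofed floods.
        if not in_any(s, LOCAL_NETS):
            return "drop", "egress: source outside our prefix (spoofed)"
        return "accept", ""
    raise ValueError(f"unknown interface {iface!r}")


# Constructed packet summaries: (interface, source, destination)
SAMPLE_PACKETS = [
    ("outside", "198.51.100.4", "203.0.113.10"),   # ordinary inbound traffic
    ("outside", "203.0.113.7",  "203.0.113.10"),   # claims to be inside: spoofed
    ("outside", "192.168.1.1",  "203.0.113.10"),   # RFC 1918 source from the Internet
    ("inside",  "203.0.113.22", "198.51.100.4"),   # ordinary outbound traffic
    ("inside",  "8.8.8.8",      "198.51.100.4"),   # one of our hosts spoofing someone else
]


def audit(packets) -> List[Tuple[str, str, str, str, str]]:
    """Apply the filter to each record; returns (iface, src, dst, verdict, reason)."""
    return [(i, s, d, *filter_verdict(i, s, d)) for i, s, d in packets]


def dropped(packets) -> List[Tuple[str, str, str]]:
    """The records the filter would discard."""
    return [(i, s, d) for i, s, d, v, _ in audit(packets) if v == "drop"]


if __name__ == "__main__":
    for row in audit(SAMPLE_PACKETS):
        print(*row)
```

Three of the five sample records are dropped: the two inbound packets with a local or private source, and the outbound packet whose source is not ours. Note the limit of the technique: a packet from the Internet with a plausible foreign source passes, so filtering at your own border stops you from being an amplifier and from being attacked with your own addresses, but not spoofing in general; only universal egress filtering does that.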

    IP Fragment Attacks:

    When packets are too large to be sent in a single IP packet, due to interface hardware limitations for example, an intermediate router can split them up unless prohibited by the Don't Fragment flag. IP fragmentation occurs when a router receives a packet larger than the MTU (Maximum Transmission Unit) of the next network segment. (This applies to IPv4; in IPv6 only the sending host fragments.) All such fragments will have the same Identification field value, and the fragment offset indicates the position of the current fragment in the context of the pre-split-up packet. Intermediate routers are not expected to reassemble the fragments. The final destination will reassemble all the fragments of an IP packet and pass it to higher protocol layers like TCP or UDP.


    Attackers create artificially fragmented packets in order to circumvent firewalls that do not perform packet reassembly. Such firewalls only consider the properties of each individual fragment, and let the fragments through to the final destination. One such attack involving fragments is known as the tiny fragment attack.

    Two fragments of a datagram carrying a TCP segment are created. The first fragment is so small that it does not even include the full TCP header, in particular the destination port number, so a filter that decides on port numbers has nothing to decide on. The second fragment contains the remainder of the TCP header, including the port number, but as a non-first fragment it is not inspected. Another such type of malicious fragmentation involves fragments that have illegal fragment offsets.

    A fragment offset value gives the index position of this fragment's data in the reassembled packet, counted in 8-byte units. In an overlapping fragment attack the second fragment claims an offset that falls inside the data already delivered by the first. For example, if the first fragment was 24 bytes long (a full 20-byte TCP header plus 4 bytes of data), the second fragment may claim an offset of 2, i.e. byte 16. Upon reassembly, the data in the second fragment overwrites the last eight bytes of the data from the first fragment. A second fragment at offset 1 (byte 8) instead overwrites the acknowledgement number, data offset and flags fields of the TCP header. Either way, the TCP header that a firewall judged when it inspected the first fragment is not the header the destination host reassembles, so a field the firewall allowed, such as the flags, can be rewritten after the fact.

    Historically, the IP layer implementations of many operating systems had bugs in the reassembly code. An attacker can create and send a pair of carefully crafted but malformed IP fragments that in the process of reassembly cause a server to panic and crash. When the receiving host attempts to reassemble such a packet, in which the second fragment claims to end before the end of the data already received, it calculates a negative length for the second fragment. This value is passed to a function such as memcpy(), which copies from/to memory and whose length argument is unsigned, so it takes the negative number to be an enormous positive number and copies far beyond the buffer. This is the bug behind the 1997 "Teardrop" attack.

    Another type of attack involves sending fragments that, if reassembled, would form an abnormally large packet, larger than the maximum permissible length for an IP packet. No single fragment is oversized; it is the last fragment's offset plus its length that exceeds the limit. The attacker hopes that the receiving host will crash while attempting to reassemble the packet. The Ping of Death used this attack: it creates an ICMP echo request packet whose reassembled size is larger than the maximum IP packet size of 65,535 bytes.
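The three fragment problems above (tiny and overlapping fragments that fool a stateless filter, the negative-length reassembly bug, and oversize reassembled datagrams) in one added Python example that is not from the original page. Fragment offsets are kept in the 8-byte units of the IP header. naive_reassemble() models a reassembler that trusts offsets and lets later data overwrite earlier data; safe_reassemble() is the corrected behaviour; firewall_accepts() applies the two checks a stateless filter can make on TCP fragments, rejecting a first fragment that carries fewer than TMIN bytes of TCP header and rejecting any fragment at offset 1 (both from RFC 1858); historic_copy_length() reproduces the negative length arithmetic. All fragments, the TCP header contents and port 80 are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_ACK, TCP_SYN = 0x10, 0x02
TMIN = 16       # bytes of TCP header a first fragment must carry: ports, seq, ack, offset and flags
IP_MAX = 65535  # maximum IPv4 datagram length


@dataclass
class Fragment:
    ident: int      # IP Identification field, shared by all pieces of one datagram
    offset: int     # Fragment Offset field, in 8-byte units
    more: bool      # More Fragments flag
    payload: bytes


def tcp_header(dst_port: int, flags: int, src_port: int = 40000,
               seq: int = 1, ack: int = 0, window: int = 8192) -> bytes:
    """20-byte TCP header (data offset 5 words); checksum and urgent pointer left zero."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, window, 0, 0)


def tcp_flags(segment: bytes) -> int:
    return segment[13]


def firewall_accepts(frag: Fragment) -> bool:
    """Stateless checks for fragments carrying TCP (RFC 1858): a first fragment must hold
    enough header to be judged, and offset 1 exists only to overwrite bytes 8..15 (flags)."""
    if frag.offset == 0 and len(frag.payload) < TMIN:
        return False                 # tiny fragment: ports or flags not visible
    if frag.offset == 1:
        return False                 # overlapping fragment aimed at the first fragment's flags
    return True


def naive_reassemble(frags: List[Fragment]) -> bytes:
    """Historic behaviour: copy every fragment at its claimed offset, later data
    silently overwriting earlier data."""
    buf = bytearray()
    for f in frags:
        start, end = f.offset * 8, f.offset * 8 + len(f.payload)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = f.payload
    return bytes(buf)


def historic_copy_length(prev_end: int, frag: Fragment) -> Tuple[int, int]:
    """Length some reassemblers computed for a fragment overlapping data already held:
    its end minus the previous end. A fragment lying wholly inside earlier data gives a
    negative value, which a size_t copy length turns into an enormous positive one."""
    signed = frag.offset * 8 + len(frag.payload) - prev_end
    return signed, signed & 0xFFFFFFFF


def safe_reassemble(frags: List[Fragment]) -> Tuple[Optional[bytes], Optional[str]]:
    """Reassembly that refuses overlaps, oversize datagrams and gaps instead of trusting
    offsets. Returns (payload, None) on success or (None, reason)."""
    seen: List[Tuple[int, int]] = []
    buf = bytearray()
    total = None
    for f in frags:
        start, end = f.offset * 8, f.offset * 8 + len(f.payload)
        if end > IP_MAX:
            return None, f"fragment ends at byte {end}, beyond the {IP_MAX}-byte maximum"
        if any(start < e and s < end for s, e in seen):
            return None, f"fragment [{start},{end}) overlaps data already received"
        if not f.more:
            if total is not None:
                return None, "two fragments claim to be the last"
            total = end
        seen.append((start, end))
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = f.payload
    if total is None:
        return None, "last fragment missing"
    pos = 0
    for s, e in sorted(seen):
        if s != pos:
            return None, f"gap before byte {s}"
        pos = e
    if pos != total:
        return None, "data extends past the last fragment"
    return bytes(buf[:total]), None


# Constructed attack fragments for the example (one ident per datagram)
INNOCENT_FIRST = Fragment(1, 0, True, tcp_header(80, TCP_ACK) + b"GET ")  # 24 bytes, looks established
OVERWRITE = Fragment(1, 1, False, struct.pack("!IBBH", 0, 5 << 4, TCP_SYN, 8192))  # bytes 8..15 -> SYN
TINY_FIRST = Fragment(2, 0, True, tcp_header(80, TCP_SYN)[:8])            # ports and seq only
OVERSIZE_LAST = Fragment(3, 8189, False, bytes(100))                      # ends at byte 65612

if __name__ == "__main__":
    print(hex(tcp_flags(naive_reassemble([INNOCENT_FIRST, OVERWRITE]))))   # SYN, not the ACK the filter saw
    print(safe_reassemble([INNOCENT_FIRST, OVERWRITE]), safe_reassemble([OVERSIZE_LAST]))
```

The first fragment shows a filter an ACK-only segment to port 80, which a rule for established connections passes; after the naive reassembly the host sees a SYN. The safe reassembler rejects the pair as overlapping and rejects the 65,612-byte datagram outright, which is the behaviour a modern stack should have; the point of historic_copy_length() is that the same overlap, run through signed-minus-unsigned arithmetic, turns into a copy of roughly four gigabytes.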

    ICMP Smurfing

    "Smurf" is the name of an automated program that attacks a network by exploiting IP broadcast addressing. Smurf and similar programs can cause the attacked part of a network to become "inoperable." Network nodes and their administrators use ICMP to exchange information about the state of the network.


    A smurf program builds a network packet with a spoofed source address, that of the victim. The packet contains an ICMP ping (echo request) message addressed to an IP broadcast address, meaning all IP addresses in a given network. If the routing device delivering traffic to that broadcast address performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will each reply to it with an ICMP echo reply. The echo replies to the ping message are sent back to the victim address. Enough pings and resultant echoes can flood the network, making it unusable for real traffic.

    A related attack is called "fraggle", a simple rewrite of smurf that uses UDP echo packets in the same fashion as the ICMP echo packets. The intermediary (broadcast) networks and the spoofed victim are both hurt by this attack. The attackers rely on the ability to send source-spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service.

    In order to stop this, all networks should perform filtering either at the edge of the network where customers connect (access layer) or at the edge of the network with connections to the upstream providers, in order to prevent source-address-spoofed packets from entering from downstream networks or leaving for upstream networks.

    One way to defeat smurfing is to disable forwarding of IP directed broadcasts at each network router, since the feature is seldom needed.
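The router-side fix above, as an added Python example that is not from the original page: a forwarding decision that refuses any datagram addressed to the directed-broadcast address of one of the router's own subnets, and for the two abused cases, ICMP echo requests (smurf) and UDP datagrams to the echo port (fraggle), reports how many hosts would have answered the spoofed victim had the packet been forwarded. The subnets 203.0.113.0/24 and 198.51.100.0/26, the victim address 192.0.2.66 and the packet records are all constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed subnets behind the router, for the example
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/26")]
ICMP_ECHO_REQUEST = 8   # ICMP type of a ping
UDP_ECHO_PORT = 7       # UDP echo service abused by fraggle


def directed_broadcast_of(dst: str, nets=LOCAL_NETS) -> Optional[ipaddress.IPv4Network]:
    """The local subnet whose broadcast address dst is, or None for a unicast destination."""
    d = ipaddress.ip_address(dst)
    for net in nets:
        if d == net.broadcast_address:
            return net
    return None


def amplifier_check(src: str, dst: str, proto: str,
                    icmp_type: Optional[int] = None,
                    dport: Optional[int] = None) -> Tuple[str, int]:
    """Router policy with directed-broadcast forwarding disabled.
    Returns ("forward" | "drop", number of hosts that would have answered src).
    src is whatever the attacker wrote in the header: the victim, not the sender."""
    net = directed_broadcast_of(dst)
    if net is None:
        return "forward", 0
    is_smurf = proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST
    is_fraggle = proto == "udp" and dport == UDP_ECHO_PORT
    # every host on the subnet may answer an echo; the network and broadcast
    # addresses themselves do not
    responders = net.num_addresses - 2 if (is_smurf or is_fraggle) else 0
    return "drop", responders


# Constructed records: (src, dst, proto, icmp_type, dport)
SAMPLE = [
    ("192.0.2.66",   "203.0.113.255", "icmp", ICMP_ECHO_REQUEST, None),  # smurf, victim 192.0.2.66
    ("192.0.2.66",   "198.51.100.63", "udp",  None, UDP_ECHO_PORT),      # fraggle against the /26
    ("198.51.100.9", "203.0.113.10",  "icmp", ICMP_ECHO_REQUEST, None),  # ordinary ping to one host
    ("192.0.2.66",   "203.0.113.255", "udp",  None, 53),                 # broadcast, but not an echo
]


def audit(records) -> List[Tuple[str, str, int]]:
    """(destination, verdict, replies the victim was spared) for each record."""
    return [(dst, *amplifier_check(src, dst, proto, it, dp))
            for src, dst, proto, it, dp in records]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

One spoofed 64-byte ping to the /24 would have produced 254 replies to 192.0.2.66; the /26 yields 62. Dropping every directed broadcast, not just echo traffic, is what the "disable IP broadcast addressing" advice means in practice, and it costs nothing because hosts inside the subnet still reach each other's broadcast address directly.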
