IP spoofing - BeKnowledge

standguide · Networks and Communications

26 Oct 2013 (3 years and 11 months ago)

78 views

IP SPOOFING: A Hacking Technique



TOPICS

What is TCP/IP

TCP/IP protocol architecture

What is IP & TCP

TCP/IP protocol working

What is IP Spoofing & its working

IP Spoofing Examples

IP Spoofing Attacks

Uses of IP Spoofing

Stopping Methods of Spoofing

IP Spoofing is still developing

Conclusion

References

What is TCP/IP

In general use, the term “TCP/IP” describes the architecture upon which the Internet is built.

TCP and IP are specific protocols within that architecture.


TCP/IP PROTOCOL ARCHITECTURE

Application

Transport (TCP)

Internet (IP)

Data Link

Physical

What is IP

IP is the Internet protocol used in Internet
layer.

It does not guarantee delivery or ordering; it only moves packets from a source address to a destination address.

IP addresses are used to express the
source and destination.

IP assumes that each address is unique
within the network.

What is TCP

TCP is the Transmission Control Protocol
used in Transport layer.

It guarantees delivery and ordering, but
depends upon IP to move packets to
proper destination.

Port numbers are used to express source
and destination.

Destination Port is assumed to be awaiting
packets of data.


TCP/IP PROTOCOL WORKING

Figure: two protocol stacks (Application, Transport, Internet, Data Link, Physical), one on a client using Mozilla and one on some web server, with each layer's contribution to the request:

Application: HTTP GET

Transport: TCP, port 80

Internet: IP, 10.24.1.1

Data Link: MAC, 00:11:22:33:44:55

Physical: bits on the wire (11010010011101 00110100110101)

What is IP SPOOFING

IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the header.

Routers use the destination IP address to forward packets, but ignore the source IP address.

The source IP address is used only by the destination machine, when it responds back to the source.

When an attacker spoofs someone’s IP address, the victim’s reply goes back to that address.

Because the source address is not the same as the attacker’s address, any replies generated by the destination will not be sent to the attacker.

Since the attacker does not receive packets back, this is called a one-way attack or blind spoofing.



To see the return packets, the attacker must intercept them.

The attacker must have an alternate way to spy on traffic or predict responses.

To maintain a connection, the attacker must fulfill the protocol requirements.

The attacker is normally within a LAN or on the communication path between server and client.

Such an attacker is not blind, since he can see traffic from both server and client.
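The slides point out that routers forward on the destination address and ignore the source, and later that spoofed flood traffic draws its sources from the whole address space, sometimes avoiding unroutable ranges. The standard countermeasure is source-address validation at the network edge (BCP 38 / RFC 2827): a packet arriving on a customer-facing interface must carry a source address that belongs behind that interface, and "martian" sources that are never valid on a public link are dropped regardless of interface. The following Python is an added example, not code from the slides or their author; the interface names, prefixes and sample packets are constructed for the demonstration.

```python
"""Source-address validation at a network edge (BCP 38 / RFC 2827 style).

Added example, not from the original slides. Instead of ignoring the source
IP, the edge router checks that a packet entering on a customer-facing
interface carries a source address from that interface's assigned prefixes,
and rejects martian sources on every interface. Topology and traffic below
are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology: source prefixes that may legitimately enter on each
# customer-facing interface. The upstream interface (eth0) is not listed, so
# it is only subject to the martian check.
ALLOWED_SOURCES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],   # customer A
    "eth2": [ipaddress.ip_network("198.51.100.0/25")],  # customer B
}

# Ranges that must never appear as a source on a public link: "this" network,
# RFC 1918 private space, loopback, link-local, multicast, reserved.
MARTIANS = [
    ipaddress.ip_network(p)
    for p in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")
]


@dataclass(frozen=True)
class Packet:
    ingress_if: str
    src: str
    dst: str


def classify(pkt: Packet) -> str:
    """Return 'forward', 'drop-martian' or 'drop-spoofed' for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in MARTIANS):
        return "drop-martian"
    allowed = ALLOWED_SOURCES.get(pkt.ingress_if)
    if allowed is None:
        return "forward"              # interface not subject to prefix filtering
    if any(src in net for net in allowed):
        return "forward"
    return "drop-spoofed"             # source does not belong behind this interface


def filter_packets(packets):
    """Apply classify() to a batch; return (forwarded, dropped) lists of (pkt, verdict)."""
    forwarded, dropped = [], []
    for pkt in packets:
        verdict = classify(pkt)
        (forwarded if verdict == "forward" else dropped).append((pkt, verdict))
    return forwarded, dropped


# Constructed sample traffic: one legitimate packet per customer, one packet
# from customer A claiming customer B's address, one from A claiming an
# arbitrary Internet address (the flood pattern from the slides), one with a
# private source, and one arriving from upstream.
SAMPLE = [
    Packet("eth1", "203.0.113.7", "192.0.2.10"),
    Packet("eth2", "198.51.100.9", "192.0.2.10"),
    Packet("eth1", "198.51.100.9", "192.0.2.10"),
    Packet("eth1", "45.12.99.3", "192.0.2.10"),
    Packet("eth1", "10.0.0.5", "192.0.2.10"),
    Packet("eth0", "192.0.2.44", "203.0.113.7"),
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    for pkt, verdict in fwd + drp:
        print(f"{pkt.ingress_if:5} {pkt.src:>14} -> {pkt.dst:<14} {verdict}")
```

The check is cheap because it only consults the interface's own prefix list; it does nothing against an attacker who spoofs an address from inside the same prefix, which is why the slides' other countermeasures (stronger authentication, unpredictable sequence numbers) are still needed.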


Steps for SPOOFING IP


The IP spoofing technique consists of these steps:

1. Selecting a target host (the victim).

2. Identifying a host that has a "trust" relationship with the target. This can be accomplished by looking at the traffic of the target host. There cannot be an attack if the target does not trust anyone.

3. The trusted host is then disabled using SYN flooding, and the target’s TCP sequence numbers are sampled.

4. A connection attempt is made to a service that only requires address-based authentication (no user id or password).

5. If a successful connection is made, the attacker executes a simple command to leave a backdoor. This allows for simple re-entries in a non-interactive way for the attacker.


Establishing a TCP Connection

IP Spoofing Example: A Valid Source IP

IP Spoofing Example: A Spoofed Source IP

Actually what happens?

Figure: Alice and Bob communicate while Eve sits between them, claiming “I’m Bob!” to Alice and “I’m Alice!” to Bob.

1. Eve assumes a man-in-the-middle position through some mechanism. For example, Eve could use ARP poisoning, social engineering, router hacking etc.

2. Eve can monitor traffic between Alice and Bob without altering the packets or sequence numbers.

3. At any point, Eve can assume the identity of either Bob or Alice through the spoofed IP address. This breaks the pseudo connection, as Eve will start modifying the sequence numbers.

IP SPOOFING ATTACKS


Attacks using IP spoofing include:

Man-in-the-middle (MITM): the attacker sniffs packets on the link between the two endpoints, and therefore can pretend to be one end of the connection.

Routing redirect: redirects routing information from the original host to the attacker’s host (a variation on the man-in-the-middle attack).

Source routing: the attacker redirects individual packets through the attacker’s own host.

Smurfing: an ICMP packet spoofed to originate from the victim is sent to the broadcast address, causing all hosts on the network to respond to the victim at once. This congests network bandwidth, floods the victim, and causes a loop at the victim.
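A Smurf attack leaves two distinct traces that a network monitor can look for: the trigger packet (an ICMP echo request addressed to a subnet's directed broadcast address, which a router should refuse to forward) and the amplified result (a burst of echo replies from many different hosts converging on one destination, which is what the spoofed victim sees). The following Python is an added example, not code from the slides or their author; the subnets, time window, thresholds and packet records are constructed.

```python
"""Detecting Smurf-style ICMP amplification from packet records.

Added example, not part of the original slides. Two checks: (1) is_smurf_trigger
flags an echo request aimed at a directed broadcast address; (2) find_reply_floods
flags destinations that receive echo replies from many distinct hosts within a
short window. Subnets, window, threshold and records are constructed.
"""
import ipaddress
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Constructed: subnets this monitor knows about; their broadcast addresses are
# the amplification targets a Smurf trigger would be sent to.
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.10.0/24"),
                 ipaddress.ip_network("192.168.20.0/24")]
BROADCASTS = {str(n.broadcast_address) for n in LOCAL_SUBNETS}


def is_smurf_trigger(rec):
    """True if rec is an ICMP echo request aimed at a directed broadcast address."""
    return (rec["proto"] == "icmp"
            and rec["type"] == ICMP_ECHO_REQUEST
            and rec["dst"] in BROADCASTS)


def find_reply_floods(records, window=1.0, min_sources=5):
    """Return {destination: set_of_sources} for destinations receiving echo
    replies from at least min_sources distinct hosts within any `window` seconds."""
    by_dst = defaultdict(list)
    for r in records:
        if r["proto"] == "icmp" and r["type"] == ICMP_ECHO_REPLY:
            by_dst[r["dst"]].append((r["ts"], r["src"]))
    floods = {}
    for dst, events in by_dst.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            sources = {src for _, src in events[start:end + 1]}
            if len(sources) >= min_sources:
                floods[dst] = floods.get(dst, set()) | sources
    return floods


def analyse(records):
    """Run both checks; return (trigger_records, {victim: responders})."""
    triggers = [r for r in records if is_smurf_trigger(r)]
    return triggers, find_reply_floods(records)


# Constructed records: one trigger carrying the victim's address as source,
# ten replies from the subnet to the victim, then ordinary traffic.
VICTIM = "203.0.113.5"
RECORDS = [
    {"ts": 0.00, "src": VICTIM, "dst": "192.168.10.255", "proto": "icmp", "type": ICMP_ECHO_REQUEST},
]
for i in range(2, 12):
    RECORDS.append({"ts": 0.01 * i, "src": f"192.168.10.{i}", "dst": VICTIM,
                    "proto": "icmp", "type": ICMP_ECHO_REPLY})
RECORDS += [
    {"ts": 0.50, "src": "192.168.10.3", "dst": "192.168.20.7", "proto": "icmp", "type": ICMP_ECHO_REQUEST},
    {"ts": 0.51, "src": "192.168.20.7", "dst": "192.168.10.3", "proto": "icmp", "type": ICMP_ECHO_REPLY},
    {"ts": 0.60, "src": "192.168.10.3", "dst": "192.168.20.7", "proto": "tcp", "type": None},
]

if __name__ == "__main__":
    triggers, floods = analyse(RECORDS)
    for t in triggers:
        print(f"smurf trigger: {t['src']} -> {t['dst']} (directed broadcast)")
    for dst, srcs in floods.items():
        print(f"reply flood towards {dst}: {len(srcs)} distinct responders")
```

The first check catches the attack at the amplifying network, where dropping directed-broadcast pings also removes the amplifier; the second works at the victim's side, where the trigger is never seen and only the converging replies are visible.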

USES OF SPOOFING

IP spoofing is most frequently used in denial-of-service attacks.

In such attacks, the goal is to flood the victim with large amounts of traffic, and the attacker does not care about receiving responses to his attack packets.

Packets with spoofed addresses are more difficult to filter, since each spoofed packet appears to come from a different address, and they hide the true source of the attack.

Denial-of-service attacks that use spoofing typically choose addresses at random from the entire IP address space.

These mechanisms might avoid unroutable addresses or unused portions of the IP address space.

IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses.

By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authenticating.

STOPPING OF SPOOFING ATTACKS


Encryption

Disable Ping

More secure authentication

Good random number generator

Shorten time-out value in TCP/IP requests

Firewall
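The "good random number generator" item matters because the blind-spoofing steps earlier in the slides depend on sampling the target's TCP sequence numbers and guessing the next one; if each connection's initial sequence number (ISN) is unpredictable, a blind attacker cannot complete the handshake. The following Python is an added example, not code from the slides or their author. It reproduces the scheme of RFC 6528, ISN = M + F(local ip, local port, remote ip, remote port, secret), where M is a clock advancing every 4 µs and F is a keyed hash; RFC 6528 names MD5 for F, and using HMAC-SHA-256 truncated to 32 bits here is an assumption, as are the constructed secret and addresses. A fixed-increment generator is included only as the contrast that shows what an observer learns from two consecutive ISNs.

```python
"""Unpredictable TCP initial sequence numbers (RFC 6528 style).

Added example, not from the original slides. generate_isn() combines a 4 µs
clock with a keyed per-connection offset so that ISNs of different
connections reveal nothing about each other; naive_isn() is the weak
fixed-increment scheme shown for contrast. Secret and addresses are
constructed; HMAC-SHA-256 instead of MD5 is an assumption.
"""
import hashlib
import hmac
import os
import struct
import time


def isn_per_connection_offset(secret: bytes, local_ip: str, local_port: int,
                              remote_ip: str, remote_port: int) -> int:
    """F(): a per-4-tuple offset that cannot be recovered without the secret."""
    tuple_bytes = f"{local_ip}:{local_port}:{remote_ip}:{remote_port}".encode()
    digest = hmac.new(secret, tuple_bytes, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def isn_clock(now_seconds: float) -> int:
    """M(): a 32-bit counter incrementing every 4 microseconds (RFC 793 rate)."""
    return int(now_seconds * 250_000) & 0xFFFFFFFF


def generate_isn(secret: bytes, local_ip: str, local_port: int,
                 remote_ip: str, remote_port: int, now_seconds: float) -> int:
    """ISN = M(clock) + F(4-tuple, secret), modulo 2**32."""
    return (isn_clock(now_seconds)
            + isn_per_connection_offset(secret, local_ip, local_port,
                                        remote_ip, remote_port)) & 0xFFFFFFFF


def naive_isn(previous: int) -> int:
    """The weak historical scheme: a fixed increment per new connection."""
    return (previous + 64_000) & 0xFFFFFFFF


def sampling_gap(isn_a: int, isn_b: int) -> int:
    """Difference between two observed ISNs; a constant gap means the next ISN
    is predictable, a keyed offset makes the gap look random across peers."""
    return (isn_b - isn_a) & 0xFFFFFFFF


if __name__ == "__main__":
    secret = os.urandom(32)            # per-boot secret, never reused across reboots
    t = time.time()
    a = generate_isn(secret, "192.0.2.10", 22, "198.51.100.7", 40000, t)
    b = generate_isn(secret, "192.0.2.10", 22, "198.51.100.8", 40000, t + 0.001)
    print(f"keyed ISNs: {a:#010x} {b:#010x} gap {sampling_gap(a, b):#010x}")
    n1 = naive_isn(0x10000000)
    n2 = naive_isn(n1)
    print(f"naive ISNs: {n1:#010x} {n2:#010x} gap {sampling_gap(n1, n2):#010x}")
```

For the same 4-tuple the keyed offset is constant, so the ISN still advances monotonically with the clock as TCP requires; only the relationship between different peers' ISNs is hidden, which is exactly the property the blind attacker needs and no longer gets.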

IP Spoofing is still developing

IP spoofing is still possible today, but has to develop in the face of growing security.

New techniques include a method of using IP spoofing to perform remote scans and determine the sequence number.

This allows a session hijack attack even if the attacker is blind.

CONCLUSION

IP spoofing is an old-school hacker trick that continues to evolve.

It can be used for a wide variety of purposes.

It will continue to represent a threat as long as each layer continues to trust the others and people are willing to destroy that trust.
