IP Spoofing
Sometimes on the internet, a girl
named Alice is really a man named
Yves
Sources
General Information:
Mitnick Attack Sequence:
http://tarpit.rmc.ca/knight/EEE466Lectures/DA14/14%20%20Security%20I.ppt
DoS and DDoS attacks:
http://www.gulker.com/ra/hack/tsattack.html
Session Hijack Sequence:
http://en.wikipedia.org/wiki/Ip_spoofing
http://www.securityfocus.com/infocus/1674
http://tarpit.rmc.ca/knight/EE579index.htm (See ppts on subject)
http://tarpit.rmc.ca/knight/EEE466Lectures/DA14/14%20%20Security%20I.ppt
Conversation with Todd ‘Hot Toddy’ Jackson
Phrack Article:
http://www.phrack.org/issues.html?issue=64&id=15#article
Overview
TCP/IP – in brief
IP Spoofing
Basic overview
Examples
Mitnick Attack
Session Hijack
DoS/DDoS Attack
Defending Against the Threat
Continuous Evolution
Conclusion
TCP/IP in 3 minute or less
General use of term describes the
Architecture upon which the Interweb
is built.
TCP/IP are specific protocols within
that architecture.
TCP/IP in 3 minutes or less
Application
Transport
TCP
Interweb
IP
Network
Access
Physical
TCP/IP in 3 minute or less
IP is the internet layer protocol.
Does not guarantee delivery or
ordering, only does its best to move
packets from a source address to a
destination address.
IP addresses are used to express the
source and destination.
IP assumes that each address is
unique within the network.
TCP/IP in 3 minutes or less
TCP is the transport layer protocol.
It guarantees delivery and ordering,
but relies upon IP to move packets to
proper destination.
Port numbers are used to express
source and destination.
Destination Port is assumed to be
awaiting packets of data.
TCP/IP in 3 minutes or less
Client Using Mozilla
Some Web Server
HTTP - GET
Application
TCP – Port 80
Transport
IP – 10.24.1.1
Interweb
MAC –
Network
Access
Network
Access
11010010011101
00110100110101
Physical
Physical
00:11:22:33:44:55
But what
happens if
someone is
lying??
Application
Transport
Interweb
IP Spoofing – Basic Overview
Basically, IP spoofing is lying about an
IP address.
Normally, the source address is
incorrect.
Lying about the source address lets
an attacker assume a new identity.
IP Spoofing – Basic Overview
Because the source address is not the
same as the attacker’s address, any
replies generated by the destination
will not be sent to the attacker.
Attacker must have an alternate way
to spy on traffic/predict responses.
To maintain a connection, Attacker
must adhere to protocol requirements
IP Spoofing – Basic Overview
Difficulties for attacker:
TCP sequence numbers
One way communication
Adherence to protocols for other layers
IP Spoofing – The Reset
Sucker - Alice
2.3.SYN
RESET
ACK––
Sure,
Umm..what
I have
do
no
youidea
want
why
to
you
talk
are
about?
talking
to me
1. SYN –
Let’s have a
conversation
Victim - Bob
4. No connection –
Guess I need to take
Bob out of the picture…
Attacker - Eve
IP Spoofing – Mitnick Attack
Merry X-mas! Mitnick hacks a Diskless
Workstation on December 25th, 1994
The victim – Tsutomu Shinomura
The attack – IP spoofing and abuse of
trust relationships between a diskless
terminal and login server.
Mitnick Attack
6. Mitnick fakes
4.
forgesthe
a SYN
ACKfrom
using
the
server
the
proper
to the
TCP
terminal
sequence number
Workstation
5. Terminals responds with an
ACK, which is ignored by the
7.
Mitnick has now
flooded port (and not visible to
established
a one way
Mitnick)
Server
communications channel
3. Mitnick discovers
2.
Probes thethat the
Workstation
TCP
sequence
tonumber
determine
is the
behaviour of by
incremented
its TCP
128000
sequence
each
number
new
connection
generator
1. Mitnick Flood’s
server’s login port so it
can no longer respond
Kevin Mitnick
Mitnick Attack – Why it worked
Mitnick abused the trust relationship
between the server and workstation
He flooded the server to prevent
communication between it and the
workstation
Used math skillz to determine the TCP
sequence number algorithm (ie add
128000)
This allowed Mitnick to open a connection
without seeing the workstations outgoing
sequence numbers and without the server
interrupting his attack
IP Spoofing - Session Hijack
IP spoofing used to eavesdrop/take
control of a session.
Attacker normally within a LAN/on the
communication path between server
and client.
Not blind, since the attacker can see
traffic from both server and client.
Session Hijack
Alice
3. At
1.
2.
Eveany
assumes
can
point,
monitor
Eve
a man-in-thetraffic
can assume
between
the
middle
Alice
identity
and
position
ofBob
either
without
through
Bob or
altering
some
Alice the
mechanism.
packets
through
or
thesequence
Spoofed
For example,
numbers.
IP address.
Eve could
use Arp
This
breaks
Poisoning,
the pseudo
socialconnection
engineering,
as
Eve will start
router
modifying
hackingthe
etc...
sequence numbers
I’m
Bob!
I’m
Alice!
Eve
Bob
IP Spoofing – DoS/DDoS
Denial of Service (DoS) and
Distributed Denial of Service (DDoS)
are attacks aimed at preventing
clients from accessing a service.
IP Spoofing can be used to create
DoS attacks
DoS Attack
Service
Requests
Server
Flood of
Requests from
Attacker
Interweb
Fake IPs
Attacker
Server queue full,
legitimate
requests get
dropped
Service
Requests
Legitimate Users
DoS Attack
The attacker spoofs a large number of
requests from various IP addresses to
fill a Services queue.
With the services queue filled,
legitimate user’s cannot use the
service.
DDoS Attack
Queue
Full
Server
(already DoS’d)
SYN ACK
1. Attacker makes
large number of SYN
connection requests
to target servers on
behalf of a DoS’d
server
Interweb
SYN ACK
SYN
SYN
Attacker
SYN
ACK
SYN
ACK
SYN
SYN
Target Servers
2. Servers send SYN ACK to
spoofed server, which cannot
respond as it is already DoS’d.
Queue’s quickly fill, as each
connection request will have to go
through a process of sending
several SYN ACKs before it times
out
DDoS Attack
Many other types of DDoS are
possible.
DoS becomes more dangerous if
spread to multiple computers.
IP Spoofing – Defending
IP spoofing can be defended against in a number of
ways:
As mentioned, other protocols in the Architectural
model may reveal spoofing.
TCP sequence numbers are often used in this manner
New generators for sequence numbers are a lot more
complicated than ‘add 128000’
Makes it difficult to guess proper sequence numbers if
the attacker is blind
“Smart” routers can detect IP addresses that are
outside its domain.
“Smart” servers can block IP ranges that appear to
be conducting a DoS.
IP Spoofing continues to evolve
IP spoofing is still possible today, but
has to evolve in the face of growing
security.
New issue of Phrack includes a
method of using IP spoofing to
perform remote scans and determine
TCP sequence numbers
This allows a session Hijack attack
even if the Attacker is blind
Conclusion
IP Spoofing is an old school Hacker
trick that continues to evolve.
Can be used for a wide variety of
purposes.
Will continue to represent a threat as
long as each layer continues to trust
each other and people are willing to
subvert that trust.
Questions?
Application
Application
Transport
Transport
Interweb
Interweb
Network
Access
Network
Access
Physical
Physical
Sucker - Alice
Victim Bob
Attacker
- Eve
Sucker - Alice
Interweb
Victim Bob
Attacker
- Eve
Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt
IP header
0
16
Version
IHL
Time to Live
Total Length
Type of Service
Identification
31
Flags
Protocol
Source Address
Destination Address
Options and Padding
Fragment Offset
Header Checksum
Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt
TCP header
0
16
Source Port
31
Destination Port
Sequence Number
Acknowledgement Number
Data
Offset
Reserved
Checksum
Flags
Window
Urgent Pointer
Options and Padding
TCP Sequence Numbers
Client
Start SEQ - 1892
2.
3.
1. Server
Client
Client ACKs,
transmits
transmits
sends
50
20no
bytes
bytes
data
Server
Start SEQ - 15562
SEQ – 1892
ACK – 15562
Size - 50
SEQ – 15562
ACK – 1942
Size - 25
SEQ – 1942
ACK – 15587
Size - 0
End SEQ - 1942
End SEQ - 15587
0
