IP Spoofing Attack
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi

Outline
- Introduction
- IP address spoofing
- ICMP spoofing
- ARP spoofing
- DNS spoofing
- Email spoofing
- Defense mechanisms

What is Spoofing
- Dictionary.com says: "to communicate electronically under a false identity"
- More conventional definition: to hoax or trick (someone)
- Ex. Caller ID spoofing was prevalent in purchase scams; it required specific equipment to accomplish

Why Spoofing Works in Networks
- Computer networks are designed around trust relationships
- The design goal was to get it working; security was never a concern
- The design was not intended for today's use cases
- We are best at reacting to situations
- Spoofing is possible in almost every layer of the TCP/IP stack

IP Address Spoofing
- IP spoofing is the creation of IP packets using somebody else's IP address as the source address of an IP packet
- The absence of state information makes the IP protocol vulnerable to spoofing
- The peer is not authenticated

Normal Interaction (figure: hosts 200.1.1.1 and 100.1.1.1)
- Request: Source IP 200.1.1.1, Destination IP 100.1.1.1
- Reply: Source IP 100.1.1.1, Destination IP 200.1.1.1

Interaction Under Spoofing (figure: attacker 200.1.1.1, victim 100.1.1.1, real host 150.1.1.1)
- Spoofed packet sent by 200.1.1.1: Source IP 150.1.1.1, Destination IP 100.1.1.1
- Reply: Source IP 100.1.1.1, Destination IP 150.1.1.1, so it goes to 150.1.1.1, not to the attacker

Interaction Under Spoofing, when the attacker uses a non-existing IP address as source address (figure)
- Spoofed packet sent by 200.1.1.1: Source IP 150.1.1.2, Destination IP 100.1.1.1
- Reply: Source IP 100.1.1.1, Destination IP 150.1.1.2: "I have no way forward", as there is no host 150.1.1.2 to receive it

IP Address Spoofing
- By spoofing the address the attacker conceals its identity
- Makes it appear that the packet has come from a different source
- IP address spoofing is used in many cyber attacks
- There are some legitimate use cases: website performance testing, NAT

Why Spoof IP Address
- For the same reason thieves wear black clothes and a helmet and do their work at night
- The IP address acts as a source of the sender's identity
- Many systems keep logs of your activities, and IP addresses are part of logging

Non Blind IP Spoofing (figure: attacker 10.0.0.2 and target 10.0.0.4 on one subnet together with hosts 10.0.0.1, 10.0.0.3, 10.0.0.6, 10.0.0.7, 10.0.0.15)
- When the attacker is on the same subnet as the victim, SEQ and ACK can be sniffed

Blind IP Spoofing (figure: attacker and target on different networks)
- When the attacker is on a different subnet, perhaps a different network, SEQ and ACK cannot be sniffed that easily

IP Address Spoofing in Reality (figure only)

IP Address Spoofing - Implications
- Many network services use host names or addresses for identification and authentication
- A host wanting a service prepares a message and sends it to a remote service; the receiver either allows or disallows the service
- Many services are vulnerable to IP spoofing:
  - RPC (http://seclists.org/bugtraq/1995/Jan/182)
  - NFS
  - X Window System
  - Any service using the IP address as its authentication method

IP Spoofing Derivative Attacks
- Man in the middle attack: allows sniffing packets in between
- Routing redirect: send a packet advertising a false better route to reach a destination
- Source routing: insert the attacker's host in the list
  - Strict: the packet has to traverse only the addresses mentioned
  - Loose: in addition to the list mentioned, the packet can traverse additional routers
- Smurf attack: send an ICMP packet to a broadcast address with a spoofed address
- SYN flooding: send too many TCP connection requests with spoofed source addresses
- Sequence number prediction
- Session hijacking
- Determining the state of a firewall: stateful firewalls remember history
- Denial of service

How Easy it is to Spoof IP Address
- Little programming is enough!
- Raw socket programming in UNIX; you will find examples of raw socket programs at http://www.pdbuchan.com/rawsock/rawsock.html
- WinPcap in Windows
- Several open source tools are available:
  - Hping: seems not actively maintained now
  - Scapy: does many things: packet manipulation, capture, spoofing etc.

Defenses Against IP Address Spoofing
- No complete solution exists
- Ingress filtering: drop packets coming from outside with source IP addresses used inside the network
- Egress filtering: any packet having a source IP address not in the network is dropped
- Avoiding trust relationships based on IP address
- Unicast Reverse Path Forwarding (uRPF): discard IP packets that lack a verifiable IP source address
  - The idea is simple: the reverse path to the source IP address of an incoming packet must use the same interface the packet arrived on
  - Strict: same interface
  - Loose: if any path exists to the source, it's OK

Defenses Against IP Address Spoofing
- Anti-spoofing with IP Source Guard: a layer 2 security feature that restricts IP traffic on untrusted layer 2 ports by dropping packets whose source IP address is other than the one assigned by DHCP or static assignment
- Encryption and authentication: IPsec may be an answer
- Make ISN prediction difficult by having perfect random number generation
  - RFC 1948 recommends the ISN to be a function of source IP, destination IP, source port, destination port and a secret key
- TCP receiver window based prediction: set the window size small
- Traceroute: measure TTL values
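The ingress, egress and strict/loose uRPF rules from the first "Defenses" slide, simulated over a constructed routing table and constructed packets that reuse the slides' addresses. This is an added example, not code from the slides; the interface names and routes are assumptions.

```python
from ipaddress import ip_address, ip_network
# Constructed border router (not from the slides): 100.1.1.0/24 is our network
# on "lan", uplinks "wan"/"wan2", no default route so unrouted sources fail loose uRPF.
INSIDE = ip_network("100.1.1.0/24")
ROUTES = {                      # prefix -> interface used to reach it
    ip_network("100.1.1.0/24"): "lan",
    ip_network("200.1.1.0/24"): "wan",
    ip_network("150.1.1.0/24"): "wan2",
}

def lookup(dst):
    """Longest-prefix match; returns the outgoing interface or None."""
    hits = [(p.prefixlen, i) for p, i in ROUTES.items() if dst in p]
    return max(hits)[1] if hits else None

def ingress_ok(src, iface):
    """Ingress filtering: a packet from outside must not claim an inside source."""
    return iface == "lan" or src not in INSIDE

def egress_ok(src, iface):
    """Egress filtering: a packet leaving our network must carry an inside source."""
    return iface != "lan" or src in INSIDE

def urpf_ok(src, iface, strict=True):
    """Strict: route back to src must use the arrival interface. Loose: any route."""
    back = lookup(src)
    return back is not None and (back == iface or not strict)

def verdict(pkt, strict=True):
    """Run all three checks; returns 'forward' or the name of the failing check."""
    src, iface = ip_address(pkt["src"]), pkt["iface"]
    if not ingress_ok(src, iface):
        return "drop:ingress"
    if not egress_ok(src, iface):
        return "drop:egress"
    if not urpf_ok(src, iface, strict):
        return "drop:urpf-strict" if strict else "drop:urpf-loose"
    return "forward"

SAMPLE = [  # constructed packets reusing the slides' addresses
    {"src": "200.1.1.1", "iface": "wan"},    # genuine outside host: forward
    {"src": "100.1.1.7", "iface": "wan"},    # outsider claiming our address: ingress
    {"src": "150.1.1.1", "iface": "lan"},    # insider claiming a foreign address: egress
    {"src": "150.1.1.1", "iface": "wan"},    # routed via wan2: strict drops, loose forwards
    {"src": "203.0.113.9", "iface": "wan"},  # no route back: strict and loose both drop
]

def run_sample(strict=True):
    """Verdict for every constructed packet, keyed by (src, iface)."""
    return {(p["src"], p["iface"]): verdict(p, strict) for p in SAMPLE}
```

Note that loose uRPF only catches sources with no route at all; on a router with a default route it catches nothing unless the default route is excluded from the check.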
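The RFC 1948 recommendation on the second "Defenses" slide, worked as code: an added example, not from the slides. The RFC's formula is ISN = M + F(local IP, local port, remote IP, remote port, secret) with F built on MD5; this example substitutes HMAC-SHA256 truncated to 32 bits for F, and the naive clock-only generator is included only to show what the secret-keyed offset changes.

```python
import hashlib
import hmac
import os
import time

# Added example (not from the slides) of an RFC 1948-style initial sequence
# number: ISN = M + F(local IP, local port, remote IP, remote port, secret).
# The RFC's F is MD5 over those fields and a secret; here F is HMAC-SHA256
# truncated to 32 bits, a substitution made for this example.
SECRET = os.urandom(32)   # per-boot secret; its value is never sent on the wire

def clock_ticks(now_ns=None):
    """M: RFC 793's 32-bit counter, advancing once every 4 microseconds."""
    now_ns = time.monotonic_ns() if now_ns is None else now_ns
    return (now_ns // 4000) & 0xFFFFFFFF

def naive_isn(now_ns=None):
    """Pre-RFC 1948 scheme: the ISN is the clock alone, identical for every peer."""
    return clock_ticks(now_ns)

def connection_offset(local_ip, local_port, remote_ip, remote_port, secret=SECRET):
    """F: a per-4-tuple offset that cannot be computed without the secret."""
    msg = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

def isn(local_ip, local_port, remote_ip, remote_port, now_ns=None, secret=SECRET):
    """ISN = (M + F(4-tuple, secret)) mod 2^32: still monotonic per connection,
    but the ISN of one 4-tuple says nothing about another 4-tuple's ISN."""
    off = connection_offset(local_ip, local_port, remote_ip, remote_port, secret)
    return (clock_ticks(now_ns) + off) & 0xFFFFFFFF

def isn_gap(tuple_a, tuple_b, now_ns, secret=SECRET):
    """What an observer of tuple_a's ISN would still have to guess for tuple_b:
    the difference of the two secret-keyed offsets (always 0 under naive_isn)."""
    return (isn(*tuple_b, now_ns=now_ns, secret=secret)
            - isn(*tuple_a, now_ns=now_ns, secret=secret)) & 0xFFFFFFFF
```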