Spoofing Attacks

IP Spoofing Attack
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi
Outline
- Introduction
- IP address spoofing
- ICMP spoofing
- ARP spoofing
- DNS spoofing
- Email spoofing
- Defense mechanisms
What is Spoofing
- Dictionary.com says: "to communicate electronically under a false identity"
- More conventional definition
  - hoax or trick (someone)
  - Ex. Caller ID spoofing was prevalent in purchase scams
  - Required specific equipment to accomplish such spoofing
Why Spoofing Works in Networks
- Computer networks are designed with trust relationships
  - The design goal was to get it working
  - Security was never a concern
  - The design was not intended for today's use cases
  - We are best at reacting to situations
- Spoofing is possible at almost every layer of the TCP/IP stack
IP Address Spoofing
- IP spoofing is the creation of IP packets using somebody else's IP address as the source address of an IP packet
- The absence of state information makes the IP protocol vulnerable to spoofing
- The peer is not authenticated
Normal Interaction
[Figure: normal interaction between hosts 200.1.1.1 and 100.1.1.1]
  One direction:   Source IP 200.1.1.1, Destination IP 100.1.1.1
  Other direction: Source IP 100.1.1.1, Destination IP 200.1.1.1
Interaction Under Spoofing
[Figure: interaction under spoofing; hosts shown: 200.1.1.1, 100.1.1.1 and 150.1.1.1]
  Packet sent to 100.1.1.1: Source IP 150.1.1.1, Destination IP 100.1.1.1
  Reply from 100.1.1.1:     Source IP 100.1.1.1, Destination IP 150.1.1.1
Interaction Under Spoofing
[Figure: interaction under spoofing when the attacker uses a non-existing IP address as the source address; hosts shown: 200.1.1.1 and 100.1.1.1]
  Packet sent to 100.1.1.1: Source IP 150.1.1.2, Destination IP 100.1.1.1
  Reply from 100.1.1.1:     Source IP 100.1.1.1, Destination IP 150.1.1.2
  The reply has no way forward: no host holds the address 150.1.1.2
IP Address Spoofing
- By spoofing the address, the attacker conceals its identity
- It makes the packet appear to have come from a different source
- IP address spoofing is used in many cyber attacks
- There are some legitimate use cases
  - Website performance testing
  - NAT
Why Spoof IP Address
- For the same reason thieves wear black clothes and a helmet and do their work at night
- The IP address acts as a source of the sender's identity
- Many systems keep logs of your activities
- IP addresses are part of logging
Non Blind IP Spoofing
[Figure: attacker and target on the same subnet, alongside hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.6, 10.0.0.7 and 10.0.0.15]
- When the attacker is on the same subnet as the victim
- SEQ and ACK can be sniffed
Blind IP Spoofing
[Figure: attacker and target on different networks]
- When the attacker is on a different subnet, perhaps a different network
- SEQ and ACK cannot be sniffed that easily
IP Address Spoofing in Reality
IP Address Spoofing-Implications
- Many network services use host names or addresses for identification and authentication
- A host wanting a service prepares a message and sends it to a remote service. The receiver either allows or disallows the service
- Many services are vulnerable to IP spoofing
  - RPC (http://seclists.org/bugtraq/1995/Jan/182)
  - NFS
  - X Window System
  - Any service using the IP address as an authentication method
IP Spoofing Derivative Attacks
- Man-in-the-middle attack: allows sniffing packets in between
- Routing redirect: send a packet advertising a false, better route to reach a destination
- Source routing: insert the attacker host in the list
  - Strict: the packet has to traverse only the addresses mentioned
  - Loose: in addition to the list mentioned, the packet can traverse additional routers
- Smurf attack: send ICMP packets to a broadcast address with a spoofed source address
- SYN flooding: send too many TCP connection requests with spoofed source addresses
- Sequence number prediction
- Session hijacking
- Determining the state of a firewall
  - Stateful firewalls remember history
- Denial of service
How Easy it is to Spoof IP Address
- A little programming is enough!
  - Raw socket programming in UNIX
  - You will find examples of raw socket programs here: http://www.pdbuchan.com/rawsock/rawsock.html
  - WinPcap in Windows
- Several open source tools are available
  - hping: seems not actively maintained now
  - Scapy: does many things, such as packet manipulation, capture and spoofing
Defenses Against IP Address Spoofing
- No complete solution exists
- Ingress filtering: drop packets coming from outside that carry source IP addresses used inside the network
- Egress filtering: any packet leaving with a source IP address not in the network is dropped
- Avoid trust relationships based on IP address
- Unicast Reverse Path Forwarding (uRPF): discard IP packets that lack a verifiable IP source address
  - The idea is simple: the reverse path to the source IP address of an incoming packet must use the same interface the packet arrived on
  - Strict: same interface
  - Loose: if any path to the source exists, it is OK
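The three filtering checks from this slide, as an added example written for these notes (not code from the lecture): ingress and egress filtering against an assumed inside prefix, and uRPF in strict and loose mode over a constructed forwarding table that reuses the slides' addresses. The topology, the interface names "inside"/"outside" and the rule that the default route does not vouch for a source unless explicitly allowed are assumptions of the example.

```python
import ipaddress

# Constructed example topology (not from the slides): one border router with an
# "inside" interface on the campus prefix and an "outside" uplink.
INSIDE_PREFIX = ipaddress.ip_network("100.1.1.0/24")
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
FIB = {                                   # destination prefix -> outgoing interface
    INSIDE_PREFIX: "inside",
    ipaddress.ip_network("200.1.1.0/24"): "outside",
    DEFAULT_ROUTE: "outside",
}

def lookup(ip, allow_default=False):
    """Longest-prefix match on the source address: the interface the router would
    use to reach it, or None. The default route is ignored unless allow_default
    is set, the usual convention for uRPF so that 0/0 does not vouch for anyone."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in FIB.items():
        if prefix == DEFAULT_ROUTE and not allow_default:
            continue
        if addr in prefix and (best is None or prefix.prefixlen > best[0]):
            best = (prefix.prefixlen, iface)
    return best[1] if best else None

def ingress_ok(src, arriving_iface):
    """Ingress filtering: a packet from outside must not claim an inside source."""
    return not (arriving_iface == "outside" and ipaddress.ip_address(src) in INSIDE_PREFIX)

def egress_ok(src, arriving_iface):
    """Egress filtering: a packet leaving the network must carry an inside source."""
    return not (arriving_iface == "inside" and ipaddress.ip_address(src) not in INSIDE_PREFIX)

def urpf_ok(src, arriving_iface, mode="strict"):
    """Strict: the reverse path to the source must use the arrival interface.
    Loose: any (non-default) route back to the source is enough."""
    iface = lookup(src)
    if iface is None:
        return False                      # no route back to the source: drop
    return iface == arriving_iface if mode == "strict" else True

def verdict(src, arriving_iface, mode="strict"):
    """'forward' when every check passes, otherwise 'drop:<first failing check>'."""
    checks = (("ingress", ingress_ok(src, arriving_iface)),
              ("egress", egress_ok(src, arriving_iface)),
              ("urpf", urpf_ok(src, arriving_iface, mode)))
    failed = [name for name, ok in checks if not ok]
    return "drop:" + failed[0] if failed else "forward"
```

Running `verdict` on the slides' addresses shows the difference between the modes: 150.1.1.2 (no route back) is dropped by both, while an inside address arriving from outside passes loose uRPF and is only caught by the ingress rule or by strict uRPF.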
Defenses Against IP Address Spoofing
- Anti-spoofing with IP Source Guard
  - Layer 2 security feature
  - Restricts IP traffic on untrusted layer 2 ports: packets with a source IP address other than the one assigned by DHCP/static assignment are dropped
- Encryption and authentication: IPsec may be an answer
- Make ISN prediction difficult by having perfect random number generation
  - RFC 1948 recommends the ISN to be a function of Source IP, Destination IP, Source Port, Destination Port and a secret key
- TCP receiver window based prediction
  - Set the window size small
- Traceroute
  - Measure TTL values
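Two of the defenses listed above, as an added example written for these notes (not the lecture's code): an RFC 1948 style ISN generator, M + F(Source IP, Destination IP, Source Port, Destination Port, secret), and a TTL hop-count consistency check that compares the hop count inferred from a packet's TTL with a value measured earlier (for instance with traceroute). The secret, the HMAC-SHA256 choice for F, the set of initial TTLs and the baseline table are assumptions of the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed secret for the example; a real host draws it from a CSPRNG at boot.
SECRET = b"constructed-example-secret"
INITIAL_TTLS = (32, 64, 128, 255)   # common operating-system default TTLs (assumed)

def rfc1948_isn(src_ip, dst_ip, sport, dport, secret=SECRET, now=None):
    """ISN = M + F(src IP, dst IP, src port, dst port, secret), as RFC 1948
    describes: M is a 32-bit clock ticking every 4 microseconds, F a keyed hash
    of the connection tuple (HMAC-SHA256 here, an assumption; the RFC uses MD5).
    Without the secret, F for a new connection tuple cannot be predicted."""
    t = time.time() if now is None else now
    m = int(t / 4e-6) & 0xFFFFFFFF
    conn = "{}|{}|{}|{}".format(src_ip, dst_ip, sport, dport).encode()
    f = struct.unpack(">I", hmac.new(secret, conn, hashlib.sha256).digest()[:4])[0]
    return (m + f) & 0xFFFFFFFF

def hop_count(ttl):
    """Infer hops travelled from an observed TTL by assuming the smallest common
    initial TTL not below it (a TTL of 52 is read as 64 minus 12 hops)."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL out of range")

def ttl_consistent(src_ip, ttl, baseline):
    """Compare the inferred hop count with the one previously measured for
    src_ip (e.g. with traceroute). Returns None when there is no baseline,
    True when consistent, False when the packet is suspect."""
    expected = baseline.get(src_ip)
    if expected is None:
        return None
    return hop_count(ttl) == expected

if __name__ == "__main__":
    print(hex(rfc1948_isn("100.1.1.1", "200.1.1.1", 40000, 80)))
    baseline = {"200.1.1.1": 12}      # constructed: 200.1.1.1 measured 12 hops away
    for ttl in (52, 122):             # consistent packet vs. one from 6 hops away
        print("200.1.1.1 ttl", ttl, ttl_consistent("200.1.1.1", ttl, baseline))
```

The hop-count check is a heuristic: it cannot tell a spoofer that is the same distance away from the real host, and an observed TTL near a boundary (say 30) is ambiguous between initial TTLs.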