Studying The History Of Ip Spoofing Information Technology Essay
Back in April 1989, a Steve Bellovin of AT&T was one of the first people to identify IP spoofing as real risk to all computer networks. Robert Morris, the creator of the quite famous Internet Worm, had figured out how TCP made sequence numbers and forged a TCP sequence packet. This packet had included the destination address of the ‘victim’ and using the IP spoofing attack, Morris was able to gain root access to the victims system without a password or user name.
A common misconception is that people think that ‘IP spoofing’ can be used to hide your IP address from everyone while you surf the net, etc. This really isn’t true at all. Forging the home source of the IP address can cause the response to be misdirected, which can lead you to not being able to create a normal network connection. However, this IP spoofing is an important part in the many network attacks today and they don’t need to see any responses; known as blind spoofing.
Although the popularity of these cracks, or spoofs, have been decreased due to the collapse of these services they had exploited, spoofing still can be used which, therefore, needs to be addressed by all, if possible, security administrators.
Internet Protocol Spoofing
Internet protocol (IP) is a network protocol which operates on the Network (3) Layer of the OSI model. This doesn’t contain information regarding the transaction state, where you would use this to route packets on a particular network, because it is a connectionless model. In addition, there is no means in place to make certain that a packet is correctly delivered to the destination.
Investigating the IP header, it’s easy to see that the first 12 bytes (or the top 3 rows of the header) contain different types of information about the packet. The next 8 bytes (the next 2 rows), nonetheless, contains the IP addresses source and destination. Using one of numerous tools, an attacker can easily modify these addresses – specifically the “source address” field. It’s vital to remember that each of these datagram’s are sent separately of all the other ones, which is due to the IP’s stateless nature.
Transmission Control Protocol Spoofing
Transmission Control Protocol (TCP) is part of the 4th Layer which is the Transport Layer in the OSI Model. Different to IP, TCP uses a connection-oriented model. This means that the users in a TCP session must first build the connection. Using the 3-way handshake (SYN-SYN/ACK-ACK), then update one another on progress via the sequences and acknowledgements numbers. This connection ensures data reliability, given that the sender receives an OK message from the recipient after each of the packet exchanges.
As we can see above, a TCP header is rather quite different from an IP header. When seeing this, we find that the first 12 bytes of the TCP packet contain port and sequencing information. Much like the IP datagram, TCP packets could be manipulated using software. The source and destination ports usually depend on what network application is being used (for instance, HTTP via port 80). What’s significant for the understanding of spoofing are the sequence and acknowledgement numbers. The information contained in these fields ensures the packet is delivered by determining whether or not the packet needs to be resent. The sequence number is the number of the first byte in the current packet, which is important to the data stream. The acknowledgement number contains the value of the next expected sequence number in the stream. This relationship confirms, on both ends, that the proper packets were received. Since it is a transaction state that’s closely monitored, it’s rather different than IP.
Types of Spoofing Attacks
Non-Blind Spoofing
This type of attack happens when the attacker is on the same IP network subdivision as the victim. The sequence and acknowledgement numbers can be easily identified, eliminating the possible difficulty of calculating them accurately. The biggest risk of spoofing in this case would be session hijacking. This is capable by corrupting the data stream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the machine used for the attack. Using this technique, an attacker could successfully bypass any authentication measures taken place to build the connection.
Blind Spoofing
This is a more sophisticated attack, because the sequence and acknowledgement numbers are unreachable. In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers. While not the case today, machines in the past used basic techniques for generating sequence numbers. It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most OSs implement random sequence number generation, making it difficult to predict them accurately. If, however, the sequence number was compromised, data could be sent to the target. Several years ago, many machines used host-based authentication services (i.e. Rlogin). A properly crafted attack could add the requisite data to a system (i.e. a new user account), blindly, enabling full access for the attacker who was impersonating a trusted host.
Man In the Middle Attack
Both types of spoofing are forms of a common security violation known as a man in the middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.
Denial of Service Attack
IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against – denial of service attacks, or DoS. Since crackers are concerned only with consuming bandwidth and resources, they need not worry about properly completing handshakes and transactions. Rather, they wish to flood the victim with as many packets as possible in a short amount of time. In order to prolong the effectiveness of the attack, they spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block traffic.
Defending Against Spoofing
There are a few precautions that can be taken to limit IP spoofing risks on your network, such as:
Filtering at the Router – Implementing ingress and egress filtering on your border routers is a great place to start your spoofing defense. You will need to implement an ACL (access control list) that blocks private IP addresses on your downstream interface. Additionally, this interface should not accept addresses with your internal range as the source, as this is a common spoofing technique used to circumvent firewalls. On the upstream interface, you should restrict source addresses outside of your valid range, which will prevent someone on your network from sending spoofed traffic to the Internet.
Encryption and Authentication – Implementing encryption and authentication will also reduce spoofing threats. Both of these features are included in Ipv6, which will eliminate current spoofing threats. Additionally, you should eliminate all host-based authentication measures, which are sometimes common for machines on the same subnet. Ensure that the proper authentication measures are in place and carried out over a secure (encrypted) channel.
Sources:
http://www.symantec.com/connect/articles/ip-spoofing-introduction
http://en.wikipedia.org/wiki/IP_address_spoofing
http://www.spamlaws.com/how-IP-spoofing-works.html
http://tldp.org/LDP/LG/issue63/sharma.html
Autonomic and Trusted Computing: 5th International Conference, ATC 2008 … By Chunming Rong, Martin Gilje Jaatun, Frode Eika Sandnes, Laurence T. Yang, Jianhua Ma
Order Now