IP Spoofing

BY

ARUN KANADE
BE – IT
 IP SPOOFING ?
• IP Spoofing is a technique used to gain
unauthorized access to computers.
– IP: Internet Protocol
– Spoofing: using somebody else’s information
• Exploits the trust relationships
• Intruder sends messages to a computer with
an IP address of a trusted host.
IP SPOOFING
WHY IP SPOOFING IS EASY ?

• Problem with the Routers.

• Routers look at Destination addresses
only.
• Authentication based on Source addresses
only.
• To change source address field in IP
header field is easy
 IP SPOOFING STEPS
• Selecting a target host (the victim)
• Identify a host that the target “trust”
• Disable the trusted host, sampled the target’s
TCP sequence
• The trusted host is impersonated and the ISN
forged.
• Connection attempt to a service that only
requires address-based authentication.
• If successfully connected, executes a simple
command to leave a backdoor.
 Spoofing Attacks
Spoofing is classified into :-

1. Non-blind spoofing :

This attack takes place when the attacker

is on the same subnet as the target that
could see sequence and acknowledgement
of packets.
CONTD…

2. Blind spoofing :
This attack may take place from outside
where sequence and acknowledgement
numbers are unreachable. Attackers
usually send several packets to the target
machine in order to sample sequence
numbers, which is doable in older days .
COTND…

• 3. Denial of Service Attack :

IP spoofing is almost always used in denial
of service attacks (DoS), in which attackers
are concerned with consuming bandwidth
and resources by flooding the target with as
many packets as possible in a short amount
of time.
CONTD…

• 4. SMURF ATTACK :
Send ICMP ping packet with spoofed IP
source address to a LAN which will
broadcast to all hosts on the LAN
Each host will send a reply packet to the
spoofed IP address leading to denial of
service
CONTD…

5. Man - in - the – middle :

Packet sniffs on link between the two
endpoints, and therefore can pretend to
be one end of the connection.
 Detection of IP Spoofing

1. If you monitor packets using network-

monitoring software such as netlog, look
for a packet on your external interface
that has both its source and destination IP
addresses in your local domain. If you find
one, you are currently under attack.
 Detection of IP Spoofing
2. Another way to detect IP spoofing is to
compare the process accounting logs between
systems on your internal network. If the IP
spoofing attack has succeeded on one of your
systems, you may get a log entry on the victim
machine showing a remote access; on the
apparent source machine, there will be no
corresponding entry for initiating that remote
access .
 IP-Spoofing Counter-measures
• No insecure authenticated services
• Disable commands like ping
• Use encryption
• Strengthen TCP/IP protocol
• Firewall
• IP trace back
 IP Trace-back
• To trace back as close to the attacker’s location
as possible
• Limited in reliability and efficiency
• Require cooperation of many other network
operators along the routing path
• Generally does not receive much attention from
network operators
 Misconception of IP Spoofing
A common misconception is that "IP Spoofing" can
be used to hide your IP address while surfing the
Internet, chatting on-line, sending e-mail, and so
forth.

This is generally not true. Forging the source IP

address causes the responses to be misdirected,
meaning you cannot create a normal network
connection. However, IP spoofing is an integral part of
many networks that do not need to see responses.
 IP-Spoofing Facts
• IP protocol is inherently weak
• Makes no assumption about sender/recipient
• Nodes on path do not check sender’s identity
• There is no way to completely eliminate IP
spoofing
• Can only reduce the possibility of attack
 Applications

• Asymmetric routing (Splitting routing)

• SAT DSL

• NAT

• IP Masquerade
 ADVANTAGES

• Multiple Servers :
Sometimes you want to change where
packets heading into your network will go.
Frequently this is because you have only
one IP address, but you want people to be
able to get into the boxes behind the one
with the `real' IP address.
 ADVANTAGES
• Transparent Proxying :

Sometimes you want to pretend that each

packet which passes through your Linux box
is destined for a program on the Linux box
itself. This is used to make transparent
proxies: a proxy is a program which stands
between your network and the outside world,
shuffling communication between the two.
The transparent part is because your network
won't even know it's talking to a proxy,
unless of course, the proxy doesn't work.
 DISADVANTAGES

• Blind to Replies :
A drawback to ip source address spoofing
is that reply packet will go back to the
spoofed ip address rather than to the
attacker. This is fine for many type of
attack packet. However in the scanning
attack as we will see next the attacker may
need to see replies .in such cases ,the
attacker can not use ip address spoofing .
 DISADVANTAGE

• Serial attack platforms :

However, the attacker can still maintain
anonymity by taking over a chain of attack hosts.
The attacker attacks the target victim using a
point host-the last host in the attack chain .Even
if authorities learn the point host’s identity .They
might not be able to track the attack through the
chain of attack hosts all the way back to the
attackers base host.
 CONCLUSION

• IP spoofing attacks is unavoidable.

• Understanding how and why spoofing

attacks are used, combined with a few
simple prevention methods, can help
protect your network from these malicious
cloaking and cracking techniques.
 References
• IP-spoofing Demystified (Trust-Relationship Exploitation),
www.networkcommand.com/docs/ipspoof.txt

• Introduction to IP Spoofing, Victor Velasco,

www.sans.org/rr/threats/intro_spoofing.php

• Internet Vulnerabilities Related to TCP/IP and T/TCP, ACM

SIGCOMM, Computer Communication Review

• IP Spoofing, www.linuxgazette.com/issue63/sharma.html

• FreeBSD IP Spoofing, www.securityfocus.com/advisories/2703

• IP Spoofing Attacks and Hijacked Terminal Connections,
www.cert.org/advisories/CA-1995-01.html

• Network support for IP trace-back

• Web Spoofing. An Internet Con Game,
http://bau2.uibk.ac.at/matic/spoofing.htm
THANK YOU !