Free Essay

Ip Spoofing

In: Computers and Technology

Submitted By surbhigupta
Words 1398
Pages 6
IP Spoofing: An Introduction Criminals have long employed the tactic of masking their true identity, from disguises to aliases to caller-id blocking. It should come as no surprise then, that criminals who conduct their nefarious activities on networks and computers should employ such techniques. IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine. In this article, we will examine the concepts of IP spoofing: why it is possible, how it works, what it is used for and how to defend against it.Internet Protocol – IP Internet protocol (IP) is a network protocol operating at layer 3 (network) of the OSI model. It is a connectionless model, meaning there is no information regarding transaction state, which is used to route packets on a network. Additionally, there is no method in place to ensure that a packet is properly delivered to the destination.Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the header) contain various information about the packet. The next 8 bytes (the next 2 rows), however, contains the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses – specifically the “source address” field. It's important to note that each datagram is sent independent of all others due to the stateless nature of IP. Keep this fact in mind as we examine TCP in the next section.Transmission Control Protocol – TCP IP can be thought of as a routing wrapper for layer 4 (transport), which contains the Transmission Control Protocol (TCP). Unlike IP, TCP uses a connection-oriented design. This means that the participants in a TCP session must first build a connection - via the 3-way handshake (SYN-SYN/ACK-ACK) - then update one another on progress - via sequences and acknowledgements. This “conversation”, ensures data reliability, since the sender receives an OK from the recipient after each packet exchange.As you can see above, a TCP header is very different from an IP header. We are concerned with the first 12 bytes of the TCP packet, which contain port and sequencing information. Much like an IP datagram, TCP packets can be manipulated using software. The source and destination ports normally depend on the network application in use (for example, HTTP via port 80). What's important for our understanding of spoofing are the sequence and acknowledgement numbers. The data contained in these fields ensures packet delivery by determining whether or not a packet needs to be resent. The sequence number is the number of the first byte in the current packet, which is relevant to the data stream. The acknowledgement number, in turn, contains the value of the next expected sequence number in the stream. This relationship confirms, on both ends, that the proper packets were received. It’s quite different than IP, since transaction state is closely monitored.Consequences of the TCP/IP Design Now that we have an overview of the TCP/IP formats, let's examine the consequences. Obviously, it's very easy to mask a source address by manipulating an IP header. This technique is used for obvious reasons and is employed in several of the attacks discussed below. Another consequence, specific to TCP, is sequence number prediction, which can lead to session hijacking or host impersonating. This method builds on IP spoofing, since a session, albeit a false one, is built. We will examine the ramifications of this in the attacks discussed below.Spoofing Attacks There are a few variations on the types of attacks that successfully employ IP spoofing. Although some are relatively dated, others are very pertinent to current security concerns.Non-Blind Spoofing This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance would be session hijacking. This is accomplished by corrupting the datastream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using this technique, an attacker could effectively bypass any authentication measures taken place to build the connection.Blind Spoofing This is a more sophisticated attack, because the sequence and acknowledgement numbers are unreachable. In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers. While not the case today, machines in the past used basic techniques for generating sequence numbers. It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most OSs implement random sequence number generation, making it difficult to predict them accurately. If, however, the sequence number was compromised, data could be sent to the target. Several years ago, many machines used host-based authentication services (i.e. Rlogin). A properly crafted attack could add the requisite data to a system (i.e. a new user account), blindly, enabling full access for the attacker who was impersonating a trusted host.Man In the Middle Attack Both types of spoofing are forms of a common security violation known as a man in the middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.Denial of Service Attack IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against – denial of service attacks, or DoS. Since crackers are concerned only with consuming bandwidth and resources, they need not worry about properly completing handshakes and transactions. Rather, they wish to flood the victim with as many packets as possible in a short amount of time. In order to prolong the effectiveness of the attack, they spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block traffic.Misconceptions of IP Spoofing While some of the attacks described above are a bit outdated, such as session hijacking for host-based authentication services, IP spoofing is still prevalent in network scanning and probes, as well as denial of service floods. However, the technique does not allow for anonymous Internet access, which is a common misconception for those unfamiliar with the practice. Any sort of spoofing beyond simple floods is relatively advanced and used in very specific instances such as evasion and connection hijacking.Defending Against Spoofing There are a few precautions that can be taken to limit IP spoofing risks on your network, such as:Filtering at the Router - Implementing ingress and egress filtering on your border routers is a great place to start your spoofing defense. You will need to implement an ACL (access control list) that blocks private IP addresses on your downstream interface. Additionally, this interface should not accept addresses with your internal range as the source, as this is a common spoofing technique used to circumvent firewalls. On the upstream interface, you should restrict source addresses outside of your valid range, which will prevent someone on your network from sending spoofed traffic to the Internet.Encryption and Authentication - Implementing encryption and authentication will also reduce spoofing threats. Both of these features are included in Ipv6, which will eliminate current spoofing threats. Additionally, you should eliminate all host-based authentication measures, which are sometimes common for machines on the same subnet. Ensure that the proper authentication measures are in place and carried out over a secure (encrypted) channel.Conclusion IP Spoofing is a problem without an easy solution, since it’s inherent to the design of the TCP/IP suite. Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.. |

Similar Documents

Premium Essay

Ip Spoofing

...12/7/2014 IP Spoofing ­ Cisco Systems The Internet Protocol Journal, Volume 10, No. 4 IP Spoofing HOME ABOUT CISCO PUBLICATIONS AND MERCHANDISE THE INTERNET PROTOCOL JOURNAL ISSUES VOLUME 10, NUMBER 4, DECEMBER 2007 Book Review Call for Papers Download PDF Fragments From the Editor IP Spoofing Looking Toward the Future Remembering Itojun Security Standards Layers above IP use the source address in an incoming packet to identify the sender. To communicate with the sender, the receiving station sends a reply by using the source address in the datagram. Because IP makes no effort to validate whether the source address in the packet generated by a node is actually the source address of the node, you can spoof the source address and the receiver will think the packet is coming from that spoofed address. Many programs for preparing spoofed IP datagrams are available for free on the Internet; for example, hping lets you prepare spoofed IP datagrams with just a one­line command, and you can send them to almost anybody in the world. You can spoof at various network layers; for example, you can use Address Resolution Protocol (ARP) spoofing to divert the traffic intended for one station to someone else. The Simple Mail Transfer Protocol (SMTP) is also a target for spoofing; because SMTP does not verify the sender's address, you can send any e­mail to anybody pretending to be someone else. This article focuses on the various types of attacks that involve IP spoofing on networks...

Words: 3181 - Pages: 13

Free Essay

Information Security Threat Mitigation

...Information Security Threats Mitigation By Francis Nsofwa Mubanga Keller Graduate School of Management Devry University Professor Sandra Kirkland SE572 July 14th, 2011  Table of Contents Introduction 1 Steps 1 Denial-of-Service attacks (DoS) 1 Distributed Denial-of-Service attacks (DDoS) 1 Masquerading and IP Spoofing attacks 2 Smurf attacks 2 Land .c attacks 2 Man-in-the-Middle attacks 3 Conclusion 3 References 4 Introduction Our company faces the largest information security threat and we need to take steps to mitigate the risks associated with each one of them. Steps Denial-of-Service attacks (DoS) We will analyze the attack as best as we can and implement the correct defense. We will ask ourselves if there are any common packet signatures that are easy to filter against. We will ask ourselves if all attackers hitting a single target if they can be sacrificed. We will also need to find out as to which network the attack is coming from, and if we can verify it (remember that spoofed packets can come from anywhere, including our own network). Once we’ve found a reasonable match for the attack, pass the filters to our upstream provider(s) and seek their help getting them propagated outwards. We will need to make sure we filter or redirect traffic with a minimum amount of actual downtime (Kaeo, 2004). Distributed Denial-of-Service attacks (DDoS) CluB: a Cluster-Based architecture is the method we will use to prevent DDoS attacks...

Words: 789 - Pages: 4

Premium Essay

Network Support for Ip Traceback

...226 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 9, NO. 3, JUNE 2001 Network Support for IP Traceback Stefan Savage, David Wetherall, Member, IEEE, Anna Karlin, and Tom Anderson Abstract--This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back toward their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing packets with incorrect, or "spoofed," source addresses. In this paper, we describe a general purpose traceback mechanism based on probabilistic packet marking in the network. Our approach allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet Service Providers (ISPs). Moreover, this traceback can be performed "post mortem"--after an attack has completed. We present an implementation of this technology that is incrementally deployable, (mostly) backward compatible, and can be efficiently implemented using conventional technology. Index Terms--Computer network management, computer network security, network servers, stochastic approximation, wide-area networks. I. INTRODUCTION D ENIAL-OF-SERVICE attacks consume the resources of a remote host or network, thereby denying or degrading service to legitimate users. Such attacks are among the hardest security problems to address because they are simple to implement, difficult to prevent, and very difficult...

Words: 11860 - Pages: 48

Free Essay

Fxt2 Task 2

...they never would have imagined. A financial auditor performing their daily tasks identified an error within the company’s financial amounts. They identified that multiple paychecks with modified amounts were sent to an individual. In their attempts to notify appropriate personnel via email, the emails were sniffed; modified and fictitious communications were conducted between the auditor and the attacker. The attacker was then able to gain additional access into more financial records, whereby more modifications were conducted; to include the presidents and other’s salary and then took those deductions and added them to their paycheck. IT personnel were able to identify that an internal system was conducting a man-in-the-middle attack by spoofing an internal Internet Protocol address, whereby all traffic that was sent to a specific location was involuntarily sent to another system. The culprit was lack of access controls, central reporting systems, authentication controls, and a lack of host based intrusion prevention systems. These controls and systems would have prevented this type or at minimal detected this type of attack and could have saved the company many hours of labor costs. -Identify who needs to be notified based on the type and severity of the incident: In incidents such as this, Management must be notified and kept abreast of the situation each step of the way as they will ultimately be held responsible if fault is identified on their end. The Computer Emergency...

Words: 2798 - Pages: 12

Free Essay

Fxt2 Task 2

...-Describe the nature of the event: A highly technical interference was discovered in the organization's financial reports that rounds off several stealthy methods which puts the company at great risk. This discovery was as a result of an audit carried out by professionals on a routine basis. They noticed that many paychecks which had been doctored were made to a particular person. In a bid to notify the right personnel through mail, the mails were intercepted and fraudulent communications were between the auditor and the attacker. Through this the attacker then gained access to a lot of financial records and altered them; adding the name of the president and that of others in order to deduct money from theirs to add to their own paycheck. However the IT personnel was able to dictate that an internal system had done a middle man attack through an internal internet Protocol address, whereby all traffic meant for a particular location was sent to another system unknowingly. The suspect didn't have the right access control central reporting systems, authentication controls, and a lack of host based intrusion prevention systems. These controls and systems are actually meant to act as guide against this kind of attack and save the company several hours of labor costs. -Who should be notified? In cases like this, the top hierarchy should be alerted and kept informed of the casewhen any move is made becauseeverything stops at their table. The Computer Emergency Response Team or...

Words: 2778 - Pages: 12

Free Essay

Nt1210 Lab 6. 1-4

...the ps3 so you get a depredation of signal and loss of data packets as the connection goes on. 2. If a previously stated standard is not compatible with your adapter you could have issues with your connection not connecting Lab 6.3 Review 1. Um well I could write a book but simply a guest having access to your network could result in any imaginable results on your network to name a few rootkits,Trojan droppers, Remote Access Terminals, Keyloggers, Viruse’s. 2. Setting a MAC filter is a good way to filter who has access to your network its simply like saying Fred has access to the building with his fingerprint being scanned by a biometric scanner. Although this can be spoofed by spoofing your mac but you would still have to find out which macs are allowed and have to make sure the mac your spoofing is not connected so that you do not receive a duplicate error. Lab Review 6.4 1. A AP’s signal would fade naturally the farther from the signal source you go but with the signal going through walls will further degrade the signal depending on the thickness of the wall. So you would have to account for walls or objects that could further degrade your signal from the source. 2. A student in classroom b connect to AP3. The student in classroom A will connect to AP2. A...

Words: 393 - Pages: 2

Free Essay

Threat and Risk Assesment

...protection from this type of attack. Spoofing: In 2006 banks were targeted by attackers with a spoofing attack. An article written by McMillan (2006) stated that the attackers were able to hack into the banks' ISP servers and redirect traffic from the legitimate banks' websites to a bogus server. The attackers were able to affect about 20 customers by being able to get them to enter in PINs and other personal information (para. 2). There is an article by Zetter (2012) in which a mathematician noticed that several technology companies and other types of companies used a weak DomainKeys Identified Mail (DKIM) that he was able to break and then use to pretend to be high up personnel in that company. In our report we noted you had in-house servers and the firewalls seem properly configured for outside attacks. In 2014, AOL had its mail service attacked, and the attackers used the email address book to send spam to everyone in the address book as the owner of the email. Spoofing is still a viable attack and even with properly configured network and validation methods human error is still a major contributing factor to spoofing. The major threat here comes from employees surfing the internet such as Facebook and answering personal emails. Under the right conditions, a spoofing attack can be extremely dangerous and the credentials stolen can lead to serious system impact. The major financial loss will come from the public perception of a spoofing attack. Exposure...

Words: 2034 - Pages: 9

Free Essay

Gps Devices

...The things in this summary include the demonstration and capabilities of GPS Dots, wave bubbles, and GPS Spoofs. GPS Dots are little dots the size of your thumb that have the capabilities to track down the things it is attached to. This is helpful to find the things that are valuable and essential. It is predicted that in the next few years, everyone would have lots of GPS dots for everything they need. Wave bubbles are invisible “bubbles” that stretch for miles and jams or disables the transmissions that are sent from satellites to prevent a person from seeing where you go or what you do. It also prevents satellites from giving information to GPS signal receivers. Wave bubbles are illegal to use. GPS Spoofs are some devices that are easily assembled and they target GPS receivers in which they send bogus information to make the GPS show information that is not sent by the satellite, but sent from the GPS Spoof device. This is used to hack others GPS’. GPS’S effect my life a little. They help me to find places where I want to go (by my IPod) like going to a store, my friends house or finding my friend were he/she is (by the app called “find my Iphone”, where another iOS device can find your device and data. For my parents, it helps them go to places they never been before, and helps them go to the work places or university (since it is far). For my whole family we usually use for recreational purposes, like finding restaurants or theatres. GPS dots would affect me greatly...

Words: 514 - Pages: 3

Premium Essay

Firewall

...Firewalls protecting a single computer are called host based firewalls, software firewalls or client firewalls. While there are many ways to categorize perimeter firewalls, perhaps the most effective way is to look at them in terms of functionality. From a functional standpoint firewalls can be divided into Access Control List based, State Based and Application Proxy firewalls. The easiest way to understand the Access Control based firewall is to consider the fact that they can restrict traffic based on the source IP address of the packet. You would not want a packet coming in from the outside that has an IP address that should be INSIDE your organization. This might be from someone using a “SPOOFED” source IP address to attack your internal network resources. If you were receiving numerous packets from a single IP address this might be from someone trying to perform a Denial of Service (DoS) attack on you. Obviously you would want to block traffic from that IP address. Sometimes this functionality is used to divide departments inside an organization as well. For instance you might want to block the ‘students’ part of your network from the ‘administration’ part of your network in a college or university. 1 In a Sate Based firewall, the firewall keeps track of all outgoing requests coming from inside the network. It keeps them in an area of memory called the ‘state table’. When an...

Words: 421 - Pages: 2

Premium Essay

It Infrastructure.

...threats and vulnerabilities found within the Workstation, LAN, and Systems/Applications Domains.1. What are the differences between ZeNmap GUI (Nmap) and Nessus?ZeNmap is used to map a network and Nessus is used to Test a network for vulnerabilities.2. Which scanning application is better for performing a network discovery reconnaissance probing of an IP network infrastructure? Nmaps sole purpose is just that, network probing and recon.3. Which scanning application is better for performing a software vulnerability assessment with suggested remediation steps? Nessus would be a better tool for this operation. While you can find network vulnerabilities with Nmap, it is not used as such.4. How many total scripts (i.e., test scans) does the Intense Scan using ZenMap GUI perform?Port Scanning, OS detection, Version detection, Network Distance, TCP sequence prediction, Trace route5. From the ZenMap GUI pdf report page 6, what ports and services are enabled on the Cisco Security Appliance device? 443/tcp open ssl/http, No exact OS matches for host, Aggressive OS guesses: Cisco Catalyst 1900 Switch, Software v9.00.03 (89%).6. What is the source IP address of the Cisco Security Appliance device (refer to page 6 of the pdf report)? Nmap scan report for 172.30.0.17. How...

Words: 310 - Pages: 2

Premium Essay

Ip Spoof

...On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 6 IP source address spoofing has plagued the Internet for many years. Attackers spoof source addresses to mount attacks and redirect blame. Researchers have proposed many mechanisms to defend against spoofing, with varying levels of success. With the defense mechanisms available today, where do we stand? How do the various defense mechanisms compare? This article first looks into the current state of IP spoofing, then thoroughly surveys the current state of IP spoofing defense. It evaluates data from the Spoofer Project, and describes and analyzes host-based defense methods, router-based defense methods, and their combinations. It further analyzes what obstacles stand in the way of deploying those modern solutions and what areas require further research. Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General— Security and protection General Terms: Performance, Security Additional Key Words and Phrases: IP spoofing, spoofing defense, spoofing packet, packet filtering ACM Reference Format: Ehrenkranz, T. and Li, J. 2009. On the state of IP spoofing defense. ACM Trans. Internet Technol. 9, 2, Article 6 (May 2009), 29 pages. DOI = 10.1145/1516539.1516541 http://doi.acm.org/10.1145/1516539.1516541 1. INTRODUCTION In today’s Internet, attackers can forge the source address of IP packets to both maintain their anonymity and redirect the blame for attacks. When attackers inject...

Words: 14721 - Pages: 59

Premium Essay

Ip Spoffing

...IP Spoofing by Farha Ali, Lander University The Internet Protocol, or IP, is the main protocol used to route information across the Internet. The role of IP is to provide best-effort services for the delivery of information to its destination. IP depends on upper-level TCP/IP suite layers to provide accountability and reliability. The heart of IP is the IP datagram, a packet sent over the Internet in a connectionless manner. An IP datagram carries enough information about the network to get forwarded to its destination; it consists of a header followed by bytes of data . The header contains information about the type of IP datagram, how long the datagram should stay on the network (or how many hops it should be forwarded to), special flags indicating any special purpose the datagram is supposed to serve, the destination and source addresses, and several other fields, as shown in Figure 1. Figure 1: The IP Header Layers above IP use the source address in an incoming packet to identify the sender. To communicate with the sender, the receiving station sends a reply by using the source address in the datagram. Because IP makes no effort to validate whether the source address in the packet generated by a node is actually the source address of the node, you can spoof the source address and the receiver will think the packet is coming from that spoofed address. Many programs for preparing spoofed IP datagrams are available for free on the Internet; for example, hping lets...

Words: 3368 - Pages: 14

Premium Essay

Myrtle & Associates/Bellview Law Group to Mab Law Firm Network Integration

...Group Utilized Access To the Internet via a Digital Subscribers Line(DSL) 2. Myrtle & Associates & Bellview Law Group are separated by a considerable geographical distance. 3. Current Novell Servers Used by Bellview Law Group are Old. 4. All internal hard cabling runs will be wired with CAT 5e. Current Network Diagram Please See Exhibit (A-1 & A-2) Diagram of Proposed Network Integration Please See Exhibit (B) Challenges to Integrating the Current LANs, Challenges integrating the Myrtle & Associates and Bellview Law Group networks will be presented by the following: * The geographical distance between the two offices (L2TP/IPsec) * Bellview Law Group use of Novell and IPX/SPX instead of TCP/IP Integrating these two networks will be faced by the geographical distance between the two offices where the law firms reside. One solution would be to lease a dedicated line however; this option would be a very expensive one and is unnecessary due to new Virtual Private Network (VPN) technologies such as Layer 2 Tunneling Protocol (L2TP). Layer 2 Tunneling Protocol (L2TP) is a VPN technology allows for communication between two LAN segments separated by geographic distance by means of Point to Point Protocol (PPP) & encryption. Encryption, which is the process of converting the senders “plaintext” to a unreadable altered version of that plaintext called “ciphertext.” This feat is accomplished by using an algorithm, also called a...

Words: 2057 - Pages: 9

Premium Essay

Selecting Security Countermeasures

...03/30/2014 IS3220 Unit 2 Assignment 1 Selecting Security Countermeasures The primary components that make up a network infrastructure are routers, firewalls, and switches. An attacker may exploit poorly configured network devices. Common vulnerabilities include weak default installation settings, wide open access controls, and devices lacking the latest security patches. Top network level threats include: •Information gathering •Sniffing •Spoofing •Session hijacking •Denial of service Information Gathering Network devices can be discovered and profiled in much the same way as other types of systems. Attackers usually start with port scanning. After they identify open ports, they use banner grabbing and enumeration to detect device types and to determine operating system and application versions. Armed with this information, an attacker can attack known vulnerabilities that may not be updated with security patches. Countermeasures to prevent information gathering include: •Configure routers to restrict their responses to footprinting requests. •Configure operating systems that host network software (for example, software firewalls) to prevent footprinting by disabling unused protocols and unnecessary ports. Sniffing or eavesdropping is the act of monitoring traffic on the network for data such as plaintext passwords or configuration information. With a simple packet sniffer, an attacker can easily read all plaintext traffic. Also, attackers can crack packets...

Words: 650 - Pages: 3

Free Essay

Information Security Threat

...of unrecoverable revenue associated with site downtime and possible compromise of sensitive confidential data. It is imperative today’s corporate network is configured and prepared to protect itself from external cyber-attacks. Since there is no 100% method to stop external cyber-attacks, attention to detail must be made in regards to proper configuration of the network to include state of the art hardware and software. To include current security patches for both software and hardware respectively. Additionally, hardware and software measures will be limited in their effectiveness without network policies and techniques to protect against external cyber-attacks such as Denial of Service, Distributed Denial of Service, Masquerading and IP Spoofing, Smurf Attacks, Land c Attacks, and Man-in-the-Middle attacks. In close coordination with our IS team engineers and IT network director an approved plan has been incorporated to minimize risk of an effective cyber-attack on our network. Specifically this plan covers a comprehensive review of current network design and interdependencies, Standard Operating Procedures, Emergency Operating Procedures, detailed analysis of every program, service, host, router, switch to include interaction between these services and resources. Testing current system and policies by a certified third...

Words: 735 - Pages: 3