IIT Indore © Neminath Hubballi

IP Spoofing
Dr. Neminath Hubballi, IIT Indore

Outline
  Introduction
  IP address spoofing
  Mitigation/Detection techniques

IP Address Spoofing
  IP spoofing is the creation of IP packets using somebody else's IP address as the source address of an IP packet.
  The absence of state information makes the IP protocol vulnerable to spoofing.
  The peer is not authenticated.

Normal Interaction
Host 200.1.1.1 sends a packet to host 100.1.1.1:
  Source IP 200.1.1.1 | Destination IP 100.1.1.1
Host 100.1.1.1 replies to the source address it saw:
  Source IP 100.1.1.1 | Destination IP 200.1.1.1

Interaction Under Spoofing
The attacker at 200.1.1.1 sends a packet to 100.1.1.1 with a forged source address:
  Source IP 150.1.1.1 | Destination IP 100.1.1.1
Host 100.1.1.1 replies to the forged address, so the reply goes to host 150.1.1.1, not to the attacker:
  Source IP 100.1.1.1 | Destination IP 150.1.1.1

Interaction Under Spoofing (attacker uses a non-existent IP address as source address)
The attacker at 200.1.1.1 sends a packet to 100.1.1.1:
  Source IP 150.1.1.2 | Destination IP 100.1.1.1
Host 100.1.1.1 replies to the forged address:
  Source IP 100.1.1.1 | Destination IP 150.1.1.2
There is no host 150.1.1.2, so the reply cannot be delivered ("I have no way forward").

IP Address Spoofing: Implications
Many network services use host names or addresses for identification and authentication. A host wanting a service prepares a message and sends it to a remote service; the receiver either allows or disallows the service based on that address. Many services are therefore vulnerable to IP spoofing:
  RPC (http://seclists.org/bugtraq/1995/Jan/182)
  NFS
  X Window System
  Any service using the IP address as its authentication method

Defenses Against IP Address Spoofing
  Ingress filtering
  Egress filtering
  Avoiding trust relationships based on IP address
  Unicast Reverse Path Forwarding
  TTL value
  Packet marking
  IPSec
  Randomized Initial Sequence Number in TCP
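Added example (not part of the slides): the three address-based defenses in the list above, ingress filtering, egress filtering and strict unicast RPF, written as decision functions and applied to the addresses used in the earlier slides. The site prefix 200.1.1.0/24, the interface names and the routing table are assumptions made for the example.

```python
# Added example: address-based anti-spoofing checks (ingress, egress, uRPF).
# The prefix, interfaces and FIB below are constructed for illustration.
import ipaddress

# Assumption: the border router protects the site that owns 200.1.1.0/24
# (the attacker in the "Interaction Under Spoofing" slide sits at 200.1.1.1).
INTERNAL = ipaddress.ip_network("200.1.1.0/24")

# Constructed forwarding table: prefix -> interface that reaches it
FIB = {
    ipaddress.ip_network("200.1.1.0/24"): "lan0",   # our own site
    ipaddress.ip_network("100.1.1.0/24"): "wan0",   # the victim's network
    ipaddress.ip_network("0.0.0.0/0"):    "wan0",   # default route
}


def ingress_ok(src):
    """Packet arriving from the outside world: nobody outside may claim one
    of our own addresses, so an internal source address is dropped."""
    return ipaddress.ip_address(src) not in INTERNAL


def egress_ok(src):
    """Packet leaving the site: only our own prefix may appear as source, so a
    local host forging 150.1.1.1 never gets its packet onto the Internet."""
    return ipaddress.ip_address(src) in INTERNAL


def urpf_ok(src, in_iface):
    """Strict unicast Reverse Path Forwarding: the longest-match route back
    to the source must point at the interface the packet arrived on."""
    addr = ipaddress.ip_address(src)
    best = max((n for n in FIB if addr in n), key=lambda n: n.prefixlen)
    return FIB[best] == in_iface


if __name__ == "__main__":
    # The spoofed packet from the slide (source 150.1.1.1 sent by 200.1.1.1)
    # is caught on the way out by egress filtering.
    print("egress allows 150.1.1.1:", egress_ok("150.1.1.1"))
    # A packet claiming 200.1.1.1 but arriving on wan0 fails strict uRPF.
    print("uRPF allows 200.1.1.1 on wan0:", urpf_ok("200.1.1.1", "wan0"))
```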

Normal Scenario (TTL-based verification)
Source (192.168.1.1) sends a packet to Destination (192.168.2.1). Each router on the path decrements the TTL:
  at the source:           Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 32
  after the first router:  Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 31
  after the second router: Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 30
Destination: "The destination is me. I should verify this packet (TTL=30) using a TCP probe request."

Normal Scenario (contd.)
Destination sends a TCP probe (SYN) towards 192.168.1.1 with the TTL set to the hop count inferred from the packet, (32-30)=2:
  at the destination:      Source IP 192.168.2.1 | Destination IP 192.168.1.1 | TTL (32-30)=2
  after the first router:  Source IP 192.168.2.1 | Destination IP 192.168.1.1 | TTL 1
  arriving at the source:  Source IP 192.168.2.1 | Destination IP 192.168.1.1
Source: "I received a TCP SYN. I should reply back with a SYN-ACK."

Normal Scenario (contd.)
The SYN-ACK from the genuine source travels the same path as the original packet:
  at the source:           Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 32
  after the first router:  Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 31
  after the second router: Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 30
Destination: "I received the probe reply from the same IP address with the same TTL value, i.e. 30. Packet genuine."

Spoofing Scenario 1
Spoofer (claiming 192.168.1.1) sends a packet to Destination (192.168.2.1). It sits three routers away, so the packet arrives with a different TTL than one from the genuine source (192.168.1.1) would:
  at the spoofer:          Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 32
  after the first router:  Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 31
  after the second router: Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 30
  after the third router:  Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 29
Destination: "The destination is me. I should verify this packet (TTL = 29) using a TCP probe request."

Spoofing Scenario 1 (contd.)
Destination sends the TCP probe towards the real 192.168.1.1 with TTL (32-29)=3:
  at the destination:      Source IP 192.168.2.1 | Destination IP 192.168.1.1 | TTL (32-29)=3
  after the next routers:  Source IP 192.168.2.1 | Destination IP 192.168.1.1 | TTL 2, then 1
Genuine source (192.168.1.1): "I received a TCP SYN. I should reply back with a SYN-ACK."

Spoofing Scenario 1 (contd.)
The SYN-ACK from the genuine source (192.168.1.1) crosses only two routers:
  at the source:           Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 32
  after the first router:  Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 31
  after the second router: Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 30
Destination: "I received the probe reply from the same IP address but with a different TTL value, i.e. 30 (not 29). Packet spoofed."

Spoofing Scenario 2
As in Scenario 1, Spoofer (claiming 192.168.1.1) sends a packet to Destination (192.168.2.1) through three routers:
  at the spoofer:          Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 32
  after the first router:  Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 31
  after the second router: Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 30
  after the third router:  Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 29
Destination: "The destination is me. I should verify this packet (TTL = 29) using a TCP probe request."

Spoofing Scenario 2 (contd.)
Destination sends the TCP probe towards 192.168.1.1 with TTL (32-29)=3:
  at the destination:      Source IP 192.168.2.1 | Destination IP 192.168.1.1 | TTL (32-29)=3
  after the next routers:  Source IP 192.168.2.1 | Destination IP 192.168.1.1 | TTL 2, then 1
Genuine source (192.168.1.1): "I received a TCP SYN. I should reply back with a SYN-ACK."

Spoofing Scenario 2 (contd.)
This time two SYN-ACKs with source 192.168.1.1 reach the destination: one from the spoofer (three routers away) and one from the genuine source (two routers away):
  spoofer's reply:         Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 32, 31, 30, arriving with 29
  genuine reply:           Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 32, 31, arriving with 30
Destination: "I received two different TTL values for one probe request from the same IP address. Spoofing detected (Scenario 2)."

Spoofing Scenario 3
Spoofer (claiming 192.168.1.1) sends a packet to Destination (192.168.2.1) through two routers, so it arrives with the TTL the destination would expect from the genuine source:
  at the spoofer:          Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 32
  after the first router:  Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 31
  after the second router: Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 30
Destination: "The destination is me. I should verify this packet (TTL = 30) using a TCP probe request."

Spoofing Scenario 3 (contd.)
Destination sends the TCP probe towards the genuine 192.168.1.1 with TTL (32-30)=2, but the genuine source is farther away than the spoofer, so the probe expires on the way:
  at the destination:      Source IP 192.168.2.1 | Destination IP 192.168.1.1 | TTL (32-30)=2
  after the first router:  Source IP 192.168.2.1 | Destination IP 192.168.1.1 | TTL 1
Intermediate router: "TTL=0. I should return an ICMP Time Exceeded message back to 192.168.2.1."
Destination: "An ICMP Time Exceeded message? That means the packet was a spoofed one."

Spoofing Scenario 4
As in Scenario 3, Spoofer (claiming 192.168.1.1) sends a packet to Destination (192.168.2.1) through two routers:
  at the spoofer:          Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 32
  after the first router:  Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 31
  after the second router: Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 30
Destination: "The destination is me. I should verify this packet (TTL = 30) using a TCP probe request."

Spoofing Scenario 4 (contd.)
Destination sends the TCP probe towards the genuine 192.168.1.1 with TTL (32-30)=2:
  at the destination:      Source IP 192.168.2.1 | Destination IP 192.168.1.1 | TTL (32-30)=2
  after the first router:  Source IP 192.168.2.1 | Destination IP 192.168.1.1 | TTL 1
Intermediate router: "TTL=0. I should return an ICMP Time Exceeded message back to 192.168.2.1."
At the same time the spoofer, guessing that a probe was sent, sends a SYN-ACK of its own, which arrives through two routers with TTL 30:
  spoofer's reply:         Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 32, 31, arriving with 30
Destination: "An ICMP Time Exceeded message and a reply with TTL=30 both? That means the attacker is sending the reply as a guess."

Spoofing Scenario 5
Spoofer (claiming 192.168.1.1) sends a packet to Destination (192.168.2.1) through two routers:
  at the spoofer:          Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 32
  after the first router:  Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 31
  after the second router: Source IP 192.168.1.1 | Destination IP 192.168.2.1 | TTL 30
Destination: "The destination is me. I should verify this packet (TTL=30) using a TCP probe request."

Spoofing Scenario 5 (contd.)
Destination sends the TCP probe towards 192.168.1.1 with TTL (32-30)=2, but no router on the path has a route to that address:
  at the destination:      Source IP 192.168.2.1 | Destination IP 192.168.1.1 | TTL (32-30)=2
First router: "I don't know the route to the destination, so I should forward it to the default router, reducing the TTL to 1."
Next router: "I don't know the route to the destination, so I should forward it to the default router, reducing the TTL to 0."
Any intermediate router: "The TTL value is 0, so I should send an ICMP Time Exceeded message back to the source."
Destination: "An ICMP Time Exceeded message? That means the packet was a spoofed one."
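Added example (not part of the slides): the decision logic of the TTL-based check walked through in the Normal Scenario and Spoofing Scenarios 1 to 5 above, with the probe's network I/O replaced by constructed probe outcomes so it runs offline. The set of assumed initial TTL values (32 as in the slides, plus common OS defaults) and the ProbeResult structure are assumptions of the example; the hop count is derived as (initial TTL - received TTL) exactly as the slides do.

```python
# Added example: TTL-based spoofing verification as described in the scenarios.
# Probe outcomes are constructed inputs; no packets are sent.
from dataclasses import dataclass, field

# Assumption: the sender used one of these initial TTLs (the slides use 32).
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hops(received_ttl):
    """Pick the smallest default initial TTL >= received_ttl and return
    (initial_ttl, hop_count); e.g. received 30 -> (32, 2), 29 -> (32, 3)."""
    initial = min(t for t in INITIAL_TTLS if t >= received_ttl)
    return initial, initial - received_ttl


@dataclass
class ProbeResult:
    """Constructed outcome of one TCP SYN probe sent towards the claimed source."""
    synack_ttls: list = field(default_factory=list)  # TTLs of SYN-ACKs received
    time_exceeded: bool = False                       # ICMP Time Exceeded received


def verify(received_ttl, result):
    """Classify the packet that arrived with received_ttl after a probe with
    TTL = hop_count was sent and the replies in `result` were observed."""
    _, hops = infer_hops(received_ttl)
    replies = set(result.synack_ttls)
    if result.time_exceeded and replies:            # Scenario 4
        return "spoofed", "ICMP Time Exceeded and a SYN-ACK both arrived: reply is a guess"
    if result.time_exceeded:                        # Scenarios 3 and 5
        return "spoofed", "probe with TTL=%d expired before reaching the claimed source" % hops
    if len(replies) > 1:                            # Scenario 2
        return "spoofed", "two different TTLs for one probe from the same IP"
    if replies == {received_ttl}:                   # Normal Scenario
        return "genuine", "probe reply carries the same TTL (%d)" % received_ttl
    if replies:                                     # Scenario 1
        return "spoofed", "reply TTL %d differs from packet TTL %d" % (replies.pop(), received_ttl)
    return "unknown", "no reply to the probe"


if __name__ == "__main__":
    print(verify(30, ProbeResult(synack_ttls=[30])))        # Normal Scenario
    print(verify(29, ProbeResult(synack_ttls=[30])))        # Scenario 1
    print(verify(29, ProbeResult(synack_ttls=[29, 30])))    # Scenario 2
    print(verify(30, ProbeResult(time_exceeded=True)))      # Scenarios 3 and 5
    print(verify(30, ProbeResult(synack_ttls=[30], time_exceeded=True)))  # Scenario 4
```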