IP Spoofing, CS265

IP Spoofing
Bao Ho, ToanTai Vu
CS265 Security Engineering, Spring 2003
San Jose State University

Presentation Outline
- Introduction, Background
- Attacks with IP Spoofing
- Countermeasures
- Summary

IP Spoofing
- IP spoofing is a technique used to gain unauthorized access to computers.
  - IP: Internet Protocol
  - Spoofing: using somebody else's information
- It exploits trust relationships.
- The intruder sends messages to a computer using the IP address of a trusted host.

IP / TCP
- IP is connectionless and unreliable
- TCP is connection-oriented

TCP/IP handshake:
  A -> B: SYN; my number is X
  B -> A: ACK; now X+1. SYN; my number is Y
  A -> B: ACK; now Y+1

A blind attack (figure): Host I cannot see what Host V sends back.

IP Spoofing Steps
- Select a target host (the victim)
- Identify a host that the target "trusts"
- Disable the trusted host; sample the target's TCP sequence numbers
- Impersonate the trusted host and forge the ISN
- Attempt a connection to a service that only requires address-based authentication
- If the connection succeeds, execute a simple command to leave a backdoor

IP Spoofing Attacks
- Man in the middle
- Routing
- Flooding / Smurfing

Attacks
- Man-in-the-middle: the attacker sniffs packets on the link between the two endpoints, and can therefore pretend to be one end of the connection.

Attacks
- Routing redirect: redirects routing information from the original host to the attacker's host.
- Source routing: the attacker redirects individual packets through the attacker's host.

Attacks
- Flooding: a SYN flood fills up the receive queue with connection requests from random source addresses.
- Smurfing: an ICMP packet spoofed to originate from the victim is sent to the broadcast address, causing all hosts on the network to respond to the victim at once.

IP-Spoofing Facts
- The IP protocol is inherently weak
- It makes no assumptions about sender or recipient
- Nodes on the path do not check the sender's identity
- There is no way to completely eliminate IP spoofing
- One can only reduce the possibility of attack

IP-Spoofing Countermeasures
- No insecure authenticated services
- Disable commands like ping
- Use encryption
- Strengthen the TCP/IP protocol
- Firewall
- IP traceback

No insecure authenticated services
- r* services are hostname-based or IP-based
- Use more secure alternatives, e.g., ssh
- Remove the binaries
- Disable them in inetd / xinetd
- Clean up .rhosts files and /etc/hosts.equiv
- Avoid applications with hostname/IP-based authentication where possible

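An audit of the trust files the slide tells you to clean up, as an added example that is not part of the slides: it parses hosts.equiv/.rhosts entries from a constructed sample file and reports every entry that still grants hostname-, IP- or netgroup-based trust.

```python
import ipaddress

# Constructed sample hosts.equiv content (not from the slides).
# Format: one host per line, optional user field; "+" is a wildcard, "-" denies.
SAMPLE_HOSTS_EQUIV = """# hosts.equiv: trusted host, optional trusted user
+
trusted.example.com
192.0.2.10 root
+@admins
-badhost.example.com
mail.example.com +
"""

def _is_ip(spec):
    try:
        ipaddress.ip_address(spec)
        return True
    except ValueError:
        return False

def parse_trust_line(line):
    """Split a hosts.equiv/.rhosts line into (host_spec, user_spec); None for blanks and comments."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    return fields[0], (fields[1] if len(fields) > 1 else None)

def audit_trust_file(text, path):
    """Return (severity, path, line_no, reason) for every entry that grants address-based trust."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parsed = parse_trust_line(raw)
        if parsed is None:
            continue
        host, user = parsed
        if host.startswith("-"):
            continue                      # explicit deny entry grants nothing
        if host == "+":
            findings.append(("critical", path, no, "wildcard '+': every host is trusted"))
        elif user == "+":
            findings.append(("high", path, no, f"wildcard user: any account on {host}"))
        elif host.startswith("+@"):
            findings.append(("medium", path, no, f"netgroup-based trust: {host[2:]}"))
        else:
            kind = "IP" if _is_ip(host) else "hostname"
            findings.append(("medium", path, no, f"{kind}-based trust: {host}"))
    return findings

if __name__ == "__main__":
    for finding in audit_trust_file(SAMPLE_HOSTS_EQUIV, "/etc/hosts.equiv"):
        print(*finding)
```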
Disable ping command
- The ping command has rare use
- It can be used to trigger a DoS attack by flooding the victim with ICMP packets
- This attack does not crash the victim, but consumes network bandwidth and system resources
- The victim fails to provide other services, and halts if it runs out of memory

DoS using ping (figure)

Use Encryption
- Encrypt traffic, especially TCP/IP packets and Initial Sequence Numbers
- Kerberos is free and built into the OS
- Limit session time
- A digital signature can be used to identify the sender of a TCP/IP packet

Strengthen TCP/IP protocol
- Use good random number generators to generate ISNs
- Shorten the time-out value for TCP/IP requests
- Increase the request queue size
- This cannot completely prevent the TCP/IP half-open-connection attack
- It can only buy more time, in the hope that the attack will be noticed

Firewall
- Limit traffic to the services that are offered
- Control access from within the network
- Free software: ipchains, iptables
- Commercial firewall software
- Packet filters: router with a built-in firewall
- Multiple layers of firewall

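The packet-filter checks a firewall would apply against the spoofing, smurf and SYN-flood attacks from the earlier slides, as an added example that is not part of the slides: it runs over constructed packet records, and the interface names, address ranges and half-open threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed site layout: "ext" faces the Internet, "int" faces the LAN 192.0.2.0/24.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
# Sources that must never arrive from outside: our own prefix plus private/loopback space.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in
                      ("192.0.2.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed packet records (not from the slides): (iface, proto, src, dst, info).
SAMPLE = [
    ("ext", "tcp",  "203.0.113.5",  "192.0.2.10",   "SYN"),
    ("ext", "tcp",  "192.0.2.77",   "192.0.2.10",   "SYN"),           # outside packet, inside source
    ("ext", "icmp", "203.0.113.44", "192.0.2.255",  "echo-request"),  # smurf: echo to our broadcast
    ("int", "tcp",  "203.0.113.9",  "198.51.100.1", "SYN"),           # LAN host using a foreign source
    ("ext", "tcp",  "198.51.100.1", "192.0.2.10",   "SYN"),
    ("ext", "tcp",  "198.51.100.2", "192.0.2.10",   "SYN"),
    ("ext", "tcp",  "198.51.100.3", "192.0.2.10",   "SYN"),
    ("ext", "tcp",  "203.0.113.5",  "192.0.2.10",   "ACK"),           # handshake completes
]

def filter_verdict(pkt):
    """Return (verdict, reason): ingress/egress source checks plus a smurf-amplification guard."""
    iface, proto, src, dst, info = pkt
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "ext" and any(s in net for net in NEVER_FROM_OUTSIDE):
        return "drop", f"spoofed or private source {src} arrived on external interface"
    if iface == "int" and s not in INTERNAL_NET:
        return "drop", f"LAN host emitted foreign source {src} (egress filter)"
    if proto == "icmp" and info == "echo-request" and d == INTERNAL_NET.broadcast_address:
        return "drop", "ICMP echo to directed broadcast (smurf amplification)"
    return "accept", None

def half_open_report(pkts, threshold):
    """Count SYN sources per destination that never sent an ACK; flag destinations at/above threshold."""
    syn_sources = defaultdict(set)
    for _, proto, src, dst, info in pkts:
        if proto != "tcp":
            continue
        if info == "SYN":
            syn_sources[dst].add(src)
        elif info == "ACK":
            syn_sources[dst].discard(src)
    return {dst: len(srcs) for dst, srcs in syn_sources.items() if len(srcs) >= threshold}

if __name__ == "__main__":
    accepted = [p for p in SAMPLE if filter_verdict(p)[0] == "accept"]
    print("half-open hosts:", half_open_report(accepted, 3))
```

Running the half-open count over the accepted packets only (as main() does) shows how much of a SYN flood the address filter alone removes.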
Network layout with firewall (figure)

IP Trace-back
- Trace back as close to the attacker's location as possible
- Limited in reliability and efficiency
- Requires the cooperation of many other network operators along the routing path
- Generally does not receive much attention from network operators

Summary/Conclusion
- IP spoofing attacks are unavoidable.
- Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.

Questions / Answers