Presentation is loading. Please wait.

Presentation is loading. Please wait.

IP Spoofing Sometimes on the internet, a girl named Alice is really a man named Yves.

Published byHeli Hänninen Modified over 6 years ago

Similar presentations

Presentation on theme: "IP Spoofing Sometimes on the internet, a girl named Alice is really a man named Yves."— Presentation transcript:

1 IP Spoofing Sometimes on the internet, a girl named Alice is really a man named Yves

2 Sources General Information: Mitnick Attack Sequence:
(See ppts on subject) Mitnick Attack Sequence: Session Hijack Sequence: DoS and DDoS attacks: Conversation with Todd ‘Hot Toddy’ Jackson Phrack Article:

3 Overview TCP/IP – in brief IP Spoofing Defending Against the Threat
Basic overview Examples Mitnick Attack Session Hijack DoS/DDoS Attack Defending Against the Threat Continuous Evolution Conclusion

4 TCP/IP in 3 minute or less
General use of term describes the Architecture upon which the Interweb is built. TCP/IP are specific protocols within that architecture.

5 TCP/IP in 3 minutes or less
Application Transport TCP Interweb IP Network Access Physical

6 TCP/IP in 3 minute or less
IP is the internet layer protocol. Does not guarantee delivery or ordering, only does its best to move packets from a source address to a destination address. IP addresses are used to express the source and destination. IP assumes that each address is unique within the network.

7 TCP/IP in 3 minutes or less
TCP is the transport layer protocol. It guarantees delivery and ordering, but relies upon IP to move packets to proper destination. Port numbers are used to express source and destination. Destination Port is assumed to be awaiting packets of data.

8 TCP/IP in 3 minutes or less
Client Using Mozilla Some Web Server HTTP - GET Application But what happens if someone is lying?? Application Transport Transport TCP – Port 80 Interweb Interweb IP – Network Access Network Access MAC – 00:11:22:33:44:55 Physical Physical

9 IP Spoofing – Basic Overview
Basically, IP spoofing is lying about an IP address. Normally, the source address is incorrect. Lying about the source address lets an attacker assume a new identity.

10 IP Spoofing – Basic Overview
Because the source address is not the same as the attacker’s address, any replies generated by the destination will not be sent to the attacker. Attacker must have an alternate way to spy on traffic/predict responses. To maintain a connection, Attacker must adhere to protocol requirements

11 IP Spoofing – Basic Overview
Difficulties for attacker: TCP sequence numbers One way communication Adherence to protocols for other layers

12 IP Spoofing – The Reset Victim - Bob Sucker - Alice Attacker - Eve
2. SYN ACK – Sure, what do you want to talk about? 3. RESET – Umm.. I have no idea why you are talking to me Victim - Bob Sucker - Alice 1. SYN – Let’s have a conversation 4. No connection – Guess I need to take Bob out of the picture… Attacker - Eve

13 IP Spoofing – Mitnick Attack
Merry X-mas! Mitnick hacks a Diskless Workstation on December 25th, 1994 The victim – Tsutomu Shinomura The attack – IP spoofing and abuse of trust relationships between a diskless terminal and login server.

14 Mitnick Attack Workstation Server Kevin Mitnick
6. Mitnick fakes the ACK using the proper TCP sequence number 4. Mitnick forges a SYN from the server to the terminal 5. Terminals responds with an ACK, which is ignored by the flooded port (and not visible to Mitnick) 7. Mitnick has now established a one way communications channel Workstation Server 3. Mitnick discovers that the TCP sequence number is incremented by each new connection 2. Mitnick Probes the Workstation to determine the behaviour of its TCP sequence number generator 1. Mitnick Flood’s server’s login port so it can no longer respond Kevin Mitnick

15 Mitnick Attack – Why it worked
Mitnick abused the trust relationship between the server and workstation He flooded the server to prevent communication between it and the workstation Used math skillz to determine the TCP sequence number algorithm (ie add ) This allowed Mitnick to open a connection without seeing the workstations outgoing sequence numbers and without the server interrupting his attack

16 IP Spoofing - Session Hijack
IP spoofing used to eavesdrop/take control of a session. Attacker normally within a LAN/on the communication path between server and client. Not blind, since the attacker can see traffic from both server and client.

17 Session Hijack Bob Alice I’m Bob! I’m Alice! Eve
3. At any point, Eve can assume the identity of either Bob or Alice through the Spoofed IP address. This breaks the pseudo connection as Eve will start modifying the sequence numbers 2. Eve can monitor traffic between Alice and Bob without altering the packets or sequence numbers. 1. Eve assumes a man-in-the-middle position through some mechanism. For example, Eve could use Arp Poisoning, social engineering, router hacking etc... Bob Alice I’m Bob! I’m Alice! Eve

18 IP Spoofing – DoS/DDoS Denial of Service (DoS) and Distributed Denial of Service (DDoS) are attacks aimed at preventing clients from accessing a service. IP Spoofing can be used to create DoS attacks

19 DoS Attack Server Interweb Attacker Legitimate Users Service Requests
Flood of Requests from Attacker Service Requests Interweb Server queue full, legitimate requests get dropped Service Requests Fake IPs Attacker Legitimate Users

20 DoS Attack The attacker spoofs a large number of requests from various IP addresses to fill a Services queue. With the services queue filled, legitimate user’s cannot use the service.

21 Server (already DoS’d)
DDoS Attack Server (already DoS’d) Queue Full SYN ACK Interweb 1. Attacker makes large number of SYN connection requests to target servers on behalf of a DoS’d server 2. Servers send SYN ACK to spoofed server, which cannot respond as it is already DoS’d. Queue’s quickly fill, as each connection request will have to go through a process of sending several SYN ACKs before it times out SYN ACK SYN ACK SYN ACK SYN SYN SYN SYN Target Servers Attacker

22 DDoS Attack Many other types of DDoS are possible.
DoS becomes more dangerous if spread to multiple computers.

23 IP Spoofing – Defending
IP spoofing can be defended against in a number of ways: As mentioned, other protocols in the Architectural model may reveal spoofing. TCP sequence numbers are often used in this manner New generators for sequence numbers are a lot more complicated than ‘add ’ Makes it difficult to guess proper sequence numbers if the attacker is blind “Smart” routers can detect IP addresses that are outside its domain. “Smart” servers can block IP ranges that appear to be conducting a DoS.

24 IP Spoofing continues to evolve
IP spoofing is still possible today, but has to evolve in the face of growing security. New issue of Phrack includes a method of using IP spoofing to perform remote scans and determine TCP sequence numbers This allows a session Hijack attack even if the Attacker is blind

25 Conclusion IP Spoofing is an old school Hacker trick that continues to evolve. Can be used for a wide variety of purposes. Will continue to represent a threat as long as each layer continues to trust each other and people are willing to subvert that trust.

26 Questions?

27 Application Application Transport Transport Interweb Interweb
Extra slide for questions – Two TCP/IP protocol Stacks Network Access Network Access Physical Physical

28 Sucker - Alice Victim - Bob Attacker - Eve
Extra Slide for Questions – Alice Bob Eve w/o interweb Attacker - Eve

29 Interweb Sucker - Alice Victim - Bob Attacker - Eve
Extra Slide for Questions – Alice Bob Eve with interweb Attacker - Eve

30 IP header 0 16 31 Version IHL Total Length Type of Service
Stolen from: IP header Version IHL Type of Service Total Length Identification Flags Fragment Offset Time to Live Header Checksum Protocol IP Header for Questions Source Address Destination Address Options and Padding

31 TCP header 0 16 31 Source Port Destination Port Sequence Number
Stolen from: TCP header Source Port Destination Port Sequence Number Acknowledgement Number Data Offset Reserved Flags Window TCP header for questions Checksum Urgent Pointer Options and Padding

32 TCP Sequence Numbers Client Server 2. Server transmits 20 bytes
1. Client transmits 50 bytes 3. Client ACKs, sends no data Start SEQ Start SEQ SEQ – 1892 ACK – 15562 Size - 50 SEQ – 15562 ACK – 1942 Size - 25 TCP Sequence number demonstration – for questions SEQ – 1942 ACK – 15587 Size - 0 End SEQ End SEQ

Download ppt "IP Spoofing Sometimes on the internet, a girl named Alice is really a man named Yves."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
TCP/IP Christopher Zacky. lolwut Decimal Numbers.

TCP/IP Christopher Zacky. lolwut Decimal Numbers.
CISCO NETWORKING ACADEMY Chabot College ELEC 99.05 Transport Layer (4)

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP)
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.

1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.
Instructor: Sam Nanavaty TCP/IP protocol. Instructor: Sam Nanavaty Version – Allows for the evolution of the protocol IHL (Internet header length) – Length.

Instructor: Sam Nanavaty TCP/IP protocol. Instructor: Sam Nanavaty Version – Allows for the evolution of the protocol IHL (Internet header length) – Length.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.

TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.

Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen

1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
1 LAN Protocols (Week 3, Wednesday 9/10/2003) © Abdou Illia, Fall 2003.

1 LAN Protocols (Week 3, Wednesday 9/10/2003) © Abdou Illia, Fall 2003.

Similar presentations

Ads by Google