Download presentation
Presentation is loading. Please wait.
1
IP Spoofing, CS2651 IP Spoofing Bao Ho ToanTai Vu CS 265 - Security Engineering Spring 2003 San Jose State University
2
IP Spoofing, CS2652 Presentation Outline n Introduction, Background n Attacks with IP Spoofing n Counter Measures n Summary
3
IP Spoofing, CS2653 IP Spoofing n IP Spoofing is a technique used to gain unauthorized access to computers. –IP: Internet Protocol –Spoofing: using somebdody else’s information n Exploits the trust relationships n Intruder sends messages to a computer with an IP address of a trusted host.
4
IP Spoofing, CS2654 IP / TCP n IP is connectionless, unreliable n TCP connection-oriented TCP/IP handshake A B: SYN; my number is X B A: ACK; now X+1 SYN; my number is Y A B: ACK; now Y+1
5
IP Spoofing, CS2655 A blind Attack Host I cannot see what Host V send back
6
IP Spoofing, CS2656 IP Spoofing Steps n Selecting a target host (the victim) n Identify a host that the target “trust” n Disable the trusted host, sampled the target’s TCP sequence n The trusted host is impersonated and the ISN forged. n Connection attempt to a service that only requires address-based authentication. n If successfully connected, executes a simple command to leave a backdoor.
7
IP Spoofing, CS2657 IP Spoofing Attacks n Man in the middle n Routing n Flooding / Smurfing
8
IP Spoofing, CS2658 Attacks Man - in - the - middle: Packet sniffs on link between the two endpoints, and therefore can pretend to be one end of the connection.
9
IP Spoofing, CS2659 Attacks n Routing re-direct: redirects routing information from the original host to the attacker’s host. n Source routing: The attacker redirects individual packets by the hacker’s host.
10
IP Spoofing, CS26510 Attacks n Flooding: SYN flood fills up the receive queue from random source addresses. n Smurfing: ICMP packet spoofed to originate from the victim, destined for the broadcast address, causing all hosts on the network to respond to the victim at once.
11
IP Spoofing, CS26511 IP-Spoofing Facts n IP protocol is inherently weak n Makes no assumption about sender/recipient n Nodes on path do not check sender’s identity n There is no way to completely eliminate IP spoofing n Can only reduce the possibility of attack
12
IP Spoofing, CS26512 IP-Spoofing Counter-measures n No insecure authenticated services n Disable commands like ping n Use encryption n Strengthen TCP/IP protocol n Firewall n IP traceback
13
IP Spoofing, CS26513 No insecure authenticated services n r* services are hostname-based or IP-based n Other more secure alternatives, i.e., ssh n Remove binary files n Disable in inet, xinet n Clean up.rhost files and /etc/host.equiv n No application with hostname/IP-based authentication, if possible
14
IP Spoofing, CS26514 Disable ping command n ping command has rare use n Can be used to trigger a DOS attack by flooding the victim with ICMP packets n This attack does not crash victim, but consume network bandwidth and system resources n Victim fails to provide other services, and halts if runs out of memory
15
IP Spoofing, CS26515 DOS using Ping
16
IP Spoofing, CS26516 Use Encryption n Encrypt traffic, especially TCP/IP packets and Initial Sequence Numbers n Kerberos is free, and is built-in with OS n Limit session time n Digital signature can be used to identify the sender of the TCP/IP packet.
17
IP Spoofing, CS26517 Strengthen TCP/IP protocol n Use good random number generators to generate ISN n Shorten time-out value in TCP/IP request n Increase request queue size n Cannot completely prevent TCP/IP half-open- connection attack n Can only buy more time, in hope that the attack will be noticed.
18
IP Spoofing, CS26518 Firewall n Limit traffic to services that are offered n Control access from within the network n Free software: ipchains, iptables n Commercial firewall software n Packet filters: router with firewall built-in n Multiple layer of firewall
19
IP Spoofing, CS26519 Network layout with Firewall
20
IP Spoofing, CS26520 IP Trace-back n To trace back as close to the attacker’s location as possible n Limited in reliability and efficiency n Require cooperation of many other network operators along the routing path n Generally does not receive much attention from network operators
21
IP Spoofing, CS26521 Summary/Conclusion n IP spoofing attacks is unavoidable. n Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.
22
IP Spoofing, CS26522 References n IP-spoofing Demystified (Trust-Relationship Exploitation), Phrack Magazine Review, Vol. 7, No. 48, pp. 48- 14, www.networkcommand.com/docs/ipspoof.txt n Security Enginerring: A Guide to Building Dependable Distributed Systems, Ross Anderson, pp. 371 n Introduction to IP Spoofing, Victor Velasco, November 21, 2000, www.sans.org/rr/threats/intro_spoofing.php n A Large-scale Distributed Intrusion Detection Framework Based on Attack Strategy Analysis, Ming-Yuh Huang, Thomas M. Wicks, Applied Research and Technology, The Boeing Company n Internet Vulnerabilities Related to TCP/IP and T/TCP, ACM SIGCOMM, Computer Communication Review n IP Spoofing, www.linuxgazette.com/issue63/sharma.html www.linuxgazette.com/issue63/sharma.html n Distributed System: Concepts and Design, Chapter 7, by Coulouris, Dollimore, and Kindberg n FreeBSD IP Spoofing, www.securityfocus.com/advisories/2703 www.securityfocus.com/advisories/2703 n IP Spoofing Attacks and Hijacked Terminal Connections, www.cert.org/advisories/CA-1995-01.html n Network support for IP trace-back, IEEE/ACM Transactions on Networking, Vol. 9, No. 3, June 2001 n An Algebraic Approach to IP Trace-back, ACM Transactions on Information and System Security, Vol. 5, No. 2, May 2002 n Web Spoofing. An Internet Con Game, http://bau2.uibk.ac.at/matic/spoofing.htm http://bau2.uibk.ac.at/matic/spoofing.htm
23
IP Spoofing, CS26523 Questions / Answers
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.