PRESENTATION ON IP SPOOFING
Submitted By: Chinmaya Panigrahi

Spoofing
Spoofing is a situation in which one person or program successfully inserts false or misleading information in e-mail or Netnews headers. Also known as “header forgery”.

Overview
- TCP/IP – in brief
- IP Spoofing – basic overview
- Examples: Mitnick attack, session hijack, DoS/DDoS attack
- Defending against the threat
- Continuous evolution
- Conclusion

TCP/IP in 3 minutes or less
- General use of the term describes the architecture upon which the Interweb is built.
- TCP/IP are specific protocols within that architecture.

TCP/IP in 3 minutes or less
[Diagram: TCP and IP in the protocol stack]

TCP/IP in 3 minutes or less
- IP is the internet layer protocol.
- It does not guarantee delivery or ordering; it only does its best to move packets from a source address to a destination address.
- IP addresses are used to express the source and destination.
- IP assumes that each address is unique within the network.

IP header
[Diagram: IP header]

TCP/IP in 3 minutes or less
- TCP is the transport layer protocol.
- It guarantees delivery and ordering, but relies upon IP to move packets to the proper destination.
- Port numbers are used to express source and destination.
- The destination port is assumed to be awaiting packets of data.

TCP header
[Diagram: TCP header, bit offsets 0, 16 and 31; fields: Source Port, Destination Port, Sequence Number, Acknowledgement Number, Data Offset, Reserved, Flags, Window, Checksum, Urgent Pointer, Options and Padding]

IP Spoofing – Basic Overview
- Basically, IP spoofing is lying about an IP address.
- Normally, it is the source address that is falsified.
- Lying about the source address lets an attacker assume a new identity.

IP Spoofing – Basic Overview
IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.
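The IP and TCP header slides above list the fields a spoofed packet carries; the following is an added example (not part of the original presentation) that builds a constructed IPv4+TCP header pair and parses those fields back out. The helper names, the destination address 192.0.2.10 and the port numbers are assumptions chosen for the illustration; the 10.10.10.1 source is taken from the deck's own diagram.

```python
import struct
import ipaddress

IPPROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]

def build_ipv4_tcp(src, dst, sport, dport, seq, ack=0, flags=0x02):
    """Build a minimal IPv4 + TCP header pair (20 + 20 bytes, no options).
    Checksums stay zero: this is a constructed test packet, not a capture."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp

def parse_ipv4_tcp(packet):
    """Extract the fields named on the IP and TCP header slides."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, _total, _id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4  # IHL is in 32-bit words
    if vihl >> 4 != 4 or ihl < 20 or len(packet) < ihl + 20:
        raise ValueError("not a well-formed IPv4 packet")
    if proto != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    (sport, dport, seq, ack, off_flags, window,
     _tcsum, urg) = struct.unpack("!HHIIHHHH", packet[ihl:ihl + 20])
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack, "window": window, "urgent_pointer": urg,
        "data_offset": (off_flags >> 12) * 4, "flags": flags,
    }

if __name__ == "__main__":
    # Constructed packet: a SYN from host A (10.10.10.1 on the slide) to port 80.
    pkt = build_ipv4_tcp("10.10.10.1", "192.0.2.10", 40000, 80, seq=128000)
    print(parse_ipv4_tcp(pkt))
```

Nothing in the header authenticates the source field, which is the whole point of the deck: the parser returns whatever address the sender wrote there.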
IP Spoofing – Basic Overview
Two general techniques are used during IP spoofing:
- A hacker uses an IP address that is within the range of trusted IP addresses.
- A hacker uses an authorized external IP address that is trusted.
Uses for IP spoofing include the following:
- A hacker changes the routing tables to point to the spoofed IP address; the hacker can then receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.

Basic Concept of IP Spoofing
[Diagram: host A (10.10.10.1) and host B exchanging packets; each packet is labelled with Src_IP, dst_IP, Src_port (any, >1024) and dst_port (80); the packet from the attacker carries a spoofed Src_IP]

Spoofing Attacks
There are a few variations on the types of attacks that use IP spoofing. Spoofing is classified into:
1. Non-blind spoofing
This attack takes place when the attacker is on the same subnet as the target and can see the sequence and acknowledgement numbers of packets.

Spoofing Attacks
[Diagram: impersonation. The sender emits an IP-spoofed packet with dst: victim and src: partner; the victim reasons “Oh, my partner sent me a packet. I’ll process this.”]

Spoofing Attacks
2. Blind spoofing
This attack may take place from outside, where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to sample sequence numbers, which was feasible in the older days. Spoofing is used to interfere with a connection (or create one) that does not send packets along your cable.

Spoofing Attacks
[Diagram: flooding attack. The sender emits IP-spoofed packets with dst: victim and src: random; the victim reasons “Oops, many packets are coming. But who is the real source?”]

Spoofing Attacks
3. Denial of Service attack
When conducting the attack, attackers spoof source IP addresses to make tracing and stopping the DoS as difficult as possible.
When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block the traffic. IP spoofing is almost always used in denial of service attacks (DoS), in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time. To effectively

DoS Attack
[Diagram: the Attacker sends a flood of service requests with fake IPs across the Interweb to the Server; the server queue fills up and the legitimate users’ service requests get dropped]

IP Spoofing – Defending
IP spoofing can be defended against in a number of ways:
- As mentioned, other protocols in the architectural model may reveal spoofing. TCP sequence numbers are often used in this manner.
- New generators for sequence numbers are a lot more complicated than ‘add 128000’, which makes it difficult to guess proper sequence numbers if the attacker is blind.
- “Smart” routers can detect IP addresses that are outside their domain.
- “Smart” servers can block IP ranges that appear to be conducting a DoS.

IP Spoofing – Defending
Encryption and Authentication
- Authentication is a mechanism whereby the receiver of a transaction or message can be confident of the identity of the sender and the integrity of the message.
- Use of encryption schemes.
- Verification of the identity of incoming packets.

IP Spoofing continues to evolve
- IP spoofing is still possible today, but has had to evolve in the face of growing security.
- A new issue of Phrack includes a method of using IP spoofing to perform remote scans and determine TCP sequence numbers. This allows a session hijack attack even if the attacker is blind.

Conclusion
- IP spoofing is an old-school hacker trick that continues to evolve.
- It can be used for a wide variety of purposes.
- It will continue to represent a threat as long as each layer continues to trust the others and people are willing to subvert that trust.

Questions?
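The defending slides say that “smart” routers can detect source addresses outside their domain and that servers can block ranges that appear to be conducting a DoS. The following is an added example (not from the original presentation) of both checks on constructed packet records: an ingress/egress filter that drops packets whose source address is inconsistent with the interface they arrived on, and a counter that flags /24 ranges sending more than a threshold of packets. The internal prefix 10.10.10.0/24, the interface names and the sample addresses are assumptions for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed policy (assumption): the router owns 10.10.10.0/24 and has
# one "inside" and one "outside" interface.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.10.10.0/24")]

def _is_internal(addr):
    return any(addr in net for net in INTERNAL_PREFIXES)

def check_packet(iface, src, dst):
    """Ingress/egress check for one packet. Returns (verdict, reason)."""
    src_ip = ipaddress.ip_address(src)
    ipaddress.ip_address(dst)  # validate, even though only src is judged
    # Source addresses that can never legitimately originate traffic.
    if src_ip.is_loopback or src_ip.is_multicast or src_ip.is_unspecified:
        return ("drop", "bogon source address")
    if iface == "outside" and _is_internal(src_ip):
        # A packet from outside claiming an inside source: classic spoofing.
        return ("drop", "internal source arriving on outside interface")
    if iface == "inside" and not _is_internal(src_ip):
        # Egress filtering: stop our own hosts from spoofing other networks.
        return ("drop", "non-internal source leaving inside interface")
    return ("accept", "source consistent with interface")

def filter_packets(packets):
    """packets: iterable of (iface, src, dst); returns (packet, verdict, reason)."""
    return [(p, *check_packet(*p)) for p in packets]

def noisy_ranges(sources, threshold):
    """Group source addresses by /24 and return the ranges whose packet
    count exceeds the threshold (candidates for a server-side block)."""
    counts = Counter(str(ipaddress.ip_network(f"{s}/24", strict=False))
                     for s in sources)
    return sorted(net for net, n in counts.items() if n > threshold)

if __name__ == "__main__":
    # Constructed sample packets: (interface, src, dst).
    sample = [
        ("outside", "203.0.113.5", "10.10.10.1"),    # normal inbound
        ("outside", "10.10.10.1", "10.10.10.2"),     # spoofed inside source
        ("inside", "10.10.10.1", "203.0.113.5"),     # normal outbound
        ("inside", "198.51.100.9", "203.0.113.5"),   # compromised host spoofing
        ("outside", "127.0.0.1", "10.10.10.1"),      # bogon source
    ]
    for pkt, verdict, reason in filter_packets(sample):
        print(pkt, verdict, reason)
    print(noisy_ranges([p[1] for p in sample if p[0] == "outside"], 1))
```

The interface check cannot tell a spoofed external address from a real one; it only removes the cases a router can prove wrong, which is why the deck pairs it with sequence-number hardening and authentication.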