
IP Spoofing

IP Spoofing. Bao Ho ToanTai Vu CS 265 - Security Engineering Spring 2003 San Jose State University. Presentation Outline. Introduction, Background Attacks with IP Spoofing Counter Measures Summary. IP Spoofing. IP Spoofing is a technique used to gain unauthorized access to computers.





Presentation Transcript


  1. IP Spoofing
  Bao Ho, ToanTai Vu
  CS 265 - Security Engineering, Spring 2003
  San Jose State University
  IP Spoofing, CS265

  2. Presentation Outline
  • Introduction, Background
  • Attacks with IP Spoofing
  • Counter Measures
  • Summary

  3. IP Spoofing
  • IP Spoofing is a technique used to gain unauthorized access to computers.
  • IP: Internet Protocol
  • Spoofing: using somebody else's information
  • Exploits trust relationships
  • The intruder sends messages to a computer with the IP address of a trusted host.

  4. IP / TCP
  • IP is connectionless, unreliable
  • TCP is connection-oriented
  TCP/IP handshake:
  A → B: SYN; my number is X
  B → A: ACK; now X+1; SYN; my number is Y
  A → B: ACK; now Y+1

  5. A blind attack: host I cannot see what host V sends back

  6. IP Spoofing Steps
  • Select a target host (the victim)
  • Identify a host that the target trusts
  • Disable the trusted host, sample the target's TCP sequence numbers
  • The trusted host is impersonated and the ISN forged
  • Connection attempt to a service that only requires address-based authentication
  • If successfully connected, execute a simple command to leave a backdoor

  7. IP Spoofing Attacks
  • Man in the middle
  • Routing
  • Flooding / Smurfing

  8. Attacks
  • Man-in-the-middle: the attacker sniffs packets on the link between the two endpoints, and therefore can pretend to be one end of the connection.

  9. Attacks
  • Routing redirect: redirects routing information from the original host to the attacker's host.
  • Source routing: the attacker redirects individual packets through the attacker's host.

  10. Attacks
  • Flooding: a SYN flood fills up the receive queue with connection requests from random source addresses.
  • Smurfing: an ICMP packet spoofed to originate from the victim is sent to the broadcast address, causing all hosts on the network to respond to the victim at once.
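The SYN-flood pattern on slide 10 (a large half-open backlog from many different source addresses) can be spotted in the connection table. This is an added example, not part of the slides: it parses constructed lines in the style of `netstat -tan` output and flags local ports whose SYN_RECV backlog looks like a flood; the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample in the style of `netstat -tan`: a web server (192.0.2.10)
# with several half-open connections from scattered sources, plus normal traffic.
SAMPLE = """\
tcp 0 0 192.0.2.10:80 198.51.100.23:51022 ESTABLISHED
tcp 0 0 192.0.2.10:80 203.0.113.5:1024 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.77:1025 SYN_RECV
tcp 0 0 192.0.2.10:80 198.51.100.201:1026 SYN_RECV
tcp 0 0 192.0.2.10:80 192.0.2.99:1027 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.8:1028 SYN_RECV
tcp 0 0 192.0.2.10:22 198.51.100.23:51030 ESTABLISHED
tcp 0 0 192.0.2.10:22 198.51.100.23:51031 SYN_RECV
"""

def half_open_by_port(netstat_text):
    """Map each local port to the list of remote addresses stuck in SYN_RECV,
    i.e. the half-open entries that occupy the receive queue."""
    result = defaultdict(list)
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected layout: proto recv-q send-q local:port remote:port state
        if len(fields) < 6 or fields[5] != "SYN_RECV":
            continue
        local_port = fields[3].rsplit(":", 1)[1]
        remote_addr = fields[4].rsplit(":", 1)[0]
        result[local_port].append(remote_addr)
    return result

def syn_flood_suspects(netstat_text, min_half_open=5, min_distinct_sources=4):
    """Return local ports whose half-open backlog is both large and spread over
    many distinct sources: a single slow client does not look like this, but a
    flood from random (spoofed) source addresses does. Thresholds are assumptions."""
    suspects = []
    for port, sources in half_open_by_port(netstat_text).items():
        if len(sources) >= min_half_open and len(set(sources)) >= min_distinct_sources:
            suspects.append(port)
    return sorted(suspects)
```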

  11. IP-Spoofing Facts
  • The IP protocol is inherently weak
  • Makes no assumptions about the sender or recipient
  • Nodes on the path do not check the sender's identity
  • There is no way to completely eliminate IP spoofing
  • Can only reduce the possibility of attack

  12. IP-Spoofing Counter-measures
  • No insecure authenticated services
  • Disable commands like ping
  • Use encryption
  • Strengthen the TCP/IP protocol
  • Firewall
  • IP traceback

  13. No insecure authenticated services
  • r* services are hostname-based or IP-based
  • Other, more secure alternatives exist, e.g., ssh
  • Remove the binaries
  • Disable them in inetd, xinetd
  • Clean up .rhosts files and /etc/hosts.equiv
  • No applications with hostname/IP-based authentication, if possible

  14. Disable ping command
  • The ping command is rarely needed
  • Can be used to trigger a DoS attack by flooding the victim with ICMP packets
  • This attack does not crash the victim, but consumes network bandwidth and system resources
  • The victim fails to provide other services, and halts if it runs out of memory

  15. DoS using Ping

  16. Use Encryption
  • Encrypt traffic, especially TCP/IP packets and Initial Sequence Numbers
  • Kerberos is free, and is built into the OS
  • Limit session time
  • Digital signatures can be used to identify the sender of a TCP/IP packet

  17. Strengthen TCP/IP protocol
  • Use good random number generators to generate the ISN
  • Shorten the time-out value for TCP/IP requests
  • Increase the request queue size
  • Cannot completely prevent the TCP/IP half-open-connection attack
  • Can only buy more time, in the hope that the attack will be noticed
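The handshake on slide 4, the blind attacker of slide 5 and the random-ISN advice of slide 17 fit together in one small simulation. This is an added example, not code from the slides: a toy model of host V that completes a connection only when the final ACK carries Y+1, tested with a predictable ISN generator (previous ISN plus a fixed step, a constructed stand-in for old stacks) and with a CSPRNG-based one. Host names, the start value and the step are assumptions.

```python
import os

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def predictable_isn_generator(start=1000, step=64000):
    """Toy model of a weak ISN scheme: every new connection gets the
    previous ISN plus a fixed step (constructed for this example)."""
    state = {"isn": start}
    def next_isn():
        state["isn"] = (state["isn"] + step) % MOD
        return state["isn"]
    return next_isn

def random_isn():
    """Model of a good generator: 32 bits straight from the OS CSPRNG."""
    return int.from_bytes(os.urandom(4), "big")

class HostV:
    """Server side of the slide-4 handshake. A connection is established
    only when the final ACK carries Y + 1, where Y is the ISN this host
    chose in its SYN/ACK, so whoever answers must have seen (or guessed) Y."""
    def __init__(self, isn_generator):
        self.next_isn = isn_generator
        self.half_open = {}          # source address -> Y we sent it

    def on_syn(self, src):
        y = self.next_isn()
        self.half_open[src] = y
        return y                     # SYN/ACK "my number is Y" goes to src

    def on_ack(self, src, ack):
        y = self.half_open.pop(src, None)
        return y is not None and ack == (y + 1) % MOD

def blind_handshake_completes(host, trusted, guess_step=64000):
    """Slide 5: host I sends a SYN with the trusted address as source but
    never sees the SYN/ACK, so it can only guess Y. Here it learns V's
    current ISN from a legitimate connection of its own and assumes the
    toy step; with a random ISN that guess is right only by chance."""
    sampled = host.on_syn("host-I")
    host.on_ack("host-I", (sampled + 1) % MOD)   # I's own connection, fully visible
    host.on_syn(trusted)                          # SYN/ACK goes to the trusted host, unseen by I
    guess_y = (sampled + guess_step) % MOD
    return host.on_ack(trusted, (guess_y + 1) % MOD)
```

With the predictable generator the blind guess always lands; with `random_isn` it succeeds with probability 2^-32, which is the whole point of slide 17's first bullet.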

  18. Firewall
  • Limit traffic to the services that are offered
  • Control access from within the network
  • Free software: ipchains, iptables
  • Commercial firewall software
  • Packet filters: routers with a firewall built in
  • Multiple layers of firewalls
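Since nodes on the path do not check the sender's identity (slide 11), the one thing a border firewall can check is whether a packet's claimed source makes sense for the interface it arrived on. This is an added example, not from the slides: a packet-filter decision function plus the equivalent iptables rules, for a constructed topology where the protected LAN is 192.0.2.0/24 and the interface names are assumptions.

```python
import ipaddress

# Constructed topology for this example: the protected LAN uses the
# documentation prefix 192.0.2.0/24 behind a two-interface firewall.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Source prefixes that can never legitimately arrive from the Internet.
UNROUTABLE_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def verdict(iface, src):
    """Decide ACCEPT or DROP for a packet from the interface it arrived on
    and its claimed source address (the only thing IP lets us check).
    iface is 'ext' (Internet side) or 'int' (LAN side)."""
    s = ipaddress.ip_address(src)
    if iface == "ext":
        # Ingress filter: a packet from outside may not claim one of our
        # own addresses, nor a private, loopback or multicast source.
        if s in INTERNAL_NET or any(s in net for net in UNROUTABLE_SOURCES):
            return "DROP"
        return "ACCEPT"
    if iface == "int":
        # Egress filter: traffic leaving our LAN must carry our own prefix,
        # so our hosts cannot be used to originate spoofed packets.
        return "ACCEPT" if s in INTERNAL_NET else "DROP"
    return "DROP"                       # unknown interface: fail closed

def iptables_rules(ext_if="eth0", int_if="eth1"):
    """Render the same policy as iptables commands for the FORWARD chain
    (constructed for this example; the interface names are assumptions)."""
    rules = [f"iptables -A FORWARD -i {ext_if} -s {INTERNAL_NET} -j DROP"]
    rules += [f"iptables -A FORWARD -i {ext_if} -s {net} -j DROP"
              for net in UNROUTABLE_SOURCES]
    rules.append(f"iptables -A FORWARD -i {int_if} ! -s {INTERNAL_NET} -j DROP")
    return rules
```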

  19. Network layout with Firewall

  20. IP Trace-back
  • To trace back as close to the attacker's location as possible
  • Limited in reliability and efficiency
  • Requires the cooperation of many other network operators along the routing path
  • Generally does not receive much attention from network operators

  21. Summary/Conclusion
  • IP spoofing attacks are unavoidable.
  • Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.

  22. References
  • IP-spoofing Demystified (Trust-Relationship Exploitation), Phrack Magazine Review, Vol. 7, No. 48, pp. 48-14, www.networkcommand.com/docs/ipspoof.txt
  • Security Engineering: A Guide to Building Dependable Distributed Systems, Ross Anderson, pp. 371
  • Introduction to IP Spoofing, Victor Velasco, November 21, 2000, www.sans.org/rr/threats/intro_spoofing.php
  • A Large-scale Distributed Intrusion Detection Framework Based on Attack Strategy Analysis, Ming-Yuh Huang, Thomas M. Wicks, Applied Research and Technology, The Boeing Company
  • Internet Vulnerabilities Related to TCP/IP and T/TCP, ACM SIGCOMM, Computer Communication Review
  • IP Spoofing, www.linuxgazette.com/issue63/sharma.html
  • Distributed Systems: Concepts and Design, Chapter 7, by Coulouris, Dollimore, and Kindberg
  • FreeBSD IP Spoofing, www.securityfocus.com/advisories/2703
  • IP Spoofing Attacks and Hijacked Terminal Connections, www.cert.org/advisories/CA-1995-01.html
  • Network Support for IP Trace-back, IEEE/ACM Transactions on Networking, Vol. 9, No. 3, June 2001
  • An Algebraic Approach to IP Trace-back, ACM Transactions on Information and System Security, Vol. 5, No. 2, May 2002
  • Web Spoofing: An Internet Con Game, http://bau2.uibk.ac.at/matic/spoofing.htm

  23. Questions / Answers
