Detecting Spoofed Packets - PowerPoint PPT Presentation

Slides: 53
Provided by: stevente
1
Detecting Spoofed Packets
  • Steven Templeton
  • UC Davis Security Lab

2
Motivation
  • Next-generation ID approaches require greater
    information than predecessors.
  • Appropriate IDS sensors are not available
  • Require inference about external entities and
    local entities when direct sensing is not
    available
  • Examples
  • Knows/Has __________
  • Same source
  • Exploitable __________ exists
  • Sniffer active
  • Spoofed packet
  • Successful exploit
  • e.g. Forged TCP handshake

3
What is a Spoofed Packet
  • Packets sent by an attacker such that the true
    source is not authentic
  • MAC spoofing
  • IP packet spoofing
  • Email spoofing
  • Not same as routing attacks
  • These cause packets to be redirected
  • e.g. DNS cache poisoning, router table attacks,
    ARP spoofing
  • This talk will focus on IP source address
    spoofing

4
IP/TCP Header Review
IP Header Format (20 bytes without options)
  • version, header length, TOS, total length
  • identification, flags, fragment offset
  • TTL, protocol, header checksum
  • source IP address
  • destination IP address
  • options (if any)
  • data
5
IP/TCP Header Review
TCP Header Format (20 bytes without options)
  • source port number, destination port number
  • sequence number
  • acknowledgement number
  • header length, reserved, window size
  • TCP checksum, urgent pointer
  • options (if any)
  • data (if any)
6
Significance
  • Spoofed packets are a part of many attacks
  • SYN-flood
  • Smurf Attack
  • Connection Spoofing
  • Bounce Scanning
  • Stealth Communication

7
SYN-flood
  • TCP Handshake Review
    • client
      • sends SYN packet to server
      • waits for SYN-ACK from server
    • server
      • responds w/ SYN-ACK packet
      • waits for ACK packet from client
    • client
      • sends ACK to server

Figure (message sequence):
  client -> server: SYN
  server -> client: SYN-ACK
  client -> server: ACK
8
SYN-flood
TCP Buffers
  • Attacker causes TCP buffer to be exhausted w/
    half-open connections
  • No reply from target needed, so source may be
    spoofed.
  • Claimed source must not be an active host.

10
Smurf Attack
  • Allows attacker to flood target w/ ICMP packets
  • Attacker does not need to see returned packets.
  • Uses network broadcast address as packet
    amplifier.
  • Claimed source address is address of target.

Attacker sends an ICMP echo request to a
particular IP address. Source address is set to
target host.
11
Smurf Attack
ICMP echo request causes an ICMP echo reply to
be sent to target
13
TCP Connection Spoofing
  • TCP Handshake Review
    • client
      • sends SYN packet and ACK number to server
      • waits for SYN-ACK from server w/ matching ACK
        number
    • server
      • responds w/ SYN-ACK packet w/ initial random
        sequence number
      • waits for ACK packet from client with matching
        sequence number
    • client
      • sends ACK to server w/ matching sequence number
        (and data)

Figure (message sequence):
  client -> server: SYN, ack-number
  server -> client: SYN-ACK, seq-number, ack-number
  client -> server: ACK, seq-number, ack-number, data
14
Connection Spoofing
  • Allows attacker to send data to a target as if it
    originated with a trusted host
  • Requires guessing sequence numbers.
  • Attacker does not see returned packets; attacker
    must infer/guess what is sent.

Attacker causes DOS on intermediate (the trusted
host)
15
Connection Spoofing
Attacker sends spoofed packet to target with a
claimed source of the intermediate.
16
Connection Spoofing
Target sends SYN-ACK reply to intermediate. Because
of DOS, intermediate does not see packet and
does not reply (w/ RST).
17
Connection Spoofing
Attacker sends ACK packet to target with guessed
sequence number (data)
18
Bounce Scanning
  • Allows attacker to scan a target without
    revealing the true source of the scan
  • Requires an intermediate host with little traffic
  • Relies on the change pattern of the IP ID
    (fragmentation ID)
  • Attacker sees effects; does not need to see the
    actual returned packet

Attacker sends packets to intermediate,
monitoring IP ID in replies. (e.g. TCP SYN
Packets)
19
Bounce Scanning
Attacker sends SYN packet with spoofed source
address to scan target
20
Bounce Scanning
Target sends SYN-ACK to intermediate if port is
open, RST otherwise.
21
Bounce Scanning
If intermediate receives a RST, nothing happens.
If intermediate receives a SYN-ACK, it will send
a RST and increment its IP ID.
22
Bounce Scanning
Attacker sends packets to intermediate,
monitoring IP ID in replies. If ID incremented
by 1, port was closed. If ID incremented by 2,
port was open.
23
Stealth Communication
  • Allows attacker to send data to a target as if it
    originated from an arbitrary host
  • Uses TTL timeout.
  • Attacker does not need to see returned packets.
  • Packets sent to target do not have a spoofed
    source address.
  • Info for target passed as ICMP data (original IP
    header + 8 bytes of data).

Attacker sends packet to arbitrary host, w/
source address spoofed to be target.
24
Stealth Communication
Packet is passed between routers toward
destination
25
Stealth Communication
Each hop decrements TTL. When TTL reaches zero,
packet is dropped and an ICMP TTL-expired message
is sent to claimed sender.
26
Detection Methods
  • Routing-based
  • Active
    • proactive
    • reactive
  • Passive

27
Routing-based Methods
  • For a given network topology certain source IP
    addresses should never be seen
  • Internal addresses arriving on external interface
  • External addresses arriving on internal interface
  • IANA non-routable addresses on external interface
  • Other special addresses

Figure: packets arriving on the external NIC vs. the internal NIC
28
Special Addresses
  • 0.0.0.0/8 - Historical Broadcast
  • 10.0.0.0/8 - RFC 1918 Private Network
  • 127.0.0.0/8 - Loopback
  • 169.254.0.0/16 - Link Local Networks
  • 172.16.0.0/12 - RFC 1918 Private Network
  • 192.0.2.0/24 - TEST-NET
  • 192.168.0.0/16 - RFC 1918 Private Network
  • 240.0.0.0/5 - Class E Reserved
  • 248.0.0.0/5 - Unallocated
  • 255.255.255.255/32 - Broadcast

29
Routing-based Methods
  • Most commonly used method
  • firewalls, filtering routers
  • Relies on knowledge of network topology and
    routing specs.
  • Primarily used at organizational border.
  • Cannot detect many examples of spoofing
  • Externally spoofed external addresses
  • Internally spoofed internal addresses
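A routing-based check of the kind slides 27-29 describe, written here as an added example (not code from the presentation). It assumes a constructed internal prefix of 169.237.0.0/16 and uses the special-address list from slide 28; as the slides point out, an external address spoofed from outside passes this check unflagged.

```python
import ipaddress

# Internal prefix of the protected network (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("169.237.0.0/16")]

# Special addresses from slide 28: never valid as a source on the external interface.
SPECIAL_NETS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "240.0.0.0/5", "248.0.0.0/5", "255.255.255.255/32")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def classify_source(src_ip, interface):
    """Return None when the source is plausible for the interface it arrived on,
    otherwise the name of the topology rule it violates."""
    src = ipaddress.ip_address(src_ip)
    internal = _in_any(src, INTERNAL_NETS)
    if interface == "external":
        if _in_any(src, SPECIAL_NETS):
            return "special address on external interface"
        if internal:
            return "internal address arriving on external interface"
        return None   # externally spoofed external address: not detectable here
    if interface == "internal":
        return None if internal else "external address arriving on internal interface"
    raise ValueError("interface must be 'external' or 'internal'")


def filter_log(records):
    """records: iterable of (interface, src_ip); returns the flagged entries."""
    flagged = []
    for iface, ip in records:
        reason = classify_source(ip, iface)
        if reason:
            flagged.append((iface, ip, reason))
    return flagged


if __name__ == "__main__":
    # Constructed sample of packets seen on the two NICs.
    sample = [("external", "128.120.254.1"), ("external", "169.237.7.114"),
              ("external", "10.1.2.3"), ("internal", "169.237.5.23"),
              ("internal", "168.150.241.155")]
    for hit in filter_log(sample):
        print(hit)
```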

30
Proactive methods
  • Looks for behavior that would not occur if the client
    had actually processed the packet sent to it.
  • Method: change IP stack behavior
  • Can observe suspicious activity
  • Examples
    • TCP window games
    • SYN-Cookies (block w/o detection)

31
TCP Window Games
  • Modified TCP Handshake
    • client
      • sends SYN packet and ACK number to server
      • waits for SYN-ACK from server w/ matching ACK
        number
    • server
      • responds w/ SYN-ACK packet w/ initial random
        sequence number
      • Sets window size to zero
      • waits for ACK packet from client with matching
        sequence number
    • client
      • sends ACK to server w/ matching sequence number,
        but no data
      • Waits for ACK w/ window > 0
      • After receiving larger window, client sends data.
  • Spoofer will not see 0-len window and will send
    data without waiting.

Figure (message sequence):
  client -> server: SYN, ack-number
  server -> client: SYN-ACK, seq-number, ack-number, window 0
  client -> server: ACK, seq-number, ack-number (no data)
  server -> client: ACK, seq-number, ack-number, window 4096
  client -> server: ACK, seq-number, ack-number w/ data
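A simulation of the window-games handshake above, added here as an example and not taken from the presentation. The server side tracks only the window it advertised; the two client functions model a client that saw the SYN-ACK and the blind sender the slide describes (sequence numbers are assumed to match so that only the window behaviour matters).

```python
class WindowGameServer:
    """Server side of the modified handshake: the SYN-ACK advertises a zero
    window, so data arriving before the window is reopened can only come
    from a sender that never saw the SYN-ACK."""

    def __init__(self):
        self.window = {}      # client address -> window currently advertised
        self.suspects = []    # clients that pushed data into a zero window

    def on_syn(self, client):
        self.window[client] = 0
        return {"flags": "SYN-ACK", "window": 0}

    def on_ack(self, client, data=b""):
        adv = self.window.get(client)
        if adv is None:
            return {"flags": "RST"}                  # no handshake in progress
        if adv == 0:
            if data:
                self.suspects.append(client)         # nobody who saw window 0 sends data now
                del self.window[client]
                return {"flags": "RST", "reason": "data sent into zero window"}
            self.window[client] = 4096               # handshake completed honestly
            return {"flags": "ACK", "window": 4096}
        return {"flags": "ACK", "accepted": len(data)}


def genuine_client(server, addr, payload):
    """A client that sees the SYN-ACK: ACKs with no data, waits for the
    window update, then sends its payload."""
    server.on_syn(addr)
    update = server.on_ack(addr)             # bare ACK, no data
    if update.get("window", 0) > 0:
        return server.on_ack(addr, payload)
    return update


def blind_sender(server, claimed_addr, payload):
    """Models the spoofer in the slide: it never receives the SYN-ACK, so it
    sends data together with its ACK without waiting."""
    server.on_syn(claimed_addr)
    return server.on_ack(claimed_addr, payload)
```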
32
SYN-Cookies
  • Modified TCP Handshake
  • Example of stateless handshake
    • client
      • sends SYN packet and ACK number to server
      • waits for SYN-ACK from server w/ matching ACK
        number
    • server
      • responds w/ SYN-ACK packet w/ initial SYN-cookie
        sequence number
      • Sequence number is cryptographically generated
        value based on client address, port, and time.
      • No TCP buffers are allocated
    • client
      • sends ACK to server w/ matching sequence number
    • server
      • If ACK is to an unopened socket, server validates
        returned sequence number as SYN-cookie
      • If value is reasonable, a buffer is allocated and
        socket is opened.
  • Spoofed packets will not consume TCP buffers

Figure (message sequence):
  client -> server: SYN, ack-number
  server -> client: SYN-ACK, seq-number as SYN-cookie, ack-number (NO BUFFER ALLOCATED)
  client -> server: ACK, seq-number, ack-number, data
  server -> client: SYN-ACK, seq-number, ack-number (TCP BUFFER ALLOCATED)
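A minimal SYN-cookie generator and validator following the scheme on this slide, added here as an example rather than taken from the presentation or any particular TCP stack. The cookie layout (5-bit time slot plus a 24-bit HMAC over client address and ports), the 64-second slot and the fixed secret are assumptions of this example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-example-secret"   # assumption: a real server uses a random per-boot key
SLOT_SECONDS = 64                         # cookies are tied to a coarse time slot


def _slot(now):
    return int(now // SLOT_SECONDS) & 0x1F              # 5-bit rolling counter


def _mac(client_ip, client_port, server_port, slot):
    msg = f"{client_ip}:{client_port}:{server_port}:{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(client_ip, client_port, server_port, now=None):
    """Initial sequence number = 5-bit time slot || 24-bit MAC over the claimed
    client address/port. Nothing about the client is stored on the server."""
    slot = _slot(time.time() if now is None else now)
    return (slot << 24) | _mac(client_ip, client_port, server_port, slot)


def check_syn_cookie(ack_number, client_ip, client_port, server_port, now=None, max_age=2):
    """Validate the cookie echoed back as ack-number - 1: it must be recent and
    its MAC must match the address/port the ACK claims to come from."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    slot, mac = cookie >> 24, cookie & 0xFFFFFF
    cur = _slot(time.time() if now is None else now)
    if ((cur - slot) & 0x1F) > max_age:
        return False                                     # stale or replayed cookie
    expected = _mac(client_ip, client_port, server_port, slot)
    return hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big"))


class SynCookieServer:
    """Allocates connection state only once a valid cookie comes back."""

    def __init__(self, port):
        self.port, self.open = port, {}

    def on_syn(self, ip, port, now=None):
        return make_syn_cookie(ip, port, self.port, now)  # SYN-ACK seq number, no buffer

    def on_ack(self, ip, port, ack_number, now=None):
        if (ip, port) in self.open:
            return True
        if check_syn_cookie(ack_number, ip, port, self.port, now):
            self.open[(ip, port)] = {"buffer": bytearray()}  # buffer allocated only here
            return True
        return False
```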
33
Reactive methods
  • When a suspicious packet is received, a probe of
    the source is conducted to verify if the packet
    was spoofed
  • May use same techniques as proactive methods
  • Example probes
  • Is TTL appropriate?
  • Is ID appropriate?
  • Is host up?
  • Change window size

34
Passive Methods
  • Learn expected values for observed packets
  • When an anomalous packet is received, treat it as
    suspicious
  • Example values
  • Expected TTL
  • Expected client port
  • Expected client OS idiosyncrasies

35
Experiments
  • determine the validity of various spoofed-packet
    detection methods
  • Predictability of TTL
  • Predictability of TTL (active)
  • Predictability of ID (active)

36
Experiment Description - Passive
  • Monitor network traffic
  • Record
  • Source IP address
  • TTL
  • Protocol
  • Count occurrences of all unique combinations
  • Statistically analyze predictability of the data

37
Results - Passive
  • Data collected over several 2 week periods
  • data being reported: finals, spring break
  • Seclab traffic at Olympus
  • 23,000,000 IP packets observed
  • 23461 source IP addresses
  • 110 internal
  • 23351 external

38
Results - Passive
  • Predictability measure
  • Conditional Entropy (unpredictability)
  • Values closer to zero indicate higher
    predictability
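The passive method from slides 34-38 worked through on constructed data, as an added example that is not the presenter's code: records of (source IP, protocol, TTL) are counted, the conditional entropy of TTL given source and protocol is computed, and a learned model flags a TTL never seen for that pair. The traceroute filter is a simple low-TTL heuristic assumed for this example.

```python
import math
from collections import Counter, defaultdict


def sample_records():
    """Constructed (src IP, protocol, TTL) observations standing in for the
    monitored traffic; a few low-TTL UDP packets imitate traceroute."""
    recs = [("169.237.5.23", "tcp", 64)] * 40
    recs += [("169.237.5.23", "udp", 64)] * 10
    recs += [("169.237.5.23", "udp", t) for t in (1, 2, 3) for _ in range(2)]
    recs += [("128.120.254.1", "tcp", 115)] * 20
    return recs


def drop_traceroute(records, max_ttl=3):
    """Heuristic filter (an assumption of this example): treat UDP packets
    with a very small TTL as traceroute probes and exclude them."""
    return [r for r in records if not (r[1] == "udp" and r[2] <= max_ttl)]


def conditional_entropy(records):
    """H(TTL | src, proto) in bits; 0 means the TTL is fully determined by
    the (source, protocol) pair, i.e. perfectly predictable."""
    joint = Counter(records)
    marg = Counter((s, p) for s, p, _ in records)
    n = len(records)
    return -sum((c / n) * math.log2(c / marg[(s, p)])
                for (s, p, _), c in joint.items())


class PassiveTTLModel:
    """Learns the TTL values seen per (source, protocol) and flags packets
    whose TTL was never observed for that pair."""

    def __init__(self):
        self.seen = defaultdict(Counter)

    def learn(self, records):
        for s, p, t in records:
            self.seen[(s, p)][t] += 1

    def is_suspicious(self, src, proto, ttl, slack=0):
        hist = self.seen.get((src, proto))
        if not hist:
            return None          # no expectation yet for this pair
        return all(abs(ttl - t) > slack for t in hist)
```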

39
Results - Passive
44
Results - Passive
  • TTL differs by protocol
  • UDP most unreliable
  • traceroute is major contributor (can be filtered)
  • certain programs set TTL anomalously
  • ToS may be useful in reducing inconsistencies
  • TTL on local network highly regular
  • must filter traceroute traffic

45
ToS Review
  • ToS byte fields: priority (precedence), minimize delay,
    maximize throughput, maximize reliability, minimize cost,
    reserved
  • May differ by protocol and service (bits: delay,
    throughput, reliability, cost)
    • Telnet      1 0 0 0
    • DNS - UDP   1 0 0 0
    • DNS - TCP   0 0 0 0
    • NNTP        0 0 0 1

46
Experiment Description - Reactive
  • Monitor network traffic
  • Record IP address, Protocol, TTL and ID
  • Send probe packet(s)
  • ICMP echo reply packet
  • TCP SYN packet
  • UDP packet
  • Note the differences between the stored TTL/ID to
    that of the returning probes.

47
Results - Reactive
  • Evaluate
  • initial vs. probe reply TTL
  • Initial vs. probe reply ID (delta from original)
  • Predictability measure
  • Conditional Entropy (unpredictability)
  • Values closer to zero indicate higher
    predictability

48
Results - Reactive
  • Preliminary only
  • Ran for 18 hours
  • 8058 probes sent
  • 218 unique addresses
  • 173 external
  • 45 internal

49
Results - Reactive
  • TTL off by (probe reply TTL vs. stored TTL)

    TTL off by        Probes   Minus next row   % of 8058
    Total probes      8058     1591
    +/- 2 or less     6467     371              80
    +/- 1 or less     6096     986              75
    0                 5110                      63

50
Results - Reactive
  • ID off by (probe reply ID relative to stored ID),
    total probes 8058

    Offset   Count
    1        601
    2        57
    4        21
    6        16
    5        14
    7        11
    8        9
    256      73
    512      5
    768      22
    1280     10

51
Future and Ongoing Work
  • Complete and evaluate reactive experiments
  • Evaluate predictability of unobserved IP
    addresses using neural network or other ML
    method.
  • Complete and test SPD program
  • Monitor network traffic
  • Determine if packet is suspicious using passive
    system
  • If suspicious, use reactive methods to determine
    if packet was spoofed.

52
Conclusion
  • Spoofed packets are used in many different attacks
  • Spoofed packets can be detected by a number of
    methods
  • High predictability in TTL and ID allows use of
    passive and active methods