IP Spoofing - PowerPoint PPT Presentation

About This Presentation
Title:

IP Spoofing

Description:

Clean up .rhost files and /etc/host.equiv ... An Internet Con Game, http://bau2.uibk.ac.at/matic/spoofing.htm. IP Spoofing, CS265 ... – PowerPoint PPT presentation

Number of Views:6548
Avg rating:3.0/5.0
Slides: 24
Provided by: BAO66
Learn more at: http://www.cs.sjsu.edu
Category:

less

Transcript and Presenter's Notes

Title: IP Spoofing


1
IP Spoofing
  • Bao Ho
  • ToanTai Vu
  • CS 265 - Security Engineering
  • Spring 2003
  • San Jose State University

2
Presentation Outline
  • Introduction, Background
  • Attacks with IP Spoofing
  • Counter Measures
  • Summary

3
IP Spoofing
  • IP Spoofing is a technique used to gain
    unauthorized access to computers.
  • IP Internet Protocol
  • Spoofing using somebdody elses information
  • Exploits the trust relationships
  • Intruder sends messages to a computer with an IP
    address of a trusted host.

4
IP / TCP
  • IP is connectionless, unreliable
  • TCP connection-oriented
  • TCP/IP handshake

A ? B SYN my number is X B ? A ACK now
X1 SYN my number is Y A? B
ACK now Y1
5
A blind Attack
  • Host I cannot see what Host V send back

6
IP Spoofing Steps
  • Selecting a target host (the victim)
  • Identify a host that the target trust
  • Disable the trusted host, sampled the targets
    TCP sequence
  • The trusted host is impersonated and the ISN
    forged.
  • Connection attempt to a service that only
    requires address-based authentication.
  • If successfully connected, executes a simple
    command to leave a backdoor.

7
IP Spoofing Attacks
  • Man in the middle
  • Routing
  • Flooding / Smurfing

8
Attacks
  • Man - in - the - middle
  • Packet sniffs on link between the two endpoints,
    and therefore can pretend to be one end of the
    connection.

9
Attacks
  • Routing re-direct redirects routing information
    from the original host to the attackers host.
  • Source routing The attacker redirects individual
    packets by the hackers host.

10
Attacks
  • Flooding SYN flood fills up the receive queue
    from random source addresses.
  • Smurfing ICMP packet spoofed to originate from
    the victim, destined for the broadcast address,
    causing all hosts on the network to respond to
    the victim at once.

11
IP-Spoofing Facts
  • IP protocol is inherently weak
  • Makes no assumption about sender/recipient
  • Nodes on path do not check senders identity
  • There is no way to completely eliminate IP
    spoofing
  • Can only reduce the possibility of attack

12
IP-SpoofingCounter-measures
  • No insecure authenticated services
  • Disable commands like ping
  • Use encryption
  • Strengthen TCP/IP protocol
  • Firewall
  • IP traceback

13
No insecure authenticated services
  • r services are hostname-based or IP-based
  • Other more secure alternatives, i.e., ssh
  • Remove binary files
  • Disable in inet, xinet
  • Clean up .rhost files and /etc/host.equiv
  • No application with hostname/IP-based
    authentication, if possible

14
Disable ping command
  • ping command has rare use
  • Can be used to trigger a DOS attack by flooding
    the victim with ICMP packets
  • This attack does not crash victim, but consume
    network bandwidth and system resources
  • Victim fails to provide other services, and halts
    if runs out of memory

15
DOS using Ping
16
Use Encryption
  • Encrypt traffic, especially TCP/IP packets and
    Initial Sequence Numbers
  • Kerberos is free, and is built-in with OS
  • Limit session time
  • Digital signature can be used to identify the
    sender of the TCP/IP packet.

17
Strengthen TCP/IP protocol
  • Use good random number generators to generate ISN
  • Shorten time-out value in TCP/IP request
  • Increase request queue size
  • Cannot completely prevent TCP/IP
    half-open-connection attack
  • Can only buy more time, in hope that the attack
    will be noticed.

18
Firewall
  • Limit traffic to services that are offered
  • Control access from within the network
  • Free software ipchains, iptables
  • Commercial firewall software
  • Packet filters router with firewall built-in
  • Multiple layer of firewall

19
Network layout with Firewall
20
IP Trace-back
  • To trace back as close to the attackers location
    as possible
  • Limited in reliability and efficiency
  • Require cooperation of many other network
    operators along the routing path
  • Generally does not receive much attention from
    network operators

21
Summary/Conclusion
  • IP spoofing attacks is unavoidable.
  • Understanding how and why spoofing attacks are
    used, combined with a few simple prevention
    methods, can help protect your network from these
    malicious cloaking and cracking techniques.

22
References
  • IP-spoofing Demystified (Trust-Relationship
    Exploitation), Phrack Magazine Review, Vol. 7,
    No. 48, pp. 48-14, www.networkcommand.com/docs/ips
    poof.txt
  • Security Enginerring A Guide to Building
    Dependable Distributed Systems, Ross Anderson,
    pp. 371
  • Introduction to IP Spoofing, Victor Velasco,
    November 21, 2000, www.sans.org/rr/threats/intro_s
    poofing.php
  • A Large-scale Distributed Intrusion Detection
    Framework Based on Attack Strategy Analysis,
    Ming-Yuh Huang, Thomas M. Wicks, Applied Research
    and Technology, The Boeing Company
  • Internet Vulnerabilities Related to TCP/IP and
    T/TCP, ACM SIGCOMM, Computer Communication Review
  • IP Spoofing, www.linuxgazette.com/issue63/sharma.h
    tml
  • Distributed System Concepts and Design, Chapter
    7, by Coulouris, Dollimore, and Kindberg
  • FreeBSD IP Spoofing, www.securityfocus.com/advisor
    ies/2703
  • IP Spoofing Attacks and Hijacked Terminal
    Connections, www.cert.org/advisories/CA-1995-01.ht
    ml
  • Network support for IP trace-back, IEEE/ACM
    Transactions on Networking, Vol. 9, No. 3, June
    2001
  • An Algebraic Approach to IP Trace-back, ACM
    Transactions on Information and System Security,
    Vol. 5, No. 2, May 2002
  • Web Spoofing. An Internet Con Game,
    http//bau2.uibk.ac.at/matic/spoofing.htm

23
Questions / Answers
Write a Comment
User Comments (0)
About PowerShow.com