IP Spoofing - PowerPoint PPT Presentation

Slides: 33
Provided by: kev87
Transcript and Presenter's Notes

Title: IP Spoofing


1
IP Spoofing
  • Sometimes on the internet, a girl named Alice is
    really a man named Yves

2
Sources
  • General Information
      • http://en.wikipedia.org/wiki/Ip_spoofing
      • http://www.securityfocus.com/infocus/1674
      • http://tarpit.rmc.ca/knight/EE579index.htm (see PPTs on the subject)
  • Mitnick Attack Sequence
      • http://www.gulker.com/ra/hack/tsattack.html
  • Session Hijack Sequence
      • http://tarpit.rmc.ca/knight/EEE466Lectures/DA14/14%20-%20Security%20I.ppt
  • DoS and DDoS attacks
      • http://tarpit.rmc.ca/knight/EEE466Lectures/DA14/14%20-%20Security%20I.ppt
  • Conversation with Todd "Hot Toddy" Jackson
  • Phrack Article
      • http://www.phrack.org/issues.html?issue=64&id=15#article

3
Overview
  • TCP/IP in brief
  • IP Spoofing
      • Basic overview
      • Examples
          • Mitnick Attack
          • Session Hijack
          • DoS/DDoS Attack
  • Defending Against the Threat
  • Continuous Evolution
  • Conclusion

4
TCP/IP in 3 minutes or less
  • In general use, the term describes the architecture
    upon which the Interweb is built.
  • TCP and IP are specific protocols within that
    architecture.

5
TCP/IP in 3 minutes or less
  (Layer diagram, top to bottom)
  Application
  Transport - TCP
  Interweb - IP
  Network Access
  Physical
6
TCP/IP in 3 minutes or less
  • IP is the internet layer protocol.
  • Does not guarantee delivery or ordering, only
    does its best to move packets from a source
    address to a destination address.
  • IP addresses are used to express the source and
    destination.
  • IP assumes that each address is unique within the
    network.

7
TCP/IP in 3 minutes or less
  • TCP is the transport layer protocol.
  • It guarantees delivery and ordering, but relies
    upon IP to move packets to the proper destination.
  • Port numbers are used to express source and
    destination.
  • Destination Port is assumed to be awaiting
    packets of data.

8
TCP/IP in 3 minutes or less
  (Diagram: a client using Mozilla sends an HTTP GET to some web server;
   both hosts show the full stack, with the client's addressing at each layer)
  Application     HTTP - GET
  Transport       TCP Port 80
  Interweb        IP 10.24.1.1
  Network Access  MAC 001122334455
  Physical        1101001001110100110100110101
  But what happens if someone is lying??
9
IP Spoofing - Basic Overview
  • Basically, IP spoofing is lying about an IP
    address.
  • Normally it is the source address that is
    falsified.
  • Lying about the source address lets an attacker
    assume a new identity.

10
IP Spoofing - Basic Overview
  • Because the source address is not the same as the
    attacker's address, any replies generated by the
    destination will not be sent to the attacker.
  • The attacker must have an alternate way to spy on
    traffic or predict responses.
  • To maintain a connection, the attacker must adhere to
    protocol requirements.

11
IP Spoofing - Basic Overview
  • Difficulties for the attacker
      • TCP sequence numbers
      • One-way communication
      • Adherence to protocols for other layers

12
IP Spoofing - The Reset
  (Diagram: Victim - Bob, Sucker - Alice, Attacker - Eve; Eve sends to Alice
   using Bob's address)
  1. SYN (Eve, as Bob, to Alice): "Let's have a conversation"
  2. SYN ACK (Alice to Bob): "Sure, what do you want to talk about?"
  3. RESET (Bob to Alice): "Umm.. I have no idea why you are talking to me"
  4. No connection. Eve: "Guess I need to take Bob out of the picture"
13
IP Spoofing - Mitnick Attack
  • Merry X-mas! Mitnick hacks a diskless workstation
    on December 25th, 1994.
  • The victim: Tsutomu Shimomura.
  • The attack: IP spoofing and abuse of the trust
    relationship between a diskless terminal and its
    login server.

14
Mitnick Attack
  (Diagram: Kevin Mitnick, Server, Workstation)
  1. Mitnick floods the server's login port so it can
     no longer respond.
  2. Mitnick probes the workstation to determine the
     behaviour of its TCP sequence number generator.
  3. Mitnick discovers that the TCP sequence number is
     incremented by 128000 for each new connection.
  4. Mitnick forges a SYN from the server to the
     terminal.
  5. The terminal responds with an ACK, which is ignored
     by the flooded port (and not visible to Mitnick).
  6. Mitnick fakes the ACK using the proper TCP
     sequence number.
  7. Mitnick has now established a one-way
     communications channel.
15
Mitnick Attack - Why it worked
  • Mitnick abused the trust relationship between the
    server and the workstation.
  • He flooded the server to prevent communication
    between it and the workstation.
  • He used math skillz to determine the TCP sequence
    number algorithm (i.e. add 128000).
  • This allowed Mitnick to open a connection without
    seeing the workstation's outgoing sequence numbers
    and without the server interrupting his attack.

16
IP Spoofing - Session Hijack
  • IP spoofing used to eavesdrop on or take control of a
    session.
  • The attacker is normally within a LAN or on the
    communication path between server and client.
  • Not blind, since the attacker can see traffic
    from both server and client.

17
Session Hijack
  (Diagram: Eve sits between Alice and Bob, announcing "I'm Bob!" to Alice
   and "I'm Alice!" to Bob)
  1. Eve assumes a man-in-the-middle position through some mechanism. For
     example, Eve could use ARP poisoning, social engineering, router
     hacking, etc.
  2. Eve can monitor traffic between Alice and Bob without altering the
     packets or sequence numbers.
  3. At any point, Eve can assume the identity of either Bob or Alice through
     the spoofed IP address. This breaks the pseudo-connection, as Eve will
     start modifying the sequence numbers.
18
IP Spoofing - DoS/DDoS
  • Denial of Service (DoS) and Distributed Denial of
    Service (DDoS) are attacks aimed at preventing
    clients from accessing a service.
  • IP spoofing can be used to create DoS attacks.

19
DoS Attack
Server
Flood of Requests from Attacker
Service Requests
Interweb
Server queue full, legitimate requests get dropped
Service Requests
Fake IPs
Attacker
Legitimate Users
20
DoS Attack
  • The attacker spoofs a large number of requests
    from various IP addresses to fill a service's
    queue.
  • With the service's queue filled, legitimate users
    cannot use the service.

21
DDoS Attack
  (Diagram: Attacker, Target Servers, and a Server (already DoS'd) whose
   queue is full; SYNs flow from the Attacker to the Target Servers, SYN ACKs
   from the Target Servers to the DoS'd Server)
  1. The attacker makes a large number of SYN connection
     requests to target servers on behalf of a DoS'd
     server.
  2. The servers send SYN ACKs to the spoofed server, which
     cannot respond as it is already DoS'd. Queues
     quickly fill, as each connection request has to
     go through a process of sending several SYN ACKs
     before it times out.
22
DDoS Attack
  • Many other types of DDoS are possible.
  • DoS becomes more dangerous if spread to multiple
    computers.
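The reset in slide 12 and the queue filling in slides 19 and 21 can be put side by side in a small model of a server's listen backlog. This is an added example, not part of the presentation; the backlog size, the SYN ACK retry schedule and the arrival rates are constructed assumptions.

```python
import heapq

# Constructed model parameters (not from the slides)
BACKLOG = 128                  # half-open connections the listen queue can hold
HALF_OPEN_TIMEOUT_MS = 31_000  # SYN ACK retried at 1, 2, 4, 8, 16 s before the entry is dropped
RST_DELAY_MS = 50              # a live spoofed host answers the SYN ACK with a RESET within ~1 RTT

def simulate(spoof_rate, duration_s, spoofed_source_alive, legit_rate=2):
    """Fraction of legitimate SYNs that find the backlog full and are dropped.

    spoof_rate and legit_rate are SYNs per second; time runs in integer
    milliseconds so the result is deterministic. A spoofed SYN looks like any
    other to the server (slide 9), so it is queued like a real one.
    """
    # slide 12: a live spoofed host RESETs the unexpected SYN ACK and the slot frees at once;
    # slide 21: a DoS'd host never answers, so the slot is held through every SYN ACK retry
    hold = RST_DELAY_MS if spoofed_source_alive else HALF_OPEN_TIMEOUT_MS
    expiry = []                        # min-heap of times (ms) at which a half-open slot frees
    legit_total = legit_dropped = 0
    spoof_step = max(1, 1000 // spoof_rate)
    legit_step = max(1, 1000 // legit_rate)
    t_spoof = t_legit = 0
    end = duration_s * 1000
    while min(t_spoof, t_legit) < end:
        if t_spoof <= t_legit:         # next arrival is a spoofed SYN
            now, legit = t_spoof, False
            t_spoof += spoof_step
        else:                          # next arrival is a legitimate client
            now, legit = t_legit, True
            t_legit += legit_step
        while expiry and expiry[0] <= now:   # release slots whose wait has ended
            heapq.heappop(expiry)
        if legit:
            legit_total += 1
            if len(expiry) >= BACKLOG:
                legit_dropped += 1     # "server queue full, legitimate requests get dropped"
            # a real client finishes the handshake immediately, so its slot use is ignored
        elif len(expiry) < BACKLOG:
            heapq.heappush(expiry, now + hold)  # server waits for an ACK that never arrives
    return legit_dropped / legit_total if legit_total else 0.0

if __name__ == "__main__":
    for alive in (True, False):
        who = "live host (answers with RESET)" if alive else "DoS'd host (never answers)"
        print(f"50 spoofed SYN/s for 60 s, source is a {who}: "
              f"{simulate(50, 60, alive):.0%} of legitimate SYNs dropped")
```

With the same 50 spoofed SYNs per second, a source that answers with a RESET never fills the queue, while a source that cannot answer saturates it within a few seconds.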

23
IP Spoofing - Defending
  • IP spoofing can be defended against in a number
    of ways.
  • As mentioned, other protocols in the
    architectural model may reveal spoofing.
  • TCP sequence numbers are often used in this
    manner:
      • New generators for sequence numbers are a lot
        more complicated than "add 128000".
      • This makes it difficult to guess the proper
        sequence numbers if the attacker is blind.
  • Smart routers can detect IP addresses that are
    outside their domain.
  • Smart servers can block IP ranges that appear
    to be conducting a DoS.
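Slide 23's point, that the "add 128000" generator of slide 14 is exactly what a blind attacker needs, can be checked by auditing the initial sequence numbers a stack hands out. This is an added example, not part of the presentation: the two generators and the jitter threshold are constructed assumptions, and the randomised generator only stands in for the newer ones the slide alludes to.

```python
import secrets
from statistics import pstdev

MOD = 2**32   # TCP sequence numbers live in a 32-bit field (slide 31)

def legacy_isn(start=0, step=128_000):
    """Generator of the kind Mitnick observed: each new connection adds a fixed step."""
    isn = start
    while True:
        isn = (isn + step) % MOD
        yield isn

def random_isn():
    """Randomised ISNs, standing in for the generators slide 23 calls
    'a lot more complicated than add 128000' (assumption: uniform 32-bit values)."""
    while True:
        yield secrets.randbits(32)

def isn_deltas(samples):
    """Step between consecutive ISNs, reduced mod 2^32 so wraparound cannot hide a pattern."""
    return [(b - a) % MOD for a, b in zip(samples, samples[1:])]

def audit_isn(samples):
    """Rate how guessable the next ISN is from the ones a few probe connections returned.

    Returns (verdict, predicted_next). predicted_next is None unless the samples
    show a constant increment, the case that let a blind attacker send the
    'proper' ACK of slide 14 step 6 without ever seeing the reply.
    """
    if len(samples) < 3:
        raise ValueError("need at least three ISNs to judge a pattern")
    deltas = isn_deltas(samples)
    if len(set(deltas)) == 1:             # every connection added the same constant
        return f"predictable: constant increment {deltas[0]}", (samples[-1] + deltas[0]) % MOD
    spread = pstdev(deltas)
    if spread < 2**20:                    # assumption: jitter this small leaves a narrow guessing window
        return f"weak: increments vary by only ~{spread:.0f}", None
    return f"unpredictable: increments vary by ~{spread:.3g}", None

if __name__ == "__main__":
    for name, gen in (("legacy +128000", legacy_isn()), ("randomised", random_isn())):
        probes = [next(gen) for _ in range(5)]   # five probe connections, as in slide 14 step 2
        verdict, guess = audit_isn(probes)
        print(f"{name}: {verdict}; actual next ISN {next(gen)}, guess {guess}")
```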

24
IP Spoofing continues to evolve
  • IP spoofing is still possible today, but has to
    evolve in the face of growing security.
  • A new issue of Phrack includes a method of using IP
    spoofing to perform remote scans and determine
    TCP sequence numbers.
  • This allows a session hijack attack even if the
    attacker is blind.

25
Conclusion
  • IP spoofing is an old-school hacker trick that
    continues to evolve.
  • It can be used for a wide variety of purposes.
  • It will continue to represent a threat as long as
    the layers continue to trust each other and
    people are willing to subvert that trust.

26
Questions?
27
  (Blank layer-diagram template: Application, Transport, Interweb, Network
   Access, Physical, for two hosts)
28
  (Blank template: Sucker - Alice, Victim - Bob, Attacker - Eve)
29
  (Blank template: Sucker - Alice, Victim - Bob, Attacker - Eve, joined by
   the Interweb)
30
IP header
  Stolen from http://tarpit.rmc.ca/knight/EE579/mitnik.ppt
  (Bit positions 0 to 31, one 32-bit word per row)
  Version | IHL | Type of Service | Total Length
  Identification | Flags | Fragment Offset
  Time to Live | Protocol | Header Checksum
  Source Address
  Destination Address
  Options and Padding
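As an added example (not from the presentation or the slides it cites), a parser for the header layout on slide 30 that verifies the Header Checksum and then applies slide 23's "smart router" check to the Source Address field. The addresses, the prefix and the packet contents are constructed; the builder exists only to produce test packets.

```python
import struct
from ipaddress import ip_address, ip_network

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # the fixed 20 bytes of the slide-30 layout

def checksum(data):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, payload=b"", ttl=64, proto=6):
    """Constructed test packet. Nothing in IP checks that src is really the sender's
    address, which is all that 'lying about an IP address' (slide 9) requires."""
    def pack(csum):
        return IPV4_HDR.pack(0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto,
                             csum, ip_address(src).packed, ip_address(dst).packed)
    return pack(checksum(pack(0))) + payload

def parse_ipv4(packet):
    """Decode the slide-30 fields into a dict; raise ValueError for a malformed header."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = IPV4_HDR.unpack(packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet) or total_len > len(packet):
        raise ValueError("not a valid IPv4 header")
    if checksum(packet[:ihl]) != 0:          # an intact header sums to zero over its own checksum
        raise ValueError("bad header checksum")
    return {"tos": tos, "total_length": total_len, "identification": ident,
            "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "protocol": proto, "src": str(ip_address(src)),
            "dst": str(ip_address(dst)), "options": packet[20:ihl]}

def ingress_ok(fields, expected_prefix):
    """Slide 23's 'smart router': a packet arriving on the link that serves
    expected_prefix must carry a Source Address inside that prefix."""
    return ip_address(fields["src"]) in ip_network(expected_prefix)

if __name__ == "__main__":
    # constructed: the slide-8 client's packet, and one claiming a source outside the LAN
    for pkt in (build_ipv4("10.24.1.1", "192.0.2.80"), build_ipv4("192.0.2.77", "192.0.2.80")):
        f = parse_ipv4(pkt)
        print(f["src"], "->", f["dst"], "pass" if ingress_ok(f, "10.24.0.0/16") else "drop")
```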
31
TCP header
  Stolen from http://tarpit.rmc.ca/knight/EE579/mitnik.ppt
  (Bit positions 0 to 31, one 32-bit word per row)
  Source Port | Destination Port
  Sequence Number
  Acknowledgement Number
  Data Offset | Reserved | Flags | Window
  Checksum | Urgent Pointer
  Options and Padding
32
TCP Sequence Numbers
  (Diagram: Client and Server)
  1. Client transmits 50 bytes
  2. Server transmits 20 bytes
  3. Client ACKs, sends no data
  Client: Start SEQ - 1892, End SEQ - 1942
  Server: Start SEQ - 15562, End SEQ - 15587