IP Spoofing

Upload: vipin-soni

Post on 05-Dec-2014


Page 1: ip spoofing

IP Spoofing

Sometimes on the internet, a girl named Alice is really a man named Yves

Page 2: ip spoofing

Sources

General information:
http://en.wikipedia.org/wiki/Ip_spoofing
http://www.securityfocus.com/infocus/1674
http://tarpit.rmc.ca/knight/EE579index.htm (see the PPTs on the subject)

Mitnick attack sequence:
http://www.gulker.com/ra/hack/tsattack.html

Session hijack sequence, DoS and DDoS attacks:
http://tarpit.rmc.ca/knight/EEE466Lectures/DA14/14%20-%20Security%20I.ppt

Conversation with Todd ‘Hot Toddy’ Jackson

Phrack article:
http://www.phrack.org/issues.html?issue=64&id=15#article

Page 3: ip spoofing

Overview

TCP/IP – in brief
IP Spoofing
  Basic overview
  Examples
    Mitnick Attack
    Session Hijack
    DoS/DDoS Attack
Defending Against the Threat
Continuous Evolution
Conclusion

Page 4: ip spoofing

TCP/IP in 3 minutes or less

In general use the term describes the architecture upon which the Interweb is built.

TCP and IP are specific protocols within that architecture.

Page 5: ip spoofing

TCP/IP in 3 minutes or less

Application
Transport       (TCP)
Interweb        (IP)
Network Access
Physical

Page 6: ip spoofing

TCP/IP in 3 minutes or less

IP is the internet layer protocol. It does not guarantee delivery or ordering; it only does its best to move packets from a source address to a destination address.

IP addresses are used to express the source and destination.

IP assumes that each address is unique within the network. It has no way of checking that the source address written in a packet belongs to the host that actually sent it.

Page 7: ip spoofing

TCP/IP in 3 minutes or less

TCP is the transport layer protocol. It guarantees delivery and ordering, but relies upon IP to move packets to the proper destination.

Port numbers are used to express the source and destination process.

The destination port is assumed to have a process awaiting packets of data.

Page 8: ip spoofing

TCP/IP in 3 minutes or less

[Figure: two five-layer stacks side by side, a client using Mozilla on the left and some web server on the right, with the client's request labelled at each layer]

Application – HTTP GET
Transport – TCP, port 80
Interweb – IP, 10.24.1.1
Network Access – MAC, 00:11:22:33:44:55
Physical – 1101001001110100110100110101

But what happens if someone is lying??

Page 9: ip spoofing

IP Spoofing – Basic Overview

Basically, IP spoofing is lying about an IP address.

Normally it is the source address that is forged.

Lying about the source address lets an attacker assume a new identity.

Page 10: ip spoofing

IP Spoofing – Basic Overview

Because the source address is not the attacker’s own address, any replies generated by the destination are sent to the forged address, not to the attacker.

The attacker must have an alternate way to spy on the traffic or to predict the responses.

To maintain a connection, the attacker must still adhere to the protocol requirements of the upper layers (for TCP, the sequence and acknowledgement numbers).

Page 11: ip spoofing

IP Spoofing – Basic Overview

Difficulties for the attacker:

TCP sequence numbers
One-way communication
Adherence to the protocols of the other layers

Page 12: ip spoofing

IP Spoofing – The Reset

Victim - Bob (the host whose address Eve borrows)
Sucker - Alice (the host Eve sends the forged SYN to)
Attacker - Eve

1. SYN (Eve to Alice, source forged as Bob) – Let’s have a conversation
2. SYN ACK (Alice to Bob, since that is who she thinks asked) – Sure, what do you want to talk about?
3. RESET (Bob to Alice) – Umm.. I have no idea why you are talking to me
4. No connection – Guess I need to take Bob out of the picture…

Page 13: ip spoofing

IP Spoofing – Mitnick Attack

Merry X-mas! Mitnick hacks a diskless workstation on December 25th, 1994.

The victim – Tsutomu Shimomura.

The attack – IP spoofing and abuse of the trust relationship between a diskless terminal and its login server.

Page 14: ip spoofing

Mitnick Attack

[Figure: Kevin Mitnick on one side; the Server and the Workstation, which trust each other, on the other]

1. Mitnick floods the server’s login port so it can no longer respond
2. Mitnick probes the workstation to determine the behaviour of its TCP sequence number generator
3. Mitnick discovers that the initial TCP sequence number is incremented by 128000 for each new connection
4. Mitnick forges a SYN from the server to the workstation
5. The workstation responds with a SYN ACK to the server; the flooded port ignores it (and Mitnick never sees it)
6. Mitnick fakes the ACK using the proper (predicted) TCP sequence number
7. Mitnick has now established a one-way communications channel

Page 15: ip spoofing

Mitnick Attack – Why it worked

Mitnick abused the trust relationship between the server and the workstation.

He flooded the server to prevent communication between it and the workstation, in particular the RST that would have torn down the forged connection.

Used math skillz to determine the TCP sequence number algorithm (i.e. add 128000).

This allowed Mitnick to open a connection without seeing the workstation’s outgoing sequence numbers and without the server interrupting his attack.
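The Reset of Page 12 and the seven Mitnick steps above can be run end to end in a toy model. The following is an added example written for this transcript, not code from the slides or from any account of the real 1994 attack: the Workstation and Server classes and the segment dicts are a hypothetical simplification, the 128000 step and port 513 (rlogin) are the only values taken from the slides, and the addresses are documentation ranges. It shows the three outcomes the slides argue for: the spoofed handshake is accepted when the server is flooded and the ISN is predictable, fails when the unflooded server answers the stray SYN/ACK with a RST, and fails when ISNs are random.

```python
"""Blind spoofed handshake, modelled on the slides' Mitnick sequence.

Added example, not code from the slides or from any account of the real
attack. Hosts are toy Python objects passing TCP-like segments as dicts; the
workstation's ISN generator adds a constant (128000 on the slides) per
connection, and the trusted server answers a SYN/ACK it never asked for with
a RST unless its login port is flooded. Addresses are documentation ranges.
"""
import secrets

ISN_STEP = 128000          # increment the slides attribute to the workstation
LOGIN_PORT = 513           # rlogin, the trust-based service the slides describe


def segment(src, dst, sport, dport, flags, seq, ack=0):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "seq": seq, "ack": ack}


class Workstation:
    """Diskless terminal that trusts whoever claims the server's address."""

    def __init__(self, ip, random_isn=False):
        self.ip = ip
        self.random_isn = random_isn
        self._isn = 1_000_000                 # arbitrary starting point
        self.half_open = {}                   # (peer ip, port) -> our ISN
        self.established = set()

    def next_isn(self):
        if self.random_isn:                   # modern style: unpredictable
            return secrets.randbelow(2 ** 32)
        self._isn = (self._isn + ISN_STEP) % 2 ** 32
        return self._isn

    def recv(self, seg):
        """Process one incoming segment; return the reply segment or None."""
        key = (seg["src"], seg["sport"])
        if seg["flags"] == "SYN":
            isn = self.next_isn()
            self.half_open[key] = isn
            return segment(self.ip, seg["src"], seg["dport"], seg["sport"],
                           "SYN/ACK", isn, seg["seq"] + 1)
        if seg["flags"] == "ACK" and key in self.half_open:
            expected = self.half_open.pop(key) + 1
            if seg["ack"] == expected:
                self.established.add(key)     # handshake complete: peer is "trusted"
            # a wrong ACK just drops the half-open entry (a real stack would RST it)
        elif seg["flags"] == "RST":
            self.half_open.pop(key, None)     # peer disowned the connection
        return None


class Server:
    """The trusted login server whose address the attacker borrows."""

    def __init__(self, ip):
        self.ip = ip
        self.flooded = False

    def recv(self, seg):
        if self.flooded:
            return None                       # queue full: SYN/ACK never answered
        if seg["flags"] == "SYN/ACK":         # we sent no SYN, so reset it
            return segment(self.ip, seg["src"], seg["dport"], seg["sport"],
                           "RST", seg["ack"])
        return None


def probe_isn(ws, attacker_ip):
    """Steps 2-3: open two real connections, observe the ISNs, derive the step."""
    isns = []
    for sport in (40000, 40001):
        synack = ws.recv(segment(attacker_ip, ws.ip, sport, LOGIN_PORT, "SYN", 1))
        ws.recv(segment(attacker_ip, ws.ip, sport, LOGIN_PORT, "ACK", 2, synack["seq"] + 1))
        isns.append(synack["seq"])
    return isns[-1], (isns[1] - isns[0]) % 2 ** 32


def blind_spoof(ws, server, attacker_ip, flood=True):
    """Steps 1 and 4-7. True if the workstation accepted the spoofed handshake."""
    last_isn, step = probe_isn(ws, attacker_ip)
    predicted = (last_isn + step) % 2 ** 32   # ISN the next SYN should receive
    server.flooded = flood                    # step 1: silence the server
    sport = 1023
    synack = ws.recv(segment(server.ip, ws.ip, sport, LOGIN_PORT, "SYN", 100))
    rst = server.recv(synack)                 # step 5: reply goes to the server, not to us
    if rst is not None:
        ws.recv(rst)                          # an unflooded server tears the connection down
    ws.recv(segment(server.ip, ws.ip, sport, LOGIN_PORT, "ACK", 101, predicted + 1))
    return (server.ip, sport) in ws.established


if __name__ == "__main__":
    print("flooded server, predictable ISN:",
          blind_spoof(Workstation("192.0.2.10"), Server("192.0.2.1"), "203.0.113.9"))
    print("server free to answer with RST: ",
          blind_spoof(Workstation("192.0.2.10"), Server("192.0.2.1"), "203.0.113.9", flood=False))
    print("random ISNs:                    ",
          blind_spoof(Workstation("192.0.2.10", random_isn=True), Server("192.0.2.1"), "203.0.113.9"))
```

Run stand-alone it prints True, False, False. Note that `blind_spoof` never reads the SYN/ACK that goes to the forged address; the only thing that makes step 6 work is the arithmetic from step 3, which is exactly what a randomised ISN generator takes away.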

Page 16: ip spoofing

IP Spoofing - Session Hijack

IP spoofing used to eavesdrop on or take control of a session.

The attacker is normally within the LAN or on the communication path between server and client.

Not blind, since the attacker can see the traffic from both server and client.

Page 17: ip spoofing

Session Hijack

[Figure: Alice and Bob at either end, Eve in the middle, saying “I’m Bob!” to Alice and “I’m Alice!” to Bob]

1. Eve assumes a man-in-the-middle position through some mechanism. For example, Eve could use ARP poisoning, social engineering, router hacking etc...
2. Eve can monitor traffic between Alice and Bob without altering the packets or sequence numbers.
3. At any point, Eve can assume the identity of either Bob or Alice through the spoofed IP address. This breaks the pseudo-connection, as Eve will start modifying the sequence numbers and the party she impersonates falls out of step.

Page 18: ip spoofing

IP Spoofing – DoS/DDoS

Denial of Service (DoS) and Distributed Denial of Service (DDoS) are attacks aimed at preventing clients from accessing a service.

IP spoofing can be used to create DoS attacks.

Page 19: ip spoofing

DoS Attack

[Figure: the Attacker sends a flood of service requests with fake source IPs across the Interweb to the Server; legitimate users send their own service requests; the server queue is full, so the legitimate requests get dropped]

Page 20: ip spoofing

DoS Attack

The attacker spoofs a large number of requests from various IP addresses to fill a service’s queue.

With the service’s queue filled, legitimate users cannot use the service.

Page 21: ip spoofing

DDoS Attack

[Figure: the Attacker, the already DoS’d server whose address is spoofed, and the target servers across the Interweb; SYNs flow from the attacker to the targets, SYN ACKs from the targets to the spoofed server, and the targets’ queues fill up]

1. The attacker makes a large number of SYN connection requests to the target servers on behalf of the already DoS’d server.
2. The servers send SYN ACKs to the spoofed server, which cannot respond as it is already DoS’d. Queues quickly fill, as each connection request has to go through a process of sending several SYN ACKs before it times out.

Page 22: ip spoofing

DDoS Attack

Many other types of DDoS are possible.

DoS becomes more dangerous if spread to multiple computers.

Page 23: ip spoofing

IP Spoofing – Defending

IP spoofing can be defended against in a number of ways:

As mentioned, other protocols in the architectural model may reveal spoofing. TCP sequence numbers are often used in this manner.

New generators for sequence numbers are a lot more complicated than ‘add 128000’ (RFC 1948 derives the initial sequence number from a keyed hash of the connection’s addresses and ports). This makes it difficult to guess proper sequence numbers if the attacker is blind.

“Smart” routers can detect, and drop, packets whose source IP address lies outside the domain they arrived from (ingress filtering, RFC 2827 / BCP 38).

“Smart” servers can block IP ranges that appear to be conducting a DoS.
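A small simulation of the SYN flood on Pages 19-21 and of the “smart router” defence above, added here as an example; it is not code from the slides. The Server and EdgeRouter classes, the backlog size, retry count and traffic rates are all hypothetical choices made for this example, and the addresses are documentation ranges. With the edge router forwarding everything, forged SYNs keep the backlog full across every SYN/ACK retransmission interval and no legitimate client gets in; with BCP 38 ingress filtering on the attacker’s uplink the forged packets never leave the attacker’s network.

```python
"""SYN flood with forged source addresses against a server backlog, with and
without BCP 38 style ingress filtering at the attacker's upstream router.

Added example, not from the slides. The Server keeps at most `backlog`
half-open connections, retransmits each SYN/ACK `retries` times (one per tick)
before giving up on it, and drops any SYN that arrives while the backlog is
full. The EdgeRouter forwards a packet only if its source address lies in the
prefix assigned to the customer behind it. Sizes, rates and addresses
(documentation ranges) are all choices made for this example.
"""
import ipaddress
import random


class Server:
    def __init__(self, backlog=128, retries=5):
        self.backlog = backlog
        self.retries = retries
        self.half_open = {}            # (src, sport) -> ticks of life left
        self.accepted_legit = 0
        self.dropped_legit = 0

    def tick(self):
        """One SYN/ACK retransmission interval: age and expire half-open entries."""
        for key in list(self.half_open):
            self.half_open[key] -= 1
            if self.half_open[key] <= 0:
                del self.half_open[key]    # gave up: several SYN/ACKs, no reply

    def syn(self, src, sport, legit=False):
        """Handle one SYN. Returns True if it got a backlog slot."""
        if len(self.half_open) >= self.backlog:
            if legit:
                self.dropped_legit += 1  # the queue is full of forged entries
            return False
        if legit:
            self.accepted_legit += 1     # a real client ACKs at once and leaves the queue
            return True
        self.half_open[(src, sport)] = self.retries + 1   # forged peer never ACKs
        return True


class EdgeRouter:
    """Provider router on the attacker's uplink."""

    def __init__(self, customer_prefix, filter_on):
        self.prefix = ipaddress.ip_network(customer_prefix)
        self.filter_on = filter_on
        self.filtered = 0

    def forward(self, src):
        """BCP 38: pass a packet only if its source could legitimately be behind us."""
        if self.filter_on and ipaddress.ip_address(src) not in self.prefix:
            self.filtered += 1
            return False
        return True


def simulate(filter_on, ticks=20, flood_per_tick=200, legit_per_tick=5, seed=1):
    rng = random.Random(seed)
    server = Server()
    router = EdgeRouter("203.0.113.0/24", filter_on)        # attacker sits in this /24
    spoofed_range = ipaddress.ip_network("198.51.100.0/24")  # the already DoS'd server's range
    for _ in range(ticks):
        server.tick()
        for _ in range(flood_per_tick):
            # forged source: the SYN/ACK goes to 198.51.100.x, which never answers
            src = str(spoofed_range[rng.randrange(1, 255)])
            if router.forward(src):
                server.syn(src, rng.randrange(1024, 65536))
        for _ in range(legit_per_tick):
            server.syn("192.0.2." + str(rng.randrange(1, 255)),
                       rng.randrange(1024, 65536), legit=True)
    return {"legit_accepted": server.accepted_legit,
            "legit_dropped": server.dropped_legit,
            "filtered_at_edge": router.filtered,
            "half_open_at_end": len(server.half_open)}


if __name__ == "__main__":
    print("no ingress filter: ", simulate(filter_on=False))
    print("BCP 38 at the edge:", simulate(filter_on=True))
```

The filter only checks that the source belongs to the prefix behind the interface, so an attacker can still forge addresses inside its own /24; that is the limit of a router checking for addresses “outside its domain”. The run also shows why the “smart server” rule of blocking ranges that appear to be attacking is dangerous against spoofed traffic: the range it would block here is 198.51.100.0/24, the innocent party whose address is being forged.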

Page 24: ip spoofing

IP Spoofing continues to evolve

IP spoofing is still possible today, but has to evolve in the face of growing security.

A recent issue of Phrack (#64, see Sources) includes a method of using IP spoofing to perform remote scans and determine TCP sequence numbers.

This allows a session hijack attack even if the attacker is blind.

Page 25: ip spoofing

Conclusion

IP spoofing is an old-school hacker trick that continues to evolve.

It can be used for a wide variety of purposes.

It will continue to represent a threat as long as each layer trusts the others and people are willing to subvert that trust.

Page 26: ip spoofing

Questions?

Page 27: ip spoofing

[Backup figure: the two five-layer stacks from Page 8 (Application, Transport, Interweb, Network Access, Physical), without annotations]

Page 28: ip spoofing

Victim - Bob, Sucker - Alice, Attacker - Eve

[Backup figure: the three hosts of the Reset diagram, without their messages]

Page 29: ip spoofing

Victim - Bob, Sucker - Alice, Attacker - Eve

[Backup figure: the same three hosts, connected across the Interweb]

Page 30: ip spoofing

IP header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |        Header Checksum        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Source Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Destination Address                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Options and Padding                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt

Page 31: ip spoofing

TCP header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Acknowledgement Number                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Options and Padding                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt
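The Basic Overview (Pages 9-11) and the two header layouts above come together in a packet builder. The code below is an added example, not from the slides: it packs an IPv4 header and a TCP SYN byte for byte in the field order shown, fills in the IP header checksum and the TCP checksum over the pseudo-header, and parses the result back. The function names, the SYN toward port 513 with a claimed source of 192.0.2.1, and the other addresses (documentation ranges) are choices for this example, and no packet is ever put on the wire. The point to take from it: the checksums only protect against corruption; nothing in either header proves who wrote the source address.

```python
"""Build and parse an IPv4/TCP SYN with a forged source address.

Added example, not code from the slides. Headers are laid out in RFC 791 and
RFC 793 field order (the two header slides), with the IP header checksum and
the TCP checksum over the pseudo-header computed as RFC 1071 describes. A
forged source verifies exactly as well as a genuine one. Addresses are
documentation ranges; nothing is sent.
"""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071): complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip, dst_ip, sport, dport, seq, window=65535):
    """20-byte TCP header, SYN flag only, checksum over pseudo-header + header."""
    data_offset_flags = (5 << 12) | 0x02            # data offset 5 words, flags = SYN
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                         data_offset_flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(header))
    csum = ones_complement_sum(pseudo + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def build_ipv4(src_ip, dst_ip, payload, ttl=64, ident=0x1234):
    """20-byte IPv4 header in front of payload; the source is whatever we claim."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + len(payload)
    flags_frag = 0x4000                               # DF set, fragment offset 0
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_frag,
                         ttl, socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ones_complement_sum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse(packet):
    """Decode what a receiver sees and re-verify both checksums (0 means intact)."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     ipcsum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    tcp = packet[ihl:total_len]
    (sport, dport, seq, ack, off_flags,
     window, tcpcsum, urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window,
        "ip_checksum_ok": ones_complement_sum(packet[:ihl]) == 0,
        "tcp_checksum_ok": ones_complement_sum(pseudo + tcp) == 0,
    }


def spoofed_syn(claimed_src, dst_ip, dport, seq, sport=1023):
    """The whole forgery: an IPv4/TCP SYN that claims to come from claimed_src."""
    return build_ipv4(claimed_src, dst_ip, build_tcp_syn(claimed_src, dst_ip, sport, dport, seq))


if __name__ == "__main__":
    pkt = spoofed_syn("192.0.2.1", "192.0.2.10", 513, 1892)   # "I am the trusted server"
    print(len(pkt), "bytes:", pkt.hex())
    print(parse(pkt))
```

Sending such a packet would need a raw socket (root and IP_HDRINCL), which is deliberately left out. For the receiving host the output of `parse()` is all there is: a “trusted” source address in the IP header is a claim, not evidence, and the only thing the checksum will ever reject is a corrupted claim.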

Page 32: ip spoofing

TCP Sequence Numbers

Client: start SEQ 1892          Server: start SEQ 15562

1. Client transmits 50 bytes
   SEQ – 1892, ACK – 15562, Size – 50

2. Server transmits 25 bytes
   SEQ – 15562, ACK – 1942, Size – 25

3. Client ACKs, sends no data
   SEQ – 1942, ACK – 15587, Size – 0

Client: end SEQ 1942            Server: end SEQ 15587

Each side’s ACK is the other side’s SEQ plus the bytes received (1892 + 50 = 1942, 15562 + 25 = 15587). The walk-through begins after the handshake; the SYN and FIN flags each consume one sequence number of their own.
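The arithmetic on this slide, and the Session Hijack desynchronisation from Page 17, as an added example (not the slides’ own code). The Endpoint class, the segment dicts and the status strings are a hypothetical model that tracks only snd_nxt and rcv_nxt; the numbers 1892, 15562, 50, 25 and 0 are from the slide, while Eve’s 30 injected bytes and the server’s 10-byte reply are chosen for the example.

```python
"""TCP sequence/acknowledgement bookkeeping: the slide's three-segment
exchange, then what a man in the middle does to it by injecting data.

Added example, not from the slides. Each Endpoint tracks only what the slide
shows: the next byte it will send (snd_nxt) and the next byte it expects
(rcv_nxt). Segments are dicts with seq, ack and size. As on the slide the
walk-through starts after the handshake, so SYN/FIN accounting is left out.
"""

IN_ORDER = "in order"
OLD_DATA = "old data, already acknowledged, discarded"
GAP = "gap before this segment, held for reordering"
BAD_ACK = "acknowledges bytes we never sent, dropped"


class Endpoint:
    def __init__(self, start_seq, peer_start_seq):
        self.snd_nxt = start_seq          # next sequence number we will send
        self.rcv_nxt = peer_start_seq     # next sequence number we expect

    def send(self, size):
        seg = {"seq": self.snd_nxt, "ack": self.rcv_nxt, "size": size}
        self.snd_nxt += size              # every data byte consumes one number
        return seg

    def receive(self, seg):
        """Apply a segment and report how it looked from this end."""
        if seg["ack"] > self.snd_nxt:     # RFC 793: an ACK for unsent data is unacceptable
            return BAD_ACK
        if seg["seq"] == self.rcv_nxt:
            self.rcv_nxt += seg["size"]
            return IN_ORDER
        if seg["seq"] < self.rcv_nxt:
            return OLD_DATA
        return GAP


def slide_exchange():
    """The three segments from the slide; returns them plus both end SEQs."""
    client = Endpoint(1892, 15562)
    server = Endpoint(15562, 1892)
    s1 = client.send(50)                  # 1. client transmits 50 bytes
    server.receive(s1)
    s2 = server.send(25)                  # 2. server transmits 25 bytes
    client.receive(s2)
    s3 = client.send(0)                   # 3. client ACKs, sends no data
    server.receive(s3)
    return [s1, s2, s3], client.snd_nxt, server.snd_nxt


def hijack(injected=30):
    """Eve, on the path, has watched the exchange and now speaks as the client."""
    client = Endpoint(1892, 15562)
    server = Endpoint(15562, 1892)
    server.receive(client.send(50))
    client.receive(server.send(25))
    # Eve copies both counters; her forged segment is exactly what the server expects.
    eve = Endpoint(client.snd_nxt, server.snd_nxt)
    eve_status = server.receive(eve.send(injected))
    reply = server.send(10)               # server now ACKs bytes the real client never sent
    client_status = client.receive(reply)
    late = server.receive(client.send(10))  # the client's own next segment looks stale
    return {"eve_injection": eve_status, "server_acks": reply["ack"],
            "client_sees_reply": client_status, "client_next_segment": late}


if __name__ == "__main__":
    segs, client_end, server_end = slide_exchange()
    for seg in segs:
        print(seg)
    print("end SEQ client/server:", client_end, server_end)
    print(hijack())
```

`slide_exchange()` reproduces the slide exactly (end SEQ 1942 and 15587). `hijack()` then shows what Page 17 calls breaking the pseudo-connection: once Eve’s 30 bytes are accepted, the server acknowledges 1972, which the real client treats as an ACK for data it never sent, and the client’s own next segment starting at 1942 is discarded as old data. In a real stack both ends keep answering each other with bare ACKs at this point, the ACK storm that betrays an on-path hijack.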