
IP SPOOFING

DECLARATION

I, Rajat Rana, bearing Registration number 1600515038, student of Bachelor of Technology in the Department of Computer Science Engineering, hereby declare that I own the full responsibility for the information, conclusions, facts etc. provided in this technical seminar report titled "IP Spoofing" submitted to the Computer Science Engineering Department, ABVGIET, Pragatinagar for the award of the degree of Bachelor of Technology.


ABSTRACT

This paper deals with IP spoofing, which refers to the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computer system. The paper covers the occurrence of IP spoofing, how it works, its usage and applications, and how it can be prevented. IP spoofing hides the sender's IP address by creating IP packets that contain bogus source addresses in an effort to impersonate other connections and hide your identity when you send information. It is a common method used by spammers and scammers to mislead others about the origin of the information they send.


TABLE OF CONTENTS

DECLARATION
ABSTRACT
TABLE OF CONTENTS
CHAPTER 1: INTRODUCTION
  1.1 OVERVIEW
  1.2 HISTORY
CHAPTER 2: TCP/IP PROTOCOL SUITE
  2.1 INTERNET PROTOCOL – IP
  2.2 Transmission Control Protocol – TCP
  2.3 Consequences of the TCP/IP Design
CHAPTER 3: WHAT IS IP ADDRESS SPOOFING?
  3.1 OTHER DEFINITION
    SPOOFING
CHAPTER 4: APPLICATIONS AND LEGITIMATE USES
  4.2 LEGITIMATE USES
    4.2.1 ANTI-SPOOFING IN DDOS PROTECTION
      Services vulnerable to IP spoofing
    4.2.2 Defense against spoofing attacks
      Upper layers
CHAPTER 5: ADVANTAGES AND DISADVANTAGES
  5.1 ADVANTAGES
  5.2 DISADVANTAGES
CHAPTER 6
  6.1 CONCLUSION
  6.2 FUTURE SCOPE
  6.3 REFERENCES


CHAPTER 1
INTRODUCTION
1.1 OVERVIEW

We use computers for everything from banking and investing to shopping and communicating
with others through email or chat programs. Although you may not consider your communications
"top secret," you probably do not want strangers reading your email, using your computer to attack
other systems, sending forged email from your computer, or examining personal information
stored on your computer, such as financial statements. Generally, when people use the Internet,
their activities and their personal information are not private anymore. Most of these online
activities are habitual processes you do without even thinking twice. For example, whenever you
fill out a magazine subscription, complete a product registration card, apply for a bank account or
a credit card, rent or purchase a property, make a purchase by using a credit card at a grocery store,
data about your personal information and your lifestyle/shopping habits is collected.

On the Internet, all of these activities can be saved to a database and then can be sold later to
various national marketing organizations against your wish. For example, your credit history is
stored as an electronic record and many companies check against it before opening a new account
for you. Or worse, a doctor can check your record to find out if you have ever filed a malpractice
suit before they accept you as a new patient. So your data is subject to be legally sold for marketing
purposes, stolen through internet piracy, or hacked from the databases of legitimate marketers or
service providers.

Security on the Internet and on Local Area Networks is now at the forefront of computer-related issues. The technical jargon of the day is information warfare and network security, and there are valid reasons for their rise in importance. Throughout the evolution of networking and the Internet, the threats to information and networks have risen dramatically. Many of these threats have become cleverly exercised attacks causing damage or committing theft. Consequently, the public has become more conscious of the need for network security, and so too has the government.


Protective tools and techniques exist to combat security threats; nevertheless, only with the proper
implementation will they succeed.

Currently the greatest asset of corporations and governments is information. Information encompasses a wide range of diverse pieces including: computer data, marketing strategies, tax and personnel records, military strategies, financial data, communications, and business plans. Loss of information can be devastating for a corporation or government. Information security is the necessary means by which critical information is controlled and its loss is prevented. Information security deals with those administrative policies and procedures for identifying, controlling, and protecting information from unauthorized manipulation.

Network security is the most vital component in information security because it is responsible for securing all information passed through networked computers. Network security refers to all hardware and software functions, characteristics, features, operational procedures, accountability measures, access controls, and administrative and management policy required to provide an acceptable level of protection for hardware, software, and information in a network.

Criminals have long employed the tactic of masking their true identity, from disguises to aliases to caller-ID blocking. It should come as no surprise, then, that criminals who conduct their nefarious activities on networks and computers employ such techniques. IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by "spoofing" the IP address of that machine.


1.2 HISTORY

The concept of IP spoofing was initially discussed in academic circles in the 1980s. In the April 1989 article entitled "Security Problems in the TCP/IP Protocol Suite", author S. M. Bellovin of AT&T Bell Labs was among the first to identify IP spoofing as a real risk to computer networks. Bellovin describes how Robert Morris, creator of the now infamous Internet Worm, figured out how TCP created sequence numbers and forged a TCP packet sequence. This TCP packet included the destination address of his "victim", and using an IP spoofing attack Morris was able to obtain root access to his targeted system without a user ID or password. Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu Shimomura's machine, employed the IP spoofing and TCP sequence prediction techniques. While the popularity of such cracks has decreased due to the demise of the services they exploited, spoofing can still be used and needs to be addressed by all security administrators.

A common misconception is that "IP spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. However, IP spoofing is an integral part of many network attacks that do not need to see responses (blind spoofing).


CHAPTER 2
2. TCP/IP PROTOCOL SUITE

IP spoofing exploits flaws in the TCP/IP protocol suite. In order to completely understand how these attacks can take place, one must examine the structure of the TCP/IP protocol suite. A basic understanding of the IP and TCP headers and of the network exchanges built on them is crucial to the process.

2.1 INTERNET PROTOCOL – IP

The Internet Protocol (or IP, as it is generally known) is the network layer of the Internet. IP provides a connection-less service. The job of IP is to route and send a packet to the packet's destination. IP provides no guarantee whatsoever for the packets it tries to deliver. IP packets are usually termed datagrams. The datagrams go through a series of routers before they reach the destination. At each node that the datagram passes through, the node determines the next hop for the datagram and routes it to the next hop. Since the network is dynamic, it is possible that two datagrams from the same source take different paths to make it to the destination. Since the network has variable delays, it is not guaranteed that the datagrams will be received in sequence. IP only tries for a best-effort delivery. It does not take care of lost packets; this is left to the higher layer protocols. There is no state maintained between two datagrams; in other words, IP is connection-less.


Figure 1: IP packet Header

The IP header is shown above. The Version is currently set to 4. In order to distinguish it from the new version IPv6, IP is also referred to as IPv4. The source address and the destination address are 4-byte Internet addresses. The Options field contains various options such as source-based routing and record route. Source-based routing allows the sender to specify the path the datagram should take to reach the destination. Record route allows the sender to record the route the datagram is taking. None of the IP fields are encrypted and there is no authentication. It would be extremely easy to set an arbitrary destination address (or source address), and IP would send the datagram. The destination has no way of ascertaining the fact that the datagram actually originated from an IP address other than the one in the source address field. It is easy to see why any authentication scheme based on IP addresses would fail.
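As an added illustration (not part of the original report), the following Python parses the fixed 20-byte IPv4 header described above from a constructed datagram and verifies its header checksum. The point it makes: the checksum is a one's-complement sum that anyone can recompute, so a header built with the report's spoofed address 172.16.0.6 validates just as well as a genuine one; nothing in the header authenticates the source.

```python
import struct
from ipaddress import IPv4Address

# Fixed 20-byte IPv4 header (no options), network byte order:
# ver/ihl, tos, total_len, ident, flags/frag, ttl, proto, checksum, src, dst
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")


def ones_complement_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      ttl: int = 64, proto: int = 6) -> bytes:
    """Assemble a minimal IPv4 header with a correct checksum.

    Only used here to construct sample input; the caller may put any value
    in 'src', which is exactly the weakness the report describes."""
    fields = [(4 << 4) | 5, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
              IPv4Address(src).packed, IPv4Address(dst).packed]
    fields[7] = ones_complement_checksum(IPV4_HEADER.pack(*fields))
    return IPV4_HEADER.pack(*fields)


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fields discussed in the text and check header integrity.

    'checksum_ok' only guards against transmission errors: every router
    recomputes it after decrementing the TTL, so it says nothing about
    who wrote the source address."""
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = \
        IPV4_HEADER.unpack_from(raw)
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        # a valid header (checksum field included) sums to zero
        "checksum_ok": ones_complement_checksum(raw[:ihl]) == 0,
    }


def demo():
    """Constructed datagrams using the report's example addresses."""
    genuine = build_ipv4_header("192.168.0.5", "10.0.0.23", payload_len=40)
    forged = build_ipv4_header("172.16.0.6", "10.0.0.23", payload_len=40)
    return parse_ipv4_header(genuine), parse_ipv4_header(forged)


if __name__ == "__main__":
    for hdr in demo():
        print(hdr)
```

Both headers report `checksum_ok` as True; only a corrupted byte (for example a changed TTL without recomputation) makes the check fail, which is all the checksum was ever designed to catch.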

2.2 Transmission Control Protocol – TCP

IP can be thought of as a routing wrapper for layer 4 (transport), which contains the Transmission Control Protocol (TCP). Unlike IP, TCP uses a connection-oriented design. This means that the participants in a TCP session must first build a connection - via the 3-way handshake (SYN, SYN/ACK, ACK) - then update one another on progress - via sequences and acknowledgements. This "conversation" ensures data reliability, since the sender receives an OK from the recipient after each packet exchange.

Figure 2: TCP/IP Packet Header


As you can see above, a TCP header is very different from an IP header. We are concerned with the first 12 bytes of the TCP packet, which contain port and sequencing information. Much like an IP datagram, TCP packets can be manipulated using software. The source and destination ports normally depend on the network application in use (for example, HTTP via port 80). What's important for our understanding of spoofing are the sequence and acknowledgement numbers. The data contained in these fields ensures packet delivery by determining whether or not a packet needs to be resent. The sequence number is the number of the first byte in the current packet, relative to the data stream. The acknowledgement number, in turn, contains the value of the next expected sequence number in the stream. This relationship confirms, on both ends, that the proper packets were received. It's quite different from IP, since transaction state is closely monitored.

2.3 Consequences of the TCP/IP Design

Now that we have an overview of the TCP/IP formats, let's examine the consequences. Obviously, it's very easy to mask a source address by manipulating an IP header. This technique is used for obvious reasons and is employed in several of the attacks discussed below. Another consequence, specific to TCP, is sequence number prediction, which can lead to session hijacking or host impersonation. This method builds on IP spoofing, since a session, albeit a false one, is built. We will examine the ramifications of this in the attacks discussed below.


CHAPTER 3
3. WHAT IS IP ADDRESS SPOOFING?

IP address spoofing is the creation of IP packets using somebody else's IP source address. This technique is used for obvious reasons and is employed in several attacks. Examining the IP header, we can see that the first 12 bytes contain various information about the packet. The next 8 bytes, however, contain the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses – specifically the "source address" field.

A common misconception is that "IP spoofing" can be used to hide our IP address while surfing
the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the
source IP address causes the responses to be misdirected, meaning you cannot create a normal
network connection as shown in the following example.

Figure 3 illustrates a typical interaction between a workstation with a valid source IP address
requesting web pages and the web server executing the requests. When the workstation requests a
page from the web server the request contains both the workstation’s IP address (i.e. source IP
address 192.168.0.5) and the address of the web server executing the request (i.e. destination IP
address 10.0.0.23). The web server returns the web page using the source IP address specified in
the request as the destination IP address, 192.168.0.5 and its own IP address as the source IP
address, 10.0.0.23.

Figure 3: Valid source IP address


Figure 4 illustrates the interaction between a workstation requesting web pages using a spoofed
source IP address and the web server executing the requests. If a spoofed source IP address (i.e.
172.16.0.6) is used by the workstation, the web server executing the web page request will attempt
to execute the request by sending information to the IP address of what it believes to be the
originating system (i.e. the workstation at 172.16.0.6). The system at the spoofed IP address will
receive unsolicited connection attempts from the web server that it will simply discard.

Figure 4: Spoofed source IP address

3.1 OTHER DEFINITION

SPOOFING

Spoofing is an impersonation of a user, device or client on the Internet. It’s often used during a
cyberattack to disguise the source of attack traffic.
The most common forms of spoofing are:

- DNS server spoofing – Modifies a DNS server in order to redirect a domain name to a different IP address. It's typically used to spread viruses.
- ARP spoofing – Links a perpetrator's MAC address to a legitimate IP address through spoofed ARP messages. It's typically used in denial of service (DoS) and man-in-the-middle assaults.
- IP address spoofing – Disguises an attacker's origin IP. It's typically used in DoS assaults.

IP SPOOFING

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system.

Computer networks communicate through the exchange of network data packets, each containing
multiple headers used for routing and to ensure transmission continuity. One such header is the
‘Source IP Address’, which indicates the IP address of the packet’s sender.


IP address spoofing is the act of falsifying the content of the Source IP Address header, usually with randomized numbers, either to mask the sender's identity or to launch a reflected DDoS attack, as described below. IP spoofing is a default feature in most DDoS malware kits and attack scripts, making it a part of most network layer distributed denial of service (DDoS) attacks.


CHAPTER 4

4. APPLICATIONS AND LEGITIMATE USES

4.1 APPLICATION

Many other attacks rely on the IP spoofing mechanism to launch an attack. For example, a SMURF attack (also known as ICMP flooding) is when an intruder sends a large number of ICMP echo requests (pings) to the broadcast address of the reflector subnet.

The source addresses of these packets are spoofed to be the address of the target victim. For each packet sent by the attacker, hosts on the reflector subnet respond to the target victim, thereby flooding the victim network and causing congestion that results in a denial of service (DoS).

Therefore, it is essential best practice to implement anti-spoofing mechanisms to prevent IP spoofing wherever feasible.

Anti-spoofing control measures should be implemented at every point in the network where practical, but they are usually most effective at the borders between large address blocks or between domains of network administration.

SPOOFING ATTACKS

There are a few variations on the types of attacks that successfully employ IP spoofing.
Although some are relatively dated, others are very pertinent to current security concerns.

NON-BLIND SPOOFING

This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance would be session hijacking.

This is accomplished by corrupting the data stream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using this technique, an attacker could effectively bypass any authentication measures taken to build the connection.

BLIND SPOOFING
This is a more sophisticated attack, because the sequence and acknowledgement numbers are
unreachable. In order to circumvent this, several packets are sent to the target machine in order
to sample sequence numbers.

While not the case today, machines in the past used basic techniques for generating sequence
numbers. It was relatively easy to discover the exact formula by studying packets and TCP
sessions. Today, most OSs implement random sequence number generation, making it difficult
to predict them accurately.

If, however, the sequence number was compromised, data could be sent to the target. Several
years ago, many machines used host-based authentication services (i.e. Rlogin). A properly
crafted attack could add the requisite data to a system (i.e. a new user account), blindly, enabling
full access for the attacker who was impersonating a trusted host.

MAN IN THE MIDDLE ATTACK

Both types of spoofing are forms of a common security violation known as a man in the middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties.

The malicious host then controls the flow of communication and can eliminate or alter the
information sent by one of the original participants without the knowledge of either the original
sender or the recipient.

In this way, an attacker can fool a victim into disclosing confidential information by “spoofing”
the identity of the original sender, who is presumably trusted by the recipient.


DENIAL OF SERVICE ATTACK

IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against – denial of service attacks, or DoS. Since crackers are concerned only with consuming bandwidth and resources, they need not worry about properly completing handshakes and transactions.

Rather, they wish to flood the victim with as many packets as possible in a short amount of time. In order to prolong the effectiveness of the attack, they spoof source IP addresses to make tracing and stopping the DoS as difficult as possible.

When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block the traffic.

4.2 LEGITIMATE USES

The use of packets with a false source IP address is not always evidence of malicious intent. For
example, in performance testing of websites, hundreds or even thousands of "vusers" (virtual
users) may be created, each executing a test script against the website under test, in order to
simulate what will happen when the system goes "live" and a large number of users log on at once.

Since each user will normally have its own IP address, commercial testing products (such as HP
LoadRunner, WebLOAD, and others) can use IP spoofing, allowing each user its own "return
address" as well.

4.2.1 ANTI-SPOOFING IN DDOS PROTECTION

As mentioned, IP address spoofing is commonly used to bypass basic security measures that rely on IP blacklisting—the blocking of addresses known to have been previously involved in an attack.

To overcome this, modern mitigation solutions rely on deep packet inspection (DPI), which uses granular analysis of all packet headers rather than just the source IP address. With DPI, mitigation solutions are able to cross-examine the content of different packet headers to uncover other metrics to identify and filter out malicious traffic.

For example, a mitigation service can employ DPI to observe a DDoS traffic stream and identify an influx of packets with suspiciously identical TTL and Total Length headers that don't match a normal pattern. By tracking such small abnormalities, the service can create a granular profile of an attacking packet and use it to weed out malicious traffic without impacting regular visitor flow.

The downside of DPI is that the process is very resource intensive. When performed at scale, such as during a DDoS attack, DPI is likely to cause performance degradation—sometimes even making the protected network almost completely unresponsive.

To overcome this, Imperva scrubbing is performed by purpose-built mitigation hardware (codename Behemoth) that runs DPI against ~100 million packets per second.

A cluster of Behemoth scrubbers mitigates a 470 Gbps DDoS attack—one of the largest on record.
Built from the ground up, every Behemoth scrubber provides granular visibility of all incoming
data, thus ensuring that attack traffic never enters your network. Meanwhile, your valid visitor
traffic flows through unimpeded.
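An added example (not from the report or from Imperva) of the profiling step described above, in Python: given sampled packet metadata, it looks for a TTL and Total Length pair shared by many packets that claim many different sources, and filters on that profile. The sample packets and the thresholds are constructed for the illustration.

```python
from collections import Counter

# Constructed sample of (src, ttl, total_len) as a mitigation device would
# record them: a few normal visitors plus a flood whose sources are
# randomised but whose TTL and Total Length never vary.
NORMAL = [
    ("203.0.113.10", 52, 1500), ("198.51.100.4", 118, 60),
    ("203.0.113.77", 64, 576), ("198.51.100.9", 117, 1500),
    ("203.0.113.10", 52, 40),
]
FLOOD = [("192.0.2.%d" % i, 245, 44) for i in range(1, 41)]
SAMPLE = NORMAL + FLOOD

# One busy legitimate client repeating a single header shape: not an attack.
BENIGN_BURST = NORMAL + [("203.0.113.10", 52, 1500)] * 40


def profile_flood(packets, min_share=0.5, min_sources=10):
    """Return the (ttl, total_len) pair to filter on, or None.

    A pair qualifies when it covers at least min_share of the sample AND
    those packets claim at least min_sources distinct sources. A single
    client may legitimately repeat one header shape; many unrelated
    sources sharing one exact TTL and length is the fingerprint of one
    tool randomising the source field."""
    if not packets:
        return None
    by_shape = Counter((ttl, tl) for _src, ttl, tl in packets)
    shape, count = by_shape.most_common(1)[0]
    sources = {src for src, ttl, tl in packets if (ttl, tl) == shape}
    if count / len(packets) >= min_share and len(sources) >= min_sources:
        return shape
    return None


def scrub(packets):
    """Drop packets matching the attack profile; keep the rest untouched."""
    shape = profile_flood(packets)
    if shape is None:
        return list(packets)
    return [p for p in packets if (p[1], p[2]) != shape]


if __name__ == "__main__":
    print("attack profile:", profile_flood(SAMPLE))
    print("kept after scrubbing:", len(scrub(SAMPLE)), "of", len(SAMPLE))
    print("benign burst profile:", profile_flood(BENIGN_BURST))
```

The second threshold is what keeps a legitimate heavy client from being profiled as an attack: it repeats one header shape, but from a single source.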

Services vulnerable to IP spoofing


Configuration and services that are vulnerable to IP spoofing:

- RPC (Remote Procedure Call) services.
- Any service that uses IP address authentication.
- The X Window System.
- The R services suite (rlogin, rsh, etc.).


4.2.2 Defense against spoofing attacks

Packet filtering is one defense against IP spoofing attacks. The gateway to a network usually performs ingress filtering, which is the blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker from spoofing the address of an internal machine. Ideally the gateway would also perform egress filtering on outgoing packets, which is the blocking of packets from inside the network with a source address that is not inside. This prevents an attacker within the filtering network from launching IP spoofing attacks against external machines.

It is also recommended to design network protocols and services so that they do not rely on the
source IP address for authentication.
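An added example (not from the report) of the ingress and egress decisions just described, in Python using the standard `ipaddress` module. The internal prefix 192.168.0.0/24, the martian list and the packet trace are constructed for the illustration; the trace reuses the report's addresses, with the forged 172.16.0.6 request originating from the workstation's own network.

```python
from ipaddress import ip_address, ip_network

# Constructed for the example: the address block behind the gateway.
INTERNAL = ip_network("192.168.0.0/24")

# Source ranges that must never arrive from the Internet side (RFC 1918
# private space, loopback, link-local and "this network"): the martians.
MARTIANS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def gateway_decision(direction, src, internal=INTERNAL, martians=MARTIANS):
    """Return (forward, reason) for a packet seen at the gateway.

    direction is "inbound" (arrived from the Internet) or "outbound"
    (arrived from the internal side); src is the packet's claimed source."""
    s = ip_address(src)
    if direction == "inbound":
        # Ingress filtering: an outside packet cannot legitimately carry
        # one of our own addresses, so it is forged.
        if s in internal:
            return False, "ingress: external packet claims an internal source"
        if any(s in m for m in martians):
            return False, "ingress: unroutable (martian) source"
        return True, "ingress: forwarded"
    if direction == "outbound":
        # Egress filtering: hosts inside may only speak with our addresses,
        # so spoofed packets from a compromised internal host never leave.
        if s not in internal:
            return False, "egress: internal packet claims a foreign source"
        return True, "egress: forwarded"
    raise ValueError("direction must be 'inbound' or 'outbound'")


# Constructed trace: (direction, source). The third entry is the report's
# spoofed request, which the egress rule stops before any reply can be
# misdirected to 172.16.0.6.
TRACE = [
    ("outbound", "192.168.0.5"),   # the workstation's real address
    ("inbound", "203.0.113.9"),    # an ordinary Internet client
    ("outbound", "172.16.0.6"),    # forged source from inside
    ("inbound", "192.168.0.7"),    # outsider pretending to be one of us
    ("inbound", "127.0.0.1"),      # never valid on the wire
]


def filter_trace(trace=TRACE):
    """Apply the gateway rules to every packet; returns [(src, forwarded, reason)]."""
    return [(src, *gateway_decision(d, src)) for d, src in trace]


if __name__ == "__main__":
    for src, ok, why in filter_trace():
        print("%14s  %s  %s" % (src, "PASS" if ok else "DROP", why))
```
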

Upper layers

Some upper layer protocols provide their own defense against IP spoofing attacks. For
example, Transmission Control Protocol (TCP) uses sequence numbers negotiated with the remote
machine to ensure that arriving packets are part of an established connection. Since the attacker
normally cannot see any reply packets, the sequence number must be guessed in order to hijack
the connection. The poor implementation in many older operating systems and network devices,
however, means that TCP sequence numbers can be predicted.
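An added example (not from the report) in Python of the check behind both the blind-spoofing discussion and this paragraph: given initial sequence numbers sampled from consecutive connections, it reports whether the generator advances by a constant stride, as older stacks did, or shows no consistent pattern. The two generators are constructed stand-ins for an old and a modern stack, not real TCP code.

```python
import random

MOD = 2 ** 32   # TCP sequence numbers are 32-bit and wrap


def isn_predictable(samples, tolerance=0):
    """Assess sampled TCP initial sequence numbers (ISNs).

    Returns (predictable, stride). If every difference between consecutive
    samples is the same (within tolerance, mod 2^32) the generator is a
    plain counter and the stack needs fixing; a randomised generator
    produces no consistent stride."""
    if len(samples) < 3:
        raise ValueError("need at least three consecutive samples")
    diffs = [(b - a) % MOD for a, b in zip(samples, samples[1:])]
    stride = diffs[0]
    if all(abs(d - stride) <= tolerance for d in diffs):
        return True, stride
    return False, None


def legacy_isn_generator(start=1_000_000, stride=64_000):
    """Constructed stand-in for an old stack: a counter stepped per connection."""
    isn = start
    while True:
        yield isn
        isn = (isn + stride) % MOD


def random_isn_generator(seed):
    """Constructed stand-in for a modern stack: unpredictable 32-bit ISNs."""
    rng = random.Random(seed)
    while True:
        yield rng.getrandbits(32)


def assess(generator, n=5):
    """Sample n consecutive ISNs from a generator and assess them."""
    return isn_predictable([next(generator) for _ in range(n)])


def assess_legacy():
    return assess(legacy_isn_generator())


def assess_random(seed=7):
    return assess(random_isn_generator(seed))


if __name__ == "__main__":
    print("legacy stack:", assess_legacy())   # counter with a fixed stride
    print("modern stack:", assess_random())   # no consistent stride
```
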


CHAPTER 5
ADVANTAGES AND DISADVANTAGES

5.1 ADVANTAGES

MULTIPLE SERVERS

Sometimes you want to change where packets heading into your network will go. Frequently
this is because you have only one IP address, but you want people to be able to get into the
boxes behind the one with the `real' IP address.

TRANSPARENT PROXYING

Sometimes you want to pretend that each packet which passes through your Linux box is destined
for a program on the Linux box itself.

This is used to make transparent proxies: a proxy is a program which stands between your network
and the outside world, shuffling communication between the two.

The transparent part is because your network won't even know it's talking to a proxy, unless of
course, the proxy doesn't work.


5.2 DISADVANTAGES

BLIND TO REPLIES

A drawback to IP source address spoofing is that reply packets will go back to the spoofed IP address rather than to the attacker.

This is fine for many types of attack packets. However, in a scanning attack, as we will see next, the attacker may need to see replies. In such cases, the attacker cannot use IP address spoofing.

SERIAL ATTACK PLATFORMS

However, the attacker can still maintain anonymity by taking over a chain of attack hosts. The attacker attacks the target victim using a point host, the last host in the attack chain.

Even if authorities learn the point host's identity, they might not be able to track the attack through the chain of attack hosts all the way back to the attacker's base host.


CHAPTER 6

6.1 CONCLUSION

IP spoofing is less of a threat today due to the patches to the Unix operating system and the widespread use of random sequence numbering.

Many security experts are predicting a shift from IP spoofing attacks to application-related spoofing, in which hackers can exploit a weakness in a particular service to send information under false identities.

As security professionals, we must remain current with the operating systems that we use in our day-to-day activities. A steady stream of changes and new challenges is assured as the hacker community continues to seek out vulnerabilities and weaknesses in our systems and our networks.


6.2 FUTURE SCOPE

If the suggestions given in my paper are implemented in practice, there is a good chance of freeing our Internet from IP-spoofed attacks, and also a chance to explore my idea in the future to enhance security in the field of the Internet and networks too.


6.3 REFERENCES

Tanase, Matthew (March 10, 2003). "IP Spoofing: An Introduction". Symantec. Retrieved September 25, 2015.