
IP Spoofing

Submitted by: Deepak Kumar Saini (411061)
Submitted to: Mr. Rajinder Kumar (Asst. Professor)

Contents
- History
- Introduction
- Spoofing attacks
- Mitnick attack
- Session hijack
- DoS and DDoS attacks
- Mechanism of the attacks
- Methods to prevent spoofing attacks
- Conclusion

Brief History
S. M. Bellovin of AT&T Bell Labs was among the first to identify IP spoofing as a real risk to computer networks, in his 1989 paper on security problems in the TCP/IP protocol suite.

On December 25, 1994, Kevin Mitnick broke into a diskless workstation. The attack exploited the trust relationship between the diskless terminal and its login server.

IP Spoofing
IP spoofing is a technique used to gain unauthorized access to computers.
- IP: Internet Protocol
- Spoofing: using somebody else's identity
It exploits trust relationships: the intruder sends messages to a computer with the IP address of a host that the computer trusts.

IP Spoofing: Basic Overview
Basically, IP spoofing is lying about an IP address. Usually it is the source address that is forged. Lying about the source address lets an attacker assume a new identity.

Cont.
Since the source address is not the attacker's own address, any replies generated by the destination will not be sent to the attacker. The attacker must therefore have an alternate way to see the traffic or to predict the responses. To maintain a connection, the attacker must still adhere to the protocol's requirements (for TCP, the correct sequence and acknowledgement numbers).

IP Spoofing Attacks
- Non-blind spoofing
- Blind spoofing
- Routing redirect
- Source routing attack
- Man in the middle
- Flooding / smurfing

Spoofing Attacks
Non-blind spoofing: this type of attack takes place when the attacker is on the same subnet as the victim, so the sequence and acknowledgement numbers can be sniffed directly.
Blind spoofing: this is a more sophisticated attack, because the sequence and acknowledgement numbers cannot be observed; the attacker has to predict them.
[Diagram: Host A and Host B, joined through gateways, share a trust relationship; Host C, elsewhere, blind-spoofs Host B's address toward Host A.]

Cont.
Routing redirect: redirects routing information so that traffic for the original host is delivered to the attacker's host.
Source routing: the attacker uses the IP source-routing option so that individual packets, and the replies to them, are routed through the attacker's host.
[Diagram (Source Routing Attack): A sends to B across the Internet via a router, with a forged IP address and a source route naming the attacker; B's replies to A travel back through the attacker.]

Cont.
Man in the middle: the attacker packet-sniffs on the link between the two endpoints, and can therefore pretend to be either end of the connection.
[Diagram (Man in the Middle Attack): Host A and Host C connected through gateways; the attacker controls one of the gateways on the path.]

IP Spoofing: The Reset
[Diagram: three parties, the Attacker, the Victim (whose address is forged) and the Source (the host being contacted).]
1. Attacker to Source: SYN, with the Victim's address as source ("Let's have a conversation").
2. Source to Victim: SYN-ACK ("What do you want to talk about?"). The reply goes to the real owner of the address, not to the attacker.
3. Victim to Source: RESET ("I have no idea why you are talking to me"), because it never sent a SYN.
4. No connection. For the spoofed handshake to survive, the attacker first needs to take the Victim out of the picture (for example by flooding it so it cannot answer).

Mitnick Attack
[Diagram: Kevin Mitnick, the Workstation (diskless terminal) and the Server it trusts.]
1. Mitnick flooded the server's login port so it could no longer respond.
2. Mitnick probed the workstation to determine the behaviour of its TCP sequence number generator.
3. Mitnick discovered that the initial sequence number was incremented by 128000 for each new connection.
4. Mitnick forged a SYN from the server to the terminal.
5. The terminal responded with a SYN-ACK to the server, which was ignored by the flooded port (and was not visible to Mitnick).
6. Mitnick faked the ACK using the predicted TCP sequence number.
7. Mitnick now had a one-way communication channel to the terminal, trusted as if it were the server.

IP Spoofing - Session Hijack
IP spoofing used to take control of an existing session. The attacker is normally within the LAN or on the communication path between server and client, and can see traffic from both the server and the client.

Session Hijack
1. Eve assumes a man-in-the-middle position through some mechanism, for example ARP poisoning, social engineering or router hacking.
2. Eve can monitor traffic between Source and Victim without altering the packets or sequence numbers.
3. At any point, Eve can assume the identity of either Victim or Source through the spoofed IP address. This breaks the pseudo-connection, as Eve will start modifying the sequence numbers.
[Diagram: Source, Attacker and Victim in a line; the attacker claims "I'm Victim!" toward Source and "I'm Source!" toward Victim.]

IP Spoofing: DoS/DDoS
Denial of Service (DoS) and Distributed Denial of Service (DDoS) are attacks aimed at preventing clients from accessing a service. IP spoofing can be used to create DoS attacks.

DoS Attack
[Diagram: the Attacker sends a flood of requests with fake source IPs across the Internet to the Server, while legitimate users send their service requests at the same time. Server queue full, legitimate requests get dropped.]

DoS Attack
The attacker spoofs a large number of requests from various IP addresses to fill a service's queue. With the service's queue filled, legitimate users cannot use the service.

DDoS Attack
[Diagram: the Attacker, a Server that has already been DoS'd, and several Target Servers, with the SYNs and SYN-ACKs exchanged between them.]
1. The attacker makes a large number of SYN connection requests to the target servers, using the source address of a server that has already been DoS'd.
2. The target servers send SYN-ACKs to the spoofed server, which cannot respond because it is already DoS'd. Their queues quickly fill, because each connection request goes through several SYN-ACK retransmissions before it times out.
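The queue exhaustion described in the DoS and DDoS slides above, as an added example that is not part of the original presentation: a small discrete-time simulation of a server's half-open connection queue under spoofed SYNs. The backlog size, the SYN-ACK retransmission budget, the tick timing and the addresses are assumptions chosen for illustration.

```python
"""Added example, not code from the slides: discrete-time model of the SYN
flood in the DoS/DDoS slides above. Constructed scenario: the server keeps a
fixed-size backlog of half-open connections; an entry stays until the peer's
ACK arrives or the server has retransmitted its SYN-ACK `retries` times with
no answer. Spoofed SYNs name a source that never answers (an unrouted address,
or the already-DoS'd server of the DDoS slide), so those entries leave only on
timeout. Backlog size, retry budget, tick timing and addresses are assumed."""

BACKLOG = 128
SYN_ACK_RETRIES = 5      # SYN-ACK retransmissions before a half-open entry is dropped
RETRY_TIMEOUT = 3        # ticks between retransmissions


class Server:
    def __init__(self, backlog=BACKLOG, retries=SYN_ACK_RETRIES):
        self.backlog, self.lifetime = backlog, retries * RETRY_TIMEOUT
        self.half_open = {}           # (src, sport) -> tick at which the entry times out
        self.established = 0
        self.refused = 0              # SYNs dropped because the backlog was full

    def expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def on_syn(self, src, sport, now):
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return False
        self.half_open[(src, sport)] = now + self.lifetime   # SYN-ACK sent, waiting for ACK
        return True

    def on_ack(self, src, sport):
        if self.half_open.pop((src, sport), None) is None:
            return False              # no matching half-open entry
        self.established += 1
        return True


def simulate(ticks, attacker_syns_per_tick, backlog=BACKLOG, retries=SYN_ACK_RETRIES):
    """One legitimate SYN per tick, acknowledged on the following tick, against
    attacker_syns_per_tick forged SYNs per tick that are never acknowledged."""
    srv = Server(backlog, retries)
    forged = legit_refused = 0
    pending = []                      # legitimate handshakes awaiting their ACK
    for now in range(ticks):
        srv.expire(now)
        for key in pending:
            srv.on_ack(*key)
        pending = []
        for _ in range(attacker_syns_per_tick):
            forged += 1               # distinct forged (src, port) pairs, so nothing collides
            srv.on_syn(f"203.0.113.{forged % 256}", 1024 + forged % 64512, now)
        key = ("198.51.100.7", 1024 + now)
        if srv.on_syn(*key, now):
            pending.append(key)
        else:
            legit_refused += 1
    return {"legit_completed": srv.established, "legit_refused": legit_refused,
            "half_open_at_end": len(srv.half_open)}


if __name__ == "__main__":
    for args in ((60, 0), (60, 20), (60, 20, BACKLOG, 1)):
        print(args, simulate(*args))
```

With the defaults, `simulate(60, 20)` fills the 128-entry backlog within a few ticks and every later legitimate SYN is refused, while the same flood against a server that gives up after a single SYN-ACK retransmission (`retries=1`) never fills the queue. The attacker's effective rate is multiplied by how long each unanswered entry is kept, which is why the slide's remark that each request goes through several SYN-ACKs before timing out is the heart of the attack.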

Mechanism of the attack
1. The attacker selects a host (the target/victim).
2. Trust relationships are reviewed: identify a host that has a trust relationship with the target host.
3. The trusted host is disabled (for example, flooded so that it cannot answer).
4. The target's TCP sequence numbers are sampled.
5. The trusted host is impersonated, using the predicted sequence numbers.
6. An address-based authentication connection is attempted.
7. A successful connection is made.
8. The attacker executes a simple command and leaves a backdoor.
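The sequence of steps in the Mitnick slide and in the mechanism above, as an added example (not code from the original presentation): a Python model of the trusted workstation, the ISN probing, and the forged packets. The addresses, ports, ISN seed and backdoor command are assumptions; the workstation's ISN generator is assumed to advance by exactly 128000 per connection, as the slide states; and the IPv4/TCP packets are built as real byte strings with valid checksums but are handed between Python objects rather than sent on the wire. Calling it with `server_flooded=False` reproduces the Reset slide: the live server answers the unexpected SYN-ACK with a RST and the spoofed handshake fails.

```python
"""Added example (not code from the original slides): a model of the trust
exploitation in the Mitnick slide and in "Mechanism of the attack" above.
Constructed: addresses, ports and the backdoor command are made up; the
workstation's ISN generator is assumed to advance by a fixed step per
connection (the slides give 128000); packets are real IPv4/TCP byte strings
with valid checksums, handed between Python objects, never sent."""
import socket
import struct

ISN_STEP = 128_000            # per-connection ISN increment from the slides
MOD = 1 << 32
SYN, RST, ACK = 0x02, 0x04, 0x10
LOGIN_PORT = 513              # rlogin: trust by source address (assumption)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """IPv4 + TCP segment. The source field holds whatever we put there:
    forging it is the whole of IP spoofing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_packet(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(pkt) - ihl)
    return dict(src=socket.inet_ntoa(pkt[12:16]), dst=socket.inet_ntoa(pkt[16:20]),
                sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
                payload=pkt[ihl + (off >> 4) * 4:],
                checksums_ok=inet_checksum(pkt[:ihl]) == 0 and inet_checksum(pseudo + pkt[ihl:]) == 0)


class Workstation:
    """The diskless terminal: trusts the server purely by source address, and
    has the predictable ISN generator the slides describe."""
    def __init__(self, ip, trusted_server_ip, isn_seed=1000):
        self.ip, self.trusted, self.isn = ip, trusted_server_ip, isn_seed
        self.half_open = {}       # (peer_ip, peer_port) -> ISN sent in our SYN-ACK
        self.executed = []        # commands accepted from the "trusted" peer

    def receive(self, pkt):
        p = parse_packet(pkt)
        if not p["checksums_ok"]:
            return None
        key = (p["src"], p["sport"])
        if p["flags"] == SYN:
            self.isn = (self.isn + ISN_STEP) % MOD
            self.half_open[key] = self.isn
            return build_packet(self.ip, p["src"], p["dport"], p["sport"],
                                self.isn, (p["seq"] + 1) % MOD, SYN | ACK)
        if p["flags"] == RST:                        # peer says it never asked for this
            self.half_open.pop(key, None)
            return None
        if p["flags"] == ACK and key in self.half_open:
            if p["ack"] != (self.half_open.pop(key) + 1) % MOD:
                return None                          # wrong guess: handshake fails
            if p["src"] == self.trusted and p["payload"]:
                self.executed.append(p["payload"].decode())   # simplification: command rides on the ACK
            return "ESTABLISHED"
        return None


def probe_isn_step(ws, attacker_ip, probes=3):
    """Steps 2-3: connect from our own address a few times. These SYN-ACKs do
    reach us, so we can read each ISN and measure the increment."""
    isns = [parse_packet(ws.receive(build_packet(attacker_ip, ws.ip, 40000 + i, LOGIN_PORT, 1, 0, SYN)))["seq"]
            for i in range(probes)]
    steps = {(b - a) % MOD for a, b in zip(isns, isns[1:])}
    if len(steps) != 1:
        raise RuntimeError("ISN generator is not linear; blind spoofing needs another approach")
    return isns[-1], steps.pop()


def impersonate_trusted_host(ws, attacker_ip, server_ip, command, server_flooded=True):
    last_isn, step = probe_isn_step(ws, attacker_ip)
    # Step 4: SYN carrying the trusted server's address. The SYN-ACK the workstation
    # emits is addressed to the server, not to us, so its seq field is never read here.
    unseen_synack = ws.receive(build_packet(server_ip, ws.ip, 1023, LOGIN_PORT, 0xDEAD, 0, SYN))
    if not server_flooded:
        # Step 1 skipped: the live server answers the unexpected SYN-ACK with a RST
        # (the "Reset" slide), and the workstation forgets the half-open entry.
        ws.receive(build_packet(server_ip, ws.ip, 1023, LOGIN_PORT, parse_packet(unseen_synack)["ack"], 0, RST))
    # Step 6: ACK the SYN-ACK we never saw, with the predicted ISN + 1.
    predicted = (last_isn + step) % MOD
    return ws.receive(build_packet(server_ip, ws.ip, 1023, LOGIN_PORT, 0xDEAD + 1, (predicted + 1) % MOD, ACK, command))
```

The only field the attacker ever forges is the IP source address; everything else (checksums, ports, flags) must be exactly right or the workstation discards the segment, which is what the slide means by having to adhere to protocol requirements. The command `echo + + >> .rhosts` used in the test is the classic rhosts backdoor and stands in for the "simple command" of step 8.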

METHODS TO PREVENT IP SPOOFING ATTACKS

Packet filtering:
The router that connects a network to another network is known as a border router. One way to mitigate the threat of IP spoofing is to inspect packets as they enter and leave a network, looking for invalid source IP addresses: an inbound packet claiming a source inside the network, or an outbound packet whose source is not inside it, is discarded (ingress and egress filtering, standardised as BCP 38 / RFC 2827). If this kind of filtering were performed on all border routers, IP address spoofing would be greatly reduced.

Cont.
Filtering at the router: if your site has a direct connection to the Internet, you can use your router to help you. First make sure that only hosts on your internal LAN can participate in trust relationships (no internal host should trust a host outside the LAN). Then simply filter out all traffic from the outside (the Internet) that purports to come from the inside (the LAN).
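The border-router rules from the two prevention slides, as an added example that is not from the original presentation: an ingress/egress source-address filter in Python, run over a constructed list of flow records. The site prefix 198.51.100.0/24, the sample addresses and the rule names are assumptions.

```python
"""Added example, not code from the slides: the border-router anti-spoofing
filter the prevention slides describe, applied to constructed flow records.
The site prefix, the sample addresses and the rule names are assumptions.
Direction is relative to the protected site."""
import ipaddress

SITE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]   # assumed public site prefix

# Sources that can never legitimately arrive from the Internet: "this network",
# RFC 1918 private space, loopback, link-local, multicast and reserved space.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_site_address(addr):
    return any(addr in net for net in SITE_PREFIXES)


def filter_source(direction, src):
    """Return (verdict, rule). 'in' = arriving from the Internet, 'out' = leaving the site."""
    addr = ipaddress.ip_address(src)
    if direction == "in":
        if is_site_address(addr):
            return "drop", "spoofed-internal"      # outside packet claiming to be one of ours
        if any(addr in net for net in BOGON_SOURCES):
            return "drop", "bogon-source"
        return "accept", "ok"
    if direction == "out":
        if not is_site_address(addr):
            return "drop", "egress-not-ours"       # our host forging someone else's address
        return "accept", "ok"
    raise ValueError(f"unknown direction {direction!r}")


def apply_filter(records):
    """records: iterable of (direction, src, dst) tuples, e.g. from a flow log."""
    return [(d, s, t) + filter_source(d, s) for d, s, t in records]


SAMPLE_RECORDS = [   # constructed, not captured traffic
    ("in", "203.0.113.5", "198.51.100.20"),
    ("in", "198.51.100.9", "198.51.100.20"),
    ("in", "10.1.2.3", "198.51.100.20"),
    ("in", "127.0.0.1", "198.51.100.20"),
    ("out", "198.51.100.9", "203.0.113.5"),
    ("out", "203.0.113.77", "203.0.113.5"),
]

if __name__ == "__main__":
    for row in apply_filter(SAMPLE_RECORDS):
        print(*row)
```

The inbound rule is the one the slide spells out (drop outside packets that purport to come from inside); the outbound rule is its mirror image and is what stops hosts on your own LAN from being used to spoof someone else. A single border router can only reject sources that are provably wrong for the interface they arrive on: a packet from the Internet carrying a plausible external address passes, which is why the slide says spoofing would be greatly reduced, not eliminated, even if every border router filtered.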

Conclusion
IP spoofing is an exploitation of trust-based relationships and can be curbed effectively if proper measures are used.

Many security experts predict a shift from IP spoofing attacks to application-level spoofing, in which attackers exploit a weakness in a particular service to send and receive information under false identities.

Queries?
