
IP Spoofing

Sometimes on the internet, a girl named Alice is really a man named Yves
Sources
 General Information:
 http://en.wikipedia.org/wiki/Ip_spoofing
 http://www.securityfocus.com/infocus/1674
 http://tarpit.rmc.ca/knight/EE579index.htm (See ppts on subject)
 Mitnick Attack Sequence:
 http://www.gulker.com/ra/hack/tsattack.html
 Session Hijack Sequence:
 http://tarpit.rmc.ca/knight/EEE466Lectures/DA14/14%20-%20Security%20I.ppt
 DoS and DDoS attacks:
 http://tarpit.rmc.ca/knight/EEE466Lectures/DA14/14%20-%20Security%20I.ppt
 Conversation with Todd ‘Hot Toddy’ Jackson
 Phrack Article:
 http://www.phrack.org/issues.html?issue=64&id=15#article
Overview
 TCP/IP – in brief
 IP Spoofing
 Basic overview
 Examples
 Mitnick Attack
 Session Hijack
 DoS/DDoS Attack
 Defending Against the Threat
 Continuous Evolution
 Conclusion
TCP/IP in 3 minutes or less
 In general use, the term describes the architecture upon which the Interweb is built.
 TCP and IP are specific protocols within that architecture.
TCP/IP in 3 minutes or less
Diagram: the protocol stack, top to bottom.
 Application
 Transport – TCP
 Interweb – IP
 Network Access
 Physical
TCP/IP in 3 minutes or less
 IP is the internet layer protocol.
 Does not guarantee delivery or
ordering, only does its best to move
packets from a source address to a
destination address.
 IP addresses are used to express the
source and destination.
 IP assumes that each address is
unique within the network.
TCP/IP in 3 minutes or less
 TCP is the transport layer protocol.
 It guarantees delivery and ordering,
but relies upon IP to move packets to
proper destination.
 Port numbers are used to express
source and destination.
 Destination Port is assumed to be
awaiting packets of data.
TCP/IP in 3 minutes or less
Diagram: a client using Mozilla talks to some web server; each layer on the client side has a matching layer on the server side.
 Application: HTTP – GET
 Transport: TCP – Port 80
 Interweb: IP – 10.24.1.1
 Network Access: MAC – 00:11:22:33:44:55
 Physical: 1101001001110100110100110101 (raw bits)
Callout: But what happens if someone is lying??
IP Spoofing – Basic Overview
 Basically, IP spoofing is lying about an
IP address.
 Normally, the source address is
incorrect.
 Lying about the source address lets
an attacker assume a new identity.
IP Spoofing – Basic Overview
 Because the source address is not the
same as the attacker’s address, any
replies generated by the destination
will not be sent to the attacker.
 Attacker must have an alternate way
to spy on traffic/predict responses.
 To maintain a connection, the attacker must adhere to protocol requirements.
IP Spoofing – Basic Overview
 Difficulties for attacker:
 TCP sequence numbers
 One way communication
 Adherence to protocols for other layers
IP Spoofing – The Reset
Diagram: Sucker - Alice, Victim - Bob, Attacker - Eve.
1. SYN (Eve to Bob, carrying Alice’s address) – Let’s have a conversation
2. SYN ACK (Bob to Alice) – Sure, what do you want to talk about?
3. RESET (Alice to Bob) – Umm.. I have no idea why you are talking to me
4. No connection (Eve) – Guess I need to take Bob out of the picture…
IP Spoofing – Mitnick Attack
 Merry X-mas! Mitnick hacks a diskless workstation on December 25th, 1994
 The victim – Tsutomu Shimomura
 The attack – IP spoofing and abuse of trust relationships between a diskless terminal and login server.
Mitnick Attack
Diagram: Workstation, Server, Kevin Mitnick.
1. Mitnick floods the server’s login port so it can no longer respond
2. Probes the Workstation to determine the behaviour of its TCP sequence number generator
3. Mitnick discovers that the TCP sequence number is incremented by 128000 for each new connection
4. Forges a SYN from the server to the terminal
5. Terminal responds with an ACK, which is ignored by the flooded port (and not visible to Mitnick)
6. Mitnick fakes an ACK using the proper TCP sequence number
7. Mitnick has now established a one way communications channel
Mitnick Attack – Why it worked
 Mitnick abused the trust relationship between the server and workstation
 He flooded the server to prevent communication between it and the workstation
 Used math skillz to determine the TCP sequence number algorithm (i.e. add 128000)
 This allowed Mitnick to open a connection without seeing the workstation’s outgoing sequence numbers and without the server interrupting his attack
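As an added illustration of why the ‘add 128000’ generator was fatal and why its replacements are not, here is a small Python model written for this page (it is not Mitnick’s tooling, Shimomura’s analysis, or any real TCP stack). It pairs the constant-increment generator the slides describe with an RFC 6528 style generator that hashes the connection 4-tuple under a per-boot secret; the addresses, ports, secret and starting value are constructed for the demo, and HMAC-SHA256 truncated to 32 bits stands in for the MD5 that RFC 6528 suggests.

```python
import hashlib
import hmac
import ipaddress
import struct

ISN_MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


class LegacyISNGenerator:
    """Models the generator the slides describe: every new connection is
    handed an initial sequence number exactly 128000 above the previous one."""

    def __init__(self, start=0):
        self.current = start % ISN_MOD

    def next_isn(self):
        self.current = (self.current + 128000) % ISN_MOD
        return self.current


def predict_next_isn(observed_isn):
    """With a constant increment, one ISN seen on a probe connection is enough
    to know what the very next connection will be assigned."""
    return (observed_isn + 128000) % ISN_MOD


def blind_prediction_succeeds(observed_isn, actual_next_isn):
    """Does the constant-increment guess hit the ISN the server really chose?"""
    return predict_next_isn(observed_isn) == actual_next_isn


def rfc6528_isn(secret, local_ip, local_port, remote_ip, remote_port, clock_us):
    """RFC 6528 style generator (assumed here as the modern replacement; it is
    not described on the slides):
        ISN = M + F(localip, localport, remoteip, remoteport, secretkey) mod 2^32
    where M is a timer that ticks every 4 microseconds and F is a keyed hash of
    the connection 4-tuple. RFC 6528 suggests MD5 for F; HMAC-SHA256 truncated
    to 32 bits is used here."""
    m = (clock_us // 4) % ISN_MOD
    four_tuple = struct.pack(
        "!4sH4sH",
        ipaddress.IPv4Address(local_ip).packed, local_port,
        ipaddress.IPv4Address(remote_ip).packed, remote_port,
    )
    f = int.from_bytes(hmac.new(secret, four_tuple, hashlib.sha256).digest()[:4], "big")
    return (m + f) % ISN_MOD


if __name__ == "__main__":
    legacy = LegacyISNGenerator(start=1_000_000)   # constructed starting value
    seen = legacy.next_isn()      # the value learned from a probe connection
    actual = legacy.next_isn()    # what the next connection really gets
    print("legacy:  guessed", predict_next_isn(seen), "actual", actual,
          "->", blind_prediction_succeeds(seen, actual))

    secret = b"constructed-per-boot-secret"   # constructed; a real host draws this at boot
    seen = rfc6528_isn(secret, "10.0.0.2", 513, "10.0.0.1", 1023, clock_us=0)
    actual = rfc6528_isn(secret, "10.0.0.2", 513, "10.0.0.1", 1024, clock_us=4_000)
    print("rfc6528: guessed", predict_next_isn(seen), "actual", actual,
          "->", blind_prediction_succeeds(seen, actual))
```

The legacy guess lands exactly on the next ISN, which is the whole of step 3 on the diagram. With the keyed hash, consecutive connections share nothing an observer can extrapolate from, so a blind attacker is left guessing across the full 32-bit space for every attempt; that, together with the ingress filtering discussed later, is what moved this attack from routine to impractical.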
IP Spoofing - Session Hijack
 IP spoofing used to eavesdrop/take
control of a session.
 Attacker normally within a LAN/on the
communication path between server
and client.
 Not blind, since the attacker can see
traffic from both server and client.
Session Hijack
Diagram: Alice and Bob are talking; Eve sits between them, telling Alice “I’m Bob!” and Bob “I’m Alice!”.
1. Eve assumes a man-in-the-middle position through some mechanism. For example, Eve could use ARP poisoning, social engineering, router hacking etc...
2. Eve can monitor traffic between Alice and Bob without altering the packets or the sequence numbers.
3. At any point, Eve can assume the identity of either Bob or Alice through the spoofed IP address. This breaks the pseudo connection, as Eve will start modifying the sequence numbers.
IP Spoofing – DoS/DDoS
 Denial of Service (DoS) and
Distributed Denial of Service (DDoS)
are attacks aimed at preventing
clients from accessing a service.
 IP Spoofing can be used to create
DoS attacks
DoS Attack
Diagram: the Attacker sends a flood of requests with fake IPs across the Interweb to the Server, while Legitimate Users send their own service requests to it. The server queue is full, so legitimate requests get dropped.
DoS Attack
 The attacker spoofs a large number of requests from various IP addresses to fill a service’s queue.
 With the service’s queue filled, legitimate users cannot use the service.
DDoS Attack
Diagram: Attacker; a Server that is already DoS’d (queue full); the Target Servers. SYNs flow from the attacker across the Interweb to the target servers; SYN ACKs flow from the target servers to the DoS’d server.
1. Attacker makes a large number of SYN connection requests to target servers on behalf of a DoS’d server
2. Servers send SYN ACK to the spoofed server, which cannot respond as it is already DoS’d. Queues quickly fill, as each connection request will have to go through a process of sending several SYN ACKs before it times out
DDoS Attack
 Many other types of DDoS are
possible.
 DoS becomes more dangerous if
spread to multiple computers.
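To make the queue-filling mechanics of the two DoS diagrams concrete, here is an added Python model written for this page (it is not from the slides or from any real kernel). It compares a classic listener, whose fixed half-open queue is exhausted by SYNs from spoofed sources that never complete the handshake, with a SYN cookie listener, assumed here as the standard mitigation, which keeps no per-SYN state and instead encodes a keyed hash of the client’s address and port in the ISN it sends back. The backlog size, secret, time counter, the 203.0.113.0/24 fake sources and the 192.0.2.10 honest client are all constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

SEQ_MASK = 0xFFFFFFFF


class StatefulListener:
    """The listener the queue diagram assumes: every SYN takes a slot in a
    fixed-size half-open queue until the handshake completes. A SYN sent from a
    spoofed address is never completed, so its slot is freed only by a timeout."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}      # (src, sport) -> ISN we put in the SYN ACK
        self.next_isn = 1000     # constructed; not a real ISN policy

    def on_syn(self, src, sport):
        """Return the ISN sent in the SYN ACK, or None if the queue is full and the SYN is dropped."""
        if len(self.half_open) >= self.backlog:
            return None
        isn = self.next_isn
        self.next_isn = (self.next_isn + 1) & SEQ_MASK
        self.half_open[(src, sport)] = isn
        return isn

    def on_ack(self, src, sport, ack):
        isn = self.half_open.get((src, sport))
        if isn is None or ack != (isn + 1) & SEQ_MASK:
            return "rejected"
        del self.half_open[(src, sport)]
        return "established"


class SynCookieListener:
    """SYN cookie listener (assumed here as the mitigation; not on the slides).
    No state is kept per SYN: the ISN in the SYN ACK is a keyed hash of the client
    address and port plus a coarse time counter. Only a client that really received
    the SYN ACK can echo ISN+1, so spoofed SYNs cost the server nothing but the reply."""

    def __init__(self, secret, now_minutes=0):
        self.secret = secret
        self.now = now_minutes

    def cookie(self, src, sport, counter):
        counter &= 0xFF
        data = struct.pack("!4sHB", ipaddress.IPv4Address(src).packed, sport, counter)
        digest = hmac.new(self.secret, data, hashlib.sha256).digest()
        # high 8 bits: time counter, low 24 bits: truncated keyed hash
        return (counter << 24) | int.from_bytes(digest[:3], "big")

    def on_syn(self, src, sport):
        return self.cookie(src, sport, self.now)     # nothing stored

    def on_ack(self, src, sport, ack):
        isn = (ack - 1) & SEQ_MASK
        counter = isn >> 24
        if (self.now - counter) % 256 > 1:           # cookie too old (or from the future)
            return "rejected"
        if isn != self.cookie(src, sport, counter):
            return "rejected"
        return "established"


def legit_client_outcome(listener, n_spoofed):
    """Send n_spoofed SYNs from constructed fake sources that never answer, then let
    one honest client (192.0.2.10, constructed) attempt a full handshake."""
    for i in range(n_spoofed):
        fake_src = str(ipaddress.IPv4Address("203.0.113.0") + (i % 256))
        listener.on_syn(fake_src, 40000 + i)   # the SYN ACK goes to a host that never replies
    isn = listener.on_syn("192.0.2.10", 51515)
    if isn is None:
        return "dropped"
    return listener.on_ack("192.0.2.10", 51515, (isn + 1) & SEQ_MASK)


if __name__ == "__main__":
    print("stateful, 200 spoofed SYNs:", legit_client_outcome(StatefulListener(backlog=128), 200))
    print("cookies,  200 spoofed SYNs:", legit_client_outcome(SynCookieListener(b"constructed-secret"), 200))
```

The stateful listener reports the honest client as dropped once the backlog is full, exactly the “server queue full, legitimate requests get dropped” box on the diagram; the cookie listener has no queue to fill, so the honest client still completes its handshake, and a stale or mismatched ACK is rejected without any lookup.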
IP Spoofing – Defending
 IP spoofing can be defended against in a number of
ways:
 As mentioned, other protocols in the architectural model may reveal spoofing.
 TCP sequence numbers are often used in this manner.
 New generators for sequence numbers are a lot more complicated than ‘add 128000’.
 This makes it difficult to guess proper sequence numbers if the attacker is blind.
 “Smart” routers can detect IP addresses that are outside their domain.
 “Smart” servers can block IP ranges that appear to be conducting a DoS.
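The “smart router” defence is, in practice, ingress filtering of source addresses (BCP 38), and the IP header slide at the end of the deck gives the field layout it operates on. The following Python is an added example for this page, not the deck’s or any router vendor’s code: it parses and checksums a 20-byte IPv4 header, then applies the prefix check under which a packet is forwarded only if its source address belongs to a prefix known to sit behind the interface it arrived on. The 192.0.2.0/24 customer prefix, the sample addresses and the `ingress_filter` name are constructed for the demo.

```python
import ipaddress
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"   # the 20-byte fixed header from the IP header slide


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words, as used in the Header Checksum field.
    Run over a header that already carries its checksum, it returns 0 when intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len=0, proto=6, ttl=64, ident=0):
    """Construct a sample header for exercising the filter. Source Address is just a
    field the sender fills in; nothing in the format proves the packet came from there."""
    fields = struct.pack(IPV4_HEADER, (4 << 4) | 5, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def parse_ipv4_header(packet):
    """Decode the fields named on the IP header slide; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("short packet")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HEADER, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {
        "ihl": ihl, "tos": tos, "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
    }


def ingress_filter(packet, prefixes_behind_interface):
    """BCP 38 style ingress check (assumed as the concrete form of the slide's 'smart router'):
    forward a packet only if its source address belongs to a prefix known to sit behind the
    interface it arrived on; anything else, including unparsable headers, is dropped."""
    try:
        header = parse_ipv4_header(packet)
    except ValueError:
        return "drop"
    src = ipaddress.IPv4Address(header["src"])
    return "accept" if any(src in net for net in prefixes_behind_interface) else "drop"


if __name__ == "__main__":
    customer = [ipaddress.ip_network("192.0.2.0/24")]   # constructed: the prefix assigned to this port
    honest = build_ipv4_header("192.0.2.10", "198.51.100.1", payload_len=20)
    spoofed = build_ipv4_header("203.0.113.7", "198.51.100.1", payload_len=20)   # source not behind this port
    print(parse_ipv4_header(honest))
    print("honest:", ingress_filter(honest, customer), " spoofed:", ingress_filter(spoofed, customer))
```

Applied at the customer-facing edge, the check drops the spoofed packet before it ever reaches the Interweb, which is why the DoS traffic on the earlier diagrams is far harder to launch from a network that filters this way; the checksum only protects against corruption and says nothing about who wrote the source field, which is the point the slides make.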
IP Spoofing continues to evolve
 IP spoofing is still possible today, but
has to evolve in the face of growing
security.
 New issue of Phrack includes a
method of using IP spoofing to
perform remote scans and determine
TCP sequence numbers
 This allows a session hijack attack even if the attacker is blind.
Conclusion
 IP Spoofing is an old school Hacker
trick that continues to evolve.
 Can be used for a wide variety of
purposes.
 Will continue to represent a threat as
long as each layer continues to trust
each other and people are willing to
subvert that trust.
Questions?
Backup diagram pieces: the five-layer stack (Application, Transport, Interweb, Network Access, Physical) drawn for two hosts, and the Sucker - Alice / Victim - Bob / Attacker - Eve layout, with and without the Interweb between them.
Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt

IP header (bit positions 0, 16 and 31 mark the 32-bit word layout)
Word 1: Version | IHL | Type of Service | Total Length
Word 2: Identification | Flags | Fragment Offset
Word 3: Time to Live | Protocol | Header Checksum
Word 4: Source Address
Word 5: Destination Address
Word 6 onwards: Options and Padding
Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt

TCP header (bit positions 0, 16 and 31 mark the 32-bit word layout)
Word 1: Source Port | Destination Port
Word 2: Sequence Number
Word 3: Acknowledgement Number
Word 4: Data Offset | Reserved | Flags | Window
Word 5: Checksum | Urgent Pointer
Word 6 onwards: Options and Padding
TCP Sequence Numbers
Diagram: Client (Start SEQ - 1892) and Server (Start SEQ - 15562).
1. Client transmits 50 bytes: SEQ – 1892, ACK – 15562, Size - 50
2. Server transmits 20 bytes: SEQ – 15562, ACK – 1942, Size - 25
3. Client ACKs, sends no data: SEQ – 1942, ACK – 15587, Size - 0
End SEQ - 1942 (Client), End SEQ - 15587 (Server)
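The exchange on the slide, replayed as an added Python example written for this page (not from the slides): each side advances SEQ by the payload size it sent and sets ACK to the next byte it expects, and a receiver accepts a segment only if its SEQ falls inside the receive window. The server’s segment uses the Size 25 from the packet fields, the 65535-byte window is an assumed default, and the `injected_segment_accepted` check shows why sequence numbers are a blind attacker’s first obstacle: a segment with the wrong SEQ is silently discarded.

```python
SEQ_MASK = 0xFFFFFFFF   # sequence numbers are 32-bit and wrap


class TcpEndpoint:
    """Just enough of a TCP endpoint to do the slide's bookkeeping.
    snd_nxt: sequence number of the next byte this side will send.
    rcv_nxt: sequence number this side expects from the peer next.
    rcv_wnd: how far past rcv_nxt a segment may start and still be accepted."""

    def __init__(self, isn, peer_isn, rcv_wnd=65535):
        self.snd_nxt = isn
        self.rcv_nxt = peer_isn
        self.rcv_wnd = rcv_wnd

    def send(self, size):
        """Emit a segment (SEQ, ACK, Size) and advance SEQ by the payload size.
        A pure ACK carries Size 0 and therefore does not move SEQ."""
        segment = (self.snd_nxt, self.rcv_nxt, size)
        self.snd_nxt = (self.snd_nxt + size) & SEQ_MASK
        return segment

    def receive(self, segment):
        """Accept a segment only if its SEQ lies inside the receive window; anything
        else is discarded as if never sent. An in-order segment also advances rcv_nxt,
        which becomes the ACK of the next reply."""
        seq, _ack, size = segment
        offset = (seq - self.rcv_nxt) & SEQ_MASK
        if offset >= self.rcv_wnd:
            return False
        if offset == 0:
            self.rcv_nxt = (seq + size) & SEQ_MASK
        return True


def run_slide_exchange():
    """Replay the three segments from the slide; return (trace, client end SEQ, server end SEQ)."""
    client = TcpEndpoint(isn=1892, peer_isn=15562)
    server = TcpEndpoint(isn=15562, peer_isn=1892)
    trace = []
    for sender, receiver, size in ((client, server, 50), (server, client, 25), (client, server, 0)):
        segment = sender.send(size)
        if not receiver.receive(segment):
            raise RuntimeError("in-order segment unexpectedly rejected")
        trace.append(segment)
    return trace, client.snd_nxt, server.snd_nxt


def injected_segment_accepted(seq, rcv_wnd=65535):
    """After the slide's exchange, would the server accept a segment claiming to come
    from the client with this SEQ? This is the check a spoofer has to satisfy blind."""
    server = TcpEndpoint(isn=15562, peer_isn=1892, rcv_wnd=rcv_wnd)
    server.receive((1892, 15562, 50))   # segment 1 from the slide
    server.send(25)                      # segment 2
    server.receive((1942, 15587, 0))    # segment 3
    return server.receive((seq, 15587, 10))


if __name__ == "__main__":
    trace, client_end, server_end = run_slide_exchange()
    for seq, ack, size in trace:
        print(f"SEQ – {seq}  ACK – {ack}  Size - {size}")
    print("End SEQ -", client_end, "(Client)  End SEQ -", server_end, "(Server)")
    print("injected SEQ 1942:", injected_segment_accepted(1942),
          " injected SEQ 1892:", injected_segment_accepted(1892))
```

Only the SEQ the server is actually waiting for (1942) gets through; a stale or far-off value is dropped, and the smaller the advertised window, the narrower the band of values that would be accepted. That is why the unpredictable ISN generators mentioned under “Defending” matter: they make the one number the attacker needs unguessable rather than an exercise in addition.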
