[Diagram: the protocol stack used throughout the slides: Application, Transport (TCP), Interweb (IP), Network, Access, Physical.]
TCP/IP in 3 minutes or less
IP is the internet layer protocol. It does not guarantee delivery or ordering; it only does its best to move packets from a source address to a destination address.
IP addresses are used to express the source and destination.
IP assumes that each address is unique within the network.
TCP/IP in 3 minutes or less
TCP is the transport layer protocol. It guarantees delivery and ordering, but relies on IP to move packets to the proper destination.
Port numbers are used to express the source and destination.
The destination port is assumed to be awaiting packets of data.
TCP/IP in 3 minutes or less
[Diagram: a client using Mozilla talking to some web server, each drawn with the full stack. At the Transport layer the client addresses the server as TCP port 80; at the Interweb layer as IP 10.24.1.1. Caption: what happens if someone is lying??]
[Diagram: Sucker - Alice, Victim - Bob, Attacker - Eve. Eve sends Alice a SYN that appears to come from Bob.]
1. SYN: "Let's have a conversation"
2. SYN-ACK (Alice, to Bob): "Sure, umm.. what do you want to talk about?"
3. RESET (Bob, to Alice): "I have no idea why you are talking to me"
4. No connection (Eve): "Guess I need to take Bob out of the picture…"
IP Spoofing – Mitnick Attack
Merry X-mas! Mitnick hacks a diskless workstation on December 25th, 1994.
The victim: Tsutomu Shimomura.
The attack: IP spoofing and abuse of trust relationships between a diskless terminal and its login server.
Mitnick Attack
[Diagram: Kevin Mitnick, the login server and the diskless terminal. Only two step labels survive: 4. Mitnick forges a SYN from the server to the terminal; 6. Mitnick fakes the ACK using the proper TCP sequence number.]
Mitnick Attack – Why it worked
Mitnick abused the trust relationship between the server and the workstation.
He flooded the server to prevent communication between it and the workstation.
He used math skillz to determine the TCP sequence number algorithm (i.e. add 128000).
This allowed Mitnick to open a connection without seeing the workstation's outgoing sequence numbers and without the server interrupting his attack.
IP Spoofing - Session Hijack
IP spoofing used to eavesdrop on or take control of a session.
The attacker is normally within a LAN or on the communication path between server and client.
Not blind, since the attacker can see traffic from both server and client.
Session Hijack
[Diagram: Alice and Bob exchange traffic with Eve in between, telling Alice "I'm Bob!" and Bob "I'm Alice!".]
1. Eve assumes a man-in-the-middle position through some mechanism. For example, Eve could use ARP poisoning, social engineering, router hacking, etc.
2. Eve can monitor traffic between Alice and Bob without altering the packets or the sequence numbers.
3. At any point, Eve can assume the identity of either Bob or Alice through a spoofed IP address. This breaks the pseudo connection, as Eve will start modifying the sequence numbers.
IP Spoofing – DoS/DDoS
Denial of Service (DoS) and Distributed Denial of Service (DDoS) are attacks aimed at preventing clients from accessing a service.
IP spoofing can be used to create DoS attacks.
[Diagram: DoS attack. A flood of requests from the attacker and legitimate service requests both cross the Interweb to the server; the server queue fills and legitimate requests get dropped.]
[Diagram: DDoS attack. Labels: Attacker, Fake IPs, Service Requests, SYN ACK, Target Servers.]
DDoS Attack
Many other types of DDoS are possible.
DoS becomes more dangerous if spread to multiple computers.
IP Spoofing – Defending
IP spoofing can be defended against in a number of ways:
As mentioned, other protocols in the architectural model may reveal spoofing. TCP sequence numbers are often used in this manner.
New generators for sequence numbers are a lot more complicated than 'add 128000', which makes it difficult to guess the proper sequence numbers if the attacker is blind.
"Smart" routers can detect IP addresses that are outside their domain.
"Smart" servers can block IP ranges that appear to be conducting a DoS.
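To make the sequence-number point concrete, here is an added example (not from the slides) contrasting the 'add 128000' generator with an RFC 6528-style keyed-hash generator, and a simulation of a blind observer trying to predict the next ISN. The addresses, ports, secret and clock are constructed for the demonstration.

```python
import hashlib
import secrets
import time


class FixedIncrementISN:
    """Legacy-style initial sequence number (ISN) generator: each new connection
    gets the previous ISN plus a fixed step, the 'add 128000' rule from the slides."""

    def __init__(self, start=0, step=128000):
        self._last = start
        self._step = step

    def isn(self, local_ip, local_port, remote_ip, remote_port):
        # The connection's addresses play no role in the value handed out.
        self._last = (self._last + self._step) & 0xFFFFFFFF
        return self._last


class HashedISN:
    """RFC 6528-style generator (assumed shape, not the slides' own code):
    ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret),
    where M is a clock and F is a keyed hash an outsider cannot evaluate."""

    def __init__(self, secret=None, clock=None):
        self._secret = secret if secret is not None else secrets.token_bytes(16)
        # RFC 6528 ticks M every 4 microseconds; monotonic seconds * 250000 approximates that.
        self._clock = clock if clock is not None else (lambda: int(time.monotonic() * 250_000))

    def isn(self, local_ip, local_port, remote_ip, remote_port):
        four_tuple = f"{local_ip}:{local_port}:{remote_ip}:{remote_port}".encode()
        digest = hashlib.sha256(self._secret + four_tuple).digest()
        f_value = int.from_bytes(digest[:4], "big")
        return (self._clock() + f_value) & 0xFFFFFFFF


def blind_guess(observed_isn, step=128000):
    """The prediction a blind observer makes for the next ISN after seeing one."""
    return (observed_isn + step) & 0xFFFFFFFF


def guess_succeeds(generator, step=128000):
    """Simulate the slides' scenario: the observer opens a connection of its own
    (so it sees that ISN), then must predict the ISN the server assigns to the
    next connection, whose packets it never sees. Addresses are constructed."""
    seen = generator.isn("10.24.1.1", 80, "10.24.1.50", 40000)
    hidden = generator.isn("10.24.1.1", 80, "10.24.1.2", 1023)
    return blind_guess(seen, step) == hidden
```

With the fixed-increment generator the guess always lands; with the keyed-hash generator it only lands with probability about 2^-32, which is why modern stacks make blind spoofing impractical.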
IP Spoofing continues to evolve
IP spoofing is still possible today, but has to evolve in the face of growing security.
A new issue of Phrack includes a method of using IP spoofing to perform remote scans and determine TCP sequence numbers.
This allows a session hijack attack even if the attacker is blind.
Conclusion
IP spoofing is an old school hacker trick that continues to evolve.
It can be used for a wide variety of purposes.
It will continue to represent a threat as long as each layer continues to trust the others and people are willing to subvert that trust.
Questions?
Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt
[Diagram: IP header, bits 0 to 31, showing the Source Address and Destination Address fields.]
[Diagram: TCP header, bits 0 to 31, showing the Sequence Number and Acknowledgement Number fields.]
[Diagram: example TCP exchange, one segment per line. Each side's next SEQ equals the previous SEQ plus the bytes sent, and the peer's ACK matches it.]
SEQ 1892, ACK 15562, Size 50
SEQ 15562, ACK 1942, Size 25
SEQ 1942, ACK 15587, Size 0