ip spoofing seminars report
IP SPOOFING
What is IP SPOOFING?
IP spoofing is the creation of IP packets using a forged (spoofed) source IP address.

INTERNET PROTOCOL
The IP (Internet Protocol) header
TCP Header
3-WAY HANDSHAKE
The Client sends a SYN Packet with its Initial sequence number

SYN=1 ACK=0

The Host, on receiving this packet, will respond with a SYN/ACK Packet carrying the server's Initial Sequence Number.

SYN=1 ACK=1

The Client then replies with an ACK packet.

SYN=0 ACK=1
SPOOFING ATTACKS
IP spoofing in brief consists of several interim steps:
Selecting a target host (or victim).
Identify a host that has a "trust" relationship with the target host.
The trusted host is then disabled.
The trusted host is then impersonated, the sequence numbers forged (after being calculated).
A connection attempt is made to a service that only requires address-based authentication (no user id or password).
If a successful connection is made, the attacker executes a simple command to leave a backdoor.

1. NON-BLIND SPOOFING
The attacker is on the same subnet as the victim, and thus the sequence and acknowledgement numbers can be sniffed.
The biggest threat of spoofing in this instance would be session hijacking.
2. BLIND SPOOFING
This is a more sophisticated attack, because the sequence and acknowledgement numbers are unreachable.
So several packets are sent to the target machine in order to sample sequence numbers.
It was relatively easy to discover the exact formula by studying packets and TCP sessions.
3. MAN IN THE MIDDLE ATTACK
This is also called connection hijacking.
A malicious party intercepts a legitimate communication between two hosts.
Connection hijacking exploits a "desynchronized state" in TCP communication.
An attacker can then inject forged packets with the correct sequence numbers and potentially modify or add messages to the communication.
4. DENIAL OF SERVICE (DoS) ATTACK
They flood the victim with as many packets as possible in a short amount of time using spoofed IP Addresses.
MECHANISM OF THE ATTACK
DISABLING THE TRUSTED HOST


There is an upper limit on how many concurrent SYN requests TCP can process for a given socket. This limit is called the backlog.
If this backlog limit is reached, TCP will silently discard all incoming SYN requests.
SYN Flooding
The attacking host sends several SYN requests to the target (from forged IP addresses) to fill its backlog queue with pending connections.
The target tries to respond to each one of them with a SYN/ACK packet.
It then waits for the ACK message from the forged IP Addresses.


Since these IP addresses do not actually exist, the target never receives the ACK packets.
It thus queues up all these requests until it receives the ACK message, and they are not removed until it receives the ACK message.
Hence these requests take up the valuable resources of the target machine.
As the target receives a number of connection requests, the memory of the target system gets hogged up, and it is thus unable to serve requests from legitimate users.
But according to the rules of TCP/IP, after a certain time a timeout takes place and the connection requests queued up by the target system get discarded, so part of the hogged memory is freed up.

However, in a typical SYN flooding attack, the attacker keeps on sending connection requests at a rate faster than the earlier connection requests time out.

As a result, even though the queued-up connection requests get discarded on timeout, the memory of the target does not get freed up, as the attacker is continuously sending more and more spoofed connections.
GETTING THE FINAL SEQUENCE NUMBER AND PREDICTING THE SUCCEEDING ONES
Sequence Numbers
A sequence number is a 32-bit number ranging from 1 to 2^32 - 1.
The host is assigned a sequence number called the Initial Sequence Number (ISN) when the system is being bootstrapped (typically 1).
Once the system is assigned an ISN value of 1, this value goes on incrementing at the rate of 128,000/sec, and with every connection established it gets incremented by 64,000.
Every octet of data sent over a TCP connection has a sequence number.


ACKNOWLEDGMENT NUMBER
It is a 32-Bit Number.
It is mainly used for two purposes:
1. The value of the next sequence number the host expects the client to send.
2. To acknowledge that all data up to this number (acknowledge Number) minus one has reached safely.
SEQUENCE NUMBERS AND CONNECTION ESTABLISHMENTS
The following three steps are essential for a complete and successful connection to take place between host and client:
1. The client sends a SYN packet, containing its ISN, to the server, requesting that a connection be established.
2. The host (server), on receiving this packet, will respond with a SYN/ACK packet containing its ISN. It will also contain the acknowledgement number, which will be the client's acknowledgement number plus one.
3. The client then replies with an ACK packet. Here the acknowledgement number will be the server's ISN plus one.



Consider the following Example:


Client----->SYN(250000)------->Host

Host ------->SYN(500000)&ACK(250001)------->Client

Client------->ACK(500001)------>Host
PREDICTION OF SEQUENCE NUMBERS
The attacker connects to a TCP port on the target (SMTP is a good choice).
So he can receive packets sent by the target and record the sequence number of the last packet sent by the target.
The attacker must then calculate the Round Trip Time (RTT).
Round Trip Time (RTT)
It is the time taken by a packet to travel from source to destination and then back.
So the time taken by the packet to reach from source to destination is RTT/2.

Steps to perform prediction effectively
Record the RTT and, in turn, the time taken for a packet to travel from attacker to target.
Once you have logged the last sequence number of the target, calculate the next sequence number.
For example, if the last sequence number recorded is 's' and RTT/2 = 't', then the next sequence number the target expects is s + t * 128000.
Once you have calculated the last sequence number, start the attack immediately, since there is a chance of another system on the Internet establishing a connection with the target, and hence increasing its sequence number by 64,000 more than what you have predicted.
When the spoofed segment makes its way to the target, several different things may happen depending on the accuracy of the attacker's prediction:
METHODS TO PREVENT IP SPOOFING
1. Packet filtering
One way to mitigate the threat of IP spoofing is by inspecting packets at the border routers when they leave and enter a network, looking for invalid source IP addresses.

Egress filtering checks the source IP address of packets to ensure they come from a valid IP address range within the internal network. When the router receives a packet that contains an invalid source address, the packet is simply discarded and does not leave the network boundary.

Ingress filtering checks the source IP address of packets that enter the network to ensure they do not come from sources that are not permitted to access the network.

2. Encryption and Authentication
Implementing encryption and authentication will also reduce spoofing threats.
Both of these features are included in IPv6, which will eliminate current spoofing threats.
Eliminate all host-based authentication measures.
3. Initial Sequence Number Randomizing
The following formula is being suggested to calculate the sequence number:
ISN = M + F(localhost, localport, remotehost, remoteport)
where M is the 4 microsecond timer and F is a cryptographic hash of the connection-id and a secret vector (a random number, or a host related secret combined with the machine's boot time).

APPLICATIONS OF IP SPOOFING
1. Asymmetric routing (Splitting routing)
Asymmetric routing is when the response to a packet follows a different path from one host to another than the original packet did.
Satellite DSL (SAT DSL) makes use of asymmetric routing
2. NETWORK ADDRESS TRANSLATION (NAT)
NAT is essentially the translation of IP addresses in one network into those for a different network.
NAT replaces the internal network IP address (Source) for each Internet Protocol (IP) packet passing through the firewall with a dummy one from a fixed pool of addresses.
The actual IP addresses of computers on the private network are thus hidden from users
IP Masquerade
NAT technique that is frequently implemented on Linux machines
All the IP addresses of the private network are hidden to outsiders, who can access only the single IP address of the interface exposed to the public network.





So an arbitrary number of Transmission Control Protocol (TCP) connections can be multiplexed through the single IP address by assigning each connection a different port number.

SERVICES VULNERABLE TO IP SPOOFING
RPC (Remote Procedure Call) services
Any service that uses IP address authentication
The X Window system
The R services suite (rlogin, rsh, etc.)
TCP AND IP SPOOFING TOOLS
1) Mendax for Linux
Mendax is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.
2) spoofit.h
spoofit.h is a nicely commented library for including IP spoofing functionality into your programs.
3) ipspoof
ipspoof is a TCP and IP spoofing utility.
4) hunt
hunt is a sniffer which also offers many spoofing functions.
5) dsniff
dsniff is a collection of tools for network auditing and penetration testing.
THANKS to ONE and ALL
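
The backlog behaviour described under DISABLING THE TRUSTED HOST and SYN Flooding, as an added example that is not part of the original post: a small model of one listening socket's queue, with a half-open ratio a defender can monitor. The class, the backlog of 4, the 75-second timeout and the event trace are constructed for illustration.

```python
from collections import OrderedDict

class ListenQueue:
    """Model of one listening socket's queue of half-open connections."""

    def __init__(self, backlog, timeout):
        self.backlog = backlog          # max entries waiting for the final ACK
        self.timeout = timeout          # seconds before a waiting entry is discarded
        self.pending = OrderedDict()    # (src_ip, src_port) -> time the SYN arrived
        self.established = 0
        self.dropped = 0

    def expire(self, now):
        """Discard pending entries whose handshake timed out."""
        for key, arrived in list(self.pending.items()):
            if now - arrived >= self.timeout:
                del self.pending[key]

    def on_segment(self, now, src_ip, src_port, flag):
        self.expire(now)
        key = (src_ip, src_port)
        if flag == "SYN":
            if key in self.pending:
                return "retransmit"
            if len(self.pending) >= self.backlog:
                self.dropped += 1       # silently discarded, as the text describes
                return "dropped"
            self.pending[key] = now     # SYN/ACK sent, now waiting for the ACK
            return "queued"
        if flag == "ACK" and key in self.pending:
            del self.pending[key]
            self.established += 1
            return "established"
        return "ignored"

    def half_open_ratio(self):
        """Monitoring metric: fraction of the backlog held by half-open entries."""
        return len(self.pending) / self.backlog

def replay(events, backlog=4, timeout=75):
    """Feed (time, src_ip, src_port, flag) events to a queue; return the outcomes."""
    q = ListenQueue(backlog, timeout)
    return q, [q.on_segment(*e) for e in events]

# Constructed trace: one real client, then SYNs whose sources never answer.
EVENTS = [(0, "198.51.100.5", 40000, "SYN"), (1, "198.51.100.5", 40000, "ACK")]
EVENTS += [(2, f"192.0.2.{i}", 1024 + i, "SYN") for i in range(1, 5)]
EVENTS += [(3, "198.51.100.5", 40001, "SYN"),    # real client is turned away
           (80, "198.51.100.5", 40002, "SYN")]   # accepted once the entries time out
```

A half-open ratio that stays near 1.0 while almost no handshakes complete is the signature of the condition described above.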
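
The egress and ingress checks from the Packet filtering section, as an added example that is not part of the original post. The internal prefix, the list of non-routable ranges and the sample packets are assumptions constructed for the example, and treating "not permitted" ingress sources as internal or non-routable addresses is one interpretation.

```python
import ipaddress

# Assumed for the example: the site's own address range.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Source ranges that should never arrive from outside (private, loopback,
# link-local, "this network"). The list is an assumption of this example.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def in_any(addr, nets):
    return any(addr in net for net in nets)

def border_filter(direction, src):
    """Decide what a border router does with a packet, from its source address.

    direction is "egress" (leaving the site) or "ingress" (entering it).
    Returns (verdict, reason) where verdict is "forward" or "drop".
    """
    addr = ipaddress.ip_address(src)
    internal = in_any(addr, INTERNAL_NETS)
    if direction == "egress":
        if internal:
            return "forward", "source belongs to the internal range"
        return "drop", "source is not an internal address"
    if direction == "ingress":
        if internal:
            return "drop", "outside packet claims an internal source"
        if in_any(addr, NON_ROUTABLE):
            return "drop", "source is not routable on the Internet"
        return "forward", "source is plausible for outside traffic"
    raise ValueError(f"unknown direction: {direction!r}")

# Constructed sample packets: (direction, source address).
SAMPLES = [
    ("egress", "203.0.113.25"),    # normal outbound traffic
    ("egress", "198.51.100.9"),    # inside host using someone else's address
    ("ingress", "203.0.113.80"),   # outsider posing as an internal (trusted) host
    ("ingress", "10.1.2.3"),       # private address arriving from outside
    ("ingress", "198.51.100.9"),   # ordinary inbound traffic
]

def verdicts(samples=SAMPLES):
    """Verdict for each sample, in order."""
    return [border_filter(d, s)[0] for d, s in samples]
```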
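
The formula from the Initial Sequence Number Randomizing section, ISN = M + F(localhost, localport, remotehost, remoteport), as an added example that is not part of the original post. HMAC-SHA-256 as F, the per-boot random secret and all function names are this example's assumptions.

```python
import hashlib
import hmac
import os
import socket
import struct
import time

MASK32 = 0xFFFFFFFF
# The "secret vector": random bytes chosen once per boot (generated here).
BOOT_SECRET = os.urandom(32)

def timer_m(now_ns=None):
    """M: 32-bit counter that advances by one every 4 microseconds."""
    if now_ns is None:
        now_ns = time.monotonic_ns()
    return (now_ns // 4000) & MASK32

def hash_f(secret, localhost, localport, remotehost, remoteport):
    """F: keyed hash of the connection id, truncated to 32 bits.

    HMAC-SHA-256 is this example's choice; the text only asks for a
    cryptographic hash of the connection-id and a secret vector.
    """
    conn_id = (socket.inet_aton(localhost) + struct.pack("!H", localport) +
               socket.inet_aton(remotehost) + struct.pack("!H", remoteport))
    digest = hmac.new(secret, conn_id, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]

def generate_isn(secret, localhost, localport, remotehost, remoteport, now_ns=None):
    """ISN = M + F(localhost, localport, remotehost, remoteport), modulo 2^32."""
    f = hash_f(secret, localhost, localport, remotehost, remoteport)
    return (timer_m(now_ns) + f) & MASK32

def isn_gap(secret, conn_a, conn_b, now_ns):
    """Gap between the ISNs two connections would get at the same instant.

    With one global counter this gap is a known constant; here it depends
    on the secret, so one connection's ISN does not reveal another's.
    """
    a = generate_isn(secret, *conn_a, now_ns=now_ns)
    b = generate_isn(secret, *conn_b, now_ns=now_ns)
    return (b - a) & MASK32
```

For a single 4-tuple the ISN still advances with the timer, so successive connections between the same endpoints get increasing sequence numbers.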
Messages In This Thread
RE: ip spoofing seminars report - by project topics - 01-04-2010, 11:35 AM
ip spoofing with ppt - by projectsofme - 24-09-2010, 09:22 AM
RE: ip spoofing PPT - by seminar addict - 26-01-2012, 02:33 PM
