03-03-2011, 03:06 PM
PRESENTED BY :
Prashant Singh
[attachment=9459]
ip spoofing
What is IP Spoofing?
IP spoofing is a technique used to gain unauthorized access to computers, where by the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host
Attacker puts an internal, or trusted, IP address as its source. The access control device sees the IP address as trusted and lets it through
When Spoofing occurs?
IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.
Two general techniques of IP spoofing:
• A hacker uses an IP address that is within the range of trusted IP addresses.
• A hacker uses an authorized external IP address that is trusted
3-Way Handshake in TCP/IP
The client selects and transmits an initial sequence number ISNC ,the server acknowledges it and sends its own sequence number ISNS ,and the client acknowledges it.
The exchange may show schematically as follows
CàS: SYN(ISNC)
SàC: SYN(ISNS) , ACK(ISNC)
CàS: ACK(ISNS)
CàS: DATA
OR
SàC: DATA
How Spoofing take place?
Suppose, there is a way for an intruder X to predict ISNS .In this case , it could send the following sequence to impersonate trusted host T :
XàS: SYN(ISNX ) , SRC=T
SàT: SYN(ISNS) , ACK(ISNX)
XàS: ACK(ISNS) , SRC=T
XàS: ACK(ISNS) , SRC=T , nasty data
• Basic Concept of IP Spoofing
• IP Spoofing
• Why IP Spoofing is so easy?
Problem with the Routers.
Routers look at Destination addresses only.
Authentication based on Source addresses only.
To change source address field in IP header field is easy by the use of the software.
• Types of Spoofing Attack
The number of IP Spoofing attacks are:
Non-Blinding Attack
This attack take place when the Victim and the Attacker are on the same network.
In this the we have to make the assumption to find the sequence number passed from Target to Victim.
• Non- Blinding Spoofing
• Spoofing Attacks
Blind Spoofing
It is mainly used to abuse the trust relationship between hosts.
Today, most OSs implement random sequence number generation, making it difficult to predict them accurately.
In this many packet are sent to the victim
• Spoofing Attacks:
• Blinding Attack
• Spoofing Attacks:
Man in the Middle Attack( Connection Hijacking)
In this the attacker control the gateway that is in the delivery route, he can
• sniff the traffic
• intercept / block / delay traffic
• modify traffic:
Spoofing Attacks:
ICMP Echo attacks
• Map the hosts of a network
The attack sends ICMP echo datagram to all the hosts in a subnet, then he collects the replies and determines which hosts are alive.
• Denial of service attack (SMURF attack)
The attack sends spoofed (with victim‘s IP address) ICMP Echo Requests to subnets, the victim will get ICMP Echo Replies from every machine.
Smurf Attack
Spoofing Attacks:
ICMP Redirect attacks
• ICMP redirect messages can be used to re-route traffic on specific routes or to a specific host that is not a router at all.
• The ICMP redirect attack is very simple: just send a spoofed ICMP redirect message that appears to come from the host‘s default gateway.
ICMP Redirect attacks
ICMP destination unreachable attacks
ICMP destination unreachable message is used by gateways to state that the datagram cannot be delivered. It can be used to “cut” out nodes from the network. It is a denial of service attack (DOS)
Example:
An attacker injects many forged destination unreachable messages stating that 100.100.100.100 is unreachable) into a subnet (e.g. 128.100.100.*). If someone from the 128.100.100.* net tries to contact 100.100.100.100, he will immediately get an ICMP Time Exceeded from the attacker‘s host. For 128.100.100.* this means that there is no way to contact 100.100.100.100, and therefore communication fails.
ICMP destination unreachable attacks
Stopping IP address spoofing attack
Packet filtering
The router that connects a network to another network is known as a border router. One way to mitigate the threat of IP spoofing is by inspecting packets when they leave and enter a network looking for invalid source IP addresses. If this type of filtering were performed on all border routers, IP address spoofing would be greatly reduced.
• Ingress Filtering
• Egress Filtering
Packet filtering
Detection of IP Spoofing
If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack
Detection of IP Spoofing
Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access
How we prevent IP Spoofing?
To prevent IP spoofing happen in your network, the following are some common practices:
1- Avoid using the source address authentication. Implement cryptographic authentication system-wide.
2- Configuring your network to reject packets from the Net that claim to originate from a local address.
3- Implementing ingress and egress filtering on the border routers and implement an ACL (access control list) that blocks private IP addresses on your downstream interface.
If you allow outside connections from trusted hosts, enable encryption sessions
Our Misconception
Software for IP Spoofing
Mac Spoofing
Macaroni Screen Saver Bundle
SpoofMAC
sTerm
MAC Change
Software to Stop IP Spoofing
StopCut
Find Mac Address pro
SecurityGateway for Exchange / SMTP
PacketCreator
Responder Pro
Prashant Singh
[attachment=9459]
ip spoofing
What is IP Spoofing?
IP spoofing is a technique used to gain unauthorized access to computers, where by the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host
Attacker puts an internal, or trusted, IP address as its source. The access control device sees the IP address as trusted and lets it through
When Spoofing occurs?
IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.
Two general techniques of IP spoofing:
• A hacker uses an IP address that is within the range of trusted IP addresses.
• A hacker uses an authorized external IP address that is trusted
3-Way Handshake in TCP/IP
The client selects and transmits an initial sequence number ISNC ,the server acknowledges it and sends its own sequence number ISNS ,and the client acknowledges it.
The exchange may show schematically as follows
CàS: SYN(ISNC)
SàC: SYN(ISNS) , ACK(ISNC)
CàS: ACK(ISNS)
CàS: DATA
OR
SàC: DATA
How Spoofing take place?
Suppose, there is a way for an intruder X to predict ISNS .In this case , it could send the following sequence to impersonate trusted host T :
XàS: SYN(ISNX ) , SRC=T
SàT: SYN(ISNS) , ACK(ISNX)
XàS: ACK(ISNS) , SRC=T
XàS: ACK(ISNS) , SRC=T , nasty data
• Basic Concept of IP Spoofing
• IP Spoofing
• Why IP Spoofing is so easy?
Problem with the Routers.
Routers look at Destination addresses only.
Authentication based on Source addresses only.
To change source address field in IP header field is easy by the use of the software.
• Types of Spoofing Attack
The number of IP Spoofing attacks are:
Non-Blinding Attack
This attack take place when the Victim and the Attacker are on the same network.
In this the we have to make the assumption to find the sequence number passed from Target to Victim.
• Non- Blinding Spoofing
• Spoofing Attacks
Blind Spoofing
It is mainly used to abuse the trust relationship between hosts.
Today, most OSs implement random sequence number generation, making it difficult to predict them accurately.
In this many packet are sent to the victim
• Spoofing Attacks:
• Blinding Attack
• Spoofing Attacks:
Man in the Middle Attack( Connection Hijacking)
In this the attacker control the gateway that is in the delivery route, he can
• sniff the traffic
• intercept / block / delay traffic
• modify traffic:
Spoofing Attacks:
ICMP Echo attacks
• Map the hosts of a network
The attack sends ICMP echo datagram to all the hosts in a subnet, then he collects the replies and determines which hosts are alive.
• Denial of service attack (SMURF attack)
The attack sends spoofed (with victim‘s IP address) ICMP Echo Requests to subnets, the victim will get ICMP Echo Replies from every machine.
Smurf Attack
Spoofing Attacks:
ICMP Redirect attacks
• ICMP redirect messages can be used to re-route traffic on specific routes or to a specific host that is not a router at all.
• The ICMP redirect attack is very simple: just send a spoofed ICMP redirect message that appears to come from the host‘s default gateway.
ICMP Redirect attacks
ICMP destination unreachable attacks
ICMP destination unreachable message is used by gateways to state that the datagram cannot be delivered. It can be used to “cut” out nodes from the network. It is a denial of service attack (DOS)
Example:
An attacker injects many forged destination unreachable messages stating that 100.100.100.100 is unreachable) into a subnet (e.g. 128.100.100.*). If someone from the 128.100.100.* net tries to contact 100.100.100.100, he will immediately get an ICMP Time Exceeded from the attacker‘s host. For 128.100.100.* this means that there is no way to contact 100.100.100.100, and therefore communication fails.
ICMP destination unreachable attacks
Stopping IP address spoofing attack
Packet filtering
The router that connects a network to another network is known as a border router. One way to mitigate the threat of IP spoofing is by inspecting packets when they leave and enter a network looking for invalid source IP addresses. If this type of filtering were performed on all border routers, IP address spoofing would be greatly reduced.
• Ingress Filtering
• Egress Filtering
Packet filtering
Detection of IP Spoofing
If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack
Detection of IP Spoofing
Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access
How we prevent IP Spoofing?
To prevent IP spoofing happen in your network, the following are some common practices:
1- Avoid using the source address authentication. Implement cryptographic authentication system-wide.
2- Configuring your network to reject packets from the Net that claim to originate from a local address.
3- Implementing ingress and egress filtering on the border routers and implement an ACL (access control list) that blocks private IP addresses on your downstream interface.
If you allow outside connections from trusted hosts, enable encryption sessions
Our Misconception
Software for IP Spoofing
Mac Spoofing
Macaroni Screen Saver Bundle
SpoofMAC
sTerm
MAC Change
Software to Stop IP Spoofing
StopCut
Find Mac Address pro
SecurityGateway for Exchange / SMTP
PacketCreator
Responder Pro
