Published by: api-3730049 on Oct 15, 2008
Ankit Fadia Certified Ethical Hacker (AFCEH) 2.0
Copyright 2004. All rights Reserved.
The Art of IP Spoofing by Ankit Fadia

IP spoofing is probably the ultimate trick or attack that an attacker can execute on a target system. Almost all wannabe computer experts dream of being able to spoof their IP address and fool the target system into establishing illegitimate connections. If successfully executed, IP spoofing is definitely one of the smoothest and most classic attacks on the Internet. However, IP spoofing attacks are quite complex, and very few attackers have actually been able to spoof their identity successfully.

IP Spoofing is a process wherein an attacker fools or tricks the target system into believing that the data packets being sent actually originated on a system other than the real source system. In other words, IP spoofing is a technique that allows an attacker to change or disguise his real identity while communicating with the target system. In this technique, the data packets that the attacker sends to the target system will seem to originate at some other arbitrary system.

For Example
Consider a scenario wherein the following system addresses exist:

1. Attacker: (REAL)
2. Victim: (VICTIM)
3. Fake: (FAKE)

Under ordinary circumstances, when REAL sends certain data packets to the VICTIM system, then the source address of these packets will clearly have REAL as the source address. However, in case of IP spoofing, REAL will send data packets to VICTIM in such a manner that the source address of these packets will be the FAKE system. In other words, IP spoofing is a process wherein REAL is able to send data to VICTIM so that it seems to have originated at FAKE. This process of fooling the remote system into believing that you are someone else is known as IP spoofing and is commonly exploited to carry out a variety of attacks.

A very good real life analogy to understand IP spoofing better is that of three people: A, B and C. Consider a scenario wherein A wants to fool C over the phone into believing that it is talking to B. In order to achieve this goal, A will telephone C and disguise his voice so that he sounds like B. If A can successfully disguise his true identity and pretend to be (or sound like) B, then a successful telephone spoofing is executed. In an IP spoofing attack, three computers are involved instead of three people. However, taking the analogy of the three people a bit further, it is quite clear that for the telephone spoofing to succeed, the following must be true:

1. C should not already be communicating with B.
2. C should not be able to contact B using some other means and discover that B is not actually busy on the phone with him/her.
Challenges Faced

The biggest challenge that an attacker faces while performing IP spoofing is that the attack is a blind one. Since all data packets sent to the target computer in an IP spoofing attack carry spoofed source addresses, the attacker never receives any update on the status of the attack. For this reason an IP spoofing attack is also known as a blind attack: throughout the attack, the attacker does not know whether it is succeeding or not, and if something goes wrong, on most occasions the attacker remains oblivious to the problem. IP spoofing attacks are literally performed blindly, with the attacker taking the liberty of assuming that things went as planned.

This blind nature of the IP spoofing attack becomes evident in the first step of the attack itself. Typically, the ATTACKER sends spoofed data packets to the VICTIM, making it believe that they were actually sent by FAKE. Assuming that these spoofed data packets are accepted, VICTIM will reply to FAKE and not to ATTACKER. Since all replies sent by VICTIM reach FAKE, ATTACKER gets no feedback on the progress of the attack. According to the TCP/IP connection establishment rules, each time IP spoofing is executed the following steps are followed:

If REAL wants to establish a TCP/IP connection with VICTIM without spoofing any IP address, then typically the following three-way handshake takes place:

1. REAL sends a SYN packet to VICTIM.
2. VICTIM sends back a SYN/ACK packet to REAL.
3. REAL acknowledges this by sending back an ACK packet to VICTIM.

In this case, since REAL did not attempt to spoof its identity, it received a continuous update on the status of the connection. However, if REAL is an ATTACKER who wants to spoof his IP address and make it appear to be FAKE, then the procedure is quite different. In such a case, the following steps are followed:

1. ATTACKER sends a SYN packet to VICTIM in such a manner that it seems to have originated at FAKE. In purely networking terms, in the first step, VICTIM receives a connection request (SYN packet) from FAKE.

2. Since VICTIM received the SYN packet from FAKE, in the second step it sends back a SYN/ACK packet to FAKE. This means that ATTACKER does not receive any reply or packets from VICTIM in this step. This step brings us to the blind part of IP spoofing, where ATTACKER can only wait for some time to pass. ATTACKER then assumes that in this time FAKE has received a SYN/ACK packet from VICTIM. There is no way for ATTACKER to find out whether VICTIM has actually sent a SYN/ACK packet to FAKE or not. This means that there is no way for the attacker to figure out whether the target computer has fallen for the IP spoofing attack or not.

3. After waiting for some time to pass, ATTACKER then sends a spoofed ACK packet to VICTIM to acknowledge that FAKE has indeed received the SYN/ACK packet. Again, this is a blind step that simply assumes that VICTIM has actually sent the SYN/ACK packet and that FAKE has indeed received it as well.

4. Once the above steps have been executed successfully, ATTACKER is able to establish a complete spoofed TCP/IP connection between VICTIM and FAKE.

Unfortunately, the above procedure itself presents a unique problem. In the second step of IP spoofing, VICTIM sends a SYN/ACK packet to FAKE in response to the spoofed SYN packet sent by ATTACKER. This response sent by VICTIM to FAKE can lead to a few complications. Depending upon the state of FAKE, there are two cases:

1. FAKE exists

If FAKE is a real system on the Internet, then the SYN/ACK packet sent by VICTIM will actually arrive at FAKE. Since FAKE never requested that a connection be established, when FAKE receives this packet it will not know what to do with it. Since FAKE does not know what should be done with the packet, it will simply discard it and send back a NACK (Non Acknowledgement) packet to VICTIM. Typically, a NACK message is sent by a system to terminate a connection, resulting in no further communication between the two systems.

When VICTIM receives this NACK packet from FAKE, it will immediately terminate the spoofed connection request initiated by ATTACKER. As a result, the spoofed connection attempt between VICTIM and FAKE will be turned down and discarded. This means that if FAKE exists and does actually send a NACK packet to VICTIM, then REAL's attempt to perform IP spoofing will fail.

The above problem can be compared to the analogy of a telephone conversation. If 'A' telephones 'C' and pretends to be 'B', then this spoof can be successful only if 'B' does not interrupt the spoofing process. This brings us to the first golden rule of IP spoofing:

Rule 1: IP Spoofing can only be successful if the FAKE system does not interrupt the spoofing attempt by sending packets to the VICTIM.
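A small model of the two outcomes Rule 1 distinguishes, added here as an example (it is not part of the original text and sends no real packets): host objects exchange only the SYN, SYN/ACK, ACK and refusal flags the text describes, and the result shows that an online FAKE's refusal tears down the half-open entry on VICTIM, which is also the footprint a defender can watch for on that host. The names Packet, Host, deliver and spoofed_handshake are this example's own, sequence numbers are omitted, and the text's NACK is modelled as the RST segment real TCP stacks send in reply to an unsolicited SYN/ACK.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str    # source address as written in the header (may be spoofed)
    dst: str
    flags: str  # "SYN", "SYN/ACK", "ACK" or "RST"

@dataclass
class Host:
    addr: str
    online: bool = True
    half_open: set = field(default_factory=set)    # peers we answered with SYN/ACK
    established: set = field(default_factory=set)  # peers whose handshake completed

    def receive(self, pkt):
        """Apply the handshake rules to one packet and return the reply, if any."""
        if not self.online:
            return None  # an unreachable FAKE sends nothing back
        if pkt.flags == "SYN":
            self.half_open.add(pkt.src)  # this entry is VICTIM's visible footprint
            return Packet(self.addr, pkt.src, "SYN/ACK")
        if pkt.flags == "SYN/ACK":
            # Unsolicited SYN/ACK: this host never sent a SYN, so it refuses. The
            # text calls the refusal a NACK; real TCP stacks send an RST segment.
            return Packet(self.addr, pkt.src, "RST")
        if pkt.flags == "RST":
            self.half_open.discard(pkt.src)  # VICTIM drops the half-open entry
        elif pkt.flags == "ACK" and pkt.src in self.half_open:
            self.half_open.discard(pkt.src)
            self.established.add(pkt.src)
        return None

def deliver(network, pkt):
    """Hand pkt to the host named in its destination field and return the reply."""
    if pkt is None or pkt.dst not in network:
        return None
    return network[pkt.dst].receive(pkt)

def spoofed_handshake(fake_online):
    """Replay steps 1-3 from the text; True if VICTIM ends up connected to FAKE."""
    victim, fake = Host("VICTIM"), Host("FAKE", online=fake_online)
    network = {"VICTIM": victim, "FAKE": fake}
    syn_ack = deliver(network, Packet("FAKE", "VICTIM", "SYN"))  # step 1
    reset = deliver(network, syn_ack)       # step 2: SYN/ACK goes to FAKE, not ATTACKER
    deliver(network, reset)                 # an online FAKE's reset reaches VICTIM
    deliver(network, Packet("FAKE", "VICTIM", "ACK"))  # step 3: the blind ACK
    return "FAKE" in victim.established
```

With FAKE online the reset arrives before the blind ACK and VICTIM never reaches the established state; with FAKE silent, nothing contradicts the spoofed SYN and the half-open entry is completed.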
2. FAKE does not exist
