
IP Spoofing

Sometimes on the internet, a girl named Alice is really a man named Yves

Sources

General Information:
- http://en.wikipedia.org/wiki/Ip_spoofing
- http://www.securityfocus.com/infocus/1674
- http://tarpit.rmc.ca/knight/EE579index.htm (see the ppts on the subject)
- http://www.gulker.com/ra/hack/tsattack.html
- http://tarpit.rmc.ca/knight/EEE466Lectures/DA14/14%20%20Security%20I.ppt
- Conversation with Todd "Hot Toddy" Jackson
- http://www.phrack.org/issues.html?issue=64&id=15#article

Mitnick Attack Sequence:
Session Hijack Sequence:
DoS and DDoS attacks:
Phrack Article:

Overview

- TCP/IP in brief
- IP Spoofing
  - Basic overview
  - Examples
    - Mitnick Attack
    - Session Hijack
    - DoS/DDoS Attack
- Defending Against the Threat
- Continuous Evolution
- Conclusion

TCP/IP in 3 minutes or less

In general use, the term describes the architecture upon which the Interweb is built. TCP and IP are specific protocols within that architecture.

TCP/IP in 3 minutes or less

Layer                      Protocol
Application
Transport                  TCP
Interweb                   IP
Network Access / Physical

TCP/IP in 3 minutes or less

IP is the internet-layer protocol. It does not guarantee delivery or ordering; it only does its best to move packets from a source address to a destination address. IP addresses are used to express the source and destination, and IP assumes that each address is unique within the network.

TCP/IP in 3 minutes or less


TCP is the transport-layer protocol. It guarantees delivery and ordering, but relies upon IP to move packets to the proper destination. Port numbers are used to express the source and destination. The destination port is assumed to be awaiting packets of data.

TCP/IP in 3 minutes or less

[Diagram: a client using Mozilla sends an HTTP GET to some web server. The request is addressed at each layer as follows.]

Layer                      Addressing of the request
Application                HTTP - GET
Transport                  TCP port 80
Interweb                   IP 10.24.1.1
Network Access / Physical  MAC 00:11:22:33:44:55, then bits on the wire (11010010011101 00110100110101)

But what happens if someone is lying??

IP Spoofing Basic Overview


Basically, IP spoofing is lying about an IP address. Normally it is the source address that is falsified. Lying about the source address lets an attacker assume a new identity.

IP Spoofing Basic Overview


Because the source address is not the attacker's own address, any replies generated by the destination will not be sent to the attacker. The attacker must have an alternate way to spy on the traffic or predict the responses. To maintain a connection, the attacker must adhere to the protocol requirements.

IP Spoofing Basic Overview


Difficulties for the attacker:
- TCP sequence numbers
- One-way communication
- Adherence to protocols for other layers

IP Spoofing - The Reset

[Diagram with three parties: Sucker - Alice, Victim - Bob, Attacker - Eve]

1. SYN (sent by Eve using Alice's address, to Bob): "Let's have a conversation"
2. SYN ACK (Bob to Alice): "Sure, what do you want to talk about?"
3. RESET (Alice to Bob): "Umm.. I have no idea why you are talking to me"
4. No connection. Eve: "Guess I need to take Bob out of the picture"

IP Spoofing - Mitnick Attack

Merry X-mas! Mitnick hacks a diskless workstation on December 25th, 1994.
The victim: Tsutomu Shimomura.
The attack: IP spoofing and abuse of the trust relationship between a diskless terminal and its login server.

Mitnick Attack

[Diagram with three parties: Workstation, Server, Kevin Mitnick]

1. Mitnick floods the server's login port so it can no longer respond.
2. Mitnick probes the workstation to determine the behaviour of its TCP sequence number generator.
3. He discovers that the TCP sequence number is incremented by 128000 for each new connection.
4. Mitnick forges the SYN from the server to the terminal.
5. The terminal responds with an ACK, which is ignored by the flooded port (and is not visible to Mitnick).
6. Mitnick fakes an ACK using the proper TCP sequence number.
7. Mitnick has now established a one-way communications channel.

Mitnick Attack - Why it worked

- Mitnick abused the trust relationship between the server and workstation.
- He flooded the server to prevent communication between it and the workstation.
- He used math skillz to determine the TCP sequence number algorithm (ie add 128000).
- This allowed Mitnick to open a connection without seeing the workstation's outgoing sequence numbers and without the server interrupting his attack.
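The "add 128000" point above is really a statement about how measurable a sequence number generator is. The following is an added example, not code from the slides or from any of the cited sources: it models a hypothetical fixed-increment initial sequence number (ISN) generator of the kind the slides describe next to a generator that draws a fresh 32-bit random ISN per connection (the approach modern stacks take, RFC 6528), and measures how often the third ISN can be extrapolated from two earlier samples. The class names, the starting value and the trial count are assumptions made for the example.

```python
"""Measuring ISN predictability: constructed example, not code from the slides."""
import secrets

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


class FixedIncrementISN:
    """Hypothetical generator: each new connection gets ISN = previous + step."""

    def __init__(self, start: int, step: int = 128000):
        self.current = start % MOD
        self.step = step

    def next_isn(self) -> int:
        self.current = (self.current + self.step) % MOD
        return self.current


class RandomISN:
    """Unpredictable generator: a fresh 32-bit random value per connection."""

    def next_isn(self) -> int:
        return secrets.randbits(32)


def extrapolate(isn_a: int, isn_b: int) -> int:
    """Predict the ISN after isn_b, assuming a constant increment (mod 2^32).

    This is all a blind observer needs against a fixed-increment generator:
    two samples give the step, and the step gives every later ISN.
    """
    step = (isn_b - isn_a) % MOD
    return (isn_b + step) % MOD


def prediction_hit_rate(generator, trials: int = 50) -> float:
    """Sample two ISNs, predict the third, compare; return the fraction of hits.

    A rate near 1.0 means the generator leaks its future values; a rate near
    0.0 is what a properly randomized generator should produce.
    """
    hits = 0
    for _ in range(trials):
        first = generator.next_isn()
        second = generator.next_isn()
        predicted = extrapolate(first, second)
        actual = generator.next_isn()
        if predicted == actual:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("fixed increment:", prediction_hit_rate(FixedIncrementISN(start=1000)))
    print("random 32-bit:  ", prediction_hit_rate(RandomISN()))
```

The hit rate is the figure a defender wants when auditing a TCP stack: anything much above zero means a blind spoofer who can obtain a couple of ISNs (the probing in steps 2 and 3 above) can forge the ACK in step 6 without ever seeing the victim's reply.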

IP Spoofing - Session Hijack

IP spoofing is used to eavesdrop on or take control of a session. The attacker is normally within the LAN or on the communication path between server and client. The attack is not blind, since the attacker can see traffic from both server and client.

Session Hijack

[Diagram with three parties: Alice, Bob, Eve. Eve tells Alice "I'm Bob!" and tells Bob "I'm Alice!"]

1. Eve assumes a man-in-the-middle position through some mechanism. For example, Eve could use ARP poisoning, social engineering, router hacking etc...
2. At any point, Eve can monitor the traffic between Alice and Bob without altering the packets or sequence numbers.
3. Eve can assume the identity of either Bob or Alice through a spoofed IP address. This breaks the pseudo connection, as Eve will start modifying the sequence numbers.

IP Spoofing - DoS/DDoS

Denial of Service (DoS) and Distributed Denial of Service (DDoS) are attacks aimed at preventing clients from accessing a service. IP spoofing can be used to create DoS attacks.

DoS Attack

[Diagram: the Attacker sends a flood of service requests with fake IPs across the Interweb to the Server; Legitimate Users send their own service requests. Server queue full, legitimate requests get dropped.]

DoS Attack

The attacker spoofs a large number of requests from various IP addresses to fill a service's queue. With the service's queue filled, legitimate users cannot use the service.

DDoS Attack

[Diagram: the Attacker sends SYNs across the Interweb to the Target Servers; the Target Servers send SYN ACKs to a Server that is already DoS'd and whose queue is full.]

1. The attacker makes a large number of SYN connection requests to the target servers on behalf of a DoS'd server.
2. The servers send SYN ACKs to the spoofed server, which cannot respond as it is already DoS'd. Queues quickly fill, as each connection request has to go through a process of sending several SYN ACKs before it times out.

DDoS Attack

Many other types of DDoS are possible. DoS becomes more dangerous when it is spread across multiple computers.

IP Spoofing - Defending

IP spoofing can be defended against in a number of ways:
- As mentioned, other protocols in the architectural model may reveal spoofing.
  - TCP sequence numbers are often used in this manner.
  - New generators for sequence numbers are a lot more complicated than "add 128000".
  - This makes it difficult to guess the proper sequence numbers if the attacker is blind.
- Smart routers can detect IP addresses that are outside their domain.
- Smart servers can block IP ranges that appear to be conducting a DoS.
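The last two bullets, and the SYN-flood picture on the DDoS slides, are concrete enough to show in code. What follows is an added example, not code from the slides or from any of the cited sources. It implements a router-side ingress filter (a packet arriving on a customer-facing interface must carry a source address from the prefixes assigned to that interface) and a server-side backlog check that flags the signature of a spoofed-source SYN flood: a backlog that is mostly full of half-open entries, spread over many distinct sources that never complete the handshake. The interface names, prefixes, addresses, connection-table records and the 0.8 thresholds are all constructed for the example.

```python
"""Ingress filtering and SYN-backlog monitoring: constructed example, not from the slides."""
import ipaddress
from collections import Counter

# Hypothetical border router: interface name -> prefixes legitimately sourced behind it.
INTERFACE_PREFIXES = {
    "eth1-customer": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2-customer": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed packets as (arrival interface, source address, destination address).
SAMPLE_PACKETS = [
    ("eth1-customer", "192.0.2.10", "203.0.113.5"),       # inside eth1's prefix: legitimate
    ("eth1-customer", "10.24.1.1", "203.0.113.5"),        # not behind eth1: spoofed source
    ("eth2-customer", "198.51.100.200", "203.0.113.5"),   # outside the /25: spoofed source
    ("eth2-customer", "198.51.100.7", "203.0.113.5"),     # inside eth2's prefix: legitimate
]

# Constructed connection tables as (source address, TCP state).
FLOODED_TABLE = [(f"203.0.113.{i}", "SYN_RECV") for i in range(1, 9)] + [
    ("192.0.2.10", "ESTABLISHED"),
    ("192.0.2.11", "ESTABLISHED"),
]
QUIET_TABLE = [("192.0.2.10", "SYN_RECV"), ("192.0.2.12", "SYN_RECV")] + [
    (f"192.0.2.{i}", "ESTABLISHED") for i in range(20, 26)
]


def ingress_filter(packets):
    """Split packets into (accepted, dropped) by checking the source against the interface's prefixes."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        src_ip = ipaddress.ip_address(src)
        allowed = INTERFACE_PREFIXES.get(iface, [])
        if any(src_ip in net for net in allowed):
            accepted.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst))   # source the router knows cannot be behind this port
    return accepted, dropped


def syn_flood_indicators(conn_table, backlog_size):
    """Summarise half-open load on a listener's backlog.

    A spoofed-source SYN flood shows up as a backlog that is mostly full of
    SYN_RECV entries held by many distinct sources, each stuck at one entry:
    legitimate clients finish the handshake, spoofed ones never can.
    """
    half_open = [src for src, state in conn_table if state == "SYN_RECV"]
    per_source = Counter(half_open)
    fill = len(half_open) / backlog_size
    looks_like_flood = fill >= 0.8 and len(per_source) >= 0.8 * len(half_open)
    return {
        "half_open": len(half_open),
        "fill_ratio": round(fill, 2),
        "distinct_sources": len(per_source),
        "looks_like_syn_flood": looks_like_flood,
    }


if __name__ == "__main__":
    ok, bad = ingress_filter(SAMPLE_PACKETS)
    print("dropped at the border:", [p[1] for p in bad])
    print("flooded backlog:", syn_flood_indicators(FLOODED_TABLE, backlog_size=10))
    print("quiet backlog:  ", syn_flood_indicators(QUIET_TABLE, backlog_size=10))
```

The ingress check is the one that removes the root cause: a forged source that does not belong to the interface it arrived on never leaves the first router, so neither the reset scenario nor the reflected SYN ACKs in the DDoS slides can be produced from that network. The backlog check is the fallback on the receiving side; on a real server the inputs would come from the kernel's connection table rather than a constructed list.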

IP Spoofing continues to evolve

IP spoofing is still possible today, but it has to evolve in the face of growing security. A new issue of Phrack includes a method of using IP spoofing to perform remote scans and determine TCP sequence numbers. This allows a session hijack attack even if the attacker is blind.

Conclusion

IP spoofing is an old-school hacker trick that continues to evolve. It can be used for a wide variety of purposes. It will continue to represent a threat as long as each layer continues to trust the others and people are willing to subvert that trust.

Questions?


Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt

IP header

 0               8               16              24             31
+-------+-------+---------------+-------------------------------+
|Version|  IHL  |Type of Service|         Total Length          |
+-------+-------+---------------+-----+-------------------------+
|        Identification         |Flags|     Fragment Offset     |
+---------------+---------------+-----+-------------------------+
| Time to Live  |   Protocol    |        Header Checksum        |
+---------------+---------------+-------------------------------+
|                        Source Address                         |
+---------------------------------------------------------------+
|                     Destination Address                       |
+---------------------------------------------------------------+
|                     Options and Padding                       |
+---------------------------------------------------------------+

Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt

TCP header

 0               8               16              24             31
+-------------------------------+-------------------------------+
|          Source Port          |       Destination Port        |
+-------------------------------+-------------------------------+
|                        Sequence Number                        |
+---------------------------------------------------------------+
|                    Acknowledgement Number                     |
+-----------+---------+---------+-------------------------------+
|Data Offset|Reserved |  Flags  |            Window             |
+-----------+---------+---------+-------------------------------+
|           Checksum            |        Urgent Pointer         |
+-------------------------------+-------------------------------+
|                      Options and Padding                      |
+---------------------------------------------------------------+

TCP Sequence Numbers

Client: Start SEQ - 1892                         Server: Start SEQ - 15562

1. Client transmits 50 bytes         client -> server   SEQ 1892   ACK 15562   Size - 50
2. Server ACKs, transmits 20 bytes   server -> client   SEQ 15562  ACK 1942    Size - 25
3. Client ACKs, sends no data        client -> server   SEQ 1942   ACK 15587   Size - 0

Client: End SEQ - 1942                           Server: End SEQ - 15587
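The bookkeeping on this slide, and the RST on the earlier "The Reset" slide, both fall out of a very small model of a TCP endpoint. The following is an added example, not code from the slides or from any of the cited sources. It tracks each side's next sequence number to send (`snd_nxt`) and next sequence number expected from the peer (`rcv_nxt`), replays the three segments above with the slide's numbers (client ISN 1892, server ISN 15562), shows a host in CLOSED answering an unsolicited SYN ACK with RST, and shows an in-session segment with a guessed sequence number being discarded. As on the slide, the endpoints start directly in ESTABLISHED with their ISNs, and the SYN consuming a sequence number is ignored; the names, the ISNs 1000 and 2000 in the reset scenario, and the guessed value 4242 are constructed for the example.

```python
"""TCP sequence/acknowledgement model: constructed teaching code, not from the slides."""
from dataclasses import dataclass

MOD = 2 ** 32  # sequence numbers are 32-bit and wrap


@dataclass
class Segment:
    src: str
    dst: str
    flags: str      # "SYN", "SYN+ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0
    size: int = 0   # payload bytes carried


class Endpoint:
    def __init__(self, name: str, isn: int, state: str = "CLOSED"):
        self.name, self.isn, self.state = name, isn, state
        self.snd_nxt = isn   # next sequence number this host will send
        self.rcv_nxt = 0     # next sequence number expected from the peer
        self.accepted = 0    # payload bytes accepted from the peer
        self.rejected = 0    # segments discarded for carrying the wrong SEQ

    def establish(self, peer_isn: int) -> None:
        """Enter ESTABLISHED the way the slide does: our ISN to send, the peer's ISN expected."""
        self.state, self.rcv_nxt = "ESTABLISHED", peer_isn

    def send(self, peer: str, size: int) -> Segment:
        """Emit a data segment; End SEQ = Start SEQ + bytes sent."""
        seg = Segment(self.name, peer, "ACK", seq=self.snd_nxt, ack=self.rcv_nxt, size=size)
        self.snd_nxt = (self.snd_nxt + size) % MOD
        return seg

    def receive(self, seg: Segment):
        """Apply one incoming segment; return the reply segment, if any."""
        if self.state == "LISTEN" and seg.flags == "SYN":
            self.rcv_nxt = (seg.seq + 1) % MOD
            return Segment(self.name, seg.src, "SYN+ACK", seq=self.isn, ack=self.rcv_nxt)
        if self.state == "CLOSED" and seg.flags == "SYN+ACK":
            # The Reset slide: this host never opened a connection, so it answers with RST.
            return Segment(self.name, seg.src, "RST", seq=seg.ack)
        if self.state == "ESTABLISHED" and seg.flags == "ACK":
            if seg.seq != self.rcv_nxt:
                self.rejected += 1   # a blind spoofer's wrong guess lands here
                return None
            self.rcv_nxt = (self.rcv_nxt + seg.size) % MOD
            self.accepted += seg.size
        return None


def sequence_walkthrough():
    """Replay the slide's three segments; return their fields and the End SEQ values."""
    client, server = Endpoint("client", 1892), Endpoint("server", 15562)
    client.establish(server.isn)
    server.establish(client.isn)
    s1 = client.send("server", 50)   # 1. client transmits 50 bytes
    server.receive(s1)
    s2 = server.send("client", 25)   # 2. server ACKs and sends data (Size 25 on the slide)
    client.receive(s2)
    s3 = client.send("server", 0)    # 3. client ACKs, sends no data
    server.receive(s3)
    return {"segments": [(s.seq, s.ack, s.size) for s in (s1, s2, s3)],
            "client_end_seq": client.snd_nxt, "server_end_seq": server.snd_nxt}


def spoofed_syn_walkthrough():
    """The Reset slide: a SYN carrying Alice's address reaches Bob; Alice, who never asked, resets."""
    alice, bob = Endpoint("alice", 1000), Endpoint("bob", 2000, state="LISTEN")
    forged = Segment("alice", "bob", "SYN", seq=5000)   # really sent by Eve
    syn_ack = bob.receive(forged)                         # Bob replies to Alice, not to Eve
    rst = alice.receive(syn_ack)
    return [forged.flags, syn_ack.flags, rst.flags]


def blind_guess_walkthrough():
    """In-session: a segment with a guessed SEQ is dropped, the correct SEQ is accepted."""
    server = Endpoint("server", 15562)
    server.establish(1892)
    server.receive(Segment("client", "server", "ACK", seq=4242, ack=15562, size=10))
    server.receive(Segment("client", "server", "ACK", seq=1892, ack=15562, size=10))
    return server.rejected, server.accepted


if __name__ == "__main__":
    print(sequence_walkthrough())
    print(spoofed_syn_walkthrough())
    print(blind_guess_walkthrough())
```

The two defensive points of the deck are visible in the last two functions: the RST exists because Alice keeps her own connection state and refuses a handshake she did not start, and the `rejected` counter is why a spoofer who cannot see the traffic must predict `rcv_nxt` exactly, which is what unpredictable sequence numbers deny.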
