Sometimes on the internet, a girl named Alice is really a man named John
TCP/IP – in brief
IP Spoofing – Basic overview
IP Spoofing – Examples: Mitnick Attack, Session Hijack, DoS/DDoS Attack
Defending Against the Threat
Continuous Evolution
Conclusion
TCP/IP in 3 minutes or less
In general use the term describes the architecture upon which the Interweb is built. TCP and IP are specific protocols within that architecture.
The layered model, top to bottom: Application; Transport (TCP); Interweb (IP); Network Access; Physical.
IP is the internet layer protocol. IP addresses are used to express the source and destination, and IP assumes that each address is unique within the network. IP only does its best to move packets from a source address to a destination address; it does not guarantee delivery or ordering.
TCP is the transport layer protocol. It guarantees delivery and ordering, but relies upon IP to move packets to the proper destination. Port numbers are used to express the source and destination process; the destination port is assumed to be awaiting packets of data.
Example: a client using Mozilla talks to some web server. Application layer: the browser and the server. Transport layer: TCP – Port 80. Interweb layer: IP – 10.1
But what happens if someone is lying??
Lying about the source address lets an attacker assume a new identity.
IP Spoofing – Basic Overview
Basically, IP spoofing is lying about an IP address. Normally it is the source address that is incorrect: the attacker fills the source field with some other host's address, and nothing in IP checks it.
Because the source address is not the same as the attacker's address, any replies generated by the destination will not be sent to the attacker. The attacker must have an alternate way to spy on the traffic, or must predict the responses.
To maintain a connection, the attacker must still adhere to the protocol requirements of the layers above IP (for TCP: the correct sequence and acknowledgement numbers).
IP Spoofing – Basic Overview
Difficulties for the attacker:
TCP sequence numbers
One-way communication
Adherence to protocols for other layers
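The "lying about the source address" described above, as an added example that is not from the slides: build a spoofed IPv4/TCP SYN byte by byte, the way a spoofer's tool does, then parse it back the way a receiving stack does. The addresses, ports and sequence number are constructed (RFC 5737 documentation ranges). Actually sending the bytes would need a raw socket with IP_HDRINCL and administrator rights and is deliberately left out; the point is that every check a receiver can run on the packet passes.

```python
# Added example (not from the slides): build an IPv4/TCP SYN whose source
# address is a lie, then parse it as a receiver would. Both header checksums
# verify, because nothing in IP or TCP authenticates the source address.
# Addresses are constructed from the RFC 5737 documentation ranges.
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_spoofed_syn(src_ip, dst_ip, src_port, dst_port, seq, ttl=64):
    """Return raw IPv4 + TCP bytes for a SYN claiming to come from src_ip."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: 20 bytes, data offset 5 words, flags = SYN (0x02), window 65535
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                      (5 << 12) | 0x02, 65535, 0, 0)
    # The TCP checksum covers a pseudo-header that includes the (spoofed) source
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4, IHL 5, no options, DF set, checksum computed last
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     ttl, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(packet: bytes) -> dict:
    """Decode the fields a receiving stack looks at and verify both checksums.
    A checksum verifies when the one's-complement sum over the header,
    including the checksum field itself, comes out as zero."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp = packet[:ihl], packet[ihl:]
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, ip_hdr[9], len(tcp))
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "flags": off_flags & 0x1FF,
        "ip_csum_ok": inet_checksum(ip_hdr) == 0,
        "tcp_csum_ok": inet_checksum(pseudo + tcp) == 0,
    }


if __name__ == "__main__":
    # An attacker at some unrelated address claims to be 198.51.100.7
    pkt = build_spoofed_syn("198.51.100.7", "192.0.2.10", 40000, 80, seq=1000)
    print(parse_packet(pkt))
```

Run it and the parsed dict reports src 198.51.100.7 with both checksums valid. Flip any header byte and a checksum fails: the checksums protect against corruption in transit, not against a sender who computes them correctly over false fields.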
IP Spoofing – The Reset
1. SYN – "Let's have a conversation" (Attacker to Alice, with Bob's address as the source)
2. SYN ACK – "Sure, what do you want to talk about?" (Alice to Bob, since that is where the SYN claimed to come from)
3. RESET – "Umm.. I have no idea why you are talking to me" (Bob to Alice; Bob never sent a SYN, so his stack resets the half-open connection)
4. No connection – Attacker: "Guess I need to take Bob out of the picture…"
IP Spoofing – Mitnick Attack
Merry X-mas! Mitnick hacks a diskless workstation on December 25th, 1994. The victim – Tsutomu Shimomura. The attack – IP spoofing and abuse of the trust relationship between a diskless terminal and its login server.
1. Mitnick floods the server's login port so it can no longer respond.
2. Mitnick probes the workstation to determine the behaviour of its TCP sequence number generator.
3. Mitnick discovers that the TCP sequence number is incremented by 128000 for each new connection.
4. Mitnick forges a SYN from the server to the terminal.
5. The terminal responds with a SYN ACK to the server, which is ignored by the flooded port (and is not visible to Mitnick).
6. Mitnick fakes the ACK using the proper TCP sequence number, predicted from step 3.
7. Mitnick has now established a one-way communications channel.
Mitnick Attack – Why it worked
Mitnick abused the trust relationship between the server and the workstation. He flooded the server to prevent communication between it and the workstation. He used math skillz to determine the TCP sequence number algorithm (i.e. add 128000). This allowed Mitnick to open a connection without seeing the workstation's outgoing sequence numbers and without the server interrupting his attack with a RESET.
IP Spoofing – Session Hijack
IP spoofing used to eavesdrop on or take control of a session. The attacker is normally within a LAN or on the communication path between server and client, so the attack is not blind: the attacker can see traffic from both server and client.
1. Eve assumes a man-in-the-middle position through some mechanism. For example, Eve could use ARP poisoning, router hacking, social engineering etc.
2. Eve can monitor traffic between Alice and Bob without altering the packets or sequence numbers.
3. At any point, Eve can assume the identity of either Bob or Alice through the spoofed IP address. This breaks the pseudo connection, as Eve's injected segments advance the sequence numbers and the real peer's next segment no longer matches what the other side expects.
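The Mitnick attack and the session hijack above differ only in how the attacker gets the right sequence numbers: Mitnick had to predict them blind, Eve reads them off the wire. The following added example (not from the slides) is a toy TCP server that enforces only the sequence/ack check and replays both scenarios against it. The server, the "+128000" generator standing in for the 1994 workstation, the address-less probing and the injected commands are all constructed; real stacks have windows, retransmission and many more states.

```python
# Added example (not from the slides): a toy TCP server that enforces the
# sequence/ack check, used to replay a blind spoof (Mitnick) and an on-path
# hijack (Eve). Everything here is constructed for the demonstration.
import secrets

MASK = 0xFFFFFFFF


class Server:
    """One listener, simplified: no window, no retransmission, one connection
    at a time. A segment is accepted only when its numbers are the ones the
    server expects; that check is all a blind spoofer has to defeat."""

    def __init__(self, isn_generator):
        self.next_isn = isn_generator
        self.snd_isn = None        # ISN the server chose for this connection
        self.rcv_nxt = None        # next byte it expects from the client
        self.established = False
        self.received = b""

    def on_syn(self, client_isn):
        """Answer a SYN. The SYN-ACK goes to the packet's *source* address,
        so a spoofer never sees the 'seq' value returned here."""
        self.snd_isn = self.next_isn()
        self.rcv_nxt = (client_isn + 1) & MASK
        self.established = False
        self.received = b""
        return {"seq": self.snd_isn, "ack": self.rcv_nxt}

    def deliver(self, seq, ack, payload=b""):
        """Process a segment from the claimed client; True if accepted."""
        if not self.established:
            # third handshake step: must acknowledge the server's ISN + 1
            if ack != (self.snd_isn + 1) & MASK or seq != self.rcv_nxt:
                return False
            self.established = True
        elif seq != self.rcv_nxt:
            return False           # out of sequence: dropped
        self.received += payload
        self.rcv_nxt = (self.rcv_nxt + len(payload)) & MASK
        return True


def mitnick_era_isn():
    """ISN generator as the slides describe it: +128000 per connection."""
    state = {"isn": 0}

    def gen():
        state["isn"] = (state["isn"] + 128000) & MASK
        return state["isn"]
    return gen


def random_isn():
    """Unpredictable 32-bit ISN (what a modern stack approximates)."""
    return lambda: secrets.randbits(32)


def blind_spoof(isn_generator, payload=b"echo + + >> ~/.rhosts\n"):
    """Mitnick's position: he can send to the server, but the trusted host's
    replies never reach him. Returns True if the forged payload is accepted."""
    server = Server(isn_generator)
    # 1. Probe: open ordinary connections from the attacker's own address
    #    and note the ISNs handed out (these replies he does see).
    probes = [server.on_syn(client_isn=1)["seq"] for _ in range(3)]
    delta = (probes[2] - probes[1]) & MASK
    predicted = (probes[2] + delta) & MASK       # guess for the next ISN
    # 2. Spoofed SYN "from" the trusted host; the SYN-ACK goes there, not here.
    server.on_syn(client_isn=1000)
    # 3. Complete the handshake and send the command using the guess, blind.
    handshake = server.deliver(seq=1001, ack=(predicted + 1) & MASK)
    return handshake and server.deliver(seq=1001, ack=(predicted + 1) & MASK,
                                        payload=payload)


def on_path_hijack():
    """Eve's position: between Alice and the server, seeing every segment, so
    no prediction is needed. Returns (injection_accepted, alice_next_accepted)."""
    server = Server(random_isn())
    alice_isn = 777
    syn_ack = server.on_syn(alice_isn)              # Eve sniffs this
    alice_seq, alice_ack = alice_isn + 1, (syn_ack["seq"] + 1) & MASK
    server.deliver(alice_seq, alice_ack)            # Alice completes the handshake
    server.deliver(alice_seq, alice_ack, b"ls\n")   # and sends some data
    alice_seq += 3
    # Eve injects with the exact numbers she observed...
    injected = server.deliver(alice_seq, alice_ack, b"cat /etc/shadow\n")
    # ...which advances rcv_nxt, so Alice's own next segment is now out of
    # sequence and is dropped: the session is desynchronised.
    alice_next = server.deliver(alice_seq, alice_ack, b"exit\n")
    return injected, alice_next


if __name__ == "__main__":
    print("blind spoof, +128000 ISNs :", blind_spoof(mitnick_era_isn()))
    print("blind spoof, random ISNs  :", blind_spoof(random_isn()))
    print("on-path hijack (injected, Alice's next):", on_path_hijack())
```

Against the "+128000" generator the blind spoof goes through; against random ISNs the guess is wrong and the forged ACK is silently dropped, which is exactly the defence the later slide describes. The on-path case succeeds regardless of the generator, and the second value it returns shows the cost: once Eve has injected, the real client's next segment is rejected.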
IP Spoofing – DoS/DDoS
IP spoofing can be used to create DoS attacks. Denial of Service (DoS) and Distributed Denial of Service (DDoS) are attacks aimed at preventing clients from accessing a service.
Flood of requests from the attacker; server queue full, legitimate requests get dropped.
The attacker spoofs a large number of requests from various IP addresses to fill a service's queue. With the service's queue filled, legitimate users cannot use the service.
DDoS Attack
DoS becomes more dangerous if spread to multiple computers.
1. The attacker makes a large number of SYN connection requests to the target servers on behalf of a server that is already DoS'd (its address is the spoofed source).
2. The servers send SYN ACKs to the spoofed server, which cannot respond as it is already DoS'd. Queues quickly fill, as each half-open connection request has to go through a process of retransmitting several SYN ACKs before it times out.
Many other types of DDoS are possible.
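The queue-filling mechanism above, as an added example that is not from the slides: a discrete-time model of a listener's half-open connection queue under a SYN flood. The queue size, the SYN-ACK retransmission schedule and all the traffic are constructed values; the 1-2-4-8-16-32 second backoff has the shape of Linux's default of five SYN-ACK retransmissions but is not a measurement of any system.

```python
# Added example (not from the slides): a discrete-time model of a listener's
# half-open (SYN) queue under a spoofed SYN flood. All numbers constructed.
BACKLOG = 128                      # half-open entries the listener can hold
SYNACK_RETRIES = 5                 # retransmissions before the entry is dropped


def half_open_lifetime(retries=SYNACK_RETRIES):
    """Seconds a never-acknowledged entry stays queued: the SYN-ACK is sent,
    retransmitted with doubling backoff, then the entry is abandoned."""
    return sum(2 ** i for i in range(retries + 1))   # 1+2+4+8+16+32 = 63


def simulate_flood(flood_rate, flood_seconds, legit_times, hold_seconds,
                   backlog=BACKLOG):
    """Spoofed SYNs arrive at flood_rate per second for flood_seconds.
    Each occupies a backlog slot for hold_seconds (how long the stack keeps
    waiting for the ACK). Legitimate SYNs, whose owners answer at once,
    succeed only if a slot is free when they arrive.
    Returns (accepted_times, rejected_times) for the legitimate SYNs."""
    half_open = []                  # expiry time of each queued spoofed SYN
    accepted, rejected = [], []
    horizon = max([flood_seconds] + list(legit_times)) + 1
    for t in range(horizon):
        half_open = [exp for exp in half_open if exp > t]   # timeouts fire
        if t < flood_seconds:
            room = backlog - len(half_open)                 # excess SYNs are dropped
            half_open += [t + hold_seconds] * min(room, flood_rate)
        for lt in legit_times:
            if lt == t:
                (accepted if len(half_open) < backlog else rejected).append(lt)
    return accepted, rejected


if __name__ == "__main__":
    legit = list(range(0, 40, 5))            # one genuine SYN every 5 s
    spoofed = simulate_flood(50, 10, legit, half_open_lifetime())
    # If the attacker used its own address, its own stack would answer each
    # unexpected SYN-ACK with a RST and free the slot at once (hold time 0).
    real_src = simulate_flood(50, 10, legit, hold_seconds=0)
    print("spoofed, unreachable sources :", spoofed)
    print("attacker's own address       :", real_src)
```

With unreachable spoofed sources the queue is full after three seconds of a modest 50 SYN/s flood and stays full for the whole 63 second lifetime of each entry, long after the attacker has stopped; the same flood from the attacker's real address frees each slot as soon as the RST comes back. That asymmetry is why the spoofed source address matters to the flood and not just to the attacker's anonymity.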
IP Spoofing – Defending
IP spoofing can be defended against in a number of ways:
"Smart" routers can detect source IP addresses that are outside their domain: a packet arriving from the outside with an inside source address, or leaving with an outside source address, cannot be genuine and is dropped.
"Smart" servers can block IP ranges that appear to be conducting a DoS.
As mentioned, other protocols in the architectural model may reveal spoofing. TCP sequence numbers are often used in this manner: new generators for initial sequence numbers are a lot more complicated than "add 128000", which makes it difficult to guess the proper sequence numbers if the attacker is blind.
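The router check described above, as an added example that is not from the slides: a source-address filter for a border router with one Internet-facing ("wan") and one inside ("lan") interface. The site prefix 198.51.100.0/24, the bogon list and the sample packets are constructed; the interface names are hypothetical.

```python
# Added example (not from the slides): the address check a border router can
# apply to catch spoofed sources. Prefixes and packets are constructed;
# 198.51.100.0/24 plays the role of the site's own address block.
import ipaddress

SITE = ipaddress.ip_network("198.51.100.0/24")
# Blocks that must never appear as a source on the Internet-facing side
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def filter_packet(src_ip, interface):
    """Decide whether to forward a packet from its source address and the
    interface it arrived on ('wan' = from the Internet, 'lan' = from inside).
    Returns 'forward' or 'drop: <reason>'."""
    src = ipaddress.ip_address(src_ip)
    if interface == "wan":
        if src in SITE:                     # ingress filter: nobody outside is us
            return "drop: outside packet claims an inside source"
        if any(src in b for b in BOGONS):
            return "drop: bogon source"
        return "forward"
    if interface == "lan":
        if src not in SITE:                 # egress filter: our hosts cannot be anyone else
            return "drop: inside host claims an outside source"
        return "forward"
    raise ValueError("unknown interface %r" % interface)


def apply_filter(packets):
    """Run a batch of (src_ip, interface) pairs; returns a verdict per packet."""
    return [(src, iface, filter_packet(src, iface)) for src, iface in packets]


if __name__ == "__main__":
    # Constructed traffic: a genuine outside client, a forged SYN that claims
    # to come from the site's own login server, a private-range bogon, a
    # normal outbound packet, and a LAN host spoofing a stranger outward.
    for row in apply_filter([("203.0.113.9", "wan"), ("198.51.100.5", "wan"),
                             ("10.0.0.1", "wan"), ("198.51.100.5", "lan"),
                             ("203.0.113.77", "lan")]):
        print(row)
```

A forged SYN "from the server" in the Mitnick scenario would be caught by the first rule if it came in from the outside. The check does nothing about spoofing between hosts inside the same block, and the ingress half only protects you from networks whose operators apply the egress half, which is why the slides say the threat persists.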
IP Spoofing continues to evolve
IP spoofing is still possible today, but has to evolve in the face of growing security. A new issue of Phrack includes a method of using IP spoofing to perform remote scans and determine TCP sequence numbers. This allows a session hijack attack even if the attacker is blind.
Conclusion
IP spoofing is an old school hacker trick that continues to evolve. It can be used for a wide variety of purposes. It will continue to represent a threat as long as each layer continues to trust the others and people are willing to subvert that trust.