Download Spoofing Attacks

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
Document related concepts

PaX wikipedia , lookup

Distributed firewall wikipedia , lookup

Unix security wikipedia , lookup

Mobile security wikipedia , lookup

Deep packet inspection wikipedia , lookup

Address space layout randomization wikipedia , lookup

IDN homograph attack wikipedia , lookup

Denial-of-service attack wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
IP Spoofing Attack
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi
Outline
 Introduction
 IP address spoofing
 ICMP spoofing
 ARP spoofing
 DNS spoofing
 Email spoofing
 Defense mechanisms
IIT Indore © Neminath Hubballi
What is Spoofing
 Dictionary.com says –
“to communicate electronically under a fals
e identity”
 More conventional definition
 hoax or trick (someone)
 Ex. Caller ID spoofing was prevalent in
purchase scams
 Required specific equipment to accomplish
such spoofing
IIT Indore © Neminath Hubballi
Why Spoofing Works in Networks
 Computer networks are designed with trust





relationship
Design goal was get it working
Security was never a concern
Design was not intended for today’s use cases
We are best in reacting to situations
Spoofing is possible almost in every layer of
TCP/IP stack
IIT Indore © Neminath Hubballi
IP Address Spoofing
 IP spoofing is the creation of IP packets
using somebody else’s IP address as
source address of a IP packet
 Absence of state information makes IP
protocol vulnerable to spoofing
 Peer is not authenticated
IIT Indore © Neminath Hubballi
Normal Interaction
200.1.1.1
Source IP
Destination IP
200.1.1.1
100.1.1.1
Source IP
Destination IP
100.1.1.1
200.1.1.1
100.1.1.1
IIT Indore © Neminath Hubballi
Interaction Under Spoofing
Source IP
Destination IP
150.1.1.1
100.1.1.1
200.1.1.1
100.1.1.1
150.1.1.1
Source IP
Destination IP
100.1.1.1
150.1.1.1
IIT Indore © Neminath Hubballi
Interaction Under Spoofing
Source IP
Destination IP
150.1.1.2
100.1.1.1
200.1.1.1
When attacker
uses a non
existing IP
address as
source address
100.1.1.1
Source IP
Destination IP
100.1.1..1
150.1.1.2
I have no
way forward
IIT Indore © Neminath Hubballi
IP Address Spoofing
 By spoofing address attacker conceals
identity
 Make it appear that it has come from a
different source
 IP address spoofing is used in many cyber
attacks
 There are some legitimate use cases
 Website performance testing
 NAT
IIT Indore © Neminath Hubballi
Why Spoof IP Address
 For the same reason why thieves wear
black dress, helmet and do their work in
night
 IP address acts as a source of sender’s
identity
 Many systems keep logs of your activities
 IP address are part of logging
IIT Indore © Neminath Hubballi
Non Blind IP Spoofing
Atta
cker
10.0.0.2
10.0.0.1
10.0.0.3
Targe
t
10.0.0.4
10.0.0.7
10.0.0.15
10.0.0.6
when the attacker is on the same subnet
as the victim
SEQ and ACK can be sniffed
IIT Indore © Neminath Hubballi
Blind IP Spoofing
Target
Atta
cke
r
when the attacker is on the different subnet
perhaps different networks
SEQ and ACK can not be sniffed that
easily
IIT Indore © Neminath Hubballi
IP Address Spoofing in Reality
IIT Indore © Neminath Hubballi
IP Address Spoofing-Implications
 Many network services use host names or
address for identification and authentication
 Host wanting service prepare a message and
send it to a remote service. Receiver either
allows or disallows the service
 Many services are vulnerable to IP spoofing




RPC (http://seclists.org/bugtraq/1995/Jan/182 )
NFS
X window system
Any service using IP address as authentication
method
IIT Indore © Neminath Hubballi
IP Spoofing Derivative Attacks
 Man in the middle attack: Allows sniffing packets in between
 Routing redirect: Send a packet advertising a false better route to reach







a destination
Source routing: Insert attacker host in the list
 Strict: Packet has to traverse only through the addresses mentioned
 Loose: In addition to the list mentioned, packet can traverse
additional routers
Smurf attack: send ICMP packet to a broadcast address with spoofed
address
SYN flooding: Send too many TCP connections with spoofed source
address
Sequence number prediction
Session hijacking
Determining the state of firewall
 Stateful firewalls remember history
Denial of service
IIT Indore © Neminath Hubballi
How Easy it is to Spoof IP Address
 Little programming is enough !
 Raw socket programming in UNIX
 You will find examples of raw socket programs here
http://www.pdbuchan.com/rawsock/rawsock.html
 WinPacp in windows
 Several open source tools are available
 Hping – seems not actively maintained now
 Scapy – it does many things- packet manipulation,
capture, spoof etc.
IIT Indore © Neminath Hubballi
Defenses Against IP Address
Spoofing
 No complete solution exists
 Ingress filtering-drop packets coming from outside with
source IP addresses used inside network
 Egress filtering-any packet having source IP address not
in the network are dropped
 Avoiding trust relationship based on IP address
 Unicast Reverse Path Forwarding – discard IP packet
that lack verifiable IP source address
 Idea is simple a reverse path to the source IP address of an
incoming packet is using the same interface
 Strict- same interface
 Loose- if any path exists to the source its ok
IIT Indore © Neminath Hubballi
Defenses Against IP Address
Spoofing
 Anti-Spoofing with IP sourceguard
 Layer 2 security feature
 Restricts IP traffic on un-trusted layer 2 ports to achieve with an
IP address other than one assigned by DHCP/static assignment
 Encryption and authentication – IPSec may be an
answer
 Make ISN prediction difficult by having a perfect random
number generation
 RFC 1948 recommends ISN to be a function of Source
IP, Destination IP, Source Port, Destination Port and a
secrete key
 TCP Receiver window based prediction
 Set the window size to small
 Traceroute
 Measure TTL values
IIT Indore © Neminath Hubballi
Related documents
Botnets
Botnets
Intrusion Detection
Intrusion Detection
Introduction
Introduction
Operating System Security
Operating System Security
ip spoofing ppt pdf
ip spoofing ppt pdf
Detecting Spoofing and Anomalous Traffic in Wireless
Detecting Spoofing and Anomalous Traffic in Wireless
Alumni Lecture by Mr. Deepak Mohoni
Alumni Lecture by Mr. Deepak Mohoni
intra-industry trade between malaysia and singapore in sitc 7
intra-industry trade between malaysia and singapore in sitc 7
Normal Distribution
Normal Distribution
Bodh Raj Mehta is currently Professor of Physics at Indian Institute of
Bodh Raj Mehta is currently Professor of Physics at Indian Institute of
SYLLABUS Class – B.Com. V Sem.
SYLLABUS Class – B.Com. V Sem.
Artificial Intelligence: Introduction
Artificial Intelligence: Introduction