IP Spoofing Denial of Services
TRANSCRIPT
-
8/22/2019 IP Spoofing Denial of Services
-
AMIT PATEL
ALOK KUMAR DUBEY
CSE 3rd year
-
IP Spoofing is a technique used to gain unauthorized access to computers.
IP: Internet Protocol
Spoofing: using somebody else's information
Exploits the trust relationships
Intruder sends messages to a computer with an IP address of a trusted host.
-
WHAT IS IP-ADDRESSING
SPOOFING
IP SPOOFING-INTRODUCTION
HISTORY
BASIC CONCEPT
WHAT MAKES IP SPOOFING EASY FOR ATTACKERS
CLASSIFICATION OF IP SPOOFING
MISCONCEPTION OF IP SPOOFING
IMPACT
DETECTION
PREVENTION
-
IP-ADDRESSING
It stands for Internet Protocol addressing and resides in the network layer.
Each system attached to the Internet requires a 32-bit Internet address value.
The first part of the IP address identifies the network on which a host resides.
The second part identifies the particular host on the given network.
-
IP-ADDRESSING
[Continued]
IP-Address Classes
Class A Addresses - IP Range (0-127)
Class B Addresses - IP Range (128-191)
Class C Addresses - IP Range (192-223)
Class D Addresses - IP Range (224-239)
Class E Addresses - IP Range (240-255)
-
SPOOFING
A good-humored hoax
A light, amusing satire
In the context of Internet fraud, it refers to fooling the receiver by falsifying the address of the original sender.
-
IP SPOOFING-INTRODUCTION
IP address spoofing is the creation of IP packets using somebody else's IP source addresses.
This technique is used for obvious reasons and is employed in several of the attacks.
The first 12 bytes of the IP header contain various information about the packet. The next 8 bytes, however, contain the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses, specifically the source address field.
-
HISTORY
* The concept of IP spoofing was initially discussed in the 1980s. Robert Morris discovered a security weakness in the TCP protocol known as sequence prediction. Stephen Bellovin discussed the problem in depth in "Security Problems in the TCP/IP Protocol Suite".
* Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu Shimomura's machine, employed the IP spoofing and TCP sequence prediction techniques.
-
BASIC CONCEPT
Valid source IP address: illustrates a typical interaction between a workstation with a valid source IP address requesting web pages and the web server executing the requests.
When the workstation requests a page from the web server, the request contains both the workstation's IP address and the address of the web server executing the request.
The web server returns the web page using the source IP address specified in the request as the destination IP address, 192.168.0.5, and its own IP address as the source IP address, 10.0.0.23.
-
BASIC CONCEPT
VALID SOURCE IP-ADDRESS
-
BASIC CONCEPT
[Continued]
Spoofed source IP address: illustrates the interaction between a workstation requesting web pages using a spoofed source IP address and the web server executing the requests.
If a spoofed source IP address (i.e. 172.16.0.6) is used by the workstation, the web server executing the web page request will attempt to execute the request by sending information to the IP address of what it believes to be the originating system (i.e. the workstation at 172.16.0.6).
The system at the spoofed IP address will receive unsolicited connection attempts from the web server that it will simply discard.
-
BASIC CONCEPT
SPOOFED IP-ADDRESS
-
WHAT MAKES IP SPOOFING EASY FOR ATTACKERS
Problem with the routers.
Routers look at destination addresses only.
Authentication is based on source addresses only.
Changing the source address field in the IP header is easy.
-
CLASSIFICATION OF IP SPOOFING
BLIND SPOOFING
NON-BLIND SPOOFING
DENIAL OF SERVICE (SMURF ATTACK)
MAN IN THE MIDDLE
UDP ATTACK
TCP ATTACK
-
BLIND SPOOFING
* This attack may take place from outside, where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to sample sequence numbers.
* Using the spoofing to interfere with a connection (or to create one) that does not send packets along your cable.
-
BLIND SPOOFING
[Continued]
[Figure: sender and victim. Victim: "Oops, many packets are coming. But who is the real source?"]
-
NON-BLIND SPOOFING
* This attack takes place when the attacker is on the same subnet as the target and can see the sequence and acknowledgement numbers of packets.
* Using the spoofing to interfere with a connection that sends packets along your subnet.
-
NON-BLIND SPOOFING
[Continued]
[Figure: sender, victim and partner. Victim: "Oh, my partner sent me a packet. I'll process this."]
-
DENIAL OF SERVICE ATTACK
* In DoS, attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time.
* When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block traffic.
-
SMURF ATTACK
Send an ICMP ping packet with a spoofed IP source address to a LAN, which will broadcast it to all hosts on the LAN.
Each host will send a reply packet to the spoofed IP address, leading to denial of service.
This attack does not crash the victim, but consumes network bandwidth and system resources.
The victim fails to provide other services, and halts if it runs out of memory.
-
SMURF ATTACK
[REFLECTION]
[Figure: the sender sends an IP-spoofed packet (src: victim, dst: reflector) to the reflector. Victim: "Oops, a lot of replies without any request."]
-
MAN IN THE MIDDLE ATTACK
This is also called connection hijacking.
In these attacks, a malicious party intercepts a legitimate communication between two friendly parties.
The malicious host then controls the flow of communication and can eliminate or alter the information.
-
UDP ATTACK
UDP is an unreliable transport layer protocol. It relies on IP and is connectionless.
Its checksum is optional. Therefore, delivery, integrity, non-duplication and ordering are not guaranteed.
UDP traffic is more vulnerable to IP spoofing than TCP.
-
[Figure: trusted client, server and attacker. 1. Spoofed UDP request. 2. UDP reply from server.]
-
TCP ATTACK
It is hard to do IP spoofing on TCP.
The attack aims at impersonating another host, mostly during the TCP connection establishment phase.
It can be realized on specific operating systems.
-
TCP ATTACK
[Continued]
TCP is connection-oriented, and the TCP connection setup sequence number is hard to predict.
Therefore UDP traffic is more vulnerable to IP spoofing than TCP.
-
MISCONCEPTION OF IP SPOOFING
* A common misconception is that "IP Spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth.
* This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection.
* However, IP spoofing is an integral part of many network attacks that do not need to see responses.
-
IMPACT
Current intruder activity in spoofing source IP addresses can lead to unauthorized remote root access to systems behind a filtering-router firewall.
After gaining root access and taking over existing terminal and login connections, intruders can gain access to remote hosts.
-
DETECTION
1. If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack.
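The check from this slide, combined with the header layout described earlier (addresses in bytes 12 to 19), as an added Python example that is not part of the original slides. The local network 10.10.0.0/16, the interface labels and the sample headers are constructed for illustration.

```python
import ipaddress
import struct

LOCAL_NET = ipaddress.ip_network("10.10.0.0/16")  # assumed local domain


def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the header words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, proto: int = 1) -> bytes:
    """Build a constructed 20-byte IPv4 header (sample input only)."""
    first12 = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, proto, 0)
    addrs = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    hdr = first12 + addrs
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_addresses(header: bytes):
    """Return (src, dst) read from bytes 12-19, after basic sanity checks."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad header length")
    if checksum(header[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return (ipaddress.ip_address(header[12:16]),
            ipaddress.ip_address(header[16:20]))


def is_spoof_suspect(iface: str, header: bytes) -> bool:
    """Slide's rule: seen on the external interface, src and dst both local."""
    src, dst = parse_addresses(header)
    return iface == "external" and src in LOCAL_NET and dst in LOCAL_NET


# Constructed capture: (interface the packet arrived on, raw header)
CAPTURE = [
    ("external", build_header("203.0.113.9", "10.10.0.23")),  # normal inbound
    ("external", build_header("10.10.0.5", "10.10.0.23")),    # claims local src
    ("internal", build_header("10.10.0.5", "10.10.0.23")),    # real local traffic
]
```

The second header passes the checksum test like the others: the checksum protects against corruption only, so the decision has to come from where the packet was seen.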
-
DETECTION
[Continued]
2. Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access.
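The log comparison described on this slide, as an added Python example that is not part of the original slides. The host names, the record layout and the 30-second clock tolerance are assumptions; the records are constructed and do not follow any real accounting-log format.

```python
from datetime import datetime, timedelta

SKEW = timedelta(seconds=30)  # assumed tolerance for clock drift between hosts


def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed records (hypothetical layout).
# Victim "hostB": remote accesses it logged -> (time, apparent source, command)
INBOUND = [
    (t("2019-08-22 10:00:05"), "hostA", "rlogin"),
    (t("2019-08-22 10:40:00"), "hostA", "rsh"),
    (t("2019-08-22 11:15:30"), "hostC", "rlogin"),
]
# Apparent sources: commands they logged starting -> (time, destination, command)
OUTBOUND = {
    "hostA": [(t("2019-08-22 10:00:01"), "hostB", "rlogin")],
    # hostC's log was not collected
}


def classify(victim, inbound, outbound):
    """Label each remote access: 'matched', 'no-origin' or 'unverified'."""
    result = []
    for when, src, cmd in inbound:
        if src not in outbound:
            label = "unverified"      # no log available from the apparent source
        elif any(dst == victim and c == cmd and abs(when - ts) <= SKEW
                 for ts, dst, c in outbound[src]):
            label = "matched"         # the source really initiated the access
        else:
            label = "no-origin"       # the slide's indicator of spoofing
        result.append((src, cmd, label))
    return result
```

A missing log is reported separately from a log with no matching entry, because only the second case supports the conclusion drawn on the slide.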
-
PREVENTION
1- Avoid using source address authentication. Implement cryptographic authentication system-wide.
2- Configure your network to reject packets from the Net that claim to originate from a local address.
-
PREVENTION
[Continued]
3- Implement ingress and egress filtering on the border routers, and implement an ACL (access control list) that blocks private IP addresses on your downstream interface.
4- If you allow outside connections from trusted hosts, enable encryption sessions at the router.
-
PREVENTION
[Continued]
* If your vendor's router does not support filtering on the inbound side of the interface, or if there will be a delay in incorporating the feature into your system, you may filter the spoofed IP packets by using a second router between your external interface and your outside connection.
* Configure this router to block, on the outgoing interface connected to your original router, all packets that have a source address in your internal network.
-
PREVENTION [PACKET FILTERING]
[Figure: networks 10.10.10.0 and 10.10.0.0, with two filter rules]
if src_addr is from 10.10.0.0 then forward else drop
if src_addr is from 10.10.0.0 then drop else forward
-
PACKET FILTERING
[Continued]
In Linux, reverse-path packet filtering can be enabled on every interface using the following command:
* for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > "$f"; done
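How the reverse-path check behind `rp_filter` decides, as an added Python model (not code from the original slides or from the Linux kernel): strict mode (value 1) requires the best route back to the source to use the receiving interface, while loose mode (value 2, the value written above) only requires that some route to the source exists. The routing table, interface names and addresses are constructed.

```python
import ipaddress

# Constructed routing table: (prefix, outgoing interface). No default route.
ROUTES = [
    (ipaddress.ip_network("10.10.0.0/16"), "eth1"),     # internal network
    (ipaddress.ip_network("10.10.10.0/24"), "eth2"),    # more specific internal
    (ipaddress.ip_network("198.51.100.0/24"), "eth0"),  # reachable via outside
]


def best_route(addr):
    """Longest-prefix match; returns the interface, or None if unroutable."""
    matches = [(net.prefixlen, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches)[1] if matches else None


def rp_check(mode: int, in_iface: str, src: str) -> bool:
    """True = accept. mode 0 = no check, 1 = strict, 2 = loose."""
    if mode == 0:
        return True
    back = best_route(ipaddress.ip_address(src))
    if back is None:
        return False                # no route to the claimed source at all
    if mode == 2:
        return True                 # loose: any route is enough
    return back == in_iface         # strict: must be the reverse path


# Constructed arrivals: (receiving interface, claimed source address)
ARRIVALS = [
    ("eth0", "198.51.100.7"),   # genuine outside host
    ("eth0", "10.10.0.5"),      # outside packet claiming an internal source
    ("eth0", "192.0.2.1"),      # source with no route back
    ("eth2", "10.10.10.9"),     # genuine host on the /24
]


def verdicts(mode: int):
    """Accept/drop decision for every constructed arrival in the given mode."""
    return [rp_check(mode, ifc, src) for ifc, src in ARRIVALS]
```

In this model only strict mode drops the outside packet that claims an internal source; loose mode accepts it because a route to 10.10.0.0/16 exists.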
-
CONCLUSION
IP Spoofing is a problem without an easy solution, since it is inherent to the design of the TCP/IP suite.
Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.