Pages

Sunday, 18 May 2014

IP SPOOFING


IP SPOOFING
 

What is IP spoofing

IP spoofing is the creation of IP packets using somebody else’s IP source addresses.

This technique is used for obvious reasons and is employed in several of the attacks

discussed later. Examining the IP header, we can see that the first 12 bytes contain

various information about the packet. The next 8 bytes contains the source and

destination IP addresses. Using one of several tools, an attacker can easily modify these

addresses – specifically the “source address” field. A common misconception is that IP

spoofing can be used to hide our IP address while surfing the Internet, chatting online,

sending e-mail, and so on. This is generally not true. Forging the source IP address

causes the responses to be misdirected, meaning you cannot create a normal network

connection.

 
Valid source IP address, illustrates a typical interaction between a workstation with a

valid source IP address requesting web pages and the web server executing the

requests. When the workstation requests a page from the web server the request

contains both the workstation’s IP address (i.e. source IP address 192.168.0.5) and the

address of the web server executing the request (i.e. destination IP address 10.0.0.23).

The web server returns the web page using the source IP address specified in the

request as the destination IP address (192.168.0.59) and its own IP address as the

source IP address (10.0.0.23).



Spoofed source IP address illustrates the interaction between a workstation requesting

web pages using a spoofed source IP address and the web server executing the

requests. If a spoofed source IP address (i.e. 172.16.0.6) is used by the workstation, the

web server executing the web page request will attempt to execute the request by

sending information to the IP address of what it believes to be the originating system

(i.e. the workstation at 172.16.0.6). The system at the spoofed IP address will receive

unsolicited connection attempts from the web server that it will simply discard.

IP ROUTING MECHANISM AND PROBLEMS

The IP routing mechanism is hop by hop. Every IP packet is routed separately. The

route of a IP packet is decided by all the routers the packet goes through. IP address

spoofing is possible because routers only require inspection of the destination IP

address in the packet to make routing decisions. The source IP address is not required

by routers and an invalid source IP address will not affect the delivery of packets. That

address is only used by the destination machine when it responds back to the source.

IP ADDRESS SPOOFING

ASYMMETRIC ROUTING (SPLITTING ROUTING)

Asymmetric routing means traffic goes over different interfaces for directions in and out.

In other words, asymmetric routing is when the response to a packet follows a different

path from one host to another than the original packet did. The more correct and more

general answer is, for any source IP address ‚A’ and destination ‚B’, the path followed by

any packet (request or response) from ‚A’ to ‚B’ is different than the path taken by a

packet from ‚B’ to ‚A’.

IMPLEMENTATION OF ASYMMETRIC ROUTING

Modern operating systems allows us to receive packets from an input interface, different

from the output interface.

In Linux, we can implement asymmetric routing using iptables (linux 2.4):

iptables –A POSTROUTING –t nat –j SNAT –to 192.168.0.5 –o eth0

This means, for all the packets going out via eth0, their source IP address will be

changed to 192.168.0.5. We also have to „disable“ reverse path filtering:

echo “0” > /proc/sys/net/ipv4/conf/all/rp_filter

IP ADDRESS SPOOFING ATTACKS

BLIND IP SPOOFING

Usually the attacker does not have access to the reply, abuse trust relationship between

hosts. For example: Host C sends an IP packet with the address of some other host

(Host A) as the source address to Host B. Attacked host (B) replies to the legitimate host

(A).



MAN-IN-THE-MIDDLE ATTACKS

If an attacker controls a gateway that is in the delivery route, he can

sniff the traffic

intercept / block / delay traffic

modify traffic

 

This is not easy in the Internet because of hop-by-hop routing, unless you control one of

the backbone hosts or source routing is used. This can also be done combined with IP

source routing option. IP source routing is used to specify the route in the delivery of a

packet, which is independent of the normal delivery mechanisms. If the traffic can be

forced through specific routes (=specific hosts), and if the reverse route is used to reply

traffic, a host on the route can easily impersonate another host.

ATTACKS CONCERNING THE ROUTING PROTOCOLS

A host can send spoofed RIP packets in order to “inject” routes into a host. This is easy

to implement, it only requires IP/UDP spoofing. On a LAN with RIPv2 passwords have to

be used for updating routes, but plaintext passwords are used. The plaintext passwords

can be sniffed.

IP address spoofing attack with ICMP

ICMP is short for Internet Control Message Protocol, an extension to the Internet

Protocol (IP) defined by RFC 792. ICMP supportspackets containing error, control, and

informational messages. The PING command, for example, uses ICMP to test an

internet connection.

ICMP ECHO ATTACKS

Map the hosts of a network: The attack sends ICMP echo datagram to all the hosts in a

subnet, then he collects the replies and determines which hosts are alive.

Denial of service attack (SMURF attack): The attack sends spoofed (with victim‘s IP

address) ICMP Echo Requests to subnets, the victim will get ICMP Echo Replies from

every machine.

ICMP REDIRECT ATTACKS

ICMP redirect messages can be used to re-route traffic on specific routes or to a specific

host that is not a router at all.

The ICMP redirect attack is very simple: just send a spoofed ICMP redirect message

that appears to come from the host‘s default gateway.

For example: Host A sends a forged ICMP packet to host B, saying the route through A

is a better way to internet. The source IP address of this forged ICMP packet is the

gateway’s IP address C. Then all the traffic from B to internet will go through A.

ICMP DESTINATION UNREACHABLE ATTACKS

ICMP destination unreachable message is used by gateways to state that the datagram

cannot be delivered. It can be used to cut out nodes from the network. It is a denial of

service attack (DOS)

Example: An attacker injects many forged destination unreachable messages stating

that 100.100.100.100 is unreachable) into a subnet (e.g. 128.100.100.*). If someone

from the 128.100.100.* net tries to contact 100.100.100.100, he will immediately get an

ICMP Time Exceeded from the attacker‘s host. For 128.100.100.* this means that there

is no way to contact 100.100.100.100, and therefore communication fails.

UDP attacks

UDP is an unreliable transport layer protocol. It relies on IP, it is connectionless, and its

checksum is optional. Therefore, the delivery, integrity, non-duplication and ordering are

not guaranteed. It is easy to send a forged packet to the target. Compared with this,

TCP is connection oriented and the TCP connection setup sequence number is hard to

predicated, so it is hard to insert forged packet into the TCP connection. Therefore UDP

traffic is more vulnerable for IP spoofing than TCP.

TCP attacks

Although it is hard to do IP spoofing on TCP, it is still can be realized on the specific

operating system. The attack aims at impersonating another host mostly during the TCP

connection establishment phase. For example:

1) Node A trusts node B (e.g. login with no password)

2) Node C wants to impersonate B with respect to A in opening a TCP connection

3) C kills B (flooding, redirecting or crashing) firstly

4) C sends A an TCP segment in a spoofed IP packet with B‘s address as the source IP

and 11000 as the sequence number.

5) A replies with a TCP SYN/ACK segment to B with 54002 as the sequence number

6) C does not receive the segment from A to B, but in order to finish the handshake it

has to send an ACK segment with 54002+1 as the acknowledge number to A. C has to

guess or predicate the value of 54002.



Stopping IP address spoofing attack

PACKET FILTERING

The router that connects a network to another network is known as a border router. One

way to mitigate the threat of IP spoofing is by inspecting packets when they the leave

and enter a network looking for invalid source IP addresses. If this type of filtering were

performed on all border routers, IP address spoofing would be greatly reduced.

Outgoing filtering checks the source IP address of packets to ensure they come from a

valid IP address range within the internal network. When the router receives a packet

that contains an invalid source address, the packet is simply discarded and does not

leave the network boundary. Incoming filtering checks the source IP address of packets

that enter the network to ensure they do not come from sources that are not permitted to

access the network. At a minimum, all private, reserved, and internal IP addresses

should be discarded by the router and not allowed to enter the network.

LIMITS OF PACKET FILTERING

Packet filtering normally may not prevent a system from participating in an attack if the

spoofed IP address used could fall within the valid internal address range. However it

will simplify the process of tracing the packets, since the systems will have to use a

source IP address within the valid IP range of the network.

Instances where you might need to disable packet filtering include:

If you want to do asymmetric routing (accepting returning packets inbound an

interface other than the outbound interface).

If the box has multiple interfaces up on the same network.

If you are using special VPN interfaces to tunnel traffic (e.g. FreeS/WAN) Another

problem is that many ISPs do not have the technical ability to arrange packet

filtering to block packets with spoofed source addresses. Also, packet filtering

reduces equipment performance.

No comments:

Post a Comment