Spoofing Attacks

Description

  • This is an attack based on the creation of Internet Protocol (IP) packets with a forged IP source address. This forging makes the packet appear as if it was sent from a different machine.
  • This technique is very useful as part of certain other attacks, as a way of trying to disguise identity, and as a way to defeat portions of network security like IP address authentication.
  • Carrying out an IP spoofing attack can be difficult, because it often means the headers of thousands of packets must be modified, one packet at a time. This can’t usually be done on a computer that’s running Microsoft Windows.
  • To perform IP spoofing, the header of the packet must be modified. This header contains the following (among other data):
    • Source IP
    • Destination IP
    • Checksum value
    • Order value

  • When packets are transmitted across the Internet, they will most likely arrive at their destination out of order and must be reassembled using the order value.
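
The header fields listed above, as an added example that is not part of these notes: a parser for the fixed 20-byte IPv4 header, the RFC 1071 checksum, and a demonstration of the caveat the list leaves implicit. The checksum only detects corruption; anyone who rewrites the source address can recompute it, so a valid checksum says nothing about where a packet really came from. The sample header bytes are constructed for this example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class IPv4Header:
    version: int
    ihl: int              # header length in 32-bit words
    total_length: int
    identification: int
    flags: int
    fragment_offset: int  # the "order value" used to reassemble fragments
    ttl: int
    protocol: int
    checksum: int
    src: IPv4Address
    dst: IPv4Address


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, then complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(raw: bytes) -> IPv4Header:
    """Decode the fixed part of an IPv4 header (options, if any, are ignored)."""
    if len(raw) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (ver_ihl, _tos, total_length, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError(f"not an IPv4 header (version={version}, ihl={ihl})")
    return IPv4Header(version, ihl, total_length, ident,
                      flags_frag >> 13, flags_frag & 0x1FFF,
                      ttl, proto, csum, IPv4Address(src), IPv4Address(dst))


def header_checksum_valid(raw: bytes) -> bool:
    """With the checksum field included, the folded sum of an intact header is 0xFFFF,
    so its complement is zero."""
    ihl_bytes = (raw[0] & 0x0F) * 4
    return rfc1071_checksum(raw[:ihl_bytes]) == 0


def compute_header_checksum(raw: bytes) -> int:
    """Recompute the checksum with the checksum field (bytes 10-11) treated as zero."""
    ihl_bytes = (raw[0] & 0x0F) * 4
    zeroed = raw[:10] + b"\x00\x00" + raw[12:ihl_bytes]
    return rfc1071_checksum(zeroed)


def with_source(raw: bytes, new_src: str, recompute_checksum: bool = True) -> bytes:
    """Return a copy of the header carrying a different source address.
    Shows why the checksum is not an authenticity check: it is trivially recomputed."""
    out = bytearray(raw)
    out[12:16] = IPv4Address(new_src).packed
    if recompute_checksum:
        out[10:12] = struct.pack("!H", compute_header_checksum(bytes(out)))
    return bytes(out)


# Constructed sample: UDP (protocol 17) header, 192.168.0.1 -> 192.168.0.199, TTL 64, DF set.
SAMPLE_HEADER = bytes.fromhex("45000073" "00004000" "4011b861" "c0a80001" "c0a800c7")

if __name__ == "__main__":
    hdr = parse_ipv4_header(SAMPLE_HEADER)
    print(f"{hdr.src} -> {hdr.dst} proto={hdr.protocol} ttl={hdr.ttl} "
          f"checksum=0x{hdr.checksum:04x} valid={header_checksum_valid(SAMPLE_HEADER)}")
    forged = with_source(SAMPLE_HEADER, "10.0.0.1")
    print(f"rewritten source {parse_ipv4_header(forged).src}, "
          f"checksum still valid: {header_checksum_valid(forged)}")
```

The practical consequence for a defender is that nothing in the IP header itself can be trusted as proof of origin; only a filter that knows which sources are legitimate on a given link (ingress filtering), or cryptographic authentication above IP, can tell a forged source from a real one.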

  • When trust relationships exist between machines, these spoofing attacks can be especially effective. Some corporate networks make it a common practice to have trust relationships between various internal systems, so that a user can access other machines without a username or password as long as they are connecting from another machine on the internal network.
  • Because of this connection from another system, they are assumed to have been authenticated by that system.
  • By spoofing a connection from another machine in a trust relationship with the target, an attacker might be able to access the target machine without authenticating.

Nonblind Spoofing

  • To perform this type of spoofing attack, the attacker needs to be on the same subnet as the target. The attacker can then use a packet sniffer to view the sequence and acknowledgment numbers, which means that the attacker doesn't have to worry about calculating them accurately and correctly. The biggest threat of spoofing in this case is session hijacking.

Blind Spoofing

  • In this attack, the sequence and acknowledgment numbers are unreachable and unknown.
  • To try to provide a basis for guessing or calculating the sequence and acknowledgment numbers, several sample packets are sent to the target machine to obtain sample sequence numbers.
  • It was once a common practice to use simple methods to generate these sequence numbers, which also made them easy to guess and calculate.
  • Now, sequence numbers are typically the result of random number generation which makes it harder to predict the sequence.
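
To make the last two bullets concrete, an added example that is not from these notes: a model of the old predictable scheme (one global counter bumped by a fixed amount per connection) beside the RFC 6528 construction that replaced it, ISN = M + F(local address, local port, remote address, remote port, secret), plus the simple check an assessment would run over sampled ISNs. Assumptions: HMAC-SHA256 stands in for the RFC's MD5 example function, the 4-microsecond clock is simulated so results are reproducible, and the addresses and ports are constructed.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Callable, List, Optional, Sequence

MASK32 = 0xFFFFFFFF


class LegacyISNGenerator:
    """The old scheme: a single counter advanced by a fixed amount on every new
    connection (plus a slow clock, omitted here). Observing two ISNs reveals the next."""

    def __init__(self, start: int = 0, per_connection: int = 64000):
        self.counter = start
        self.step = per_connection

    def isn(self, local_ip: str, local_port: int, remote_ip: str, remote_port: int) -> int:
        self.counter = (self.counter + self.step) & MASK32
        return self.counter


class HashedISNGenerator:
    """RFC 6528 structure: ISN = M + F(4-tuple, secret) mod 2^32. M is a 4 µs clock;
    F is a keyed hash (assumption: HMAC-SHA256 here, the RFC's example uses MD5).
    Within one 4-tuple the ISN still advances with the clock, but the offset between
    different connections is unpredictable without the secret."""

    def __init__(self, secret: Optional[bytes] = None,
                 clock: Optional[Callable[[], int]] = None):
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.clock = clock or (lambda: int(time.monotonic() * 250_000))  # 250k ticks/s = 4 µs

    def isn(self, local_ip: str, local_port: int, remote_ip: str, remote_port: int) -> int:
        tuple_bytes = f"{local_ip}:{local_port}|{remote_ip}:{remote_port}".encode()
        digest = hmac.new(self.secret, tuple_bytes, hashlib.sha256).digest()
        offset = struct.unpack("!I", digest[:4])[0]
        return (self.clock() + offset) & MASK32


def constant_stride(isns: Sequence[int]) -> Optional[int]:
    """Assessment check: if every pair of successive ISNs differs by the same amount
    mod 2^32, return that stride (the sequence is trivially predictable); else None."""
    if len(isns) < 3:
        return None
    deltas = {(b - a) & MASK32 for a, b in zip(isns, isns[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def sample_isns(gen, n: int = 8, remote_ip: str = "198.51.100.7") -> List[int]:
    """Open n connections from successive local ports to one remote (constructed
    addresses) and collect the ISNs handed out, as an ISN quality check would."""
    return [gen.isn("192.0.2.10", 40000 + i, remote_ip, 80) for i in range(n)]


if __name__ == "__main__":
    print("legacy stride:", constant_stride(sample_isns(LegacyISNGenerator())))
    print("hashed stride:", constant_stride(sample_isns(HashedISNGenerator())))
```

The check is deliberately crude; real ISN-quality tests also look at the variance of the deltas and at dependence on the clock, but a constant stride is the failure mode the notes describe, and it is the one that made blind spoofing practical.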

Denial of Service Attack

  • IP spoofing is almost always a component of denial-of-service, or DoS, attacks. Because the goal of these attacks is to consume bandwidth or other resources, there is no need to worry about properly completing the handshake or transactions.
  • To consume these resources, the attacker wants to flood the victim with as many packets as possible and as quickly as possible.
  • To prolong the attack, the attacker will forge source IP addresses on these packets to make tracing and stopping the DoS as difficult as possible.
  • When multiple hosts are involved, and all of them are sending spoofed traffic, it can be very hard to block the traffic quickly. This tends to be a task where attackers use their army of bots.
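
The standard mitigation for the forged sources described in this section is ingress filtering (BCP 38): a router drops a packet whose source address could not legitimately have arrived on that interface. As an added example that is not from these notes, here is that logic run over constructed packet-capture summary lines. The interface names, prefixes and log format are assumptions made for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed policy: which source prefixes may legitimately appear on each inside interface.
INGRESS_POLICY = {
    "lan0": [ip_network("192.168.10.0/24")],
    "dmz0": [ip_network("203.0.113.0/27")],
}
WAN_IFACE = "wan0"

# Our own prefixes must never arrive from the Internet side ...
INTERNAL_PREFIXES = [p for prefixes in INGRESS_POLICY.values() for p in prefixes]
# ... and neither may sources that are not publicly routable (a subset of the usual bogon list).
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

LOG_RE = re.compile(r"iface=(?P<iface>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def classify(iface: str, src: str) -> str:
    """Decide whether a source address is plausible for the interface it arrived on.
    Returns 'pass' or a 'drop:<reason>' verdict."""
    try:
        addr = ip_address(src)
    except ValueError:
        return "drop:malformed-source"
    if iface in INGRESS_POLICY:
        # BCP 38 on inside interfaces: only that segment's own prefixes may leave it.
        if any(addr in p for p in INGRESS_POLICY[iface]):
            return "pass"
        return "drop:source-not-assigned-to-interface"
    if iface == WAN_IFACE:
        if any(addr in p for p in INTERNAL_PREFIXES):
            return "drop:internal-source-from-outside"
        if any(addr in p for p in BOGONS):
            return "drop:bogon-source"
        return "pass"
    return "drop:unknown-interface"


def filter_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every parsable line through classify(); unparsable lines are flagged, not dropped silently."""
    verdicts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            verdicts.append((line, "unparsed"))
            continue
        verdicts.append((line, classify(m["iface"], m["src"])))
    return verdicts


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count verdicts, the figure a flood investigation wants first."""
    return dict(Counter(v for _, v in filter_log(lines)))


# Constructed sample of capture summaries, not real traffic.
SAMPLE_LOG = [
    "iface=lan0 src=192.168.10.5 dst=198.51.100.20 proto=tcp dport=443",
    "iface=lan0 src=198.51.100.77 dst=198.51.100.20 proto=udp dport=53",  # forged source leaving the LAN
    "iface=dmz0 src=203.0.113.9 dst=192.0.2.33 proto=tcp dport=25",
    "iface=wan0 src=192.168.10.5 dst=203.0.113.9 proto=tcp dport=22",     # claims to be one of ours
    "iface=wan0 src=10.44.1.2 dst=203.0.113.9 proto=icmp",                # unroutable source
    "iface=wan0 src=198.51.100.77 dst=203.0.113.9 proto=tcp dport=443",
    "garbage line without fields",
]

if __name__ == "__main__":
    for line, verdict in filter_log(SAMPLE_LOG):
        print(f"{verdict:40s} {line}")
    print(summarize(SAMPLE_LOG))
```

Two things follow from this. The inside-interface rule is the one that matters for the wider Internet: it stops this network from being the source of spoofed flood traffic, which is why BCP 38 is framed as something every edge network deploys for everyone else's benefit. The outside-interface rule protects this network only against the crude case where forged packets claim local or unroutable sources; a flood that forges arbitrary public addresses passes it, which is the situation the bullets above describe.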

Anatomy of an Exploit

  • Nonblind Attack:
    • The attacker sets up a packet sniffer and collects the packet data from the system they are targeting to see what the pattern of sequence and acknowledgment numbers are.
    • If a pattern can be detected, the attacker can construct a packet that uses that pattern and spoofs the IP address they want to attack.

Real-World Examples

  • The most famous use of an IP spoofing attack is probably Kevin Mitnick's attack against Tsutomu Shimomura in December 2004. It's important to note, first, that IP spoofing was a component of this attack but not the sole vulnerability used.
  • The initial sign of this attack was some probes against various machines, apparently to see if there might be an exploitable trust relationship between these machines.
  • Then SYN flooding was used to make the first victim computer unable to respond to requests, while the attacking machine first probed for specific TCP behavior and sequencing. Then the spoofed IP address of the first victim computer was used to issue a SYN request to the second victim computer, and Mitnick eventually gained root access on the second victim computer.

Test Techniques

  • IP spoofing really isn’t a solvable problem on its own, but the use of encryption and decryption should be tested, as in some of the other attacks like man-in-the-middle or session hijacking.