IP spoofing involves disguising the source IP address of packets sent to a target system to make it appear the packets are coming from a trusted system. There are two main types of IP spoofing attacks - blind spoofing where the attacker cannot see acknowledgement packets, and non-blind where they can. Spoofing is commonly used for denial of service attacks by flooding a target with spoofed packets. It is difficult to detect spoofing, but methods include ingress/egress filtering, checking IP identification numbers, and analyzing flow control and packet retransmission patterns.
2. WHAT IS IP-SPOOFING?
IP -> Internet Protocol
Spoofing -> Hiding
It is a trick played on servers to fool the target computer into thinking that it is receiving data from a trusted host rather than from the real source.
This attack is actually a trust-relationship exploitation.
3. REAL LIFE EXAMPLE TO EXPLAIN WHAT IS IP SPOOFING
[Diagram: three people A, B and C. "B is on line." A is disguising his voice, making it sound more like that of B, while talking to C.]
If we now replace the 3 people by computers and change the term "voice" to "IP-Address", then you would know what we mean by IP-SPOOFING.
9. THE ATTACK
1. Non-blind spoofing:
This attack takes place when the attacker is on the same subnet as the target and can therefore see the sequence and acknowledgement numbers of the packets.
[Diagram: S and R perform the SYN, SYN/ACK, ACK handshake while attacker A, on the same subnet, observes it.]
10. 2. Blind spoofing
This attack may take place from outside, where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to figure out sequence numbers, which was easy to do in the past. Since most OSs implement random sequence number generation today, it has become more difficult to predict the sequence number accurately. If, however, the sequence number is compromised, data could be sent to the target.
11. 3. Denial of Service Attack:
IP spoofing is almost always used in denial of service attacks (DoS), in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time.
12. 4. Man in the Middle Attack
This is also called connection hijacking. In this attack, a malicious party intercepts a legitimate communication between two hosts to control the flow of communication and to eliminate or alter the information sent by one of the original participants without their knowledge.
[Diagram: S and R communicate, with attacker A placed between them.]
13. WHY IS IP SPOOFING EASY?
• Problem with the routers.
• Routers look at destination addresses only.
• Authentication is based on source addresses only.
• Changing the source address field in the IP header is easy.
14. DETECTION
Routing Methods
• Ingress filtering
• Egress filtering
Non-Routing Methods
• IP Identification Number
• Flow Control
• Packet Retransmission
• Traceroute
15. Routing Method
Routers know which network interface packets from a given IP address range should arrive on. If a router receives IP packets with external source addresses on an internal interface, or vice versa, they are likely to be spoofed.
Filtering:
• Ingress filtering (inbound packets) - protects the organisation from outside attacks.
• Egress filtering (outbound packets) - prevents internal computers from being involved in a spoofing attack.
16. Non-Routing
Active - the method verifies that the packet was actually sent from the claimed source.
Passive - no such action is taken; the method only indicates that a packet was spoofed.
17. Identification Number (ID)
Detects IP spoofed packets when the attacker is on the same subnet as the target.
[Diagram: S sends a packet to R; R compares ID values.]
Detection is as follows:
• Send a packet to the claimed source and compare the ID value of its reply with the ID values of the questionable packets.
• The ID value should be near the ID values of the questionable packets.
• The ID value must be greater than the ID value in the questionable packet.
• If the packet is spoofed, the ID values change rapidly instead of following this pattern.
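The ID check above, written out as an added example (this is not code from the slides). A host that increments its IP ID once per packet will answer a probe sent right after the questionable packets with an ID that is slightly larger than theirs; the tolerance `MAX_ID_GAP`, the function names and all ID values are this example's own assumptions, and no packets are sent.

```python
# Added example (not from the slides): the IP identification (ID) check.
# A host that increments its IP ID once per packet will answer a probe sent
# right after the questionable packets with an ID that is slightly larger
# than theirs. All IDs below are constructed sample values; no packets are sent.

ID_MODULUS = 1 << 16   # the IP identification field is 16 bits wide
MAX_ID_GAP = 50        # assumed tolerance for "near"; tune per host and traffic level


def id_distance(later: int, earlier: int) -> int:
    """Forward distance from `earlier` to `later`, allowing the 16-bit counter to wrap."""
    return (later - earlier) % ID_MODULUS


def is_consistent(questionable_id: int, probe_reply_id: int, max_gap: int = MAX_ID_GAP) -> bool:
    """True when the probe reply ID is greater than, and near, the questionable ID."""
    gap = id_distance(probe_reply_id, questionable_id)
    return 0 < gap <= max_gap


def ids_look_sequential(ids, max_gap: int = MAX_ID_GAP) -> bool:
    """A genuine sender's IDs rise in small steps; spoofed ones change rapidly."""
    return all(0 < id_distance(b, a) <= max_gap for a, b in zip(ids, ids[1:]))


def classify(questionable_ids, probe_reply_id: int, max_gap: int = MAX_ID_GAP) -> str:
    """Verdict for a burst of packets that all claim the same source address.

    `probe_reply_id` is the IP ID seen in the claimed source's reply to our probe.
    """
    if not ids_look_sequential(questionable_ids, max_gap):
        return "likely-spoofed"          # IDs jump around: not one host's counter
    verdicts = [is_consistent(q, probe_reply_id, max_gap) for q in questionable_ids]
    if all(verdicts):
        return "consistent"
    if not any(verdicts):
        return "likely-spoofed"          # the real host's counter is nowhere near
    return "inconclusive"
```

The check only works against hosts that use a global, incrementing IP ID counter; hosts that randomise the ID field or send a zero ID on non-fragmented packets give no usable signal, so treat "inconclusive" as exactly that.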
18. Flow Control
[Diagram: S sends packets to R; R replies with ACKs; the window size W.s. is exceeded.]
• If the packets are spoofed, the sender receives none of the recipient's ACK packets and will not respond to flow control.
• If the recipient sends no ACK packets, the sender should stop after the initial window size is exhausted.
19. Contd..
[Diagram: S sends SYN; R replies with ACK and w=0; S keeps sending.]
Another way to detect IP spoofing:
• We set W=0 in order to know whether the sender is receiving our replies or not.
• If W=0 and we still get an ACK carrying some data, it is likely to be spoofed.
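Both flow-control signals from slides 18 and 19 in one added example (not code from the slides): a receiver-side bookkeeping object that flags a sender which keeps sending past its initial window although we never acknowledged anything, and a sender which delivers data after we advertised a zero window. The class and method names and all byte counts are this example's assumptions; nothing is sent on the wire.

```python
# Added example (not from the slides): receiver-side flow-control checks.
# Two signals are modelled: a sender that keeps sending after its initial
# window is exhausted although we never acknowledged anything, and a sender
# that delivers data after we advertised a zero window. Either means the
# sender is not reacting to our replies, which is what a blind spoofer
# looks like. The byte counts are constructed; nothing is sent on the wire.
from dataclasses import dataclass, field


@dataclass
class Conversation:
    initial_window: int            # bytes the sender may have in flight before any ACK
    advertised_window: int         # window we most recently advertised to the sender
    acked_bytes: int = 0           # highest byte we have acknowledged
    received_bytes: int = 0        # data bytes seen from the sender so far
    flags: list = field(default_factory=list)   # detection flags raised so far

    def acknowledge(self, up_to: int) -> None:
        """Record that we sent an ACK covering all data up to `up_to`."""
        self.acked_bytes = max(self.acked_bytes, up_to)

    def advertise_window(self, size: int) -> None:
        """Record the window size we put in our last reply (0 for the zero-window test)."""
        self.advertised_window = size

    def on_data(self, nbytes: int) -> str:
        """Account for one data segment and return a verdict for it."""
        self.received_bytes += nbytes
        in_flight = self.received_bytes - self.acked_bytes
        if self.advertised_window == 0 and nbytes > 0:
            # Slide 19: we set W=0; data still arrives, so the sender never saw it.
            self.flags.append("data-despite-zero-window")
            return "likely-spoofed"
        # Slide 18: with no ACKs from us, the sender must stop at its initial window;
        # afterwards it must stay within what we advertised.
        limit = self.initial_window if self.acked_bytes == 0 else self.advertised_window
        if in_flight > limit:
            self.flags.append("window-exceeded")
            return "likely-spoofed"
        return "ok"


def blind_sender_demo() -> list:
    """Constructed scenario: a sender that ignores every reply we make."""
    conv = Conversation(initial_window=4096, advertised_window=4096)
    conv.on_data(2000)           # ok, 2000 bytes in flight
    conv.on_data(2000)           # ok, 4000 in flight, still within the initial window
    conv.on_data(1000)           # 5000 in flight with no ACK ever sent: flagged
    conv.acknowledge(5000)       # now acknowledge everything and close the window
    conv.advertise_window(0)
    conv.on_data(500)            # data despite W=0: flagged
    return conv.flags
```

A legitimate TCP stack facing a zero window sends one-byte window probes, so in practice the zero-window rule should tolerate tiny probe segments and only fire on full-size data.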
20. Packet Retransmission
[Diagram: S and R exchange ACK, resync ACK and RST.]
TCP uses sequence numbers to determine which packets have been received and acknowledged.
Method to detect:
• When a packet is received with an ACK number less than the minimum expected or greater than the maximum expected, the packet is dropped and, as a way to resynchronise the connection, a reply with the minimum expected ACK number is sent.
• If, after this ACK is received successfully, the next reply sent back is an RST, the packet was spoofed.
21. Contd..
FIREWALL
The firewall captures the reply and prevents the internal host from seeing it, which prevents an ACK storm.
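The ACK-range check, the resync reply and the RST verdict from slide 20, with the firewall's ACK-storm protection from slide 21 modelled as a "one resync reply per flow" rule, as an added example (not code from the slides). The `Flow` fields, the function names and the sequence numbers are this example's assumptions; no packets are sent.

```python
# Added example (not from the slides): the ACK-number range check with a
# one-shot resynchronisation reply and the RST verdict. The firewall role
# from slide 21 is modelled by the "one reply per flow" rule, so a spoofer
# cannot provoke an ACK storm. Sequence numbers are constructed; no packets
# are sent. Field names such as `min_expected_ack` are this example's own.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    min_expected_ack: int      # oldest byte of ours still unacknowledged
    max_expected_ack: int      # min_expected_ack plus everything we have in flight
    resync_sent: bool = False  # we already answered an out-of-range ACK once
    verdict: str = "unknown"


def ack_in_range(flow: Flow, ack: int) -> bool:
    """Slide 20: an ACK below the minimum or above the maximum expected is suspect."""
    return flow.min_expected_ack <= ack <= flow.max_expected_ack


def handle_segment(flow: Flow, ack: int, flags: str) -> Optional[dict]:
    """Process one segment claiming to come from the peer.

    Returns the reply we would send back to the claimed source, or None when we
    drop the segment silently (either it is fine, or we already asked for a resync).
    """
    if flags == "RST":
        if flow.resync_sent:
            # The claimed source has no such connection: the earlier segment was spoofed.
            flow.verdict = "spoofed"
        return None
    if ack_in_range(flow, ack):
        if flow.resync_sent:
            flow.verdict = "genuine"       # the real peer picked up our resync
            flow.resync_sent = False
        return None
    if flow.resync_sent:
        return None                        # firewall rule: one resync reply per flow
    flow.resync_sent = True
    return {"flags": "ACK", "ack": flow.min_expected_ack}   # drop it, ask peer to resync


def spoofed_flow_demo() -> str:
    """Constructed exchange where the claimed source answers our resync with RST."""
    flow = Flow(min_expected_ack=1000, max_expected_ack=2000)
    handle_segment(flow, 5000, "ACK")   # out of range: we reply with ack=1000
    handle_segment(flow, 5001, "ACK")   # more of the same: dropped, no second reply
    handle_segment(flow, 0, "RST")      # claimed source resets: it had no connection
    return flow.verdict
```

The single-reply rule is what keeps a flood of out-of-range ACKs from turning into a storm of our own replies; without it every spoofed segment would earn a resync reply to the claimed source.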
22. Traceroute
Traceroute tells the number of hops to the true source.
Detection is as follows:
• If the firewall blocks UDP packets, it will count the hops to the firewall.
• If the packet is spoofed, the number of hops increases (the monitored site is more hops away than the true source).
24. PREVENTIVE MEASURES
1. Packet Filtering
2. Firewall
3. Disable commands like Ping.
4. Encryption
25. Should an arriving packet be allowed in? Should a departing packet be let out?
[Diagram: internal network connected to the Internet through a router.]
The router filters packet by packet; the decision to forward or drop a packet is based on:
-- Source IP address, destination IP address.
-- TCP SYN and ACK bits.
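A packet-by-packet filter in the spirit of slides 15 and 25, as an added example (not code from the slides): ingress and egress filtering decided by the interface the packet arrived on, plus a TCP SYN/ACK bit rule. The internal prefix, the interface names, the "no inbound SYN-only segment" policy and the function names are this example's assumptions; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges used as constructed sample addresses.

```python
# Added example (not from the slides): a packet-by-packet filter in the
# spirit of slides 15 and 25. It applies ingress/egress filtering by the
# interface the packet arrived on and a TCP SYN/ACK bit rule. The internal
# prefix, the interface names and the "no inbound SYN-only" policy are this
# example's assumptions; 192.0.2.0/24 and 198.51.100.0/24 are documentation
# ranges used as constructed sample addresses.
import ipaddress
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed internal prefix


@dataclass
class Packet:
    src: str
    dst: str
    arrived_on: str        # "external" (from the Internet) or "internal" (from the LAN)
    syn: bool = False
    ack: bool = False


def is_internal(addr: str) -> bool:
    """True when the address belongs to one of our internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def decide(pkt: Packet) -> tuple:
    """Return (action, reason) for one packet, where action is 'forward' or 'drop'."""
    if pkt.arrived_on == "external":
        # Ingress filtering: the outside may never claim one of our addresses.
        if is_internal(pkt.src):
            return "drop", "ingress: internal source address arriving from outside"
        if not is_internal(pkt.dst):
            return "drop", "ingress: destination is not one of ours"
        # SYN/ACK bits: a SYN without ACK is a new connection attempt from outside.
        if pkt.syn and not pkt.ack:
            return "drop", "ingress: inbound SYN without ACK"
        return "forward", "ingress: allowed"
    if pkt.arrived_on == "internal":
        # Egress filtering: our hosts may not send with a foreign source address.
        if not is_internal(pkt.src):
            return "drop", "egress: non-internal source address leaving the network"
        return "forward", "egress: allowed"
    return "drop", "unknown interface"


def filter_batch(packets) -> list:
    """Apply the policy to a list of packets, returning the actions in order."""
    return [decide(p)[0] for p in packets]
```

The SYN/ACK rule is the stateless approximation of "only connections started from inside": replies to our own connections carry ACK, while a fresh SYN from outside does not, so it is refused without the router keeping any connection state.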
26. [Cartoon] "Our network is secure, right?" "Oh sure, don't worry. We have several firewalls."
27. CONCLUSION
IP-Spoofing is an exploitation of a trust-based relationship and can be curbed effectively if proper measures are used. Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect networks from these malicious cloaking and cracking techniques.