
Department of ECE

1. INTRODUCTION

IP spoofing is a technique used to gain unauthorized access to computers, whereby the
intruder sends messages to a computer with an IP address indicating that the message is
coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of
techniques to find an IP address of a trusted host and then modify the packet headers so
that it appears that the packets are coming from that host.

After the occurrence of the infamous Internet Worm, IP spoofing has been identified as a
real risk to the Internet and computer network community. Since then, the Internet has
suffered a huge number of large-scale attacks. There are many variants of IP spoofing
used in an attack. In this paper, we aim to examine the attack methods, and to identify
counter-measures.

IP spoofing is an attack that is unavoidable. The attack exploits trust relationships in a
world in which everything wants to be connected to everything else. If a system is connected to
the Internet and provides services, it is vulnerable to the attack. By studying the attack
methods, we learn how IP spoofing works and can then identify the weaknesses of a
system. By examining the counter-measures, we learn what we need to do for defense,
and what we do not need to have, in terms of services and applications. By implementing
the counter-measures described in this paper, an administrator can keep the risk of being
attacked low. It should be remembered that there is no foolproof mechanism to prevent this
kind of attack; thus, even a low risk provides a considerable level of network security.

Figure 1 (Valid source IP address) illustrates a typical interaction between a workstation
with a valid source IP address requesting web pages and the web server executing the
requests. When the workstation requests a page from the web server, the request contains
both the workstation's IP address (i.e. source IP address 192.168.0.5) and the address of
the web server executing the request (i.e. destination IP address 10.0.0.23). The web
server returns the web page using the source IP address specified in the request as the
destination IP address, 192.168.0.5, and its own IP address as the source IP address,
10.0.0.23.

Jagannath Gupta Institute of Engineering & Technology



Figure 1: Valid source IP address

Figure 2 illustrates the interaction between a workstation requesting web pages using a
spoofed source IP address and the web server executing the requests. If a spoofed source
IP address (i.e. 172.16.0.6) is used by the workstation, the web server executing the web
page request will attempt to execute the request by sending information to the IP address
of what it believes to be the originating system (i.e. the workstation at 172.16.0.6). The
system at the spoofed IP address will receive unsolicited connection attempts from the web
server, which it will simply discard.


Figure 2: Spoofed source IP address

2. ATTACK WITH IP-SPOOFING

2.1 Background
IP is the connectionless, unreliable network protocol in the TCP/IP suite. It has two 32-bit
header fields to hold address information. IP's job is to route packets around the network. It
provides no mechanism for reliability or accountability. IP simply sends out the data and
hopes they make it intact. If they don't, IP can try to send an ICMP (Internet Control
Message Protocol) error message back to the source, however this packet can get lost as
well. IP has no means to guarantee delivery. Since IP is connectionless, it does not
maintain any connection state information. The fact that it is easy to modify the IP stack to
allow an arbitrarily chosen IP address in the source (and destination) fields makes IP
vulnerable to attacks.

TCP is the connection-oriented, reliable transport protocol in the TCP/IP suite. Connection-
oriented means the two hosts participating in a discussion must first establish a connection
before data may change hands. A three-way handshake is used to establish a connection:

A -> B: SYN; my number is X

B -> A: ACK; now X+1
        SYN; my number is Y

A -> B: ACK; now Y+1



Figure: TCP/IP handshake

Reliability is provided in a number of ways; here we are only concerned with data
sequencing and acknowledgement. TCP is layered on top of IP and provides virtual circuits
by splitting up the data stream into IP packets and reassembling them at the far end. TCP
assigns sequence numbers to every segment and acknowledges all data segments
received from the other end. Both hosts use this number for error checking and reporting.

2.2 IP spoofing

IP spoofing uses the idea of trust relationships. The attack is a "blind" one, meaning the
attacker will be assuming the identity of a "trusted" host. From the perspective of the target
host, it is simply carrying on a "normal" conversation with a trusted host. In reality, the host
is conversing with an attacker who is busy forging IP packets. The data that the target
sends back (destined for the trusted host) will go to the trusted host, so the attacker
never "sees" it. To prevent disruption from the trusted host, the attacker has to disable it
with a denial-of-service (DoS) attack so that it will not respond to the target's replies. The
attacker must guess what the target sends and the type of response the server is looking
for. By trial communication with the target, the attacker can predict the initial sequence
number (ISN) in the target's response. He then does not need to actually "see" the
response. This allows him to work "blind" and manipulate the system.

IP spoofing, as shown in the figure below, consists of these steps:

• Selecting a target host (the victim).

• Identifying a host that has a "trust" relationship with the target. This can be
accomplished by looking at the traffic of the target host. There cannot be an attack if the
target does not trust anyone.

• The trusted host is then disabled using SYN flooding (see the SYN flood figure) and the
target's TCP sequence numbers are sampled.

• The trusted host is impersonated and the sequence number forged. This is difficult, as
the attacker has to find out the target's ISN and the round trip time between the target
and the attacker's host.

• A connection attempt is made to a service that only requires address-based
authentication (no user id or password).

• If a successful connection is made, the attacker executes a simple command to leave a
backdoor. This allows for simple re-entries in a non-interactive way for the attacker.

Figure: A typical IP spoofing attack


Figure: SYN flood attack

2.3 IP routing mechanism and problems

Figure 3: IP Routing mechanism

IP routing is hop by hop. Every IP packet is routed separately. The route of an IP packet is
decided by all the routers the packet goes through. IP address spoofing is possible
because routers only need to inspect the destination IP address in the packet to make
routing decisions. The source IP address is not required by routers, and an invalid source IP
address will not affect the delivery of packets.

That address is only used by the destination machine when it responds back to the source.


3. IP ADDRESS SPOOFING & APPLICATIONS

3.1 Asymmetric routing (Splitting routing)

Asymmetric routing means traffic goes over different interfaces for directions in and out. In
other words, asymmetric routing is when the response to a packet follows a different path
from one host to another than the original packet did. The more correct and more general
answer is, for any source IP address 'A' and destination 'B', the path followed by any packet
(request or response) from 'A' to 'B' is different than the path taken by a packet from 'B' to
'A'.

3.2 NAT

NAT is network address translation.

Normally, packets on a network travel from their source to their destination through many
different links. None of these links really alter your packet, they just send it onward.

If one of these links were to do NAT, then they would alter the source or destinations of the
packet as it passes through. Usually the link doing NAT will remember how it mangled a
packet, and when a reply packet passes through the other way, it will do the reverse
mangling on that reply packet, so everything works.

NAT has several applications:

• Modem Connections To The Internet

Most ISPs give you a single IP address when you dial up to them. You can send out
packets with any source address you want, but only replies to packets with this source IP
address will return to you. If you want multiple machines to connect to the Internet through
this one link, you'll need NAT.

• Multiple Servers

Sometimes you want to change where packets heading into your network will go.
Frequently this is because (as above) you have only one IP address, but you want people
to be able to get into the boxes behind the one with the `real' IP address. If you rewrite the
destination of incoming packets, you can manage this. This type of NAT was called port-
forwarding. A common variation of this is load-sharing, where the mapping ranges over a
set of machines, fanning packets out to them.

• Transparent Proxying

Sometimes you want to pretend that each packet which passes through your Linux box is
destined for a program on the Linux box itself. This is used to make transparent proxies: a
proxy is a program which stands between your network and the outside world, shuffling
communication between the two. The transparent part is because your network won't even
know it's talking to a proxy, unless of course, the proxy doesn't work.

NAT has two different types: Source NAT (SNAT) and Destination NAT (DNAT).

Source NAT is when you alter the source address of the first packet: i.e. you are changing
where the connection is coming from. Source NAT is always done post-routing, just before
the packet goes out onto the wire. Masquerading is a specialized form of SNAT.

Destination NAT is when you alter the destination address of the first packet: i.e. you are
changing where the connection is going to. Destination NAT is always done before routing,
when the packet first comes off the wire. Port forwarding, load sharing, and transparent
proxying are all forms of DNAT.


3.3 IP Masquerade

IP Masquerade is a specific form of Network Address Translation (NAT) which allows
internally connected computers that do not have registered Internet IP addresses to
communicate to the Internet via the Linux server's Internet IP address. IP masquerading
lets you use a single Internet-connected computer running Linux with a real IP address as a
gateway for non-connected machines with "fake" IP addresses. The Linux box with a real
address handles mapping packets from your intranet out to the Internet, and when
responses come back, it maps them back to your intranet. This lets you browse the web
and use other Internet functions from multiple machines without having a special network
setup from your ISP.

IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT
(Network Address Translation) servers found in many commercial firewalls and network
routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc.,
the IP Masquerade feature allows other "internal" computers connected to this Linux box
(via PPP, Ethernet, etc.) to also reach the Internet as well. Linux IP Masquerading allows
for this functionality even though these internal machines don't have an officially assigned
IP address.

IP masquerading is different from NAT. While IP masquerading implements a specific
many-to-one NAT, IP NAT allows complex many-to-many translations. For a static real IP
address we use NAT, while for a dynamic real IP address (via PPP) we use IP
masquerading.
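The behaviour described in sections 3.2 and 3.3, a gateway that "remembers how it mangled a packet" and undoes the mangling on the reply, can be modelled in a few dozen lines. The following is an added example, not code from the report or from the Linux NAT implementation; the public address 203.0.113.10, the internal range 192.168.0.0/24, the port allocation scheme and the port-forward table are constructed values.

```python
"""Connection-tracking NAT model: source NAT (masquerading) on the way out,
destination NAT (port forwarding) on the way in, and the reverse translation
of replies that makes both work.

Added example, not code from the report or from Linux. The public address
203.0.113.10, the internal range 192.168.0.0/24, the port allocation and the
port-forward table are constructed."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Nat:
    def __init__(self, public_ip, internal_net, port_forwards=None):
        self.public_ip = public_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        # (proto, public port) -> (internal host, internal port)
        self.port_forwards = dict(port_forwards or {})
        self.next_port = 40000
        self.snat = {}      # (proto, in src, in sport, dst, dport) -> public port
        self.snat_rev = {}  # (proto, public port, dst, dport) -> (in src, in sport)
        self.dnat_rev = {}  # (proto, in host, in port, ext src, ext sport) -> public port

    def _internal(self, ip):
        return ipaddress.ip_address(ip) in self.internal_net

    def outbound(self, pkt):
        """Post-routing step for a packet leaving on the Internet side."""
        if not self._internal(pkt.src):
            return pkt
        pub_port = self.dnat_rev.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if pub_port is not None:            # reply from a port-forwarded server
            return replace(pkt, src=self.public_ip, sport=pub_port)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = self.snat.get(key)
        if pub_port is None:                # new flow: remember how it was mangled
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.snat[key] = pub_port
            self.snat_rev[(pkt.proto, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt):
        """Pre-routing step for a packet arriving from the Internet; None = dropped."""
        if pkt.dst != self.public_ip:
            return None
        rev = self.snat_rev.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if rev is not None:                 # reply to a masqueraded flow
            return replace(pkt, dst=rev[0], dport=rev[1])
        fwd = self.port_forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:                 # new flow towards a forwarded service
            host, port = fwd
            self.dnat_rev[(pkt.proto, host, port, pkt.src, pkt.sport)] = pkt.dport
            return replace(pkt, dst=host, dport=port)
        return None                         # unsolicited, like the replies in Figure 2


def demo():
    """Constructed traffic: one masqueraded web request, one stray packet, one
    port-forwarded connection and the server's reply to it."""
    nat = Nat("203.0.113.10", "192.168.0.0/24", {("tcp", 80): ("192.168.0.20", 8080)})
    out = nat.outbound(Packet("192.168.0.5", 51000, "10.0.0.23", 80))
    back = nat.inbound(Packet("10.0.0.23", 80, "203.0.113.10", out.sport))
    stray = nat.inbound(Packet("172.16.0.6", 1234, "203.0.113.10", 40001))
    fwd = nat.inbound(Packet("198.51.100.7", 3333, "203.0.113.10", 80))
    rep = nat.outbound(Packet("192.168.0.20", 8080, "198.51.100.7", 3333))
    return out, back, stray, fwd, rep


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The stray packet is the NAT-side view of Figure 2: a reply that matches no remembered flow and no forwarding rule has nowhere to go and is discarded. Linux's MASQUERADE target differs from this plain SNAT only in taking the public address from the outgoing interface at translation time, which is why the report pairs it with dynamic (PPP) addresses.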

4. IP ADDRESS SPOOFING ATTACKS

Attacks using IP spoofing include:

• Man-in-the-middle (MITM): the attacker sniffs packets on the link between the two
endpoints, and therefore can pretend to be one end of the connection.
• Routing re-direct: redirects routing information from the original host to the attacker's
host (a variation on the man-in-the-middle attack).
• Source routing: the attacker routes individual packets through the attacker's host.
• Flooding: a SYN flood fills up the receive queue with requests from random source
addresses.
• Smurfing: an ICMP packet is spoofed to originate from the victim and sent to the
broadcast address, causing all hosts on the network to respond to the victim at once. This
congests network bandwidth, floods the victim, and causes a loop at the victim.

With a MITM attack, packets between the two ends go through the attacker, who
controls the flow of communication and can eliminate or alter the information sent by one of
the original participants without the knowledge of either the original sender or the recipient.
A routing attack refers to redirecting the route of packets. The sender of a packet can specify
the route that a packet should take through the network. As a packet travels through the
network, each router will examine the "destination IP address" and choose the next hop to
forward the packet to. For DoS, the attacker creates half-open connections that fill up the
system and prevent it from receiving new incoming requests. Normally there is a
timeout associated with a pending connection, so the half-open connections will eventually
expire and the victim server system will recover. However, the attacking system can send
IP spoofed requests faster than the victim system can release the pending connections. In
smurfing, the attacker uses ICMP echo request packets directed to IP broadcast
addresses from remote locations to generate a denial-of-service attack. A common
implementation of this process is the "ping" command, which is included with many
operating systems and network software packages.

4.1 Denial-of-service attack

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS
attack) is an attempt to make a computer resource unavailable to its intended users.

Although the means to carry out, motives for, and targets of a DoS attack may vary, it
generally consists of the concerted efforts of a person or persons to prevent an Internet site
or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of
DoS attacks typically target sites or services hosted on high-profile web servers such as
banks, credit card payment gateways, and even root nameservers. One common method of
attack involves saturating the target (victim) machine with external communications
requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be
rendered effectively unavailable. In general terms, DoS attacks are implemented by either
forcing the targeted computer(s) to reset, or consuming its resources so that it can no
longer provide its intended service, or obstructing the communication media between the
intended users and the victim so that they can no longer communicate adequately.

4.2 Blind IP spoofing

Usually the attacker does not have access to the reply and abuses the trust relationship
between hosts. For example: Host C sends an IP datagram with the address of some other
host (Host A) as the source address to Host B. The attacked host (B) replies to the
legitimate host (A).

Figure: Blind IP Spoofing

4.3 Man-in-the-middle attacks

If an attacker controls a gateway that is in the delivery route, he can

• sniff the traffic

• intercept / block / delay traffic

• modify traffic


This is not easy in the Internet because of hop-by-hop routing, unless you control one of
the backbone hosts or source routing is used. This can also be done in combination with the
IP source routing option. IP source routing is used to specify the route in the delivery of a
packet, independently of the normal delivery mechanisms. If the traffic can be forced
through specific routes (i.e. specific hosts), and if the reverse route is used for reply traffic, a
host on the route can easily impersonate another host.

4.4 Attacks concerning the routing protocols

A host can send spoofed RIP packets in order to "inject" routes into a host. This is easy to
implement; it only requires IP/UDP spoofing. On a LAN with RIPv2, passwords have to be
used for updating routes, but the passwords are sent in plaintext, so they can be sniffed.

4.5 IP address spoofing attack with ICMP

4.5.1 ICMP Echo attacks

• Map the hosts of a network

The attacker sends ICMP echo datagrams to all the hosts in a subnet, then collects the
replies and determines which hosts are alive.

• Denial of service attack (SMURF attack)

The attacker sends spoofed (with the victim's IP address) ICMP Echo Requests to subnets;
the victim will get ICMP Echo Replies from every machine.

4.5.2 ICMP Redirect attacks

ICMP redirect messages can be used to re-route traffic on specific routes or to a specific
host that is not a router at all. The ICMP redirect attack is very simple: just send a spoofed
ICMP redirect message that appears to come from the host's default gateway.

For example: Host 192.168.1.4 sends a forged ICMP packet to host 192.168.1.3, saying
the route through 192.168.1.4 is a better way to internet. The source IP address of this
forged ICMP packet is the gateway’s IP address 192.168.1.1. Then all the traffic from
192.168.1.3 to internet will go through 192.168.1.4.


4.5.3 ICMP destination unreachable attacks

The ICMP destination unreachable message is used by gateways to state that a datagram
cannot be delivered. It can be used to "cut" nodes out of the network. It is a denial of
service (DoS) attack.

Example: An attacker injects many forged destination unreachable messages (stating that
100.100.100.100 is unreachable) into a subnet (e.g. 128.100.100.*). If someone from the
128.100.100.* net tries to contact 100.100.100.100, he will immediately get an ICMP Time
Exceeded from the attacker's host. For 128.100.100.* this means that there is no way to
contact 100.100.100.100, and therefore communication fails.
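Both of the ICMP attacks in 4.5.2 and 4.5.3 work because a host acts on an error message without checking whether it could legitimately have been sent. The following added example (not code from the report) parses ICMP Redirect and Destination Unreachable messages from raw bytes, verifies the ICMP checksum, and applies a receive-side policy before the message is honoured. The default gateway 192.168.1.1, the list of known routers and the two sample messages are constructed; the wire layouts follow RFC 792.

```python
"""Inspect ICMP Redirect (type 5) and Destination Unreachable (type 3) messages
before a host acts on them.

Added example, not code from the report. The default gateway 192.168.1.1, the
known-router list and the sample messages are constructed; layouts per RFC 792."""
import ipaddress
import struct

DEFAULT_GATEWAY = "192.168.1.1"        # assumption: this host's configured gateway
KNOWN_ROUTERS = {"192.168.1.1"}        # assumption: hosts allowed to be a next hop


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(data: bytes) -> bool:
    return icmp_checksum(data) == 0


def build_ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header, as quoted back inside an ICMP error."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def build_icmp(msg_type: int, code: int, field: bytes, orig_src: str, orig_dst: str) -> bytes:
    """ICMP error: 8-byte header, then the offending datagram's IP header + 8 bytes."""
    body = build_ipv4_header(orig_src, orig_dst) + b"\x00" * 8
    csum = icmp_checksum(struct.pack("!BBH4s", msg_type, code, 0, field) + body)
    return struct.pack("!BBH4s", msg_type, code, csum, field) + body


def parse_icmp(data: bytes) -> dict:
    if len(data) < 36:
        raise ValueError("truncated ICMP error message")
    if not checksum_ok(data):
        raise ValueError("bad ICMP checksum")
    msg_type, code, _csum, field = struct.unpack("!BBH4s", data[:8])
    # the quoted IP header starts at byte 8; its source/destination sit at bytes 12..19
    orig_src, orig_dst = struct.unpack("!4s4s", data[20:28])
    return {
        "type": msg_type,
        "code": code,
        "gateway": str(ipaddress.ip_address(field)) if msg_type == 5 else None,
        "orig_src": str(ipaddress.ip_address(orig_src)),
        "orig_dst": str(ipaddress.ip_address(orig_dst)),
    }


def evaluate(outer_src: str, data: bytes, my_ip: str) -> str:
    """Decide whether the host at my_ip should honour an ICMP error it received."""
    m = parse_icmp(data)
    if m["type"] == 5:
        # The outer source is whatever the sender wrote, so passing this check proves
        # nothing; the decisive check is where the redirect wants traffic to go.
        if outer_src != DEFAULT_GATEWAY:
            return "drop: redirect not from the configured gateway"
        if m["gateway"] not in KNOWN_ROUTERS:
            return "drop: redirect points at non-router %s" % m["gateway"]
        if m["orig_src"] != my_ip:
            return "drop: quoted datagram was not sent by this host"
        return "accept"
    if m["type"] == 3:
        if m["orig_src"] != my_ip:
            return "drop: unreachable for a datagram this host never sent"
        return "accept"
    return "ignore"


# Constructed samples: the forged redirect of 4.5.2 (sender field set to 192.168.1.1,
# steering 192.168.1.3's traffic for 198.51.100.1 via 192.168.1.4) and a forged
# "host unreachable" for 100.100.100.100 quoting a datagram from 128.100.100.7.
FORGED_REDIRECT = build_icmp(5, 1, ipaddress.ip_address("192.168.1.4").packed,
                             "192.168.1.3", "198.51.100.1")
FORGED_UNREACH = build_icmp(3, 1, b"\x00" * 4, "128.100.100.7", "100.100.100.100")

if __name__ == "__main__":
    print(evaluate("192.168.1.1", FORGED_REDIRECT, "192.168.1.3"))
    print(evaluate("192.168.1.1", FORGED_UNREACH, "128.100.100.9"))
```

The forged redirect passes the source check, exactly as the text says it will, and is rejected only because the advertised gateway 192.168.1.4 is not a known router; the forged unreachable is rejected on a different host because the quoted datagram is not one it sent, but a host that did send such a datagram would still accept it, which is why the 4.5.3 attack is hard to filter on the receiver alone. The simplest hardening for the redirect case is to ignore redirects entirely, which Linux exposes as the sysctl net.ipv4.conf.all.accept_redirects=0.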

4.6 UDP attacks

UDP is an unreliable transport layer protocol. It relies on IP, it is connectionless, and its
checksum is optional. Therefore delivery, integrity, non-duplication and ordering are
not guaranteed, and it is easy to send a forged packet to the target. In comparison, TCP is
connection oriented and the sequence number used in TCP connection setup is hard to predict,
so it is hard to insert a forged packet into a TCP connection. Therefore UDP traffic is more
vulnerable to IP spoofing than TCP.

Figure 19: UDP spoofing



Figure 20: UDP hijacking

4.7 TCP attacks

Although IP spoofing is hard to carry out against TCP, it can still be realized against specific
operating systems. The attack aims at impersonating another host, mostly during the TCP
connection establishment phase.

For example:
1) Node A trusts node B (e.g. login with no password)

2) Node C wants to impersonate B with respect to A in opening a TCP connection

3) C first kills B (by flooding, redirecting or crashing it)

4) C sends A a TCP segment in a spoofed IP packet with B's address as the source IP
and 11000 as the sequence number

5) A replies with a TCP SYN/ACK segment to B with 54002 as the sequence number

6) C does not receive the segment from A to B, but in order to finish the handshake it has
to send A an ACK segment with 54002+1 as the acknowledgement number. C has to guess
or predict the value 54002.


5. STOPPING IP ADDRESS SPOOFING ATTACKS

IP spoofing is dangerous and can be carried out nearly undetectably. There is generally no
complete solution to prevent this type of attack. As we have mentioned earlier, the attack is
made possible by a weakness inherent in the design of the IP protocol [5]. Since an IP packet
makes no assumptions about the sender and recipient, routers along the path do not check
the sender's identity. Routers will find ways to reach the destination the packet is intended
for, and are not concerned with the packet's origin or its intended purpose. They only look
at the destination address, that of the recipient, to decide whether they should accept the
packet for their network or forward it to one of their neighbors. This is analogous to the
post office looking at the recipient's mailing address to determine the destination. The post
office does not want to know and does not need to know if the mail contains dangerous
material, such as a time bomb. The return address is only meaningful when the mail
cannot reach the destination and needs to be returned to the sender.

Although there is no way to completely eliminate IP spoofing, there are various methods we
can take to strengthen our network and to reduce the possibility of being attacked, as well
as to avoid aiding the attackers. There are methods to help accomplish this goal.

5.1 Disabling r* services: remote services such as rlogin are very handy in
normal users' activities. It is easy to make a connection using these services because they
are based solely on mutual trust, which uses either the host name or the host IP address as
authentication. These hostname-based and host IP-based services bypass the proper
authentication procedure that would otherwise help avoid the attack. Disabling them does
not necessarily mean we are giving up the convenience they offer. There are other secure
services, such as secure shell (ssh), that can serve similar needs. System
administrators should clean out all .rhosts files and /etc/hosts.equiv to prevent the use of
trusted hosts. To completely disable r* services, administrators could remove those binary
files, or disable their invocation by users in inetd or xinetd.

5.2 No insecure authentication: the use of applications that rely on hostname/IP-
based authentication should be weighed against their benefits. If there is no need for such
applications, it is advisable not to have them installed. Port scanning can be used to
detect open ports belonging to services that are exposed to IP spoofing and denial of service
attacks. Administrators can take other measures to provide a secure connection, such as a
VPN, to route the traffic through a trusted and encrypted tunnel that is established prior to the
exchange.

5.3 Disable ping: the ping command is a convenient tool for administering the network,
to check if a host is down or to check network performance (based on RTT). Other than
that, it is a security risk to have it open, as an attacker can send ICMP packets that
consume network bandwidth and host resources. This type of attack will not crash the
system, but causes it to degrade and eventually end up halted as it runs out of memory.
This is an example of a Denial of Service attack that can be easily avoided.

5.4 Encryption: among the various cryptographic systems, Kerberos stands out
and is the candidate for universities' and large corporations' networks. Kerberos is free and
thus can be used in networks of any size. However, Kerberos is not completely
foolproof. Its initial ticket and key exchange is exposed to man-in-the-middle attack. Digital
signatures can be used to verify the identity of the sender of a ticket or public key. Good
random nonces can be used to improve the freshness of messages. Last but not least,
the session lifetime should be chosen appropriately: not long enough for an attacker to
employ a brute-force attack on the generated key, and not so short that it inconveniences
users, who have to re-authenticate when the session time expires. For a thorough
understanding of Kerberos security, readers are encouraged to read further.

5.5 Good random number generator: helps make the life of an attacker much
harder in guessing the ISN in TCP/IP connection. Various random sequence number
generators have been developed, such formulas can be found in [1] [8].
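To make concrete what section 5.5 asks of the ISN generator, and why step 6 of the TCP example in 4.7 is hard when the generator is good, the following added example (not code from the report or from any real TCP stack) contrasts a predictable clock-driven counter with the keyed-hash construction described in RFC 6528. The counter rate of 128000 per second, the secret key, the clock values and the address/port tuples are constructed; HMAC-SHA256 stands in for the RFC's hash function F.

```python
"""Initial sequence number (ISN) choice: a predictable clock-driven counter
against a keyed hash of the connection 4-tuple in the style of RFC 6528.

Added example, not code from the report or from a real TCP stack. The
counter rate, the secret key, the clock values and the tuples are constructed."""
import hashlib
import hmac

MODULUS = 2 ** 32
COUNTER_RATE = 128000          # constructed: counter advance per second


def counter_isn(seconds: int) -> int:
    """Old-style scheme: a global counter that grows at a fixed, public rate."""
    return (COUNTER_RATE * seconds) % MODULUS


def predict_counter_isn(sampled_isn: int, sampled_at: int, target_time: int) -> int:
    """What one observed ISN lets an outsider extrapolate under the counter scheme."""
    return (sampled_isn + COUNTER_RATE * (target_time - sampled_at)) % MODULUS


def hashed_isn(secret: bytes, local_ip: str, local_port: int,
               remote_ip: str, remote_port: int, clock_us: int) -> int:
    """ISN = M + F(local, remote, secret): M is a 4-microsecond clock and F a
    keyed hash, so an ISN seen on one connection reveals nothing about F for
    a different 4-tuple (RFC 6528's construction, HMAC-SHA256 as F here)."""
    conn = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
    f = int.from_bytes(hmac.new(secret, conn, hashlib.sha256).digest()[:4], "big")
    m = clock_us // 4
    return (m + f) % MODULUS


def seq_distance(a: int, b: int) -> int:
    """Distance between two sequence numbers on the 32-bit circle."""
    return min((a - b) % MODULUS, (b - a) % MODULUS)


if __name__ == "__main__":
    # Counter scheme: sample once at t=10s, extrapolate to t=12s, hit exactly.
    sample = counter_isn(10)
    print("counter guess error:",
          seq_distance(counter_isn(12), predict_counter_isn(sample, 10, 12)))
    # Hashed scheme: an ISN obtained on one's own connection (constructed tuple)
    # says nothing about the ISN the server uses towards the trusted host.
    key = b"constructed secret, regenerated at boot"
    own = hashed_isn(key, "10.0.0.23", 513, "172.16.0.6", 1023, 8_000_000)
    trusted = hashed_isn(key, "10.0.0.23", 513, "192.168.0.5", 1023, 8_000_000)
    print("hashed guess error:", seq_distance(trusted, own))
```

With the counter scheme the extrapolation error is zero, which is the situation the 4.7 example relies on; with the hashed scheme the only structure left is the clock term M, so two ISNs for the same 4-tuple still differ by the elapsed 4-microsecond ticks, but the offset F for any other 4-tuple is unknown without the secret.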

5.6 Shorten time-out value in TCP/IP requests: TCP/IP is widely used and
denial of service using half-open connections is unavoidable. However, we can reduce this
possibility by shortening the timeout value for a half-open connection so that it is dropped
when the required time expires. Increasing the size of the request queue on the
server will lengthen the time before the host is clogged up with connection requests.
The two methods mentioned above cannot prevent the TCP/IP half-open-connection attack,
but will buy more time in the hope that the attack will be noticed.

5.7 Firewall: use a firewall to monitor and filter Internet packets that we do not wish to
service. ipchains, iptables and other commercial firewall software can be used to:
a) Allow traffic originating from hosts in the subnet to other hosts on the same subnet
only when it shows up "on the internal interface."
b) Allow traffic coming in from the external world only to the services that we offer. Those
packets "must" have a source IP address "not" from our network range, a destination
address in our network range, and must come from the "external interface." This measure
is to prevent IP spoofing that appears to come from our hosts but in fact is not from our
subnet hosts.
c) Discard all packets going out on the external interface that do not originate from our
subnet. This involves checking whether the source IP address is in our network range. This is
to prevent IP spoofing initiated from our side against other networks.
d) Otherwise, strictly discard all packets that do not fall under the rules specified above.
Firewalls can be employed both at the server end and at the router. Multiple layers of firewall
construct a chain of "gates" that an attacker has to pass through to get to the targeted
service.
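Rules a) to d) above are an ingress/egress anti-spoofing policy, and they can be checked against sample traffic before being typed into a firewall. The following is an added example, not the report's or any firewall product's code: the subnet 192.168.0.0/24, the interface names "int" and "ext", the offered services and the sample packets are constructed. It goes one step beyond the text in also accepting internal-sourced packets bound for the outside on the internal interface, so that rule c) has something to check on the way out.

```python
"""Anti-spoofing packet filter for a gateway with an internal and an external
interface, expressing rules a) to d) of section 5.7 as one decision function.

Added example, not the report's or any firewall's code. The subnet
192.168.0.0/24, the interface names, the services and the sample packets are
constructed."""
import ipaddress
from dataclasses import dataclass

OUR_NET = ipaddress.ip_network("192.168.0.0/24")      # assumption: our subnet
SERVICES = {("tcp", 80), ("tcp", 443)}                  # assumption: what we offer


@dataclass(frozen=True)
class Packet:
    iface: str        # "int" or "ext": interface the packet is seen on
    direction: str    # "in" = arriving on iface, "out" = about to leave via iface
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


def _ours(ip: str) -> bool:
    return ipaddress.ip_address(ip) in OUR_NET


def decide(p: Packet) -> str:
    src_ours, dst_ours = _ours(p.src), _ours(p.dst)
    if p.iface == "int" and p.direction == "in":
        if not src_ours:                       # spoofing attempted from the inside
            return "DROP: non-local source on internal interface"
        # a) host-to-host traffic on our subnet; outbound flows are checked by c) later
        return "ACCEPT: rule a" if dst_ours else "ACCEPT: internal host leaving"
    if p.iface == "ext" and p.direction == "in":
        # b) a packet from the outside world must not claim one of our addresses
        if src_ours:
            return "DROP: spoofed internal source on external interface"
        if dst_ours and (p.proto, p.dport) in SERVICES:
            return "ACCEPT: rule b"
        return "DROP: rule d"
    if p.iface == "ext" and p.direction == "out":
        # c) only our own addresses may leave towards other networks
        return "ACCEPT: rule c" if src_ours else "DROP: egress packet with non-local source"
    return "DROP: rule d"


# Constructed sample traffic; the addresses reuse the report's figures.
SAMPLE = [
    Packet("int", "in", "192.168.0.5", "192.168.0.9", dport=22),
    Packet("ext", "in", "192.168.0.5", "192.168.0.9", dport=22),   # claims to be one of ours
    Packet("ext", "in", "172.16.0.6", "192.168.0.9", dport=80),
    Packet("ext", "in", "172.16.0.6", "192.168.0.9", dport=23),
    Packet("ext", "out", "192.168.0.5", "10.0.0.23", dport=80),
    Packet("ext", "out", "172.16.0.6", "10.0.0.23", dport=80),     # forged on the way out
]


def run(packets=SAMPLE):
    return [decide(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run()):
        print(f"{p.iface}/{p.direction} {p.src} -> {p.dst}:{p.dport}  {verdict}")
```

Rule b) as written admits only connections to offered services; a real deployment would additionally admit replies to connections that internal hosts opened, which iptables does with connection tracking rather than with per-packet address rules.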

5.8 IP Trace-back: when an attack is detected, it is fair to nail down the attacker for
punishment. Several IP trace-back methods have been proposed. Unfortunately, IP
trace-back is limited in reliability, efficiency and performance. The best one could
do is get as close to the attacker's location as possible. It also involves the cooperation of
many network operators/administrators along the routing path from the attacker to the
victim, which is hard to obtain unless the attack causes heavy damage to the Internet
community, large corporations, or government network systems.

6. USES OF SPOOFING
IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the goal is
to flood the victim with overwhelming amounts of traffic, and the attacker does not care
about receiving responses to his attack packets. Packets with spoofed addresses are thus
suitable for such attacks. They have additional advantages for this purpose - they are more
difficult to filter since each spoofed packet appears to come from a different address, and
they hide the true source of the attack. Denial of service attacks that use spoofing typically
randomly choose addresses from the entire IP address space, though more sophisticated
spoofing mechanisms might avoid unroutable addresses or unused portions of the IP
address space. The proliferation of large botnets makes spoofing less important in denial of
service attacks, but attackers typically have spoofing available as a tool, if they want to use
it, so defenses against denial-of-service attacks that rely on the validity of the source IP
address in attack packets might have trouble with spoofed packets. Backscatter, a
technique used to observe denial-of-service attack activity in the Internet, relies on
attackers' use of IP spoofing for its effectiveness. IP spoofing can also be a method of
attack used by network intruders to defeat network security measures, such as
authentication based on IP addresses. This method of attack on a remote system can be
extremely difficult, as it involves modifying thousands of packets at a time. This type of
attack is most effective where trust relationships exist between machines. For example, it is
common on some corporate networks to have internal systems trust each other, so that a
user can log in without a username or password provided he is connecting from another
machine on the internal network (and so must already be logged in). By spoofing a
connection from a trusted machine, an attacker may be able to access the target machine
without authenticating.


7. CONCLUSION

At last I conclude that my seminar topic, under such an organization, proved to be
very beneficial for me.

I learnt quite a lot about IP SPOOFING, different hacking techniques,
their operations & effects in different sectors.

The Seminar Topic has been completed with great dedication and
sincere efforts.

We have some limitations that can be overcome as a measure of further
enhancement of this report and increase its utility.


8. REFERENCES

1. www.networkcommand.com/docs/ipspoof.txt

2. www.sans.org/rr/threats/intro_spoofing.php

3. www.linuxgazette.com/issue63/sharma.html

4. www.securityfocus.com/advisories/2703

5. www.cert.org/advisories/CA-1995-01.html

6. http://bau2.uibk.ac.at/matic/spoofing.htm
