IP Spoofing
Sometimes on the internet, a girl named Alice is really a man named Yves
Overview
TCP/IP in brief
IP Spoofing
  Basic overview
  Examples
[Figure: TCP/IP layer diagram. An HTTP GET request is carried over IP, then over the Network Access layer (MAC address 00:11:22:33:44:55), and finally as bits on the Physical layer.]
Participants: Sucker - Alice; Victim - Bob; Attacker - Eve
1. SYN: "Let's have a conversation"
2. SYN ACK: "Sure, what do you want to talk about?"
3. RESET: "Umm.. I have no idea why you are talking to me"
Mitnick Attack
Participants: Kevin Mitnick, Workstation, Server
1. Mitnick floods the server's login port so it can no longer respond
2. Mitnick probes the workstation to determine the behaviour of its TCP sequence number generator
3. Mitnick discovers that the TCP sequence number is incremented by 128000 each new connection
4. Mitnick forges a SYN from the server to the terminal
5. Terminal responds with an ACK, which is ignored by the flooded port (and not visible to Mitnick)
6. Mitnick fakes the ACK using the proper TCP sequence number
7. Mitnick has now established a one way communications channel
Session Hijack
Participants: Alice, Bob, Eve
1. Eve assumes a man-in-the-middle position through some mechanism. For example, Eve could use ARP poisoning, social engineering, router hacking etc...
2. Eve can monitor traffic between Alice and Bob without altering the packets or sequence numbers.
3. At any point, Eve can assume the identity of either Bob or Alice through the spoofed IP address ("I'm Bob!", "I'm Alice!"). This breaks the pseudo connection as Eve will start modifying the sequence numbers.
IP Spoofing: Defending
IP spoofing can be defended against in a number of ways:
As mentioned, other protocols in the architectural model may reveal spoofing.
  TCP sequence numbers are often used in this manner.
  New generators for sequence numbers are a lot more complicated than "add 128000".
  This makes it difficult to guess proper sequence numbers if the attacker is blind.
Smart routers can detect IP addresses that are outside their domain.
Smart servers can block IP ranges that appear to be conducting a DoS.
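
The sequence-number defence above can be checked with a short audit. This is an added example, not part of the original slides: it contrasts the fixed add-128000 generator with a keyed generator in the style of RFC 6528, using HMAC-SHA256 as a stand-in PRF. The class names, addresses and port are constructed for illustration.

```python
import hashlib
import hmac
import os

STEP = 128000        # fixed per-connection increment from the slide
MOD = 2 ** 32        # TCP sequence numbers are 32-bit


class FixedStepISN:
    """Weak generator: every new connection adds the same constant."""

    def __init__(self, start=1000):
        self.value = start

    def next_isn(self, conn):
        self.value = (self.value + STEP) % MOD
        return self.value


class KeyedISN:
    """RFC 6528 style: ISN = timer + PRF(secret, connection 4-tuple)."""

    def __init__(self, key=None):
        self.key = key or os.urandom(16)   # per-boot secret
        self.timer = 0                     # stand-in for the 4-microsecond clock

    def next_isn(self, conn):
        self.timer += 1
        msg = "|".join(map(str, conn)).encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return (self.timer + int.from_bytes(digest[:4], "big")) % MOD


def extrapolation_hits(gen):
    """Audit: do two probe ISNs predict the ISN issued to a different peer?"""
    target = ("192.0.2.1", 513)            # constructed address and port
    probe1 = gen.next_isn(("192.0.2.66", 40001) + target)
    probe2 = gen.next_isn(("192.0.2.66", 40002) + target)
    guess = (probe2 + (probe2 - probe1)) % MOD
    actual = gen.next_isn(("192.0.2.10", 1023) + target)
    return guess == actual


if __name__ == "__main__":
    print("fixed step predictable:", extrapolation_hits(FixedStepISN()))
    print("keyed PRF predictable: ", extrapolation_hits(KeyedISN()))
```

With the keyed generator, ISNs for one 4-tuple still advance with the timer, but an observer's own connections reveal nothing about the offset used for any other peer.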
Conclusion
IP spoofing is an old-school hacker trick that continues to evolve.
It can be used for a wide variety of purposes.
It will continue to represent a threat as long as each layer continues to trust the others and people are willing to subvert that trust.
Questions?