IP Address: On
the Internet, each computer system is identified by its IP address. The
work we do on the Internet is associated with the IP address of the
system we are using. We know that every request or response process on
the Internet is done on packets. The basic protocol for information
exchange over the Internet is TCP/IP.
TCP stands for Transmission Control Protocol and IP stands
for Internet Protocol (IP). When we request a webpage or other resource
from a server the request is sent in the form of a TCP/IP packet. This
packet contains some information about the request, source and
destination, along with the data being sent. The source and destination
keeps the IP address of the sender and receiver.
What is IP spoofing: IP
spoofing is the process of replacing the source IP address with a fake
IP address from the IP packets to hide the real identity of the sender.
The source address is the address of the computer that the packet was
sent from. By changing the address in the packet an attacker can make it
appear that the packet was sent by a different computer system.
Figure 1: IP spoofing
See the above figure. Two computers, victim and partner, were
communicating with each other. In the meantime, a sender (the attacker)
also tries to communicate with the victim by forging the IP address and
tries to fool the victim with the fake IP address of the partner. So the
victim computer thinks that the packets came from the partner computer
while we can see the original sender is the sender system which in this
case is the attacker.
The term spoofing is also sometimes used to refer to header forgery
because attacker forges the header of the packets with fake information.
This process is used to send fake mail, requests or other information
with a fake IP address to mislead others about the information being
sent. Hackers often use IP spoofing for sending spam mail and denial of
service attacks. This protects the real identity of the hacker because
the IP address sent with the packet belongs to someone else. When a
machine replies to a spoofed packet, the response is sent back to the
forged source address. So IP spoofing is used in an attack when the
attacker does not care about the response.
How it works
Internet Protocol (IP) Packets
Internet Protocol is a network protocol operating at Layer 3 (network
layer) of the OSI model. Each IP packet sent contains a header with the
data. The header contains some information about the sender, receiver,
and other things.
Figure 2: IP packet
The header part contains additional information including the IP address
of sender and receiver. The data part contains the data being sent.
Figure 3: IP Header
We can see the structure of the IP header in Figure 2. It contains much
useful information about the packet. We can see the fields for SOURCE IP
ADDRESS and DESTINATION IP ADDRESS. Here the source IP address, the IP
address of the sender’s machine, and the destination IP address is the
IP address of the receiver’s machine.
Transmission Control Protocol (TCP):
TCP stands for the connection-oriented, reliable transport protocol in
the TCP/IP suite. It uses 3-way handshaking (SYN-SYN/ACK-ACK) to
establish the connection. In this protocol, reliability is provided by
sequence numbers and acknowledgement. See the second and third row for
sequence numbers and acknowledge number fields. TCP assigns sequence
numbers to every segment and acknowledges all data segments received
from the other end.
Figure 4: TCP Header
By forging the header of the packet, we can make a fake IP address appear in the source IP address part.
Some tools used in IP spoofing
How to spoof IP address:
Here I am going to show IP spoofing with the help of NMap. Nmap is also
known as Network Mapper. This tool is a free and open source (license)
utility for network exploration or security auditing.
First of all you need to select the interfaces to spoof from. To do this, run the command
Nmap –iflist
Use the “–e” argument in the interface you have selected. The “–S”
parameter can be used to specify the IP address that nmap will use as
the source address. It can be our real IP address or we can spoof the IP
address.
nmap -e eth0 -S 192.168.1.100 192.168.1.109
In the above command, I have used the eth0 interface and spoofed a source IP of 192.168.1.10, while scanning 192.168.1.32.
Application of the attack: This
attack is widely used in Denial of Service attacks. In denial of
service attacks an attacker floods the victim with large amounts of
traffic. In this example, an attacker does not care to receive the
responses from sent packets. Using packets with spoofed addresses is an
advantage for the attack as the attacker can send packets with many
different spoofed addresses. This makes it hard to filter the packets,
as they seem to come from different sources. Attackers use random
sequences of IP addresses to send spoofed packets in the Denial of
Service attack. This attack is impossible to filter on the systems which
rely on the validity of the source IP address in attack packets.
IP spoofing is also an effective way to defeat the networks which use IP
address-based authentication. This attack is easy to inflict on
corporations which have internal systems that trust each other’s systems
based on the IP address. By spoofing a connection from a trusted
machine, an attacker may be able to access the target machine without
authentication.
Attacks that are launched through IP spoofing
There are a few variations on the types of attacks that successfully
employ IP spoofing. Although some are relatively dated, others are very
pertinent to current security concerns.
Non-Blind Spoofing
Non-Blind Spoofing attacks work on those networks where the attacker and
victim are on the same subnet. In this situation, the attacker can
sniff the network packets to know the sequence and acknowledgement
numbers being sent in the packets. The biggest threat of spoofing in
this type of attack would be session hijacking. This can be done by
corrupting the data stream of an established connection with a valid
user, then re-establishing the connection based on the correct sequence
and acknowledgement numbers with the attack machine. Here the attacker
can easily bypass the authentication mechanisms because he has the
correct sequence and acknowledgement numbers – and guessing these is the
hardest part.
Blind Spoofing
This attack is complicated and difficult in comparison to the Non-Blind
attack because the sequence and acknowledgement numbers cannot be
sniffed. In order to get the correct sequence number and
acknowledgement, the attacker will send several packets to the target
machine, guessing sequence and acknowledgement numbers in order to
sample sequence numbers. A few years back machines used formula based
sequence number generators, so it was easy to generate the formula by
analyzing just a few packets and TCP sessions. But nowadays these
sequence numbers are generated randomly to make it unpredictable. After
sending several packets there may be a possibility to guess the right
sequence number. This attack takes a great deal of time and has a lesser
probability of success.
Man-in-the-Middle Attack
The man-in-the-middle attack (MITM) is a common security violation that
is formed by both types of spoofing we have discussed above. In this
attack, an attacker intercepts a legitimate communication between two
machines (server and client).Then, the attacker controls the flow of
data. He can alter the information being exchanged by two machines
without the knowledge of either the original sender or the recipient.
Denial of Service Attack
Denial of service is the main attack which uses IP spoofing and are the
most difficult to defend against. In this attack the attacker only tries
to consume the bandwidth and resource of a server. The attacker does
not care about the response, so they need not worry about properly
completing handshakes and transactions. In this attack an attacker only
wishes to flood the victim’s machine with as many packets as possible in
a short amount of time in order to make the victim’s machine
inaccessible to valid users. The attacker uses random-source IP
addresses to send packets to the target machine to make tracing and
stopping the DoS as difficult as possible. Most of the servers use IP
block mechanisms to prevent this type of flooding. Using random spoofed
IP easily bypasses those security mechanisms.
Services vulnerable to IP spoofing
Configurations and services that are vulnerable to IP spoofing:
- RPC (Remote Procedure Call services)
- Any service that uses IP address authentication
- The X Window System
- The R services suite
Most popular tools used to modify packet headers:
Tools – For Windows
- Engage Packet Builder – Scriptable packet builder for Windows
- HPing – Command-line oriented TCP/IP packet assembler/analyzer
- Nemesis – Command-line portable IP stack
- PacketExcalibur – Graphical and scriptable network packet engine
- Scapy – Interactive packet manipulation tool
- Spoofer – IP Spoofing Tester
- Colasoft Packet Builder – Tool for creating custom network packets
- Colasoft Packet Player – Packet replay tool
- NMap – Utility for network exploration and security auditing
Tools – For Linux
- LSRscan – Loose Source Route Scanning Tool
- Scapy – Interactive packet manipulation tool
- Spoofer – IP Spoofing Tester
- Yersina – Tool to exploit weaknesses’ in different network protocols
- Sendip – Send completely arbitrary packets out over the network
- HPing – Command-line TCP/IP packet assembler/analyzer
- IRPAS – Internetwork Routing Portocol Attack Suite (File2Cable etc.)
- LSRtunnel – Loose Source Route Tunneling Tool
- Nemesis – Command-line portable IP stack
- NMap – Utility for network exploration and security auditing
- PacketExcalibur – Graphical and scriptable network packet engine
Defenses against IP Spoofing
There are a few precautions that can be taken to prevent IP Spoofing attacks on the network:
Filtering packets at the Router - Implementing
ingress and egress filtering on your routers is the best defense
against the IP spoofing attack. Ingress filtering is the process of
blocking packets from outside the network with a source address inside
the network. Egress filtering is the blocking of packets from inside the
network with a source address that is not inside. You will also need to
implement an ACL (access control list) that blocks private IP addresses
on your downstream interface. On the upstream interface you should
restrict source addresses outside of your valid range, which will
prevent someone on your network from sending spoofed traffic to the
Internet.
Encryption and Authentication - Implementing
encryption and authentication will also reduce spoofing threats. Both
of these features are included in IPv6, which will eliminate current
spoofing threats. Host IP based authentication must not be used based on
the IP address. It is recommended to design network protocols and
services so that they do not rely on the IP source address for
authentication.
Conclusion: IP
spoofing is really easy because there are many tools available which
allow users to edit packets and send packets from the IP. So performing
IP spoofing is really simple, which leads to some big hacking
operations. Although many servers have secure mechanisms to prevent
spoofed packets, all those mechanisms are limited. Most of the networks
still does not consider this attack. So their authentication based on IP
address fails.
If we take a look at recent DOS attacks, most of the attackers are still
untraceable because they have used IP spoofing to perform the attack
and to prevent their real identity. So server administrators and network
administrators must consider this attack while designing the security
rules for their servers and networks. By considering some points, it’s
easy to identify the forged packet with fake IP addresses.
