By Kapil Sharma
A spoofing attack involves forging one's source address. It is the act of using one machine to impersonate another. Most of the applications and tools in UNIX rely on the source IP address authentication. Many developers have used the host based access controls to secure their networks. Source IP address is a unique identifier but not a reliable one. It can easily be spoofed.
To understand the spoofing process, First I will explain about the TCP and IP authentication process and then how an attacker can spoof you network.
The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. Client and server can now send service-specific data
TCP uses sequence numbers. When a virtual circuit establishes between two hosts , then TCP assigns each packet a number as an identifying index. Both hosts use this number for error checking and reporting.
Rik Farrow, in his article "Sequence Number Attacks", explains the sequence number system as follows:
"The sequence number is used to acknowledge receipt of data. At the beginning of a TCP connection, the client sends a TCP packet with an initial sequence number, but no acknowledgment. If there is a server application running at the other end of the connection, the server sends back a TCP packet with its own initial sequence number, and an acknowledgment; the initial number from the client's packet plus one. When the client system receives this packet, it must send back its own acknowledgment; the server's initial sequence number plus one."
Thus an attacker has two problems:
1) He must forge the source address.
2) He must maintain a sequence number with the target.
The second task is the most complicated task because when target sets the initial sequence number, the attacker must response with the correct response. Once the attacker correctly guesses the sequence number, he can then synchronize with the target and establish a valid session.
Services vulnerable to IP Spoofing:
Configuration and services that are vulnerable to IP spoofing :
RPC (Remote Procedure Call services)
Any service that uses IP address authentication
The X Window system
The R services suite (rlogin, rsh, etc.)
TCP and IP spoofing Tools:
1) Mendax for Linux
Mendax is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.
spoofit.h is a nicely commented library for including IP spoofing functionality into your programs. [Current URL unknown. -Ed.]
ipspoof is a TCP and IP spoofing utility.
hunt is a sniffer which also offers many spoofing functions.
dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic.
Measures to prevent IP Spoofing Attacks:
Avoid using the source address authentication. Implement cryptographic authentication systemwide.
Configuring your network to reject packets from the Net that claim to originate from a local address. This is most commonly done with a router.
If you allow outside connections from trusted hosts, enable encryption sessions at the router.
Spoofing attacks are very dangerous and difficult to detect. They are becoming more and more popular now. The only way to prevent these attacks are to implement security measures like encrypted authentication to secure your network.
2 posts • Page 1 of 1