IP Spoofing
Sometimes on the internet, a girl named Alice is really a man named Yves
Sources
General Information:
http://en.wikipedia.org/wiki/Ip_spoofing
http://www.securityfocus.com/infocus/1674
http://tarpit.rmc.ca/knight/EE579index.htm (See ppts on subject)
Mitnick Attack Sequence:
http://www.gulker.com/ra/hack/tsattack.html
Session Hijack Sequence:
http://tarpit.rmc.ca/knight/EEE466Lectures/DA14/14%20-%20Security%20I.ppt
DoS and DDoS attacks:
http://tarpit.rmc.ca/knight/EEE466Lectures/DA14/14%20-%20Security%20I.ppt
Conversation with Todd ‘Hot Toddy’ Jackson
Phrack Article:
http://www.phrack.org/issues.html?issue=64&id=15#article
Overview
TCP/IP – in brief
IP Spoofing
Basic overview
Examples
Mitnick Attack
Session Hijack
DoS/DDoS Attack
Defending Against the Threat
Continuous Evolution
Conclusion
TCP/IP in 3 minutes or less
In general use, the term describes the architecture upon which the Interweb is built.
TCP and IP are specific protocols within that architecture.
TCP/IP in 3 minutes or less
[Figure: the layer stack, with the two protocols placed at their layers]
Application
Transport       <- TCP
Interweb        <- IP
Network Access
Physical
TCP/IP in 3 minutes or less
IP is the internet layer protocol.
It does not guarantee delivery or ordering; it only does its best to move packets from a source address to a destination address.
IP addresses are used to express the
source and destination.
IP assumes that each address is
unique within the network.
TCP/IP in 3 minutes or less
TCP is the transport layer protocol.
It guarantees delivery and ordering, but relies upon IP to move packets to the proper destination.
Port numbers are used to express
source and destination.
Destination Port is assumed to be
awaiting packets of data.
TCP/IP in 3 minutes or less
[Figure: two protocol stacks (Application, Transport, Interweb, Network Access, Physical) side by side, a client using Mozilla talking to some web server. Each layer identifies the endpoints in its own way:]
Application – HTTP GET
Transport – TCP, port 80
Interweb – IP, 10.24.1.1
Network Access – MAC, 00:11:22:33:44:55
Physical – bits on the wire: 11010010011101 00110100110101
But what happens if someone is lying??
IP Spoofing – Basic Overview
Basically, IP spoofing is lying about an IP address.
Normally it is the source address that is falsified.
Lying about the source address lets an attacker assume a new identity.
IP Spoofing – Basic Overview
Because the source address is not the same as the attacker’s address, any replies generated by the destination will not be sent to the attacker.
The attacker must have an alternate way to spy on the traffic or to predict the responses.
To maintain a connection, the attacker must adhere to the protocol requirements.
IP Spoofing – Basic Overview
Difficulties for attacker:
TCP sequence numbers
One way communication
Adherence to protocols for other layers
IP Spoofing – The Reset
Victim - Bob
Sucker - Alice
Attacker - Eve
1. SYN (Eve to Alice, with Bob’s address as the source) – Let’s have a conversation
2. SYN ACK (Alice to Bob) – Sure, what do you want to talk about?
3. RESET (Bob to Alice) – Umm.. I have no idea why you are talking to me
4. No connection (Eve) – Guess I need to take Bob out of the picture…
IP Spoofing – Mitnick Attack
Merry X-mas! Mitnick hacks a diskless workstation on December 25th, 1994
The victim – Tsutomu Shimomura
The attack – IP spoofing and abuse of trust relationships between a diskless terminal and a login server.
Mitnick Attack
[Figure: Kevin Mitnick, the server and the workstation]
1. Mitnick floods the server’s login port so it can no longer respond
2. Mitnick probes the workstation to determine the behaviour of its TCP sequence number generator
3. Mitnick discovers that the TCP sequence number is incremented by 128000 for each new connection
4. Mitnick forges a SYN from the server to the terminal
5. The terminal responds with an ACK, which is ignored by the flooded port (and is not visible to Mitnick)
6. Mitnick fakes the ACK using the proper TCP sequence number
7. Mitnick has now established a one way communications channel
Mitnick Attack – Why it worked
Mitnick abused the trust relationship between the server and the workstation.
He flooded the server to prevent communication between it and the workstation.
He used math skillz to determine the TCP sequence number algorithm (i.e. add 128000).
This allowed Mitnick to open a connection without seeing the workstation’s outgoing sequence numbers and without the server interrupting his attack.
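The weakness Mitnick exploited was a sequence number generator whose next value could be computed from the previous ones. The following added example (not from the original slides) is a small audit routine for checking a host you administer: feed it the initial sequence numbers observed on a series of fresh connections and it flags an 'add 128000' style generator or one whose increments stay within a narrow band. The function names and the sample ISNs are constructed for the example, and the thresholds are heuristics.

```python
TWO32 = 1 << 32


def isn_deltas(samples):
    """Differences between successive observed ISNs, modulo 2^32 (wrap-around safe)."""
    return [(b - a) % TWO32 for a, b in zip(samples, samples[1:])]


def isn_weakness(samples, window=1 << 16):
    """Heuristic audit of an ISN generator from ISNs seen on successive connections.

    'constant-increment': every delta is identical, the 'add 128000' behaviour
                          described on the Mitnick slides.
    'low-variance':       all deltas fall inside a band `window` wide, so the next
                          ISN can be narrowed down to a small range.
    'ok':                 deltas vary widely, as a hash- or random-based generator does.
    """
    if len(samples) < 3:
        raise ValueError("need at least three observed ISNs")
    deltas = isn_deltas(samples)
    if len(set(deltas)) == 1:
        return "constant-increment"
    if max(deltas) - min(deltas) < window:
        return "low-variance"
    return "ok"


# Constructed sample observations (not real captures).
MITNICK_STYLE = [0x0C1A2B00 + i * 128000 for i in range(6)]
JITTERED = [0x0C1A2B00 + i * 128000 + j for i, j in enumerate([0, 17, 5, 23, 9, 31])]
RANDOM_LIKE = [0x8F3A1C27, 0x1B7E9A40, 0xD4C05E11, 0x37A8F6C9, 0xA2E1034B, 0x5C9DB8F2]

if __name__ == "__main__":
    for name, isns in [("MITNICK_STYLE", MITNICK_STYLE),
                       ("JITTERED", JITTERED), ("RANDOM_LIKE", RANDOM_LIKE)]:
        print(name, isn_weakness(isns))
```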
IP Spoofing - Session Hijack
IP spoofing is used to eavesdrop on or take control of a session.
The attacker is normally within the LAN or on the communication path between server and client.
This is not blind, since the attacker can see the traffic from both server and client.
Session Hijack
[Figure: Alice and Bob talking, with Eve in the middle claiming “I’m Bob!” to Alice and “I’m Alice!” to Bob]
1. Eve assumes a man-in-the-middle position through some mechanism. For example, Eve could use ARP poisoning, social engineering, router hacking, etc.
2. Eve can monitor traffic between Alice and Bob without altering the packets or sequence numbers.
3. At any point, Eve can assume the identity of either Bob or Alice through the spoofed IP address. This breaks the pseudo connection, as Eve will start modifying the sequence numbers.
IP Spoofing – DoS/DDoS
Denial of Service (DoS) and
Distributed Denial of Service (DDoS)
are attacks aimed at preventing
clients from accessing a service.
IP spoofing can be used to create DoS attacks.
DoS Attack
[Figure: the attacker, the legitimate users and the server, all connected through the Interweb]
Attacker -> Server: flood of requests, sent from fake IPs
Legitimate users -> Server: service requests
Server: queue full, legitimate requests get dropped
DoS Attack
The attacker spoofs a large number of requests from various IP addresses to fill a service’s queue.
With the service’s queue filled, legitimate users cannot use the service.
DDoS Attack
[Figure: the attacker, a server that is already DoS’d and the target servers, connected through the Interweb. SYNs go from the attacker to the targets, the SYN ACKs come back to the DoS’d server, and the targets’ queues fill up.]
1. The attacker makes a large number of SYN connection requests to the target servers on behalf of a DoS’d server.
2. The servers send SYN ACKs to the spoofed server, which cannot respond as it is already DoS’d.
Queues quickly fill, as each connection request will have to go through a process of sending several SYN ACKs before it times out.
DDoS Attack
Many other types of DDoS are
possible.
DoS becomes more dangerous if
spread to multiple computers.
IP Spoofing – Defending
IP spoofing can be defended against in a number of ways:
As mentioned, other protocols in the architectural model may reveal spoofing.
TCP sequence numbers are often used in this manner.
New generators for sequence numbers are a lot more complicated than ‘add 128000’.
This makes it difficult to guess the proper sequence numbers if the attacker is blind.
“Smart” routers can detect IP addresses that are outside their domain.
“Smart” servers can block IP ranges that appear to be conducting a DoS.
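The last two defences on this slide can be written down concretely. The added example below (not from the original slides) shows a “smart router” check, which drops a packet whose source address does not belong to the prefixes behind the interface it arrived on (the idea behind BCP 38 ingress filtering), and a “smart server” check, which counts half-open connections per /24 in a connection log and returns the ranges worth rate-limiting. The function names, the log format and the sample log are constructed for the example.

```python
import ipaddress
from collections import Counter


def ingress_filter(inside_prefixes, src_ip):
    """'Smart router' check: accept a packet from the inside only if its source
    address lies in a prefix routed behind that interface; anything else is
    spoofed or misrouted and should be dropped."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in inside_prefixes)


def half_open_ranges(log_lines, threshold=3):
    """'Smart server' check over a constructed log ('<src_ip>:<port> SYN|ACK' per line).
    A SYN never followed by the handshake-completing ACK from the same endpoint is a
    half-open connection. Return the /24 ranges whose half-open count reaches
    `threshold`, i.e. the ranges a server under a SYN flood could block."""
    pending = set()
    for line in log_lines:
        endpoint, flag = line.split()
        if flag == "SYN":
            pending.add(endpoint)
        elif flag == "ACK":
            pending.discard(endpoint)
    per_range = Counter()
    for endpoint in pending:
        ip = endpoint.rsplit(":", 1)[0]
        per_range[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return {net: n for net, n in per_range.items() if n >= threshold}


# Constructed sample log: one completed handshake from 203.0.113.10, one stray
# half-open connection from 203.0.113.11, four half-open ones from 198.51.100.0/24.
SAMPLE_LOG = """\
203.0.113.10:4000 SYN
203.0.113.10:4000 ACK
198.51.100.1:1000 SYN
198.51.100.2:1000 SYN
203.0.113.11:4001 SYN
198.51.100.3:1000 SYN
198.51.100.4:1000 SYN
""".splitlines()

if __name__ == "__main__":
    print(ingress_filter(["10.24.0.0/16"], "10.24.1.1"))    # True: inside prefix
    print(ingress_filter(["10.24.0.0/16"], "203.0.113.5"))  # False: outside, drop
    print(half_open_ranges(SAMPLE_LOG))                     # {'198.51.100.0/24': 4}
```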
IP Spoofing continues to evolve
IP spoofing is still possible today, but
has to evolve in the face of growing
security.
A new issue of Phrack includes a method of using IP spoofing to perform remote scans and determine TCP sequence numbers.
This allows a session hijack attack even if the attacker is blind.
Conclusion
IP Spoofing is an old school Hacker
trick that continues to evolve.
Can be used for a wide variety of
purposes.
Will continue to represent a threat as long as the layers continue to trust each other and people are willing to subvert that trust.
Questions?
IP header
 0                 16                  31
+--------+--------+----------------+----------------------------------+
|Version |  IHL   | Type of Service|           Total Length           |
+--------+--------+----------------+------+---------------------------+
|          Identification          |Flags |     Fragment Offset       |
+-----------------+----------------+------+---------------------------+
|  Time to Live   |    Protocol    |         Header Checksum          |
+-----------------+----------------+----------------------------------+
|                           Source Address                            |
+---------------------------------------------------------------------+
|                        Destination Address                          |
+---------------------------------------------------------------------+
|                        Options and Padding                          |
+---------------------------------------------------------------------+
Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt
TCP header
 0                 16                  31
+----------------------------------+----------------------------------+
|           Source Port            |         Destination Port         |
+----------------------------------+----------------------------------+
|                          Sequence Number                            |
+---------------------------------------------------------------------+
|                       Acknowledgement Number                        |
+--------+---------+---------------+----------------------------------+
| Data   |Reserved |     Flags     |              Window              |
| Offset |         |               |                                  |
+--------+---------+---------------+----------------------------------+
|             Checksum             |          Urgent Pointer          |
+----------------------------------+----------------------------------+
|                        Options and Padding                          |
+---------------------------------------------------------------------+
|                               Data                                  |
+---------------------------------------------------------------------+
Stolen from: http://tarpit.rmc.ca/knight/EE579/mitnik.ppt
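The two header diagrams above are the fields a spoofed packet has to get right, and the fields a defender inspects. The following added example (not from the original slides) parses the fixed parts of both headers out of raw bytes and verifies the IP header checksum, which must still be correct on a forged packet or the receiver discards it; a sample SYN is constructed in memory to drive it and is never sent. The function names ones_complement_sum, parse_ipv4, parse_tcp and build_syn are assumptions of this example; the TCP checksum is not verified, since it needs the IP pseudo-header.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, folded and inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header laid out in the IP header diagram."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident, "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        # summing the header with its checksum field in place gives 0 when intact
        "checksum_ok": ones_complement_sum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:total_len],
    }


TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def parse_tcp(seg: bytes) -> dict:
    """Parse the fixed 20-byte TCP header laid out in the TCP header diagram."""
    sport, dport, seq, ack, off_flags, window, _, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "window": window, "urgent_pointer": urg,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if (off_flags >> i) & 1],
        "payload": seg[data_offset:],
    }


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Constructed sample (never sent): IPv4 header with valid checksum carrying a bare SYN."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x002, 65535, 0, 0)
    fields = [0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ones_complement_sum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + tcp
```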