Sometimes On The Internet, A Girl Named Alice Is Really A Man Named Yuves

The document discusses IP spoofing and related topics. It provides an overview of IP spoofing, describes how TCP/IP works in 3 minutes or less, and covers classifications of IP spoofing like non-blind spoofing and blind spoofing. It also explains how easy it is to spoof IP addresses and describes spoofing attacks like the Mitnick attack and session hijacking.

Uploaded by buddybuuu
Copyright: © Attribution Non-Commercial (BY-NC)

PRESENTATION ON IP SPOOFING

Sometimes on the internet, a girl named Alice is really a man named Yuves……………

Presented By : BASUNDHARA DEY
CSE, GROUP 2, ROLL NO. 103
OVERVIEW
 Spoofing
 TCP/IP – in 3 minutes or less
 IP Spoofing
 Classifications
 IP Spoofing is easy
 Spoofing Attacks
 Detect and Defend IP Spoofing
SPOOFING
 is a situation in which a person or program successfully inserts false or misleading information in e-mail or Netnews headers.
 Also known as Header Forgery.
[Slide images: two anti-scam cartoons beside the definition. Caption 1: “STOP AND THINK!! THE ONLY THING THESE SCUM KNOW ABOUT JESUS IS HOW TO SPELL HIS NAME AFTER USING SPELL CHECK.” Caption 2: “PROTECT YOUR PERSONAL INFORMATION. YOU DIDN’T WIN A LOTTERY. YOU DIDN’T ENTER, NO ONE DIED AND LEFT 55 MILLION DOLLARS UNCLAIMED AND YOUR BANK OR PAYPAL DOES NOT WANT YOU TO RE-ENTER YOUR A/C NUMBER AND NAME.”]
TCP / IP IN 3 minutes or less
 General use of the term describes the architecture upon which the Interweb is built.
 TCP and IP are two specific protocols within that architecture.
TCP / IP IN 3 minutes or less
 TCP is the transport layer protocol.
 It guarantees delivery and ordering, but relies upon IP to move packets to the proper destination.
 Port numbers are used to express source and destination.
 The destination port is assumed to be awaiting packets of data.
TCP / IP IN 3 minutes or less
[Figure: TCP HEADER]
TCP / IP IN 3 minutes or less
 IP is the internet layer protocol.
 It doesn’t guarantee delivery and ordering; it only does its best to move packets from a source address to a destination address.
 IP addresses are used to express source and destination.
 IP assumes that each address is unique within the network.
TCP / IP IN 3 minutes or less
[Figure: IP HEADER]
TCP / IP IN 3 minutes or less
[Figure: a Client using Mozilla talking to Some Web Server, layer by layer]
 Application: HTTP – GET
 Transport: TCP – Port 80
 Interweb: IP – 10.24.1.1
 Network Access: MAC – 00:11:22:33:44:55
 Physical: 11010010011101001 10100110101
But what happens if someone is lying??
IP SPOOFING
 is a technique used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forged source IP address.
 Basically, it is lying about an IP address.
 It is the creation of TCP/IP packets with somebody else’s IP address in the header.
 The concept was discovered as a security weakness in the IP protocol.


BASIC CONCEPT
[Figure: Trusted USER A (10.10.10.1) on the INTERNAL NETWORK requests http://www.cartoon.in (134.117.1.60)]

            Src_IP       dst_IP         Src_port      dst_port
Normal      10.10.10.1   134.117.1.60   Any (>1024)   80
Spoofed     11.11.11.1   134.117.1.60   Any (>1024)   80

Attacker uses the trusted user’s source IP as his own.
HOW IT WORKS ??
 It is used to take control of a session.
 The attacker is normally within a LAN / on the communication path between server and client.
 The attacker must have an alternate way to spy on traffic / predict responses.
 To maintain a connection, the attacker must adhere to protocol requirements.
 Normally, the source address is incorrect and so lets an attacker assume a new identity.
HOW IT WORKS ??
 Routers use the destination IP address to forward packets, but ignore the source IP address.
 The source IP is only used by the destination machine when it responds back to the source.
 When an attacker spoofs someone’s IP address, the victim’s reply goes back to that address.
 Because the source address is not the same as the attacker’s address, any reply generated by the destination will not be sent to the attacker.
[Figure: SUCKER-Alice, VICTIM-Bob and ATTACKER-Eve. Eve sends Alice a SYN carrying Bob’s address as source.]
1. SYN – Let’s have a conversation (Eve to Alice, claiming to be Bob)
2. SYN ACK – Sure. What do you want to talk about? (Alice to Bob)
3. RESET – Umm.. I have no idea why you are talking to me (Bob to Alice)
4. No connection – Guess I need to take Bob out of the picture… (Eve)
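The exchange in the figure above, modelled as an added example (mine, not part of the presentation): a toy network whose router forwards on the destination address only, so a SYN that carries Bob's address as source gets its SYN-ACK delivered to Bob, who resets it, while Eve never sees a byte of the reply. The host names, the 10.0.0.x addresses and the stripped-down TCP state machine are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK", "ACK" or "RST"

@dataclass
class Host:
    ip: str
    pending: set = field(default_factory=set)      # peers we sent a SYN to ourselves
    established: set = field(default_factory=set)  # peers whose handshake completed
    seen: list = field(default_factory=list)       # flags of every packet delivered to us

    def send_syn(self, dst: str, claimed_src: Optional[str] = None) -> Packet:
        """Open a connection; a claimed_src other than our own ip is a forged source."""
        self.pending.add(dst)
        return Packet(claimed_src or self.ip, dst, "SYN")

    def receive(self, pkt: Packet) -> Optional[Packet]:
        """Minimal TCP endpoint: answer the packet, or return None to stay silent."""
        self.seen.append(pkt.flags)
        if pkt.flags == "SYN":                      # "Sure, what do you want to talk about?"
            return Packet(self.ip, pkt.src, "SYN-ACK")
        if pkt.flags == "SYN-ACK":
            if pkt.src in self.pending:             # we really did ask for this
                self.established.add(pkt.src)
                return Packet(self.ip, pkt.src, "ACK")
            return Packet(self.ip, pkt.src, "RST")  # "I have no idea why you are talking to me"
        if pkt.flags == "ACK":
            self.established.add(pkt.src)
        return None                                 # RST and anything else: drop silently

def route(hosts: dict, pkt: Packet) -> Optional[Packet]:
    """A router forwards on the destination address only; the source is never checked."""
    return hosts[pkt.dst].receive(pkt)

def run_handshake(spoof: bool):
    """Eve opens a connection to Alice, honestly or with Bob's address as source."""
    alice, bob, eve = Host("10.0.0.2"), Host("10.0.0.3"), Host("10.0.0.66")  # constructed
    hosts = {h.ip: h for h in (alice, bob, eve)}
    pkt = eve.send_syn(alice.ip, claimed_src=bob.ip if spoof else None)
    trace = []
    while pkt is not None:
        trace.append(f"{pkt.src} -> {pkt.dst} {pkt.flags}")
        pkt = route(hosts, pkt)
    return trace, eve.seen, sorted(alice.established)
```

With spoof=True the trace ends in Bob's RST, Eve's own host sees nothing, and Alice ends up with no established connection; this is why the slide's step 4 is needed before such a forged connection can go anywhere.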
CLASSIFICATIONS
 Non-blind spoofing attack
 Blind spoofing attack
 Man in the Middle attack

 Here goes a short discussion on each of these…..
NON BLIND SPOOFING (impersonation)
This attack takes place when the attacker is on the same subnet as the target, so he can see the sequence and acknowledgement numbers of packets. The spoofing is used to interfere with a connection that sends packets along your subnet.
[Figure caption: “Oh, my partner sent me a packet. I’ll process this.”]
BLIND SPOOFING (flooding attack)
This attack may take place from outside, where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to sample sequence numbers, which was doable in older days. The spoofing is used to interfere with a connection (or to create one) that does not send packets along your cable.
[Figure caption: “Oops, many packets are coming. But, who is the real source?”]
MAN IN THE MIDDLE (reflection)
This is also called connection hijacking. In this attack, a malicious party intercepts a legitimate communication between two hosts to control the flow of communication and to eliminate or alter the information sent by one of the original participants without their knowledge.
[Figure caption: “Oops, a lot of replies without any request…”]
IP SPOOFING IS EASY !!!
 Problem with the Routers.
 Routers look at Destination addresses only.
 Authentication is based on Source addresses only.
 Changing the source address field in the IP header is easy.
SPOOFING ATTACKS …
 Mitnick Attack
 Session Hijack
 DoS Attack

Let’s have a quick look at the above examples….
MITNICK ATTACK
 Merry X-mas! Mitnick hacks a Diskless Workstation on December 25th, 1994. The victim – Tsutomu Shimomura.
 The attack – IP spoofing and abuse of trust relationships between a diskless terminal and login server.
 He flooded the server to prevent communication between it and the workstation, and used math skill to determine the TCP sequence number algorithm.
 This allowed Mitnick to open a connection without seeing the workstation’s outgoing sequence numbers and without the server interrupting his attack.

[Figure: Kevin Mitnick, the Workstation and the Server]
1. Mitnick floods the server’s login port so it can no longer respond.
2. Mitnick probes the Workstation to determine the behaviour of its TCP sequence number generator.
3. Mitnick discovers that the TCP sequence number is incremented by 128000 for each new connection.
4. Mitnick forges a SYN from the server to the terminal.
5. The terminal responds with an ACK, which is ignored by the flooded port (and is not visible to Mitnick).
6. Mitnick fakes the ACK using the proper TCP sequence number.
7. Mitnick has now established a one-way communications channel.
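An added example (mine, not from the slides) that looks at the weakness in step 3 from the defender's side: an audit routine that samples initial sequence numbers from successive connections and reports whether they advance by a fixed step (such as the 128000 increment above) and are therefore predictable. Both generators below are constructed models, not a real TCP stack.

```python
import random

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def isn_step(samples):
    """If every consecutive pair of sampled ISNs differs by the same amount
    (mod 2**32), return that step; otherwise None (no simple linear pattern)."""
    diffs = {(b - a) % MOD for a, b in zip(samples, samples[1:])}
    return diffs.pop() if len(diffs) == 1 else None

def predict_next(samples):
    """Guess the next ISN from the observed step; None when no step was found."""
    step = isn_step(samples)
    return None if step is None else (samples[-1] + step) % MOD

def linear_isn(seed, step=128000):
    """Constructed model of the 1994-style generator: a fixed increment per connection."""
    isn = seed % MOD
    while True:
        yield isn
        isn = (isn + step) % MOD

def random_isn(seed):
    """Constructed model of a randomised generator (what current stacks do)."""
    rng = random.Random(seed)
    while True:
        yield rng.getrandbits(32)

def audit_isn(gen, n=6):
    """Sample n ISNs, predict the (n+1)th and compare it with what the generator
    really produces. 'predictable' == True is the finding a defender cares about."""
    samples = [next(gen) for _ in range(n)]
    actual = next(gen)
    guess = predict_next(samples)
    return {"step": isn_step(samples), "predicted": guess,
            "actual": actual, "predictable": guess == actual}
```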
Session Hijack
 IP spoofing is used to eavesdrop on / take control of a session.
 The attacker is normally within a LAN / on the communication path between server and client.
 Not blind, since the attacker can see traffic from both server and client.
[Figure: Alice and Bob talking; Eve in the middle says “I’m Bob!” to Alice and “I’m Alice!” to Bob]
1. At any point, Eve can assume the identity of either Bob or Alice through the spoofed IP address. For example, Eve could use ARP poisoning, social engineering, router hacking etc...
2. Eve can monitor traffic between Alice and Bob without altering the sequence numbers.
3. Eve assumes a man-in-the-middle position through some mechanism. This breaks the pseudo connection, as Eve will start modifying packets or sequence numbers.
DoS / DDoS
 Denial of Service (DoS) and Distributed Denial of Service (DDoS) are attacks aimed at preventing clients from accessing a service.
 IP Spoofing can be used to create DoS attacks.
DoS & DDoS attack
 The attacker spoofs a large number of requests from various IP addresses to fill a service’s queue.
 With the service’s queue filled, legitimate users cannot use the service.
 Many other types of DDoS are possible.
 DoS becomes more dangerous if spread to multiple computers.
DoS Attack
[Figure: the Attacker sends a Flood of Service Requests with Fake IPs across the Interweb to the Server. Server queue full, so the Service Requests of Legitimate Users get dropped.]
DDoS Attack
[Figure: Attacker, Target Servers, and a Server whose Queue is Full (already DoS’d). SYNs go from the Attacker to the Target Servers; SYN ACKs go from the Target Servers to the DoS’d server.]
1. Attacker makes a large number of SYN connection requests to target servers on behalf of a DoS’d server.
2. Servers send SYN ACK to the spoofed server, which cannot respond as it is already DoS’d. Queues quickly fill, as each connection request will have to go through a process of sending several SYN ACKs before it times out.


DETECT IP SPOOFING
 If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack.
 Compare the process accounting logs between systems on your internal network. If you get a log entry on the victim machine showing a remote access, but on the apparent source machine there is no corresponding entry for initiating that remote access, then your system is spoofed.
DEFEND IP SPOOFING ..
 Avoid using source-address authentication. Implement cryptographic authentication system-wide.
 Configure your network to reject packets from the Net that claim to originate from a local address.
 Implement ingress and egress filtering on the border routers, and implement an ACL (access control list) that blocks private IP addresses on your downstream interface.
DEFEND IP SPOOFING
 Other protocols in the architectural model may reveal spoofing. TCP sequence numbers are often used in this manner, which makes it difficult to guess the proper sequence number.
 Smart routers can detect IP addresses that are outside their domain, i.e. Egress filtering. Likewise, smart servers can block IP ranges that appear to be conducting a DoS, i.e. Ingress filtering.
CLOSE TO THE ORIGIN …
[Figure: routers RT.a and RT.b in front of the prefixes 10.0.0.0/23 and 10.0.3.0/24. Packets with srcip 0.0.0.0 are dropped at every router (“You are spoofing!”). A packet with srcip 10.0.0.1 passes one router (“Hmm, this looks ok... but..”) and is only flagged “You are spoofing!” by the router next to the prefix it did not come from.]
We can check and drop the packets which have unused addresses everywhere, but used address space can be checked before aggregation.
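The DEFEND rules and the “close to the origin” figure above, written out as an added example (mine, not part of the presentation): ingress and egress checks at a border router, plus the first-hop prefix check that catches a forged source an aggregate route would accept. The 203.0.113.0/24 “local domain”, the private-range list and the sample packets are constructed.

```python
import ipaddress

# Constructed address plan (not from the slides): our own prefix, and the private
# ranges the DEFEND slide says the border ACL should block.
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _in_any(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)

def border_filter(iface: str, src: str, dst: str) -> str:
    """Verdict for one packet at the border router: 'allow' or 'drop:<rule>'.
    iface is 'external' (arriving from the Net) or 'internal' (leaving our network)."""
    if iface == "external":
        if _in_any(src, LOCAL_NETS):        # ingress: a packet from outside claiming a local source
            return "drop:ingress-local-source"
        if _in_any(src, PRIVATE_NETS):      # private space is never a valid source on the Net
            return "drop:ingress-private-source"
    elif iface == "internal":
        if not _in_any(src, LOCAL_NETS):    # egress: only our own prefix may leave
            return "drop:egress-foreign-source"
    return "allow"

def first_hop_filter(attached_prefix: str, src: str) -> str:
    """The 'close to the origin' check: the router directly attached to a prefix knows
    exactly which sources may come from it, where an upstream router only sees the
    aggregate and would let the address through."""
    inside = ipaddress.ip_address(src) in ipaddress.ip_network(attached_prefix)
    return "allow" if inside else "drop:not-in-attached-prefix"

def audit(packets):
    """Tally border_filter verdicts over (iface, src, dst) tuples, e.g. from a packet log."""
    counts = {}
    for iface, src, dst in packets:
        verdict = border_filter(iface, src, dst)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample traffic, not captured data.
SAMPLE = [
    ("external", "198.51.100.5", "203.0.113.10"),  # normal inbound request
    ("external", "203.0.113.7", "203.0.113.10"),   # local src AND dst seen on the outside: spoofed
    ("external", "10.0.0.1", "203.0.113.10"),      # private source arriving from the Net
    ("internal", "203.0.113.9", "198.51.100.5"),   # normal outbound
    ("internal", "11.11.11.1", "198.51.100.5"),    # inside host forging a foreign source
]
```

The second SAMPLE entry is exactly the DETECT slide's signal (source and destination both local on the external interface); the last one is what egress filtering exists to stop before it leaves your network.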
SOME MISCONCEPTIONS
 A common misconception is that "IP Spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth.
 This is generally not possible. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection.

IP spoofing Tools
 Mendex – for Linux, is an easy-to-use tool for TCP sequence number prediction.
 spoofit.h – is a nicely commented library for including IP spoofing functionality into your programs.
 Ipspoof – is a TCP-IP spoofing utility.
 Hunt – is a sniffer which also offers many spoofing functions.

IP Spoofing continues to evolve
 IP spoofing is still possible today, but has to evolve in the face of growing security.
 A new issue of Phrack includes a method of using IP spoofing to perform remote scans and determine TCP sequence numbers.
 This allows a session hijack attack even if the attacker is blind.
Conclusion
 IP Spoofing is an old school Hacker trick
that continues to evolve.
 Can be used for a wide variety of
purposes.
 Will continue to represent a threat as
long as each layer continues to trust
each other and people are willing to
subvert that trust.
ANY QUERIES???
THANK YOU
