IP SPOOFING
Internetworking
20067817 Danny O’Leary
Contents
Introduction
  What is IP address spoofing?
The Dangers of IP Spoofing
  What attacks can be carried out on a network?
  How often is it used in attacks?
NMAP
  How the command works
Uses for IP address spoofing
  How it can be used for good and help a network
How attacks can be prevented
  What a network administrator can do
Spoofing my own IP Address
  Pinging the Default Gateway and PC-B
  Using Wireshark to verify the ping message
  Spoofing PC-A’s IP address using nmap
References
Introduction

IP spoofing is the process of creating packets whose source IP address is different from the address it should be. This is done to gain anonymity or to impersonate another computer system. IP spoofing can be used maliciously, and also for legitimate reasons. One of the ways it is used maliciously is to change the attacker’s source IP address to an address that may be trusted by the target machine. IP spoofing was first discovered when Robert Morris found a security weakness in the TCP protocol known as sequence prediction. Kevin Mitnick, a well known black hat hacker, was one of the first people to combine IP spoofing with TCP sequence techniques in a crack on the machine of Tsutomu Shimomura (a security expert) (Symantec.com, 2016).

The aim of this paper is to give an understanding of the process carried out in an IP spoofing attack. The things I will look at are:

1. What is IP address spoofing? – In this section I give an overview of what IP address spoofing is, how it is carried out, and why it is dangerous. It goes through the security weakness in the TCP protocol known as sequence prediction.

2. NMAP – Next I go through the software that can be used to spoof your own IP address. I cover what the software is used for, how it can be exploited by hackers, and I also show the command to spoof your IP address and how it works.

3. Uses for IP Address Spoofing – This section goes over how IP address spoofing can be used to carry out attacks and help hackers stay hidden when carrying out attacks. It also goes over some of the uses of IP address spoofing that help users on a network.

4. How attacks can be prevented – This section shows some of the protections a network administrator can put in place to secure a network and prevent IP address spoofing on it. It also shows some of the software used to prevent these attacks.

5. Spoofing my own IP Address – Here I show an example of spoofing my own IP address as a demonstration of how IP addresses are spoofed: I ping another computer and show how the packets are being sent. Along with this I use Wireshark to track all the packets sent by the machine, with the capture file included in the zip file.
What is IP address spoofing?

IP address spoofing is when packets are created with a ‘spoofed’ source IP address, that is, a source IP address different from the actual one. In IP, each packet that is sent contains a source IP address identifying where it has come from, and the receiving network uses it to decide whether or not to trust the packet (Symantec.com, 2016). Although it is usually the source IP address that is changed, it is also considered spoofing if another field is changed, such as the destination address. One way that IP address spoofing can be carried out is at the IP protocol layer:

[Figure: IP packet header, 32 bits wide. Fields: Version, Header Length, Type of Service, Total Length; Identifier, Flags, Fragment Offset; Time to Live, Protocol, Header Checksum; Source Address; Destination Address; Options, Padding.]
IP Packet Header information
At the IP layer it is a lot easier to spoof information than at the TCP layer, because IP is a connectionless, stateless protocol. A stateless protocol treats each request separately and can work without needing any other communication. A connectionless protocol sends data from one end point without first checking with the other; in a connection-oriented protocol, both devices first have to establish that they can communicate before any data is sent (Radware.com, 2016). This makes it very easy for a program to change the fields of an IP packet header like the one shown above. Since the source address is just a field in the IP packet header, it is possible to spoof it and make traffic appear to come from somewhere else. Examples of programs that can do this are Scapy and Nmap.
[Figure: TCP header, 32 bits wide. Fields: Source Port, Destination Port; Sequence Number; Acknowledgement Number; Offset, Reserved, TCP Flags, Window; Checksum, Urgent Pointer; TCP Options (variable length, optional).]
TCP Header
IP spoofing becomes a lot harder when dealing with higher level protocols such as TCP. Since TCP is both connection-oriented and stateful, it is significantly harder to spoof, because the TCP layer uses sequence numbers to establish the connection. The sequence number is sent in a SYN packet during the 3-way handshake:

(http://www.tcpipguide.com/free/diagrams/tcpopen3way.png)

The 3-way handshake works as follows: first the client sends a SYN packet containing its sequence number; the server receives the SYN packet and replies with an acknowledgement that it received it, along with its own SYN packet; lastly the client sends its own acknowledgement that it received the server’s SYN packet. For IP spoofing to work on a TCP connection, the attacker has to predict or guess the sequence number or the acknowledgement number. This is known as a TCP sequence prediction attack. It can be done in a number of different ways, but the main problem in the 3-way handshake is that the acknowledgement number is always the next sequence number, so it can be predicted. An example of how this can be done:

1. Man in the middle attack: In the picture above, say a hacker wants to attack the client and is somehow able to monitor the packets that the client and the server are exchanging. The hacker could use a Denial of Service attack to stop the server from communicating with the client. Since the hacker can monitor the packets, he can find the last acknowledgement and thus predict the next sequence number. The hacker can now use this information to act as the server by sending his own acknowledgement and SYN messages. To spoof a TCP packet sent to a target host, both the IP and TCP headers have to be manipulated (thegeekstuff.com, 2016).
The Dangers of IP Spoofing

Since IP spoofing can be used to hide an attacker’s identity, its dangers are extreme: it can be used with most forms of attack on a network, and it makes it much harder to trace who the actual attacker is:

An example of how IP spoofing can be used to carry out attacks. In the picture the hacker has spoofed the valid users’ IDs to flood the web server with a Denial of Service attack. A Denial of Service attack is one of the most common attacks used alongside IP spoofing, because without spoofing all the connections would have valid IPs and it would be a lot easier to track down where they originate from. This is still a major problem today, and there is no real solution besides trying to work out which traffic is real and which is part of the Denial of Service attack.

Another big way that IP spoofing still plays a part today is in Man in the Middle attacks and the flaws that exist in the 3-way handshake. With IP spoofing it is very easy for an attacker to receive data that they should not be able to, by spoofing their IP address and pretending to be someone else, or to send packets to a destination that they are not meant to be able to reach. This works because the spoofed IP address might be trusted by the other machine, so when the address is spoofed the machine trusts the attacker. It can also be used to pretend to be the destination by spoofing the IP address in question, and then potentially receiving sensitive data.
What attacks can be carried out on a network?

IP spoofing plays a big role in Denial of Service attacks because of the ability to hide where the attack is coming from. IP spoofing is used in quite a number of different attacks today, some of which are:

1. Man in the middle attack (connection hijacking): IP spoofing can be used to carry out a man in the middle attack by spoofing the IP address of one of the two endpoints of the conversation, and the attacker can then sniff packets to find potentially harmful information. This form of man in the middle attack is also known as connection hijacking, and it can fool a target into sending confidential information. Connection hijacking exploits a TCP condition known as a desynchronised state, which happens when the sequence number in a received packet does not match the sequence number that was expected (Linuxsecurity.com, 2016). When this happens the TCP layer will either discard or buffer the packet. Once two hosts get sufficiently desynchronised they discard each other’s packets, and this is where the attacker with the spoofed IP address injects packets carrying the correct sequence numbers.

2. Routing redirect: This is very similar to the above attack, and could also be considered a man in the middle attack. It causes routing information to be redirected from the host to the attacker.

3. Source routing: This is another form of man in the middle attack, in which the attacker is able to send information to a host that it normally would not be able to reach, potentially bypassing existing security restrictions.

4. Blind spoofing: This is an older form of attack that obtained sequence numbers by a more brute force approach. An attacker would send several packets to the target’s machine to obtain sample sequence numbers, and then try to predict the likely next one. This is hard to carry out now because operating systems implement random sequence number generation, which makes it extremely difficult to predict the sequence number accurately.

5. Flooding: This attack uses the 3-way handshake to exploit a target by simply never returning the final acknowledgement. These are known as half open connections, since they are only half way through the process, but when enough of them are sent the data structure the target uses to track them eventually fills up. The target then has to either empty the data structure or stop accepting new incoming connections. One measure against this is a timeout associated with each pending connection, but this is not very effective given the sheer number of connections that can be sent at once. With IP spoofing in this form of attack it is very hard to tell where the connections originate from, because all of them can have spoofed IP addresses, and filtering the real connections from the spoofed ones flooding the network is very hard (Anon, 2016).
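The following model of the 3-way handshake (from the "What is IP address spoofing?" section) and of the receiver-side sequence check that produces the desynchronised state in item 1 is an added illustration for this paper, not code from it; the Segment and TcpEndpoint classes are simplified stand-ins for a real TCP stack and handle only the handshake arithmetic and in-order acceptance.

```python
# Model of the 3-way handshake and of the receiver-side sequence check behind
# the "desynchronised" state. Added illustration for this paper, not code from
# it; Segment and TcpEndpoint are simplified stand-ins for a real TCP stack.
import secrets
from dataclasses import dataclass

SEQ_MOD = 2 ** 32  # sequence and acknowledgement numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False
    payload: bytes = b""


def random_isn() -> int:
    """ISN from a CSPRNG, as modern OSes do; this defeats blind guessing."""
    return secrets.randbelow(SEQ_MOD)


class TcpEndpoint:
    """Tracks our next sequence number (snd_nxt) and the number we expect
    next from the peer (rcv_nxt)."""
    def __init__(self, addr: str, isn: int):
        self.addr = addr
        self.snd_nxt = isn % SEQ_MOD
        self.rcv_nxt = None
        self.established = False

    def syn(self, peer: str) -> Segment:
        seg = Segment(self.addr, peer, self.snd_nxt, 0, syn=True)
        self.snd_nxt = (self.snd_nxt + 1) % SEQ_MOD  # a SYN consumes one number
        return seg

    def syn_ack(self, syn_seg: Segment) -> Segment:
        # The acknowledgement is always the peer's sequence number + 1: the
        # predictable relation that sequence prediction relies on.
        self.rcv_nxt = (syn_seg.seq + 1) % SEQ_MOD
        seg = Segment(self.addr, syn_seg.src, self.snd_nxt, self.rcv_nxt,
                      syn=True, ack_flag=True)
        self.snd_nxt = (self.snd_nxt + 1) % SEQ_MOD
        return seg

    def final_ack(self, synack: Segment) -> Segment:
        self.rcv_nxt = (synack.seq + 1) % SEQ_MOD
        self.established = True
        return Segment(self.addr, synack.src, self.snd_nxt, self.rcv_nxt,
                       ack_flag=True)

    def complete(self, ack_seg: Segment) -> bool:
        """Server side: the final ACK must carry exactly the expected numbers."""
        self.established = (ack_seg.ack == self.snd_nxt
                            and ack_seg.seq == self.rcv_nxt)
        return self.established

    def receive(self, seg: Segment) -> str:
        """Accept in-order data only; a segment whose seq does not match rcv_nxt
        is discarded (a real stack drops or buffers it), so a spoofer needs the
        right sequence number and not just the right source address."""
        if not self.established or seg.seq != self.rcv_nxt:
            return "discard"
        self.rcv_nxt = (self.rcv_nxt + len(seg.payload)) % SEQ_MOD
        return "accept"


def handshake(client_isn: int, server_isn: int):
    """Run the three exchanges; return both endpoints and the three segments."""
    client = TcpEndpoint("client", client_isn)
    server = TcpEndpoint("server", server_isn)
    syn = client.syn("server")
    synack = server.syn_ack(syn)
    ack = client.final_ack(synack)
    server.complete(ack)
    return client, server, (syn, synack, ack)
```

Calling handshake(random_isn(), random_isn()) shows why a blind spoofer who only sees its own side cannot produce the final ACK: the server's sequence number is a fresh 32-bit random value each time.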
How often is it used in attacks?

One of the most common attacks on websites today is the Denial of Service attack, which often relies on IP spoofing. This form of attack aims to flood a website so that it can no longer operate. Since this is one of the most widely used attacks today, it makes IP spoofing both dangerous and very frequently used. Below is an example of how many Denial of Service attacks are being carried out right now:

(http://www.digitalattackmap.com/) Note that this map only shows the top 2% of all reported attacks.

IP spoofing also remains popular because of how costly a Denial of Service attack can be. More than 2,000 denial of service attacks are reported worldwide daily. It is also a pretty cheap attack method: it has been suggested that $150 can buy a week-long DDoS attack on the black market. A further reason IP spoofing is such a big deal is that Denial of Service attacks cause one third of all downtime on the internet (Digitalattackmap.com, 2016).

IP spoofing is also used in Man in the Middle attacks today, which can be quite common, though not as common as Denial of Service attacks. Since a lot of these Man in the Middle attacks go undetected, it is hard to find exact figures on how common they are and how much damage they have actually done.
NMAP

Nmap is the tool I am going to use to spoof my own IP address. It is free open source software that comes pre-installed on some Linux distributions such as Kali Linux. It is most commonly used for network discovery and security auditing to test the security of your own network. Some other uses Nmap has for network administrators are:

1. Managing service upgrade schedules
2. Monitoring hosts
3. Service uptime

Nmap uses IP packets to find out much of its information, such as which hosts are available on the network, what services those hosts are providing, and what operating systems they are running. The main purpose of Nmap is to scan large networks relatively quickly (Nmap.org, 2016).

Nmap is commonly used by network administrators to monitor a network. Some of the more basic things Nmap can provide are:

1. Target selection: used to target something specific, such as scanning a single IP address, a single host, a range of IPs or a subnet. In these examples only 1000 TCP ports are scanned.

2. Port selection: used to choose which ports to scan: a single port, a range of ports, the 100 most common ports, or all ports. The type of port scan can also be changed to TCP connect, TCP SYN, UDP ports or just selected ports.

3. Service and OS detection: Nmap can detect the services a host is running along with its operating system, using standard service detection, aggressive service detection or lighter banner grabbing (HackerTarget.com, 2009).

How the command works

The reason a command exists in Nmap to spoof IP addresses is that company networks are sometimes designed to detect Nmap scans, because the tool is used as an attack mechanism by many of the people attacking a company. Source spoofing therefore exists as a way of bypassing firewalls and some of a company’s detections. This is not necessarily a bad thing, because it can reveal weaknesses in a network that the company can then fix to prevent such attacks from an attacker using Nmap (Nmap.org, 2016).
Uses for IP address spoofing

IP spoofing is not always used to aid attacks. It also has a number of positive uses that can help improve a network. One of the big uses is for mobile networks, which is discussed below. Another main advantage of IP spoofing is its potential to create a lot of virtual connections, which is great for testing something like a website before it goes live.

How it can be used for good and help a network

IP spoofing can be used positively in a number of different scenarios. One of the bigger ones is mobile networks. It is useful in mobile IP environments when a roaming host has to use its ‘home’ IP address while in a foreign network: the roaming host can use IP spoofing to send with the home address that it is allowed to use.

It can also be used on websites to create virtual connections and run scripts to test the website before it actually goes live. This is extremely useful because you do not have to dedicate many resources to testing a website or even put the website live; instead you can simply create as many virtual users as you need using IP spoofing. This can be done with software such as HP LoadRunner, which lets a network administrator test applications and measure a system’s performance when it is hit with a certain number of virtual users created with IP spoofing (Mirkovic, 2005).
How attacks can be prevented

This section goes through the different protection techniques that can be used to prevent IP spoofing on a network. IP spoofing is hard to prevent because of the weaknesses in the TCP layer and the IP packet header, so it has to be prevented without actually fixing the vulnerability; even if the vulnerability were fixed, services would stop working, and IP spoofing also has positive uses for network administrators. Because of this, most of the preventions involve filtering out the spoofed IP addresses. Below I go through some of the things a network administrator can do to prevent IP spoofing on a network.

What a network administrator can do

One way IP spoofing can be prevented is by using something like IPSec. IPSec is a protocol that aims to ensure data authentication, integrity and confidentiality. It does this at the IP packet level, which is where IP spoofing of the source address takes place. IPSec has many different and complex ways of providing security against certain attacks and of making sure that the connection is secure and remains that way. One of them is Authentication Header protection of the IP packet header, which ensures that none of the fields in the IP packet header can be changed without detection, making it much harder to spoof an IP address by changing the source address. Along with this, the source IP address when using IPSec has a key associated with it that is private to the actual sender (Thomas and Elbirt, 2016).

A network administrator can use Access Control Lists to help prevent IP spoofing. The first thing an Access Control List can do is block IP addresses. Most of the time an IP spoofing attack is carried out with private IP addresses such as 10.0.0.0 or 192.168.0.0, so an Access Control List can be used to stop these private addresses entering the network from the internet. Since this traffic would be arriving from the internet, it is obviously spoofed, because none of these private IP addresses are used on the internet (CCIE, 2007).

A network administrator could also use router and switch security to reject packets that claim to come from your own network when they arrive from the internet. This works much like the Access Control Lists, and can be used to stop any private IP address arriving from the internet from sending information around your network. Along with this, the router can use encrypted sessions so that trusted hosts outside your network are still able to communicate with your private network (Hassell, 2016).

For something like a website, you can use DDoS protection services such as Cloudflare, which in trying to block Denial of Service attacks will also detect some of the spoofed IP addresses and blacklist them from using the website again; the problem is that it is very hard to tell the real IP addresses from the spoofed ones.
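The filter below puts the two rules just described (block private sources arriving from the internet, and reject packets that claim to come from your own network but arrive on the outside interface) together with the matching outbound rule, applied to constructed traffic for the 192.168.0.0/24 network used in the lab later in this paper. It is an added example for this paper, not the author’s code or any router vendor’s; the interface names eth0/eth1 and the sample packets are assumptions.

```python
# Anti-spoofing filter of the kind an edge router's access list applies: drop
# private or own-network sources arriving from the internet, and drop packets
# leaving the network with a source that is not ours (ingress/egress filtering).
# Added example for this paper (not the author's or any vendor's code); the
# interface names and the sample packets in sample_decisions() are constructed.
import ipaddress
from typing import Iterable, List, Tuple

# Address blocks that never legitimately arrive from the public internet:
# RFC 1918 private space, loopback, link-local and "this network".
NEVER_FROM_INTERNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

Decision = Tuple[str, str]  # ("permit" | "deny", reason)
Tagged = Tuple[str, str, str, str, str]  # iface, src, dst, verdict, reason


class AntiSpoofFilter:
    def __init__(self, local_prefix: str, inside_if: str, outside_if: str):
        self.local = ipaddress.ip_network(local_prefix)
        self.inside_if = inside_if
        self.outside_if = outside_if

    def decide(self, iface: str, src: str) -> Decision:
        """Classify one packet by the interface it arrived on and its source."""
        s = ipaddress.ip_address(src)
        if iface == self.outside_if:
            # Ingress: our own prefix and private space cannot come from outside.
            if s in self.local:
                return "deny", "own-prefix source arriving from internet"
            if any(s in net for net in NEVER_FROM_INTERNET):
                return "deny", "private/bogon source arriving from internet"
            return "permit", "ok"
        if iface == self.inside_if:
            # Egress: only our own addresses may leave, so an inside host
            # cannot spoof someone else's address towards the internet.
            if s not in self.local:
                return "deny", "non-local source leaving network"
            return "permit", "ok"
        return "deny", "unknown interface"

    def apply(self, packets: Iterable[Tuple[str, str, str]]) -> List[Tagged]:
        """packets are (iface, src, dst); returns them tagged with the decision."""
        return [(i, src, dst, *self.decide(i, src)) for i, src, dst in packets]


def sample_decisions() -> List[Tagged]:
    """Constructed traffic for the 192.168.0.0/24 network of the lab section."""
    f = AntiSpoofFilter("192.168.0.0/24", inside_if="eth0", outside_if="eth1")
    packets = [
        ("eth1", "203.0.113.5", "192.168.0.140"),    # normal inbound, permitted
        ("eth1", "192.168.0.141", "192.168.0.174"),  # claims to be ours: spoofed
        ("eth1", "10.1.2.3", "192.168.0.174"),       # private source from outside
        ("eth0", "192.168.0.140", "203.0.113.5"),    # normal outbound, permitted
        ("eth0", "198.51.100.9", "203.0.113.5"),     # inside host spoofing outward
    ]
    return f.apply(packets)
```

The egress rule is the one that stops your own network being used as a source of spoofed Denial of Service traffic; the ingress rules are what the Access Control List and router measures above implement.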
Spoofing my own IP Address

                  PC-A IP          PC-B IP          PC-A Spoofed IP
IP Address:       192.168.0.140    192.168.0.174    192.168.0.141
Subnet Mask:      255.255.255.0    255.255.255.0    255.255.255.0
Default Gateway:  192.168.0.254    192.168.0.254    192.168.0.254
Pinging the Default Gateway and PC-B

This is done to check that the hosts on the network can reach each other before spoofing the IP address. The commands I used from PC-A were:

ping 192.168.0.254 – to ping the Default Gateway
ping 192.168.0.174 – to ping PC-B
Using Wireshark to verify the ping message

On PC-B I used Wireshark to verify that the ping message was being received. To do this I started a capture on the interface in question, sent a ping message from PC-A, then stopped the capture on PC-B and applied the filter “ip.addr==192.168.0.140” to check whether there were any messages from PC-A. The picture below shows that a successful ping message was received by PC-B from PC-A:
Spoofing PC-A’s IP address using nmap

We use the command nmap -iflist to find the correct interface for the network we are using. This command displays a lot of information about the different interfaces on the PC. From the picture below we can see that the IP address of PC-A corresponds with the interface “eth4”.
Since I was using an Nmap command, I wasn’t actually able to send a ping from the spoofed IP address, but the packets above show that the spoofed IP address was able to send TCP SYN packets to PC-B.
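A check PC-B could run over its capture to spot the spoofed SYNs, added here as an example for this paper rather than taken from the author’s Wireshark file: on a LAN every frame carries the sender’s MAC address as well as the claimed source IP, and a host spoofing another address still sends from its own network card, so comparing the two against the known IP-to-MAC bindings exposes the spoof. The MAC addresses, the ARP table and the capture records below are constructed, and the third host in the last frame is hypothetical.

```python
# Detection check for the lab above, run from PC-B's side of the capture.
# Added example for this paper; the MAC addresses and the capture records are
# constructed, not taken from the author's Wireshark file.
from typing import Dict, List, Tuple

Frame = Dict[str, str]
Alert = Tuple[int, str, str]  # (frame index, claimed source IP, reason)


def check_bindings(frames: List[Frame], known: Dict[str, str]) -> List[Alert]:
    """Flag frames whose source MAC does not match the binding for their source
    IP. An unknown IP is learned on first sight unless its MAC is already bound
    to another IP, in which case it is reported instead of learned."""
    bindings = dict(known)  # ip -> mac, seeded from the ARP table
    mac_owner = {mac: ip for ip, mac in bindings.items()}
    alerts: List[Alert] = []
    for idx, fr in enumerate(frames):
        ip, mac = fr["src_ip"], fr["src_mac"].lower()
        if ip in bindings:
            if bindings[ip] != mac:
                alerts.append((idx, ip, f"sent from {mac}, expected {bindings[ip]}"))
        elif mac in mac_owner:
            alerts.append((idx, ip, f"MAC {mac} already belongs to {mac_owner[mac]}"))
        else:
            bindings[ip] = mac
            mac_owner[mac] = ip
    return alerts


# Constructed view of PC-B's ARP table (MACs invented for the example).
KNOWN_BINDINGS = {
    "192.168.0.140": "02:00:00:00:00:0a",  # PC-A
    "192.168.0.174": "02:00:00:00:00:0b",  # PC-B
    "192.168.0.254": "02:00:00:00:00:fe",  # default gateway
}

# Constructed capture: the ping exchange, the SYNs claiming to be .141 (sent
# from PC-A's card), and a frame from a hypothetical third host claiming PC-A's IP.
SAMPLE_CAPTURE: List[Frame] = [
    {"src_mac": "02:00:00:00:00:0a", "src_ip": "192.168.0.140", "dst_ip": "192.168.0.174", "info": "ICMP echo request"},
    {"src_mac": "02:00:00:00:00:0b", "src_ip": "192.168.0.174", "dst_ip": "192.168.0.140", "info": "ICMP echo reply"},
    {"src_mac": "02:00:00:00:00:0a", "src_ip": "192.168.0.141", "dst_ip": "192.168.0.174", "info": "TCP SYN 80"},
    {"src_mac": "02:00:00:00:00:0a", "src_ip": "192.168.0.141", "dst_ip": "192.168.0.174", "info": "TCP SYN 443"},
    {"src_mac": "02:00:00:00:00:fe", "src_ip": "192.168.0.254", "dst_ip": "192.168.0.174", "info": "ICMP echo reply"},
    {"src_mac": "02:00:00:00:00:0c", "src_ip": "192.168.0.140", "dst_ip": "192.168.0.174", "info": "TCP SYN 22"},
]


def lab_alerts() -> List[Alert]:
    """Alerts raised over the constructed capture."""
    return check_bindings(SAMPLE_CAPTURE, KNOWN_BINDINGS)
```

The check only works on the local segment, because MAC addresses do not survive a router hop; for spoofed traffic arriving from the internet the address-based filtering in the prevention section is what applies.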
References

Symantec.com (2014). IP Spoofing: An Introduction | Symantec Connect. [online] Available at: http://www.symantec.com/connect/articles/ip-spoofing-introduction [Accessed 5 Apr. 2016].
Radware.com (2016). [online] Available at: http://www.radware.com/Glossary/ConnectionlessProtocol/ [Accessed 5 Apr. 2016].
Thegeekstuff.com (2016). TCP Attacks: TCP Sequence Number Prediction and TCP Reset Attacks. [online] Available at: http://www.thegeekstuff.com/2012/01/tcp-sequence-numberattacks/ [Accessed 5 Apr. 2016].
Linuxsecurity.com (2016). TCP/IP Security. [online] Available at: http://www.linuxsecurity.com/resource_files/documentation/tcpip-security.html [Accessed 5 Apr. 2016].
Anon (2016). [online] Available at: https://www.cert.org/historical/advisories/CA-1996-21.cfm? [Accessed 6 Apr. 2016].
Digitalattackmap.com (2016). Digital Attack Map. [online] Available at: http://www.digitalattackmap.com/understanding-ddos/ [Accessed 6 Apr. 2016].
Nmap.org (2016). Nmap: the Network Mapper - Free Security Scanner. [online] Available at: https://nmap.org/ [Accessed 6 Apr. 2016].
HackerTarget.com (2009). Nmap Cheat Sheet | HackerTarget.com. [online] Available at: https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/ [Accessed 6 Apr. 2016].
Mirkovic, J. (2005). Internet Denial of Service. Upper Saddle River, N.J.: Prentice Hall Professional Technical Reference.
Thomas, J. and Elbirt, A. J. (2016). IPsec: How it works and why we need it. [online] Computerworld. Available at: http://www.computerworld.com/article/2561149/security0/ipsec-how-it-works-and-why-we-need-it.html [Accessed 7 Apr. 2016].
CCIE, D. (2007). Prevent IP spoofing with the Cisco IOS - TechRepublic. [online] TechRepublic. Available at: http://www.techrepublic.com/article/prevent-ip-spoofing-with-the-cisco-ios/ [Accessed 7 Apr. 2016].
Hassell, J. (2016). The top five ways to prevent IP spoofing. [online] Computerworld. Available at: http://www.computerworld.com/article/2546050/network-security/the-top-five-ways-to-preventip-spoofing.html [Accessed 7 Apr. 2016].