IP-Spoofing Counter-measures

Download Report

Transcript IP-Spoofing Counter-measures 

IP Spoofing
Bao Ho
ToanTai Vu
CS 265 - Security Engineering
Spring 2003
San Jose State University
IP Spoofing, CS265
1
Presentation Outline
Introduction, Background
 Attacks with IP Spoofing
 Counter Measures
 Summary

IP Spoofing, CS265
2
IP Spoofing

IP Spoofing is a technique used to gain unauthorized
access to computers.
– IP: Internet Protocol
– Spoofing: using somebdody else’s information

Exploits the trust relationships

Intruder sends messages to a computer with an IP
address of a trusted host.
IP Spoofing, CS265
3
IP / TCP

IP is connectionless, unreliable

TCP connection-oriented
A  B: SYN; my number is X
B  A: ACK; now X+1
SYN; my number is Y
A B: ACK; now Y+1
TCP/IP handshake
IP Spoofing, CS265
4
A blind Attack
Host I cannot see what Host V send back
IP Spoofing, CS265
5
IP Spoofing Steps






Selecting a target host (the victim)
Identify a host that the target “trust”
Disable the trusted host, sampled the target’s TCP
sequence
The trusted host is impersonated and the ISN forged.
Connection attempt to a service that only requires
address-based authentication.
If successfully connected, executes a simple
command to leave a backdoor.
IP Spoofing, CS265
6
IP Spoofing Attacks

Man in the middle

Routing

Flooding / Smurfing
IP Spoofing, CS265
7
Attacks
Man - in - the - middle:
Packet sniffs on link between the two endpoints, and
therefore can pretend to be one end of the
connection.
IP Spoofing, CS265
8
Attacks

Routing re-direct:

Source routing:
redirects routing information
from the original host to the attacker’s host.
The attacker redirects individual
packets by the hacker’s host.
IP Spoofing, CS265
9
Attacks

Flooding: SYN flood fills up the receive queue from
random source addresses.

Smurfing: ICMP packet spoofed to originate from the
victim, destined for the broadcast address, causing all
hosts on the network to respond to the victim at
once.
IP Spoofing, CS265
10
IP-Spoofing Facts

IP protocol is inherently weak

Makes no assumption about sender/recipient

Nodes on path do not check sender’s identity

There is no way to completely eliminate IP spoofing

Can only reduce the possibility of attack
IP Spoofing, CS265
11
IP-Spoofing
Counter-measures

No insecure authenticated services

Disable commands like ping

Use encryption

Strengthen TCP/IP protocol

Firewall

IP traceback
IP Spoofing, CS265
12
No insecure authenticated
services






r* services are hostname-based or IP-based
Other more secure alternatives, i.e., ssh
Remove binary files
Disable in inet, xinet
Clean up .rhost files and /etc/host.equiv
No application with hostname/IP-based
authentication, if possible
IP Spoofing, CS265
13
Disable ping command

ping command has rare use

Can be used to trigger a DOS attack by flooding the
victim with ICMP packets

This attack does not crash victim, but consume
network bandwidth and system resources

Victim fails to provide other services, and halts if runs
out of memory
IP Spoofing, CS265
14
DOS using Ping
IP Spoofing, CS265
15
Use Encryption

Encrypt traffic, especially TCP/IP packets and Initial
Sequence Numbers

Kerberos is free, and is built-in with OS

Limit session time

Digital signature can be used to identify the sender of
the TCP/IP packet.
IP Spoofing, CS265
16
Strengthen TCP/IP protocol





Use good random number generators to generate
ISN
Shorten time-out value in TCP/IP request
Increase request queue size
Cannot completely prevent TCP/IP half-openconnection attack
Can only buy more time, in hope that the attack will
be noticed.
IP Spoofing, CS265
17
Firewall

Limit traffic to services that are offered

Control access from within the network

Free software: ipchains, iptables

Commercial firewall software

Packet filters: router with firewall built-in

Multiple layer of firewall
IP Spoofing, CS265
18
Network layout with Firewall
IP Spoofing, CS265
19
IP Trace-back

To trace back as close to the attacker’s location as
possible

Limited in reliability and efficiency

Require cooperation of many other network operators
along the routing path

Generally does not receive much attention from
network operators
IP Spoofing, CS265
20
Summary/Conclusion

IP spoofing attacks is unavoidable.

Understanding how and why spoofing attacks are
used, combined with a few simple prevention
methods, can help protect your network from these
malicious cloaking and cracking techniques.
IP Spoofing, CS265
21
References












IP-spoofing Demystified (Trust-Relationship Exploitation), Phrack Magazine Review, Vol. 7, No. 48, pp. 4814, www.networkcommand.com/docs/ipspoof.txt
Security Enginerring: A Guide to Building Dependable Distributed Systems, Ross Anderson, pp. 371
Introduction to IP Spoofing, Victor Velasco, November 21, 2000,
www.sans.org/rr/threats/intro_spoofing.php
A Large-scale Distributed Intrusion Detection Framework Based on Attack Strategy Analysis, Ming-Yuh
Huang, Thomas M. Wicks, Applied Research and Technology, The Boeing Company
Internet Vulnerabilities Related to TCP/IP and T/TCP, ACM SIGCOMM, Computer Communication Review
IP Spoofing, www.linuxgazette.com/issue63/sharma.html
Distributed System: Concepts and Design, Chapter 7, by Coulouris, Dollimore, and Kindberg
FreeBSD IP Spoofing, www.securityfocus.com/advisories/2703
IP Spoofing Attacks and Hijacked Terminal Connections, www.cert.org/advisories/CA-1995-01.html
Network support for IP trace-back, IEEE/ACM Transactions on Networking, Vol. 9, No. 3, June 2001
An Algebraic Approach to IP Trace-back, ACM Transactions on Information and System Security, Vol. 5, No.
2, May 2002
Web Spoofing. An Internet Con Game, http://bau2.uibk.ac.at/matic/spoofing.htm
IP Spoofing, CS265
22
Questions / Answers
IP Spoofing, CS265
23