Joshua White - Everis Inc.


Joshua White
Director of CyOON Research and Development
“Cyber Operations for Optical Networks”
Everis Inc
http://www.EverisInc.com
(315)-370-1535
CyberPatriot Advanced Topics:
IP Spoofing Overview
Agenda

Company Background

IP Spoofing Overview

Why Is It So Easy

Types Of IP Spoofing

Detection Techniques

Prevention Techniques

Conclusions
IP Spoofing Overview

IP spoofing is a technique used to gain unauthorized access to computers or networks.
The attacker sends messages to a computer using a forged IP address, indicating that the message is coming from a trusted host.
IP Spoofing Overview (2)

IP Spoofing Occurs When An Individual Inside Or Outside Of A Network Impersonates A Trusted Node In Its Conversations.

Most Spoofing Attacks Fall Under Two Techniques:
• Using An IP Address Within The Range Of Trusted IPs
• Using An Authorized External IP Address That Is Trusted

For Government And Enterprise Instances A Third Technique Exists:
• Using An IP Address Other Than Your Own To Place Blame On Another Country Or Individual. This IP Address Is Neither Trusted Nor Untrusted; It Simply Is Not Truthful.
IP Spoofing Overview (3)

Considering The AAA Model For Secure Protocols (RFC-2906), Some Example Uses Of IP Spoofing To Perpetrate Attacks Against It Are:
• Injection Of Malicious Data Or Code Into An Existing Data Stream (Authentication)
• A Hacked Routing Table, Set Up For The Attacker To Receive And Send From A Spoofed IP, Would Allow Them To Completely Replace The Legitimate Source (Authorization)
• DoS Or Other Attacks Can Be Covered Up By Using A Spoofed IP Address To Shirk Responsibility For The Action, Thus Breaking The Rules Of Non-Repudiation (Accountability)
Why Is It So Easy?

IP Spoofing Is Easy Due To A Number Of Reasons:
• Routers Forward Traffic Based On The Destination Address (RFC1812)
• Some Security Mechanisms Allow For IP As The Sole Means Of Authentication (RFC-5406)
• Actually Changing The Source IP In A Packet Is Extremely Easy To Do (LibPal, PacketForge, Etc.)
Types Of IP Spoofing

Everis Engineers Define IP Spoofing Attacks As Falling Under Three Categories:

Blind
• The Attacker Has Some Real-Time Knowledge Of The Network, Such As Packet Sequence Identifiers.
• Used Heavily In Replay Attacks
Non-Blind
• The Attacker Has No Knowledge Of Or Access To Real-Time Network Information
• Used Heavily In DoS And Probing
Infinite Knowledge
• The Attacker Is Sitting On (Sniffing) A Live Session And Hijacks It Using Spoofed IP, MAC, Authentication, Etc.
• Used Heavily In MITM Attacks
Advanced IP Spoofing Attacks

A Number Of Very Advanced Attacks Can Be Accomplished Through The Use Of IP Spoofing. The Simplest Example Is SMURFING:

SMURF Attack
• A LAN Is Sent An ICMP Broadcast Packet With A Spoofed Source Address. All Computers On The LAN Reply To The Owner Of The Real Address That Was Spoofed, Thus Overwhelming It (D-DoS)
Detection

There's No Sure-Fire Way To Detect IP Spoofing, Though Some Rules Of Thumb Exist:
• If An Internal IP Address Shows Up In A Log File As Coming In Through An External Interface, Then It's Probably Been Spoofed
• If An Advanced Attack Is Happening On Your Network, You Can Make The Assumption That The Attacker Is Covering Their Tracks By Spoofing The Source Identifier
Prevention

There Are No Foolproof Prevention Mechanisms; However, To Better Protect Yourself:

Do Not Allow Authenticated Access Without Some Layered Mechanism Such As:
• CHAP
• LEAP
• KERBEROS
• Etc.
Do Not Allow Certain Ranges Of IPs To Pass In/Out Of Your Border Gateway
• For Instance, Don't Allow The Internal Range Of IPs Access From The External Interface
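The detection rule of thumb (an internal address arriving on the external interface) and the prevention rule (internal ranges must not cross the border in either direction) applied to constructed gateway log records, as an added Python example that is not part of the original deck. The interface names eth0/eth1, the site prefix 203.0.113.0/24 and the log line layout are assumptions made for the example.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Prefixes that belong to this site: RFC 1918 space plus the site's own public
# prefix (203.0.113.0/24 is an assumed, documentation-only stand-in).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]
EXTERNAL_IFACES = {"eth0"}  # assumed: interface facing the Internet
INTERNAL_IFACES = {"eth1"}  # assumed: interface facing the LAN

# Constructed record shape, loosely modelled on a netfilter "IN= SRC= DST=" log.
LINE_RE = re.compile(r"IN=(?P<iface>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)")
class Finding(NamedTuple):
    line_no: int
    iface: str
    src: str
    reason: str

def is_internal(addr: str) -> bool:
    # Raises ValueError for a malformed address; callers decide how to handle it.
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)

def spoof_findings(lines: List[str]) -> List[Finding]:
    # Apply both border rules of thumb to every parsable packet record.
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue  # not a packet record
        iface, src = m["iface"], m["src"]
        try:
            internal = is_internal(src)
        except ValueError:
            continue  # malformed SRC field: skip rather than crash the scan
        if iface in EXTERNAL_IFACES and internal:
            findings.append(Finding(n, iface, src, "internal source on external interface"))
        elif iface in INTERNAL_IFACES and not internal:
            findings.append(Finding(n, iface, src, "foreign source leaving via internal interface"))
    return findings

# Constructed sample log: lines 2 and 4 break the rules; 1 and 3 are benign; 5 is malformed.
SAMPLE_LOG = [
    "Mar 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP",
    "Mar 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.5 DST=203.0.113.10 PROTO=TCP",
    "Mar 10 12:00:03 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.4 DST=198.51.100.7 PROTO=UDP",
    "Mar 10 12:00:04 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.9 DST=198.51.100.7 PROTO=UDP",
    "Mar 10 12:00:05 gw kernel: IN=eth0 OUT= SRC=not-an-ip DST=203.0.113.10 PROTO=TCP",
]
```

Running `spoof_findings(SAMPLE_LOG)` flags lines 2 and 4 only; the same two checks, expressed as deny rules on the border gateway, are the prevention measure the slide describes.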
Conclusion

There Exists A Need For Mechanisms Which Prevent/Detect/Traceback IP Spoofing Attacks

These Mechanisms Should Focus On Fixing The Problems In The AAA Security Model
• Everis Is Currently Focused On Fixing The Non-Repudiation Aspect (Accountability), Which Is Broken By Not Being Able To Accurately Identify Who A Perpetrator Is.
Thanks

Thanks to:
• Central NY ISSA for providing time to the CyberPatriot documentation project
  www.issa.org
• Everis Inc. for hosting, technical support, experienced staff and more
  www.everisinc.com
• Griffiss Institute for providing space and support
  http://www.griffissinstitute.org/
• Rome AFRL for their support of STEM
  http://www.wpafb.af.mil/afrl/ri/