Transcript: IP Spoofing

Sniffing and Spoofing

Spoofing
- Fraudulent authentication of one machine as another
  - ARP spoofing
  - IP spoofing
  - DNS spoofing
  - Web spoofing

ARP spoofing

Address Resolution Protocol (ARP)
- IP address to hardware (Ethernet) address mapping
- Send ARP packet: "Who has this IP address, and what is your hardware address?"
- ARP cache: table of recent responses

ARP Spoofing
1. Assume IP address "a" of trusted host
2. Respond to ARP packets for address "a"
3. Send a false hardware address (i.e. the fraud's address)
4. Solution: make ARP cache static (manual updates!?!)

ARP Message Formats
- ARP packets provide mapping between hardware layer and protocol layer addresses
- 28 byte header for IPv4 Ethernet network
  - 8 bytes of ARP data
  - 20 bytes of Ethernet/IP address data
- 6 ARP messages
  - ARP request and reply
  - ARP reverse request and reply
  - ARP inverse request and reply

ARP Request Message
- Source contains initiating system's MAC address and IP address
- Destination contains broadcast MAC address ff:ff:ff:ff:ff:ff

ARP Reply Message
- Source contains replying system's MAC address and IP address
- Destination contains requestor's MAC address and IP address

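The layout just described (8 bytes of ARP data followed by 20 bytes of Ethernet/IP addresses, 28 bytes in all) can be checked against real bytes with a small parser. The following is an added example written for this transcript, not code from the slides or from any of the tools they name; the two sample frames are constructed here from the Alice/Bob addresses on the relay-configuration slide (written with leading zeros, which the slide omits), and the opcode table assumes the standard values from RFC 826, RFC 903 and RFC 2390.

```python
import struct

# Sizes from the slide: 8 bytes of ARP data + 20 bytes of Ethernet/IP address
# data = 28-byte ARP packet for IPv4 over Ethernet, carried after a 14-byte
# Ethernet header.
ETH_HDR_LEN = 14
ETHERTYPE_ARP = 0x0806
ARP_FIXED_LEN = 8
ARP_IPV4_ETH_LEN = 28

# Opcodes for the six message types on the slide (RFC 826, RFC 903, RFC 2390).
OPCODES = {1: "ARP request", 2: "ARP reply",
           3: "RARP request", 4: "RARP reply",
           8: "InARP request", 9: "InARP reply"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Parse an Ethernet frame carrying an IPv4/Ethernet ARP packet into its fields."""
    if len(frame) < ETH_HDR_LEN + ARP_IPV4_ETH_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    arp = frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_IPV4_ETH_LEN]
    # 8 bytes of ARP data: hardware type, protocol type, address lengths, opcode
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:ARP_FIXED_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    # 20 bytes of address data: sender MAC, sender IP, target MAC, target IP
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", arp[ARP_FIXED_LEN:])
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
        "opcode": opcode, "type": OPCODES.get(opcode, f"unknown ({opcode})"),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
        "is_broadcast": eth_dst == b"\xff" * 6,
    }

# --- constructed test input (not captured traffic) -------------------------
def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))

def _ip(s):
    return bytes(int(x) for x in s.split("."))

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Assemble a frame in the layout parse_arp expects; used only to build sample input."""
    eth = struct.pack("!6s6sH", _mac(eth_dst), _mac(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += struct.pack("!6s4s6s4s", _mac(sender_mac), _ip(sender_ip),
                       _mac(target_mac), _ip(target_ip))
    return eth + arp

# Alice and Bob from the relay-configuration slide (the slide writes the MACs
# without leading zeros: 0:c:3b:1c:2f:1b and 0:c:3b:9:4d:8).
ALICE_MAC, ALICE_IP = "00:0c:3b:1c:2f:1b", "10.1.1.2"
BOB_MAC, BOB_IP = "00:0c:3b:09:4d:08", "10.1.1.7"
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

# Alice asks "who has 10.1.1.7?" (broadcast); Bob answers directly to Alice.
REQUEST_FRAME = build_arp(1, ALICE_MAC, ALICE_IP, ZERO_MAC, BOB_IP, eth_dst=BROADCAST)
REPLY_FRAME = build_arp(2, BOB_MAC, BOB_IP, ALICE_MAC, ALICE_IP, eth_dst=ALICE_MAC)

if __name__ == "__main__":
    for frame in (REQUEST_FRAME, REPLY_FRAME):
        print(parse_arp(frame))
```

The parser rejects anything that is not IPv4-over-Ethernet ARP, so the fixed 28-byte slice is safe; a monitor that wanted to handle other hardware or protocol types would have to size the address block from the hlen and plen fields instead.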
Types of Attack
- Sniffing Attacks
- Session Hijacking/MiM
- Denial of Service

Sniffing on a Hub
Figure: a source station and a destination station connected through a hub, with a sniffer attached to the same hub seeing their traffic.

Switch Sniffing
- Normal switched networks
  - Switches relay traffic between two stations based on MAC addresses
  - Stations only see broadcast or multicast traffic
- Compromised switched networks
  - Attacker spoofs destination and source addresses
  - Forces all traffic between two stations through its system

Unsolicited ARP Reply
- Any system can spoof a reply to an ARP request
- Receiving system will cache the reply
  - Overwrites existing entry
  - Adds entry if one does not exist
- Usually called ARP poisoning

Host to Host Exploit
Figure: Client (C), Server (S) and a Hostile station. C sends a broadcast ARP request; S sends the real ARP reply; the hostile station sends a spoofed ARP reply to C and a spoofed ARP reply to S.

Host to Router Exploit
Figure: Client (C), Gateway Router (R) and a Hostile station. C sends a broadcast ARP request; R sends the real ARP reply; the hostile station sends a spoofed ARP reply to C and a spoofed ARP reply to R.

Relay Configuration
Figure: three stations on one switch.
- Attacker: 0:c:3b:1a:7c:ef - 10.1.1.10
- Alice: 0:c:3b:1c:2f:1b - 10.1.1.2
- Bob: 0:c:3b:9:4d:8 - 10.1.1.7
Cache entries after poisoning:
- Alice's cache: 0:c:3b:1a:7c:ef - 10.1.1.7 (Bob's IP mapped to the attacker's MAC)
- Bob's cache: 0:c:3b:1a:7c:ef - 10.1.1.2 (Alice's IP mapped to the attacker's MAC)

Relay Configuration (cont.)
Figure: source station, switch and destination station; the sniffer now sits in the path and relays the traffic between source and destination.

Session Hijacking/MiM
- Natural extension of sniffing capability
- "Easier" than standard hijacking
  - Don't have to deal with duplicate/unsynchronized packets arriving at destination and source
  - Avoids packet storms

Denial of Service
- Spoofing the destination MAC address of a connection will prevent the intended source from receiving/accepting it
- Benefits
  - No protocol limitation
  - Eliminates synchronization issues
- Examples
  - UDP DoS
  - TCP connection killing instead of using RSTs

DoS MAC Entries
Figure: three stations on one switch.
- Attacker: 0:c:3b:1a:7c:ef - 10.1.1.10
- Alice: 0:c:3b:1c:2f:1b - 10.1.1.2
- Bob: 0:c:3b:9:4d:8 - 10.1.1.7
Cache entries after poisoning:
- Alice's cache: a:b:c:1:2:3 - 10.1.1.7 (Bob's IP mapped to a non-existent MAC, so Alice's traffic to Bob never arrives)
- Bob's cache: 0:c:3b:1c:2f:1b - 10.1.1.2 (Alice's real entry, unchanged)

Denial of Service Examples

ARP Attack on Web Surfing
- Web surfers require gateway router to reach Internet
- Method
  - Identify surfer's MAC address
  - Change their cached gateway MAC address (or DNS MAC address if local) to "something else"

ARP Attack on Network-based IDS
- Poorly constructed (single homed) IDS network systems relay auditing data/alerts to management/admin consoles
- Method
  - Identify local IDS network engine
  - Modify gateway MAC address
  - Modify console/management station address

Switch Attacks
- Certain attacks may overflow switch's ARP tables
- Method
  - A MAC address is composed of six bytes, which is equivalent to 2^48 possible addresses
  - See how many randomly generated ARP replies or ARP requests it takes before the switch "fails"

Switch Attacks (cont.)
- Switches may
  - Fail open: switch actually becomes a hub
  - Fail: no traffic passes through the switch, requiring a hard or soft reboot

Network "Bombs"
- "Hidden" application installed on a compromised system
- Method
  - Passively or actively collects ARP entries
  - Attacker specifies timeout or future time
  - Application transmits false ARP entries to its list

Vulnerable Systems
- Windows 95
- Windows 98
- Windows NT
- Windows 2000
- AIX 4.3
- HP 10.2
- Linux RedHat 7.0
- FreeBSD 4.2
- Cisco IOS 11.1
- Netgear

Not Vulnerable
- Sun Solaris 2.8
  - Appears to resist cache poisoning

Countermeasures

Firewalls
- Most "personal" firewalls are not capable of defending against or correctly identifying attacks below IP level
- UNIX
  - ipfw
  - ipf (IP Filter)
- Windows environments
  - Network Ice/Black Ice©

Session Encryption
- Examples
  - Establishing VPNs between networks or systems
  - Using application-level encryption
- Effects
  - Prevents disclosure attacks
  - Will not prevent DoS attacks

Strong Authentication
- Examples
  - One-time passwords
  - Certificates
- Effects
  - None on disclosure attacks
  - None on DoS attacks

Port Security
- Cisco switches
  set port security ?/? enable <MAC address>
- Restricts source MAC addresses
  - Hard coded ones
  - "Learned" ones
- Ability to set timeouts
- Ability to generate traps
- Ability to "shutdown" violating port

Port Security (Cont.)
- Issues
  - Only restricts source MAC addresses
  - Will not prevent ARP relay attacks
  - Will only prevent ARP source spoofing attacks

Hard Coding Addresses
- Example
  - Individual systems can hard code the corresponding MAC address of another system/address
- Issues
  - Management nightmare
  - Not scalable
  - Not supported by some OS vendors

Hard Coding Results
Operating System    Results
Windows 95          FAIL
Windows 98          FAIL
Windows NT          FAIL
Windows 2000        FAIL
Linux RedHat 7.0    YES
FreeBSD 4.2         YES
Solaris 2.8         YES

Countermeasure Summary
Matrix of countermeasures (rows: Firewalls, Session Encryption, Strong Authentication, Port Security, Hard Coding) against attack types (columns: Sniffing, Session Hijacking, Denial of Service); the cell values did not survive extraction.

Detection

IDS Architecture Issues
Figure: two layouts of a Management Console, a Network Monitor, a Monitored Network, a Critical Server and a Hostile System; the connections drawn between them did not survive extraction.

OS Level Detection
Operating System    Detection
Windows 95          NO
Windows 98          NO
Windows NT          NO
Windows 2000        NO
Linux RedHat 7.0    NO
FreeBSD 4.2         YES

Hypothetical Detection Application
- Purpose
  - Track and maintain ARP/IP pairings
  - Identify non-standard ARP replies versus acceptable ones
    - Timeout issues
    - OS must withstand corruption itself
  - Fix broken ARP entries of systems
    - Transmission of correct ARP replies

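The two purposes above (keep the IP/MAC pairings, tell unsolicited replies from acceptable ones) and the poisoning signatures from the "Unsolicited ARP Reply" and host-to-host slides can be expressed as a small monitor in the spirit of arpwatch. The following is an added example written for this transcript, not code from the slides or from arpwatch or the demo tools; it works on already-parsed ARP events, and the event sequence is constructed to replay the host-to-host exploit with the Alice/Bob/attacker addresses of the relay slide. The 2-second request-to-reply window is an assumption, not a value from the slides.

```python
from collections import namedtuple

# One parsed ARP message as a monitor would see it (opcode 1 = request, 2 = reply).
ArpEvent = namedtuple("ArpEvent", "t opcode sender_mac sender_ip target_ip")

class ArpMonitor:
    """Tracks IP->MAC pairings and flags replies that were never asked for or that
    contradict an earlier pairing (the two signatures of the poisoning on the slides)."""

    def __init__(self, request_window=2.0):
        self.window = request_window   # seconds a reply may lag its request (assumed)
        self.table = {}                # ip -> mac first learned for it
        self.pending = {}              # ip asked about -> time of the request
        self.alerts = []

    def _alert(self, t, kind, ip, mac, detail):
        self.alerts.append({"t": t, "kind": kind, "ip": ip, "mac": mac, "detail": detail})

    def feed(self, ev):
        if ev.opcode == 1:                       # request: note who was asked about
            self.pending[ev.target_ip] = ev.t
        elif ev.opcode == 2:                     # reply: was there a matching request?
            asked = self.pending.pop(ev.sender_ip, None)
            if asked is None or not 0 <= ev.t - asked <= self.window:
                self._alert(ev.t, "unsolicited_reply", ev.sender_ip, ev.sender_mac,
                            "reply with no matching request in the window")
        else:
            return
        self._check_pairing(ev.t, ev.sender_ip, ev.sender_mac)

    def _check_pairing(self, t, ip, mac):
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac                 # first sighting: learn it (trust on first use)
        elif known != mac:
            # Do not overwrite: the slide's hypothetical tool would instead re-send
            # the known pairing as a corrective ARP reply.
            self._alert(t, "changed_mapping", ip, mac,
                        f"known {known}; corrective reply would be {ip} is-at {known}")

def run_monitor(events):
    mon = ArpMonitor()
    for ev in sorted(events, key=lambda e: e.t):
        mon.feed(ev)
    return mon

# Constructed sequence replaying the host-to-host exploit slide.
ALICE_MAC, ALICE_IP = "00:0c:3b:1c:2f:1b", "10.1.1.2"
BOB_MAC, BOB_IP = "00:0c:3b:09:4d:08", "10.1.1.7"
ATTACKER_MAC = "00:0c:3b:1a:7c:ef"
SAMPLE_EVENTS = [
    ArpEvent(0.00, 1, ALICE_MAC, ALICE_IP, BOB_IP),      # Alice: who has 10.1.1.7?
    ArpEvent(0.01, 2, BOB_MAC, BOB_IP, ALICE_IP),        # Bob's real reply
    ArpEvent(5.00, 2, ATTACKER_MAC, BOB_IP, ALICE_IP),   # hostile: "10.1.1.7 is-at attacker" to Alice
    ArpEvent(5.00, 2, ATTACKER_MAC, ALICE_IP, BOB_IP),   # hostile: "10.1.1.2 is-at attacker" to Bob
    ArpEvent(10.0, 1, BOB_MAC, BOB_IP, ALICE_IP),        # Bob: who has 10.1.1.2?
    ArpEvent(10.01, 2, ALICE_MAC, ALICE_IP, BOB_IP),     # Alice's real reply
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_EVENTS).alerts:
        print(alert)
```

The monitor keeps the first pairing it learned, which is exactly the "OS must withstand corruption itself" point on the slide: if the spoofed reply arrives before the genuine one, the genuine reply is the one that gets flagged, so a deployment has to seed the table from a known-good source or accept that the first sighting is trusted.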
Public Domain Tools
- Manipulation
  - Dsniff 2.3
  - Hunt 1.5
  - Growing number of others
- Local monitoring
  - Arpwatch 1.11

Demo Environment
Figure: a switch with an 802.11b segment and the following hosts:
- 172.16.10.40: FreeBSD / Win2k
- 172.16.10.30: Linux RedHat
- 172.16.10.25: FreeBSD 4.2
- 172.16.10.133: Win2k

Demonstration Tools
- rfarp 1.1
  - Provides ARP relay capability and packet dump for two selected stations
  - Corrects MAC entries upon exiting
- farp 1.1b
  - Passive and active collection of ARP messages
  - DoS attacks on single hosts
  - DoS attacks on entire collection
  - Arbitrary and manual input of spoofed MAC addresses

Bibliography
- Finlayson, Mann, Mogul, Theimer, RFC 903, "A Reverse Address Resolution Protocol," June 1984
- Kra, Hunt 1.5, http://www.gncz.cz/kra/index.html, Copyright 2000
- Lawrence Berkeley National Laboratory, Network Research Group, Arpwatch 1.11, ftp://ftp.ee.lbl.gov/arpwatch.tar.Z, Copyright 1996
- Plummer, David C., RFC 826, "An Ethernet Address Resolution Protocol," November 1982
- Russell, Ryan and Cunningham, Stace, "Hack Proofing Your Network," Syngress Publishing Inc, Copyright 2000
- Song, Dug, Dsniff 2.3, http://www.monkey.org/~dugsong/, Copyright 2000

IP Spoofing

Definitions
- An open connection between two computers communicating by TCP/IP is called a socket and is defined by:
  - Source IP number
  - Source port number
  - Destination IP number
  - Destination port number
  - Initial source SEQ number
  - Initial destination SEQ number
  - An ID # that is increased for each packet

TCP packet header
- 16-bit source port number
- 16-bit destination port number
- 32-bit sequence number
- 32-bit acknowledgement number
- header length, unused bits, flags
- 16-bit window size
- 16-bit TCP checksum
- 16-bit urgent offset
- Options (if any)
- Data (if any)

Traditional TCP/IP handshake
Figure (step 1): attacker -> target, SYN
- Src IP, Dst IP; Src port, Dst port
- Seq = initial src seq#, Ack = NULL, Flags = S
- Src ID = src ID + 1

Traditional TCP/IP handshake
Figure (step 2): target -> attacker, SYN/ACK
- Src IP, Dst IP; Src port, Dst port
- Seq = dst seq#, Ack = src seq# + 1, Flags = S+A
- Dst ID = Dst ID + 1

Traditional TCP/IP handshake
Figure (step 3): attacker -> target, ACK
- Src IP, Dst IP; Src port, Dst port
- Ack = dst seq# + 1, Flags = A
- Src ID = src ID + 1

Establishing a socket
Figure: A -> B: SYN (seqa); B -> A: SYN/ACK (seqb, ack = seqa+1); A -> B: ACK (ack = seqb+1)

Traditional port scanning
Figure: attacker -> target: SYN; target -> attacker: SYN/ACK; attacker -> target: ACK

Traditional stealth scanning 1
Figure: attacker -> target: SYN; target -> attacker: SYN/ACK (no ACK is sent)

Traditional stealth scanning 2
Figure: attacker -> target: SYN; target -> attacker: SYN/ACK; attacker -> target: RST

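The header fields and the three-step exchange above can be checked mechanically: parse the segment, then verify that each acknowledgement is the other side's sequence number plus one. The following is an added example written for this transcript, not code from the slides; the sample segments are constructed (20-byte headers, no options, checksum left at zero, and a pair of arbitrary ISNs seqa = 1000 and seqb = 5000). The last function labels an observed flag sequence with the scanning pattern names used on the slides, which is how a monitor would tell a full connect from a half-open probe.

```python
import struct

TCP_FIXED_LEN = 20
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK, FLAG_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def flags_str(flags):
    """Render the flag bits the way the slides do: 'S', 'SA' (S+A), 'A', 'R'."""
    names = [(FLAG_SYN, "S"), (FLAG_ACK, "A"), (FLAG_RST, "R"),
             (FLAG_FIN, "F"), (FLAG_PSH, "P"), (FLAG_URG, "U")]
    return "".join(n for bit, n in names if flags & bit)

def parse_tcp(segment):
    """Split a TCP segment into the header fields listed on the slide."""
    if len(segment) < TCP_FIXED_LEN:
        raise ValueError("short TCP header")
    (sport, dport, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:TCP_FIXED_LEN])
    data_offset = (off_flags >> 12) * 4      # header length: 4-bit field in 32-bit words
    if not TCP_FIXED_LEN <= data_offset <= len(segment):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags_str(off_flags & 0x3F), "window": window,
            "checksum": checksum, "urgent": urgent,
            "options": segment[TCP_FIXED_LEN:data_offset], "data": segment[data_offset:]}

def check_handshake(syn, synack, ack):
    """Validate the 'Establishing a socket' exchange: A sends SYN(seqa), B answers
    SYN/ACK(seqb, ack=seqa+1), A completes with ACK(ack=seqb+1)."""
    if syn["flags"] != "S":
        return False, "first segment is not a pure SYN"
    if synack["flags"] != "SA":
        return False, "second segment is not SYN/ACK"
    if synack["ack"] != (syn["seq"] + 1) & 0xFFFFFFFF:
        return False, "SYN/ACK does not acknowledge seqa+1"
    if ack["flags"] != "A":
        return False, "third segment is not a pure ACK"
    if ack["ack"] != (synack["seq"] + 1) & 0xFFFFFFFF:
        return False, "ACK does not acknowledge seqb+1 (the sender did not know B's ISN)"
    return True, "socket established"

def classify_probe(flag_sequence):
    """Label an observed exchange as one of the three scanning patterns on the slides."""
    if flag_sequence[:2] != ["S", "SA"]:
        return "no SYN/ACK seen (closed port or not a handshake)"
    if len(flag_sequence) == 2:
        return "half-open: SYN, SYN/ACK, no ACK (stealth scanning 1)"
    if flag_sequence[2] == "A":
        return "full handshake (traditional port scanning)"
    if flag_sequence[2] == "R":
        return "half-open torn down with RST (stealth scanning 2)"
    return "other"

# --- constructed sample segments (header only, checksum left at 0) --------
def build_tcp(sport, dport, seq, ack, flags, window=65535, data=b""):
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0) + data

SEQ_A, SEQ_B = 1000, 5000
SYN = build_tcp(40000, 80, SEQ_A, 0, FLAG_SYN)
SYNACK = build_tcp(80, 40000, SEQ_B, SEQ_A + 1, FLAG_SYN | FLAG_ACK)
ACK = build_tcp(40000, 80, SEQ_A + 1, SEQ_B + 1, FLAG_ACK)
BAD_ACK = build_tcp(40000, 80, SEQ_A + 1, SEQ_B + 2, FLAG_ACK)   # a wrong guess at B's ISN

if __name__ == "__main__":
    print(parse_tcp(SYN))
    print(check_handshake(parse_tcp(SYN), parse_tcp(SYNACK), parse_tcp(ACK)))
    print(check_handshake(parse_tcp(SYN), parse_tcp(SYNACK), parse_tcp(BAD_ACK)))
    print(classify_probe(["S", "SA", "R"]))
```

The BAD_ACK case is the whole reason the later slides spend so long on sequence numbers: a sender that never saw the SYN/ACK cannot supply seqb+1, so the server drops the third segment and no socket is established.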
Sequence numbers
- Are in place to provide easy packet reassembly.
- Increment each time a packet is sent.
- Various incrementation schemes exist

ID flag
- Is in place to identify each TCP session
- Is also in some cases used for packet reassembly
- The ID counter is increased every time a packet is sent
- This is valid for all packets, including reset packets

ID flag prediction
- Most Unix boxes increment the ID by a random or pseudo-random number.
- Up until today, ID numbers have not been known to be security critical.
- Some Windows versions tend to increment the ID# by 1
- While some seem to increment the ID# by 254
  - This is due to reversed byte ordering of the ID# in these operating systems.

IP spoofing
- 3 computers: A, B, C
- C sends a packet to A, but makes A believe that the packet comes from B
- How to do it?
  - Easy? Set the source IP address of the IP header to the IP address of B
  - This can be done easily using "raw" IP packets
    - You can make IP packets on your own, so you can also set the source IP address to any value you want

Spoofed scanning in theory
- By constantly polling a decoy host for ID number increments, we can see if the scanned target host has sent it SYN/ACK or reset packets.
- By analyzing this we will know whether a port on the scanned host is open or not
- This is done totally blind from the scanned host.

Spoofed scanning in theory
- Since we know a machine will increase the ID# by sending a packet, we can constantly probe the host to see how many packets it has sent between our polls
- This is done by monitoring the ID# increment

Spoofed scanning in theory
- If a port is open on a scanned host, the server will respond with a SYN/ACK
- If a port is closed on the scanned host, it will respond with a RST

Spoofed scanning in theory
- If a host receives a SYN/ACK from an unknown source, it will send a RST packet back
- If a host receives a RST packet from an unknown source, it will NOT send a packet back

Internet security threats
- IP Spoofing:
  - can generate "raw" IP packets directly from application, putting any value into IP source address field
  - receiver can't tell if source is spoofed
  - e.g.: C pretends to be B
Figure: C sends A a packet with src:B, dest:A and a payload; B is not involved.

Why IP spoofing?
- IP address as authentication method
  - It is not as safe as username/password authentication, but used in many cases
  - E.g. rlogin host
    - Network of workstations. They have the same user database
    - Host detects the IP address of the client. If it is in the trusted list, login is granted without asking username and password
- Consequence:
  - Attacker can get access to all the information of the spoofed computer on the server

How to do IP spoofing?
- IP spoofing is a blind attack
  - Why? Where does the victim send the reply to?
- It is extremely hard to carry out successful IP spoofing
  - Must create a successful TCP connection with the victim.
  - How?

TCP Connection Establishment
Figure: three-way handshake between the active participant (client) and the passive participant (server).

Spoofing TCP connection
- A SYN request is sent by C to A. C is impersonating B
- A will reply to B (not C) by sending a SYN/ACK packet
  - Case 1: B receives the SYN/ACK and gets confused. It replies with NACK. Spoofing fails
  - Case 2: B doesn't reply to A (hopefully)
    - C sends ACK to A
    - Have to guess the SYN SEQ# number A sent to B and reply with SEQ#+1
    - Hard but possible

TCP SYN attack
- in Berkeley implementations, the ISN is incremented by a constant amount (64000)
  - once per 0.5 second, and
  - each time a connection is initiated
- it is not hopeless to guess the next ISN to be used by a server
- an attacker can impersonate a trusted host (e.g., in case of r commands, authentication is based on source IP address solely)
Figure: attacker -> server: SYN = ISNX, SRC_IP = T; server -> trusted host (T): SYN = ISNS, ACK(ISNX); attacker -> server: ACK(ISNS), SRC_IP = T; attacker -> server: SRC_IP = T, nasty_data

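The Berkeley scheme on this slide is what an ISN audit looks for: successive ISNs that differ by small multiples of one large constant. The following is an added example written for this transcript, not code from the slides; it models the generator exactly as the slide states it (+64000 per 0.5 s and per connection, starting value and probe times constructed here), audits a handful of observed ISNs, shows that the counter model forecasts the next value exactly, and contrasts that with a randomised generator (a seeded PRNG stands in for a kernel CSPRNG so the run is repeatable). The 1000/100 thresholds in audit_isn are assumptions of this example, not values from the slide.

```python
from functools import reduce
from math import gcd
import random

ISN_MOD = 1 << 32
TICK = 0.5      # slide: the counter advances once per 0.5 second ...
STEP = 64000    # ... by 64000, and by 64000 again for every connection initiated

def ticks(t):
    return int(t // TICK)

class BerkeleyIsn:
    """Model of the Berkeley ISN generator as described on the slide (values as stated there)."""
    def __init__(self, start):
        self.start, self.conns = start, 0
    def next(self, t):
        self.conns += 1
        return (self.start + STEP * (ticks(t) + self.conns)) % ISN_MOD

class RandomIsn:
    """Stand-in for a randomised generator; seeded so the example is repeatable
    (a real kernel draws from a CSPRNG)."""
    def __init__(self, seed):
        self.rng = random.Random(seed)
    def next(self, t):
        return self.rng.getrandbits(32)

def collect(generator, times):
    """Auditor's measurement: open one connection at each time and record the ISN offered."""
    return [(t, generator.next(t)) for t in times]

def audit_isn(samples):
    """Successive ISN differences; if they are all small multiples of one large
    step, the generator is a counter and its next value is forecastable."""
    deltas = [(b - a) % ISN_MOD for (_, a), (_, b) in zip(samples, samples[1:])]
    step = reduce(gcd, deltas, 0)
    multiples = [d // step for d in deltas] if step else []
    predictable = step >= 1000 and bool(multiples) and max(multiples) <= 100   # assumed thresholds
    return {"deltas": deltas, "step": step, "multiples": multiples, "predictable": predictable}

def forecast(samples, t_next):
    """What the counter model says the next ISN will be (meaningful only when audit_isn
    reports predictable): last value, plus one step per elapsed tick, plus one for the connection."""
    step = audit_isn(samples)["step"]
    t_last, isn_last = samples[-1]
    return (isn_last + step * (ticks(t_next) - ticks(t_last) + 1)) % ISN_MOD

SAMPLE_TIMES = [0.0, 0.1, 0.2, 0.7]          # constructed probe times (seconds)

def demo():
    berkeley = BerkeleyIsn(start=1000)       # constructed starting value
    b_samples = collect(berkeley, SAMPLE_TIMES)
    b_forecast = forecast(b_samples, 1.2)
    b_actual = berkeley.next(1.2)
    r_samples = collect(RandomIsn(seed=7), SAMPLE_TIMES)
    return {"berkeley": audit_isn(b_samples), "berkeley_forecast_hit": b_forecast == b_actual,
            "random": audit_isn(r_samples)}

if __name__ == "__main__":
    print(demo())
```

With the slide's constants the four samples come out as 65000, 129000, 193000 and 321000 (the last one crossed a half-second tick, hence the double step), and the audit reports step 64000 with multiples 1, 1, 2; the randomised generator gives a gcd of a few units at most and is reported as unpredictable, which is the property a modern stack has to provide for the r-command scenario on the slide to fail.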
Steps of IP spoofing attack
- Detecting the trusted system
  - C wants to access A and finds that A trusts B
- Blocking the trusted system (B)
  - To keep it from responding to the SYN request from A. How?
    - DoS attack on B
- Guessing the SEQ# of B
  - Must know how TCP generates SEQ#
  - Try to connect to open ports of B right before the attack. Check the SEQ#
  - Predict the next SEQ# according to the TCP algorithm, given the last SEQ# and the elapsed time
- Making TCP connection
- Do damages

Counter Measures
- Avoid using IP as authentication method
  - Username/password better
- Install firewall
  - Trusted IP usually on the same network
  - Spoofed IP comes from outside network
  - Firewall prevents IP packets from outside the network, especially with source IP inside network
  - Also the attacker's firewall should prevent packets with source IP different from internal network
- IPsec
  - Secure IP using encryption

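The two firewall rules above (drop outside packets that claim an inside source; drop outgoing packets whose source is not ours) are small enough to write down and run over sample traffic. The following is an added example written for this transcript, not code from the slides or from any firewall product; the internal prefix 10.1.1.0/24 and the four sample packets are constructed, and a packet is described only by the interface it arrived on and its addresses.

```python
import ipaddress

# Constructed: the organisation's own address space behind the firewall.
INTERNAL_NETS = [ipaddress.ip_network("10.1.1.0/24")]

def is_internal(ip, nets=INTERNAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def anti_spoof_verdict(direction, src, nets=INTERNAL_NETS):
    """direction is 'inbound' (arrived on the outside interface) or 'outbound'.
    Ingress rule: nothing from outside may claim an inside source.
    Egress rule: nothing leaving may carry a source that is not ours."""
    inside = is_internal(src, nets)
    if direction == "inbound" and inside:
        return "drop", "outside packet claims an internal source (spoofed)"
    if direction == "outbound" and not inside:
        return "drop", "leaving packet has a non-internal source (spoofed; would hit a third party)"
    return "accept", "source is consistent with the interface"

def apply_rules(packets, nets=INTERNAL_NETS):
    """Run the rules over a list of packets; returns (dir, src, dst, verdict, reason) per packet."""
    return [(p["dir"], p["src"], p["dst"]) + anti_spoof_verdict(p["dir"], p["src"], nets)
            for p in packets]

# Constructed sample traffic, not captured packets.
SAMPLE_PACKETS = [
    {"dir": "inbound",  "src": "198.51.100.7", "dst": "10.1.1.2"},     # ordinary outside client
    {"dir": "inbound",  "src": "10.1.1.7",     "dst": "10.1.1.2"},     # claims to be Bob from outside
    {"dir": "outbound", "src": "10.1.1.2",     "dst": "198.51.100.7"}, # Alice talking out
    {"dir": "outbound", "src": "192.0.2.99",   "dst": "198.51.100.7"}, # inside host spoofing someone else
]

if __name__ == "__main__":
    for row in apply_rules(SAMPLE_PACKETS):
        print(row)
```

The egress rule is the one the slide attributes to "the attacker's firewall": it does nothing for the site that deploys it, but it stops that site's hosts from being the source of the spoofed SYNs and floods described in the following slides.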
SYN Floods
- Simple to execute.
- Send many SYNs to target host in quick succession with spoofed IPs.
- Target allocates buffer in kernel space, which stays allocated until time out.

Reconnaissance with Spoofed IPs
- 3 basic recon methods
  - Spoofed IPs as misinformation
  - Port scanning by IP sequence number observation
  - Port scanning by indirect observation

Spoofed IP Addresses As Background Noise
An attacker can use spoofed IP addresses to create suspicious traffic that cannot easily be tracked down to the actual attacker. The intent here is not to leverage data from the actual spoofed packets, but to allow the attacker's real activity, or identity, to be hidden among the false packets.

Nmap, perhaps the most common network scanner at the moment, allows the use of numerous 'decoy' addresses. Using the -D option in Nmap, such as nmap -O -D 10.1.1.1,10.1.1.2,actual.attacker.ip.address,10.1.1.3 10.2.2.1, will allow an attacker to determine the operating system of the host at 10.2.2.1 while making it appear that the system is being scanned by four simultaneous hosts, only one of which (the 3rd sequentially) is the attacker.

Spoofed IPs as Background Noise
- Scan from 100 random used IPs and your own.
- All must be checked to determine actual scanner.
- Ex: -D option in nmap

Indirect Reconnaissance of a Target
1) Hosts reply SYN|ACK to a SYN if the TCP target port is open, and reply RST|ACK if the TCP target port is closed.
2) You can know the number of packets that hosts are sending using the id IP header field.
3) Hosts reply RST to a SYN|ACK, and reply nothing to a RST.
The significance of this is that due to predictable IP IDs, it is possible to remotely determine if a particular host is sending traffic to a third party.
Using another of the described tendencies, it is also possible to predict how a host will react to a port scan. If a host is listening on a port, a probe (SYN) to that port will result in a SYN/ACK.

Indirect Reconnaissance of a Target
IP Sequence Number Observation
Figure: three steps between A, Z and T. Step 1: A sends Z an echo and reads Z's response. Step 2: T receives a SYN that appears to come from Z and sends its response to Z (spoofed response; Z may also be carrying unknown traffic of its own). Step 3: A sends Z another echo and compares the response with step 1.

Indirect Reconnaissance of a Target
Introducing our players
- Spoof host: www.anycompany.com:80, 172.0.0.1
- Attacker: 3vil.org, 10.0.0.1
- Target: unknowing.com, 192.0.0.1
Why do we need three of them?

Phase one (sync the ID# of spoof)
- attacker -> spoof host: SYN to port 80
- spoof host -> attacker: SYN/ACK
Why did we do that?
- Attacker now knows the spoof host's initial ID#

Phase 2 (spoofing the source)
- attacker -> target: SYN, src = 172.0.0.1, dst = 192.0.0.1

Phase 3 (fooling the response)
- target -> spoof host: SYN/ACK, src = 192.0.0.1, dst = 172.0.0.1
- spoof host -> target: RST, src = 172.0.0.1, dst = 192.0.0.1

Phase 4 (probing the spoof host)
- attacker -> spoof host: SYN to port 80
- spoof host -> attacker: SYN/ACK

Case port open
Adding the ID counters
- Phase one (sync the ID# of spoof): spoof host ID = 0; attacker -> spoof host: SYN:80; spoof host -> attacker: SYN/ACK, spoof host ID = 1
- Phase 2 (spoofing the source): spoof host ID = 1; attacker -> target: SYN, src = 172.0.0.1, dst = 192.0.0.1
- Phase 3 (fooling the response): spoof host ID = 1; target -> spoof host: SYN/ACK, src = 192.0.0.1, dst = 172.0.0.1; spoof host -> target: RST, src = 172.0.0.1, dst = 192.0.0.1, spoof host ID = 2
- Phase 4 (probing the spoof host): spoof host ID = 2; attacker -> spoof host: SYN:80; spoof host -> attacker: SYN/ACK, spoof host ID = 3

Case port closed
Adding the ID counters
- Phase one (sync the ID# of spoof): spoof host ID = 0; attacker -> spoof host: SYN:80; spoof host -> attacker: SYN/ACK, spoof host ID = 1
- Phase 2 (spoofing the source): spoof host ID = 1; attacker -> target: SYN, src = 172.0.0.1, dst = 192.0.0.1
- Phase 3 (fooling the response): spoof host ID = 1; target -> spoof host: RST, src = 192.0.0.1, dst = 172.0.0.1; the spoof host sends nothing back, so its ID stays 1
- Phase 4 (probing the spoof host): spoof host ID = 1; attacker -> spoof host: SYN:80; spoof host -> attacker: SYN/ACK, spoof host ID = 2

The basic technique and its flaws
- If the poll host is active, it will increase the ID# for each connection.
- This will result in false positives.
- These false positives can be minimized by sending multiple packets for each port, then calculating the increase.
- The port will only show up true if the increase is > (#packets_sent*255)/2

Phase 2 (spoofing the source)
- spoof host ID = 1; attacker -> target: (SYN, src = 172.0.0.1, dst = 192.0.0.1) * 20

Phase 3 (fooling the response)
- spoof host ID = 1+20; target -> spoof host: SYN/ACK, src = 192.0.0.1, dst = 172.0.0.1 (20 times, each one answered by a RST from the spoof host)

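The four phases, the ID arithmetic of the "port open" and "port closed" cases, and the multi-probe threshold above all follow from three host behaviours the earlier "Spoofed scanning in theory" slides list, so they can be reproduced in an in-memory model. The following is an added example written for this transcript, not code from the slides or from any scanner; it contains no network code. It builds the three players with the names and addresses on the slides, gives the spoof host either a sequential IP ID counter (the Windows behaviour the slides describe) or random IDs (the Unix behaviour, which is the mitigation), and runs the phases with a configurable number of spoofed SYNs and a configurable amount of unrelated traffic from the spoof host. Two details are this example's own: the scanner learns the spoof host's ID step empirically from three polls instead of being told it, and the increase caused by the SYN/ACK answering the final poll is subtracted before the threshold is applied (the slide's (#packets_sent*255)/2 folds that one packet in, which only works when the step is large).

```python
import random

ID_MASK = 0xFFFF

class Host:
    """A host with the IP ID behaviour on the slides: sequential (+step per packet sent)
    or random. Reacts to segments exactly as the 'Spoofed scanning in theory' slides say."""
    def __init__(self, name, ip, open_ports=(), id_mode="sequential", step=1, seed=0):
        self.name, self.ip, self.open_ports = name, ip, set(open_ports)
        self.id_mode, self.step, self.ip_id = id_mode, step, 0
        self.rng = random.Random(seed)          # seeded so the run is repeatable

    def stamp(self, pkt):
        """Every packet this host sends carries its next IP ID."""
        if self.id_mode == "sequential":
            self.ip_id = (self.ip_id + self.step) & ID_MASK
        else:
            self.ip_id = self.rng.getrandbits(16)
        return dict(pkt, src=self.ip, ip_id=self.ip_id)

    def react(self, pkt):
        """SYN -> SYN/ACK if the port is open, else RST; SYN/ACK -> RST; RST -> nothing."""
        if pkt["flags"] == "S":
            reply = "SA" if pkt["dport"] in self.open_ports else "R"
            return self.stamp({"dst": pkt["src"], "dport": pkt["sport"], "sport": pkt["dport"], "flags": reply})
        if pkt["flags"] == "SA":
            return self.stamp({"dst": pkt["src"], "dport": pkt["sport"], "sport": pkt["dport"], "flags": "R"})
        return None

class Network:
    def __init__(self, hosts):
        self.by_ip = {h.ip: h for h in hosts}

    def deliver(self, pkt):
        """Route by destination only (the source is never checked, which is what spoofing
        relies on) and let the receiver's reaction propagate. Returns the direct reply."""
        dst = self.by_ip.get(pkt["dst"])
        reply = dst.react(pkt) if dst else None
        if reply is not None:
            self.deliver(reply)
        return reply

def blind_scan(net, attacker, spoof, target, port, probes=1, background=None):
    """The four phases from the slides, generalised to `probes` spoofed SYNs per port."""
    def poll():   # phases 1 and 4: SYN to the spoof host's port 80, read the ID on its SYN/ACK
        syn = attacker.stamp({"dst": spoof.ip, "dport": 80, "sport": 40000, "flags": "S"})
        return net.deliver(syn)["ip_id"]
    ids = [poll(), poll(), poll()]
    d1, d2 = (ids[1] - ids[0]) & ID_MASK, (ids[2] - ids[1]) & ID_MASK
    if d1 != d2:                          # random IDs: the counter carries no information
        return "inconclusive", None
    step, before = d1, ids[2]
    for _ in range(probes):               # phase 2: raw SYN carrying the spoof host's address
        net.deliver({"src": spoof.ip, "dst": target.ip, "dport": port, "sport": 40000, "flags": "S"})
    if background:                        # unrelated traffic the spoof host sends meanwhile
        background()
    after = poll()                        # phase 4
    attributable = ((after - before) & ID_MASK) - step   # minus the SYN/ACK answering this poll
    verdict = "open" if attributable > probes * step / 2 else "closed"
    return verdict, attributable

def scenario(port, probes=1, noise=0, id_mode="sequential"):
    """Players as named on the slides; port 80 is open on the target, everything else closed."""
    attacker = Host("3vil.org", "10.0.0.1")
    spoof = Host("www.anycompany.com", "172.0.0.1", open_ports={80}, id_mode=id_mode)
    target = Host("unknowing.com", "192.0.0.1", open_ports={80})
    net = Network([attacker, spoof, target])
    def noise_traffic():   # constructed: the spoof host serving some unrelated client
        for _ in range(noise):
            net.deliver(spoof.stamp({"dst": "198.51.100.9", "dport": 40001, "sport": 80, "flags": "SA"}))
    return blind_scan(net, attacker, spoof, target, port, probes, noise_traffic)

if __name__ == "__main__":
    for args in [(80,), (22,), (22, 1, 3), (22, 20, 3), (80, 20, 3)]:
        print(args, scenario(*args))
    print("random IDs:", scenario(80, id_mode="random"))
```

With one probe and a quiet spoof host the attributable increase is 1 for the open port and 0 for the closed one, the same 3-versus-2 difference as on the "adding the ID counters" slides. Three packets of unrelated traffic turn a closed port into a false positive with a single probe, and twenty probes push the threshold to 10 and suppress it; with random IDs the three sync polls disagree and the scan returns nothing, which is why the slides note that most Unix systems are not usable as the spoof host.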
Summary
- By constantly polling a decoy host for ID number increments, we can see if the scanned target host has sent it SYN/ACK or reset packets.
- By analysing this we will know whether a port on the scanned host is open or not
- This is done totally blind from the scanned host.

DoS/DDoS
- DoS attacks are as old as the Internet itself
- In the year 2000 a completely new quality of DoS attack started (DDoS).
- DDoS struck a huge number of prominent web sites including Yahoo, eBay, Amazon and Buy.com
- DDoS concepts: distributing the attack across several hosts. Coordinating the attack among many machines. Using the distribution system to thwart all attempts at discovering the origin of the attack.

DoS/DDoS Flood Attack Methods
- Smurf Attack
- TCP SYN Attack
- UDP Attack
- TCP Attack
- ICMP Attack

DoS/DDoS TCP SYN Attack
- Exploits the three-way handshake
Figure 1. Three-way Handshake: S -> D: SYNx (D in LISTEN); D -> S: SYNy, ACKx+1 (D in SYN_RECEIVED); S -> D: ACKy+1 (CONNECTED)
Figure 2. SYN Flooding Attack: a nonexistent (spoofed) S -> D: SYN (D in LISTEN); D -> S: SYN+ACK; D stays in SYN_RECEIVED because the spoofed source never answers

"Smurf"
Figure: the perpetrator sends an ICMP echo with the spoofed source address of the victim to an IP broadcast address; every host on that network sends an ICMP echo reply to the victim across the Internet.

DNS Spoofing
- Someone else's domain name -> your computer
- Possible damages:
  - Redirected email
    - Email sent from A to B goes to C instead.
    - C spoofed B's domain name
  - Redirected web server
    - Possible attack by exploiting browser's vulnerability

How to do DNS spoofing?
- C: attacker wants to spoof B
- A communicates with B
- Method 1
  - Modify C's name server ns.C
    - Let it respond to "C=?" with "B=C.ip"
    - This is replying something that is not asked for
  - Send DNS request "C=?" to ns.A
  - ns.A asks ns.C
  - ns.C replies "B=C.ip"
- Method 2
  - C sends DNS request "B=?" to ns.A
  - C replies "B=C.ip" to ns.A
  - UDP makes it easier, still need to guess request ID

Countermeasures
- Paranoid DNS checking
  - Resolved IP address is sent to DNS for reverse resolve to get the hostname
  - Send the hostname to DNS again to get the IP address
  - If the two IP addresses match = OK
- Secure name server
  - DNSsec
    - Digitally signed answers

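Both methods above and the paranoid check can be made concrete on the resolver side. The following is an added example written for this transcript, not code from the slides or from any resolver; it is offline, so the forward and reverse lookups are injected table-backed functions (constructed names under .example and documentation addresses) rather than real DNS. accept_response applies the checks a cache should make before believing a UDP answer: same server, same transaction ID (Method 2 relies on guessing it), same question, and only records for the name that was asked (Method 1 relies on an answer for B smuggled into a reply about C). paranoid_check follows the three steps on the slide and, in addition to comparing the two IP addresses, also requires the reverse lookup to return the name originally asked for; that extra comparison is this example's addition, since an attacker who controls the reverse record for C.ip could otherwise make the two addresses agree.

```python
from dataclasses import dataclass

@dataclass
class DnsQuery:
    txid: int
    qname: str

@dataclass
class DnsResponse:
    txid: int
    qname: str       # question section echoed by the server
    answers: list    # (name, rtype, rdata) tuples
    source: str      # address the datagram came from

def _verdict(accepted, reason, records, dropped):
    return {"accepted": accepted, "reason": reason, "records": records, "dropped": dropped}

def accept_response(query, resp, expected_server):
    """Checks a stub resolver or cache applies before believing a UDP answer."""
    if resp.source != expected_server:
        return _verdict(False, "answer from an unexpected server", [], len(resp.answers))
    if resp.txid != query.txid:
        return _verdict(False, "transaction ID mismatch", [], len(resp.answers))
    if resp.qname != query.qname:
        return _verdict(False, "question section does not match the query", [], len(resp.answers))
    # Keep only records for the name we asked about; "B=C.ip" inside a reply to "C=?" is dropped.
    # (Real resolvers use bailiwick rules; this is the strict form of that check.)
    kept = [a for a in resp.answers if a[0] == query.qname]
    dropped = len(resp.answers) - len(kept)
    if not kept:
        return _verdict(False, "no record for the name that was asked", [], dropped)
    return _verdict(True, "ok", kept, dropped)

def lookup(table):
    """Table-backed stand-in for a DNS lookup (real code would query a resolver)."""
    return lambda key: table.get(key)

# Constructed resolver views: genuine data, and a cache holding the poisoned "B=C.ip".
GENUINE_FORWARD = lookup({"b.example": "192.0.2.20", "c.example": "203.0.113.5"})
GENUINE_REVERSE = lookup({"192.0.2.20": "b.example", "203.0.113.5": "c.example"})
POISONED_FORWARD = lookup({"b.example": "203.0.113.5", "c.example": "203.0.113.5"})

def paranoid_check(host, forward, reverse):
    """Slide: resolve, reverse-resolve the address, resolve the returned name, compare addresses.
    Added here: the returned name must also be the name we started from."""
    ip = forward(host)                               # 1. name -> address
    name = reverse(ip) if ip else None               # 2. address -> name
    ip_again = forward(name) if name else None       # 3. that name -> address
    ok = ip is not None and name == host and ip_again == ip
    return {"ok": ok, "ip": ip, "reverse_name": name, "ip_again": ip_again}

# Constructed messages: a genuine-looking reply to "c.example?" that carries an extra
# record for b.example (Method 1), and a reply with a wrong transaction ID (Method 2).
QUERY_C = DnsQuery(txid=0x1A2B, qname="c.example")
REPLY_C_WITH_EXTRA = DnsResponse(txid=0x1A2B, qname="c.example", source="192.0.2.53",
                                 answers=[("c.example", "A", "203.0.113.5"),
                                          ("b.example", "A", "203.0.113.5")])
QUERY_B = DnsQuery(txid=0x1A2B, qname="b.example")
REPLY_B_BAD_ID = DnsResponse(txid=0x0000, qname="b.example", source="192.0.2.53",
                             answers=[("b.example", "A", "203.0.113.5")])

if __name__ == "__main__":
    print(accept_response(QUERY_C, REPLY_C_WITH_EXTRA, "192.0.2.53"))
    print(accept_response(QUERY_B, REPLY_B_BAD_ID, "192.0.2.53"))
    print(paranoid_check("b.example", GENUINE_FORWARD, GENUINE_REVERSE))
    print(paranoid_check("b.example", POISONED_FORWARD, GENUINE_REVERSE))
```

One caveat on the paranoid check: step 3 re-resolves through the same resolver, so if that resolver's cache is the thing that was poisoned and the attacker also controls the reverse record for C.ip, all three steps agree and the check passes; it catches the case on the slide (a poisoned forward entry with honest reverse data), and DNSsec's signed answers are what closes the remaining gap.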
Web Spoofing
Web spoofing (or phishing or carding) uses spoofed emails and fraudulent websites that trick innocent users into divulging private information such as usernames and passwords, credit card numbers, social security numbers, etc.

A typical web spoofing attack

Web Spoofing
- Web browsing goes through an intermediate attacker
- The attacker goes to the server, fetches the data and sends it back to the victim
- Attacker is able to monitor all traffic between the victim and server
  - Including forms
  - Even secure connections!
  - Lost privacy
  - Hard for an ordinary victim to notice anything wrong

How it works
- JavaScript and plug-ins
- Redirect all web traffic to attacker's machine, including the links on the pages
- Initiated by visiting a malicious website

Countermeasures
- Check "lock" button for secure connection. Check if it is indeed the website you are visiting
- Check status bar
  - Does it go to somewhere strange?