Understanding IP Spoofing

Attackers can launch a variety of attacks by initiating an IP spoofing attack. An IP spoofing attack causes an attacker's IP address to appear to be a trusted IP address. For example, if an attacker convinces a host that he is a trusted client, he might gain privileged access to that host. The attacker could also capture traffic, which might include credentials such as usernames and passwords. As another example, you might be familiar with denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. The perpetrators of such attacks might use IP spoofing to help conceal their identities.

To understand how an IP spoofing attack is possible, consider the operation of IP and TCP. At Layer 3, the attacker can easily modify his packets to make the source IP address appear to be a "trusted" IP address. However, TCP, operating at Layer 4, can be more of a challenge.

From your early studies of TCP, you might recall that a TCP session is established using a three-way handshake:

1. The originator sends a SYN segment to the destination, along with a sequence number.

2. The destination sends an acknowledgment (an ACK) of the originator's sequence number along with the destination's own sequence number (a SYN).

3. The originator sends an ACK segment to acknowledge the destination's sequence number, after which the TCP communication channel is open between the originator and destination.

Figure 1-3 illustrates the TCP three-way handshake process.

Figure 1-3 TCP Three-Way Handshake [figure: Originator and Destination exchanging the SYN, SYN and ACK, and ACK segments]

For an attacker to "hijack" a session being set up between a legitimate originator and a destination, the attacker needs to know the TCP sequence numbers used in the TCP segments. If the attacker successfully guesses or predicts the correct TCP sequence numbers, he can send a properly constructed ACK segment to the destination. If the attacker's ACK segment reaches the destination before the originator's ACK segment does, the attacker becomes trusted by the destination, as illustrated in Figure 1-4.

Figure 1-4 IP Spoofing [figure: Originator, Attacker, and Destination; the destination's SYN and ACK goes to the originator, and the attacker's ACK segment reaches the destination before the originator's ACK segment]

How an attacker guesses or predicts correct TCP sequence numbers depends on the type of IP spoofing attack being launched. Table 1-7 describes two categories of IP spoofing attacks.

Table 1-7 Types of IP Spoofing Attacks

Type of Attack      Description
Nonblind spoofing   Nonblind spoofing occurs when the attacker and the destination are on the same subnet. By being on the same subnet, the attacker might be able to use a packet-capture utility to glean sequence numbers.
Blind spoofing      Blind spoofing occurs when the attacker is not on the same subnet as the destination. Therefore, obtaining correct TCP sequence numbers is more difficult. However, using techniques such as IP source routing (described next), an attacker can accurately determine those sequence numbers.
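The following Python model is an added example, not code from the book. It ties the three handshake steps to the point of Table 1-7: the destination completes the handshake only for the first ACK that acknowledges its own initial sequence number (ISN) exactly, so a forged ACK succeeds only if that ISN can be gleaned or predicted. The `Destination` class, the constructed ISN sources, and the defender-side `isn_predictable` audit over captured SYN/ACK ISNs are all assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field
from statistics import pstdev
from typing import Callable

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap


@dataclass
class Destination:
    """Server side of the handshake, keyed by the (claimed) client address."""
    isn_source: Callable[[], int]
    pending: dict = field(default_factory=dict)
    established: dict = field(default_factory=dict)

    def on_syn(self, src_ip, client_seq):
        """Step 2: reply with SYN/ACK carrying the destination's own ISN."""
        isn = self.isn_source()
        self.pending[src_ip] = isn
        return ("SYN-ACK", isn, (client_seq + 1) & MASK)

    def on_ack(self, src_ip, ack_num):
        """Step 3: accept only an ACK that acknowledges our ISN exactly.
        The first correct ACK for an address completes the handshake; any
        later ACK for the same pending entry is dropped. This is the race
        the text describes: the destination cannot tell who sent it."""
        isn = self.pending.get(src_ip)
        if isn is None or ack_num != (isn + 1) & MASK:
            return False
        self.established[src_ip] = self.pending.pop(src_ip)
        return True


def counter_isn(start=1000, step=64000):
    """Constructed predictable ISN source: a fixed increment per connection,
    the kind of behaviour that makes blind spoofing feasible."""
    n = start

    def nxt():
        nonlocal n
        n = (n + step) & MASK
        return n
    return nxt


def random_isn():
    """Unpredictable ISN source: 32 bits from the OS CSPRNG."""
    return secrets.randbits(32)


def isn_predictable(isns, max_stdev=1.0):
    """Defender-side audit over ISNs observed in captured SYN/ACKs:
    near-constant deltas mean the next ISN can be guessed off-path."""
    deltas = [(b - a) & MASK for a, b in zip(isns, isns[1:])]
    return len(deltas) >= 2 and pstdev(deltas) <= max_stdev
```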
