Today’s Impact on Communication System by IP Spoofing and Its Detection and Prevention

TABLE OF CONTENTS

Abstract

Acknowledgement

Table of Figures

Chapter 1: Introduction
1.1 Background
1.2 Outline

Chapter 2: Problem definitions & goals
2.1 Aims
2.2 Objectives
2.3 Research Plan

Chapter 3: IP address & IP Spoofing
3.1 IP address
3.2 Brief History of IP Spoofing
3.3 Background
3.4 Recent Attacks using IP Spoofing
3.5 Details of an Attack
3.6 Why IP Spoofing is easy?
3.7 Application
3.8 Why spoofed IP address
3.9 Internet Protocol - IP
3.10 TCP/IP Overview
3.10.1 Ethernet
3.10.2 Internet Protocol
3.10.3 Transmission Control Protocol
3.10.4 User Datagram Protocol
3.10.5 Internet Control Message Protocol
3.11 IP Spoofing structure
3.12 IP spoofing and IPv6

Chapter 4: IP Spoofing Attacks
4.1 Spoofing Attacks
4.1.1 Non-Blind Spoofing
4.1.2 Blind Spoofing
4.1.3 Hijacking an Authorized Session
4.1.4 Scanning
4.1.5 Sequence-Number Prediction
4.1.6 Determining the State of a Firewall
4.1.7 Man In the Middle Attack
4.1.8 Denial of Service Attack
4.1.9 Flooding
4.1.10 Attacks concerning the routing protocols
4.2 Host disabling
4.3 Packet Sequence Sampling and Prediction
4.4 Impersonating the Trusted Host
4.5 System Compromise
4.6 Misconceptions of IP Spoofing
4.7 The Effects of IP Spoofing
4.7.1 Service Denied
4.7.2 Corporate Espionage and Sabotage
4.7.3 External Invaders
4.8 Impact

Chapter 5: Spoofed Packet Detection
5.1 Spoofed Packets Detection Methods
5.1.1 Routing methods
5.1.2 Non-routing methods
5.2 Active Methods
5.2.1 TTL methods
5.2.2 Direct TTL probes
5.2.3 IP Identification Number
5.2.4 OS Fingerprinting
5.2.5 TCP Specific Methods
5.2.6 Flow Control
5.2.7 Packet Retransmission
5.2.8 Traceroute
5.3 Passive Methods?
5.3.1 Passive TTL Methods
5.3.2 OS Idiosyncrasies
5.4 Services vulnerable to IP spoofing
5.5 Software for IP Spoofing

Chapter 6: Challenges and Methods to stop IP Spoofing
6.1 How to Avoid IP Spoofing
6.1.1 Instructions
6.1.2 Challenges in IP Spoofing
6.1.3 Challenges in Prevention Solutions
6.1.4 Challenges in Distributed Denial of Service (DDoS) Attacks
6.1.5 Challenge in Anti-spoofing with Access Lists
6.2 IP Spoofing Prevention methods:
6.2.1 Compression
6.2.2 Cryptography:
6.3 Algorithm
6.4 Software to Stop IP Spoofing

Chapter 07: Future Works Chapter 08: Conclusions

Referecnes

Abstract

In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system. On January 22, 1995, in an article entitled, “New form of attack on computers linked to Internet is uncovered”, John Markoff of the New York Times reported on the TCP/IP protocol suite's security weakness known as IP spoofing. The IP spoofing security weakness was published by S. M. Bellovin (1989). However, not much attention has been paid to the security weaknesses of the TCP/IP protocol by the general public. This is changing as more people and companies are connecting to the Internet to conduct business. This thesis is on “Today’s Impact on Communication System by IP Spoofing and Its Detection and Prevention”. This paper contains an overview of IP address and IP Spoofing and its background. It also shortly discusses various types of IP Spoofing, how they attack on communication system. This paper also describes some methods to detection and prevention methods of IP spoofing and also describes impacts on communication system by IP Spoofing. We think that our proposed methods will be very helpful to detect and stop IP spoofing and give a secured communication system.

Keywords: IP address, IP Spoofing, TCP/IP, Compression, Cryptography

Acknowledgement

In the Name of Almighty Allah, the Merciful, the Creator of the universe. All praises are due to Him who enabled us to complete this study.

First and foremost, We deeply indebted and thank to our supervisor, Md. Samsuzzaman, Assistant Professor, Department of Computer & Communication Engineering, Faculty of Computer Science & Engineering, Patuakhali Science & Technology University for his guidance, patient, insight and encouragement through out of this thesis period. His supportive and kind attitude makes it possible for us to complete it. We acknowledge his contributions to enhance our knowledge on the subject.

We specially owe thanks to all the teachers of Computer Science & Engineering Faculty, Patuakhali Science & T echnology University for their help, valuable suggestions and discussions.

We also grateful all publishers and authors as their scientific literature helped us while working on our thesis.

Finally, we must thank our family who has provided love and support through our study. Their love always remains the key source of motivation for us.

Authors

List of Figures

Fig 3.1:Valid source IP address

Fig 3.2:Spoofed source IP address

Fig 3.3: IP header

Fig 3.4: IP routing mechanism

Fig 3.5: IP header

Figure 3.6 : IP packet structure over Ethernet

Figure 3.7: Simplified network schematic

Figure 3.8: Packets routed by network A's edge router

Figure 3.9: Packets routed by the ISP's backbone router

Figure 3.10: Packets routed by the ISP's 2nd backbone router

Fig 4.1: Blind Spoofing

Fig 4.2 :Man in middle attack

Figure 4.3: A Normal TCP Connection Request from A to B

Figure 4.4: Half-Open TCP Connection

Fig 4.5: Link state before RIP attack

Fig 4.6: Link state after RIP attack

Chapter-01 INTRODUCTION

This thesis is on “Today’s Impact on Communication System by IP Spoofing and Its Prevention”. Here this introduction contains an overview of our thesis and background information about the IP address and IP Spoofing. It also shortly discusses various types of IP Spoofing, how they attack on communication system and how can prevent them.

1.1 Background

The basic protocol for sending data over the Internet network and many other computer networks is the Internet Protocol ("IP"). The header of each IP packet contains, among other things, the numerical source and destination address of the packet. The source address is normally the address that the packet was sent from. By forging the header so it contains a different address, an attacker can make it appear that the packet was sent by a different machine. The machine that receives spoofed packets will send response back to the forged source address, which means that this technique is mainly used when the attacker does not care about the response or the attacker has some way of guessing the response.

Criminals have long employed the tactic of masking their true identity, from disguises to aliases to caller-id blocking. It should come as no surprise then, that criminals who conduct their nefarious activities on networks and computers should employ such techniques. IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine.

In certain cases, it might be possible for the attacker to see or redirect the response to his own machine. The most usual case is when the attacker is spoofing an address on the same LAN or WAN. Hence the attackers have an unauthorized access over computers.

In this paper, we will examine the concepts of IP spoofing: why it is possible, how it works, what it is used for and how to defend against it.

1.2 Outline

This thesis is mainly divided in two parts:

- a theoretical and
- a Implementation part.

The practical part answers - and gives solutions to - the thesis goals whereas the theoretical part describes the theoretical foundation for our choices. The structure of the thesis is as follows:

Theoritical part

1.2.1 Chapter 2

This chapter includes the main goals and definition of our thesis. Here we include various research questions that we are faced during research and a research plan model of our thesis.

1.2.2 Chapter 3

This chapter is committed to an overview of the IP address and IP Spoofing, Applications, and comparisons between IPv6 and IP Spoofing.

1.2.3 Chapter 4

This chapter is committed to an overview of different types of IP Spoofing attacks and impact on communication system by IP Spoofing.

Implementation part

1.2.4 Chapter 5

This chapter includes different names of software that are used to create IP Spoofing, various IP Spoofing packet detection methods and services that are vulnerable to IP Spoofing. .

1.2.5 Chapter 6

Chapter 6 includes the different ways and challenges to stop IP Spoofing. It also includes some names of software that will help to prevent IP spoofing and different ways to prevent IP Spoofing.

1.2.6 Chapter 7

This chapter includes the future works of our thesis.

1.2.6 Chapter 8

Chapter 8 concludes the thesis with a summary of the main contributions of this thesis.

Chapter-2 Problems Definitions & Goals

Packets sent using the IP protocol [2] include the IP address of the sending host. The recipient directs replies to the sender using this source address. However, the correctness of this address is not verified by the protocol. The IP protocol specifies no method for validating the authenticity of the packet’s source. This implies that an attacker could forge the source address to be any he desires. This is a well-known problem and has been well described [3][4][5]. In all but a few rare cases, sending spoofed packets is done for illegitimate purposes. Sending IP packets with forged source addresses is known as packet spoofing and is used by attackers for several purposes. These include obscuring the true source of the attack, implicating another site as the attack origin, pretending to be a trusted host, hijacking or intercepting network traffic, or causing replies to target another system. Because none of these are desirable, it is useful to determine if a packet has a spoofed source address. In cases where an ongoing attack is occurring it is beneficial to determine if the attack is from a particular location. In many cases we are able to determine when packets are spoofed, and generally from where they originate. In our thesis “Today’s Impact on Communication System by IP Spoofing and Its Prevention” at Firstly we provide the information of various types of IP Spoofing, Secondly, we include the main reasons for IP Spoofing Thirdly, identify various detection methods of IP Spoofing and Fourthly, We propose some ideas to stop IP Spoofing.

2.1 Aims

Followings objectives are set to achieve the aims­> To identify the main reasons that causes IP Spoofing,

- To identify the impact on Communication System by IP Spoofing,
- To identify various detection methods of IP Spoofing,
- To propose some methods that will helpful to stop IP Spoofing.

2.2 Objectives

The goal of our research is to propose some methods to stop IP Spoofing. These methods will be very much helpful to remove IP Spoofing and will save the entire communication System. Following objectives are set to achieve the goal.

- Literature study to explore the topics IP address and IP Spoofing.
- Identification of main reasons that cause IP Spoofing.
- Differentiate between IPv6 and IP Spoofing.
- Identify various detection method of IP Spoofing
- Analyze the detection method and propose some methods to stop IP Spoofing.

2.3 Research Plan:

In our thesis previously we include that there are two parts in our thesis.

a. Theoretical or literature review and
b. Implementation part.

During our research what topics we will discuss in theoretical and experimental part that are given in following our research plan model. The final research plan is-

illustration not visible in this excerpt

Chapter-03 IP Address & IP Spoofing

IP spoofing is a method of attacking a network in order to gain unauthorized access. The attack is based on the fact that Internet communication between distant computers is routinely handled by routers which find the best route by examining the destination address, but generally ignore the origination address. The origination address is only used by the destination machine when it responds back to the source.

In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system. To be successful, the intruder must first determine the IP address of a trusted system, and then modify the packet headers to that it appears that the packets are coming from the trusted system.

In essence, the attacker is fooling (spoofing) the distant computer into believing that they are a legitimate member of the network. The goal of the attack is to establish a connection that will allow the attacker to gain root access to the host, allowing the creation of a backdoor entry path into the target system. In this chapter we will be concerned about IP address and IP Spoofing.

3.1 IP spoofing:

In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.

Figure 1: Valid source IP address, illustrates a typical interaction between a workstation with a valid source IP address requesting web pages and the web server executing the requests. When the workstation requests a page from the web server the request contains both the workstation’s IP address (i.e. source IP address 192.168.0.5) and the address of the web server executing the request (i.e. destination IP address 10.0.0.23). The web server returns the web page using the source IP address specified in the request as the destination IP address, 192.168.0.5 and its own IP address as the source IP address, 10.0.0.23.

illustration not visible in this excerpt

Figure 2: Spoofed source IP address, illustrates the interaction between a workstation requesting web pages using a spoofed source IP address and the web server executing the requests. If a spoofed source IP address (i.e. 172.16.0.6) is used by the workstation, the web server executing the web page request will attempt to execute the request by sending information to the IP address of what it believes to be the originating system (i.e. the workstation at 172.16.0.6). The system at the spoofed IP address will receive unsolicited connection attempts from the web server that it will simply discard.

illustration not visible in this excerpt

Two general techniques are used during IP spoofing:

- A hacker uses an IP address that is within the range of trusted IP addresses.
- A hacker uses an authorized external IP address that is trusted.

3.2 Brief History of IP Spoofing

In the April 1989 article entitled: “Security Problems in the TCP/IP Protocol Suite’’ , author S. M Bellovin of AT & T Bell labs was among the first to identify IP spoofing as a real risk to computer networks. Bellovin describes how Robert Morris, creator of the now infamous Internet Worm, figured out how TCP created sequence numbers and forged a TCP packet sequence. This TCP packet included the destination address of his “victim” and using an

IP spoofing attack Morris was able to obtain root access to his targeted system without a User ID or password. A common misconception is that "IP spoofing” can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. However, IP spoofing is an integral part of many network attacks that do not need to see responses (blind spoofing).

3.3 Background

The basic protocol for sending data over the Internet network and many other computer networks is the Internet Protocol ("IP"). The heart of IP is the IP datagram, a packet sent over the Internet in a connectionless manner. An IP datagram carries enough information about the network to get forwarded to its destination; it consists of a header followed by bytes of data. The header contains information about the type of IP datagram, how long the datagram should stay on the network. The header of each IP packet contains, among other things, the numerical source and destination address of the packet. The source address is normally the address that the packet was sent from. By forging the header so it contains a different address, an attacker can make it appear that the packet was sent by a different machine. The machine that receives spoofed packets will send response back to the forged source address, which means that this technique is mainly used when the attacker does not care about the response or the attacker has some way of guessing the response.

illustration not visible in this excerpt

Fig 3.3: IP header

In some cases when the attacker is spoofing an address on the same LAN or WAN, they have an unauthorized access over computers. They can spoof at various network layers; for example, the Simple Mail Transfer Protocol (SMTP) is also a target for spoofing; because SMTP does not verify the sender's address, you can send any e-mail to anybody pretending to be someone else.

3.4 Recent Attacks using IP Spoofing

Since the initial Internet worm, a number if attacks have been made using this vulnerability samples include;

- Man-in-the-middle: packet sniffs on link between the two endpoints, and can pretend to be one end of the connection
- Routing re-direct : redirects routing information form the original host to the hacker’s host (a variation on the man-in the-middle attack)
- Source routing: redirects individual packets by the hacker’s host.
- Blind spoofing: predicts responses from a host, allowing commands to be sent, but does not get immediate feedback
- Flooding: SYN flood fills up the receive queue from random source addresses; smurf/fraggle spoofs victims address, causing everyone to respond to the victim.[6]

3.5 Details of an Attack

IP spoofing in brief consists of several interim steps;

- Selecting a target host ( or victim).
- The trust relationships are reviewed to identify a host that has a “trust” relationship with the target host.
- The trusted host is then disabled and the target’s TCP sequence numbers are sampled.
- The trusted host is then impersonated, the sequence numbers forged (after being calculated) .
- A connection attempt is made to a service that only requires address-based authentication (no user id or password).
- If a successful connection is made, the attacker executes a simple command to leave a Backdoor[6]

3.6 Why IP Spoofing is easy?

- Problem with the Routers. IP routing is hop by hop. Every IP packet is routed separately. The route of a IP packet is decided by all the routers the packet goes through.
- Routers look at Destination addresses only.
- Authentication based on Source addresses only.
- To change source address field in IP header field is easy.[7]

illustration not visible in this excerpt

Fig 3.4: IP routing mechanism

3.7 Application

IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus suitable for such attacks. They have additional advantages for this purpose—they are more difficult to filter since each spoofed packet appears to come from a different address, and they hide the true source of the attack. Denial of service attacks that use spoofing typically randomly choose addresses from the entire IP address space, though more sophisticated spoofing mechanisms might avoid unroutable addresses or unused portions of the IP address space. The proliferation of large botnets makes spoofing less important in denial of service attacks, but attackers typically have spoofing available as a tool, if they want to use it, so defenses against denial-of-service attacks that rely on the validity of the source IP address in attack packets might have trouble with spoofed packets. Backscatter, a technique used to observe denial-of-service attack activity in the Internet, relies on attackers' use of IP spoofing for its effectiveness.

IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines. For example, it is common on some corporate networks to have internal systems trust each other, so that users can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without an authentication.^]

3.8 Why Spoof the IP Source Address?

What is the advantage of sending a spoofed packet? It is that the sender has some kind of malicious intention and does not want to be identified. You can use the source address in the header of an IP datagram to trace the sender's location. Most systems keep logs of Internet activity, so if attackers want to hide their identity, they need to change the source address. The host receiving the spoofed packet responds to the spoofed address, so the attacker receives no reply back from the victim host. But if the spoofed address belongs to a host on the same subnet as the attacker, then the attacker can "sniff" the reply. You can use IP spoofing for several purposes; for some scenarios an attacker might want to inspect the response from the target victim (called "nonblind spoofing"), whereas in other cases the attacker might not care (blind spoofing). Following is a discussion about reasons to spoof an IP packet.

3.9 Internet Protocol - IP

An identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, 1.160.10.240 could be an IP address.

Within an isolated network, you can assign IP addresses at random as long as each one is unique. However, connecting a private network to the Internet requires using registered IP addresses (called Internet addresses) to avoid duplicates.

The four numbers in an IP address are used in different ways to identify a particular network and a host on that network. Four regional Internet registries -- ARIN, RIPE NCC, LACNIC and APNIC -- assign Internet addresses from the following three classes.

- Class A- supports 16 million hosts on each of 126 networks
- Class B- supports 65,000 hosts on each of 16,000 networks
- Class C- supports 254 hosts on each of 2 million networks

The number of unassigned Internet addresses is running out, so a new classless scheme called CIDR is gradually replacing the system based on classes A, B, and C and is tied to adoption of IPv6. Another, Internet protocol (IP) is a network protocol operating at layer 3 (network) of the OSI model. It is a connectionless model, meaning there is no information regarding transaction state, which is used to route packets on a network. Additionally, there is no method in place to ensure that a packet is properly delivered to the destination.

illustration not visible in this excerpt

Fig 3.5: IP header

Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the header) contain various information about the packet. The next 8 bytes (the next 2 rows), however, contains the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses - specifically the “source address” field. It's important to note that each datagram is sent independent of all others due to the stateless nature of IP. Keep this fact in mind as we examine TCP in the next section.

3.10 TCP/IP Overview

The Open Systems Interconnection Reference Model (OSI model) groups network protocols, communications, and applications into seven distinct layers [22]. It is a model that is used to understand how protocols or applications can work to interconnect networks. The model represents all the specifications, functions, and activities that need to occur for successful networking. Each layer in the model represents a group of related functions, specifications, and activities. TCP/IP is not a single protocol but rather a suite of protocols. It is comprised of the Internet Protocol (IP), Transmission Control Protocol (TCP), User Packet Protocol (UDP), and the Internet Message Control Protocol (ICMP). Using a suite of protocols rather than a single protocol simplifies the design and implementation of the hardware and software that allow computing platforms to be connected together. For a detailed explanation of the exact format and description of the TCP/IP protocol suite please refer to RFC 791 [28] and RFC 793 [14].

3.10.1 Ethernet

The TCP/IP protocol suite governs how data is transported across networks from host to host, but does not specify how data is transmitted across different physical media. Layer 2 of the OSI model governs how the raw signals on a physical line are interpreted and converted into bits and then organized in frames for transport. To transmit these frames over physical media most networks use Ethernet. Ethernet is an IEEE 802.3 series standard that specifies how two or more systems sharing a common cabling system can interact [23]. Ethernet uses its own addressing scheme that consists of a unique 48-bit number. This address is known as the Media Access Controller (MAC) address and is assigned to network interface cards (NIC) by the manufacturer. Each manufacturer is assigned a block of these addresses by the IEEE Registration Authority [24]. MAC addresses encapsulate packets transmitted over networks that use Ethernet.

[...]