CyberPatriot Advanced Topics: IP Spoofing Overview

Joshua White, Director of CyOON Research and Development ("Cyber Operations for Optical Networks"), [email protected]
Everis Inc, http://www.EverisInc.com, (315)-370-1535

Posted 03-Feb-2016

Page 1: CyberPatriot Advanced Topics: IP Spoofing Overview

Title slide: speaker and contact details as given in the document header.

Page 2: Agenda

- Company Background
- IP Spoofing Overview
- Why Is It So Easy
- Types Of IP Spoofing
- Detection Techniques
- Prevention Techniques
- Conclusions

Page 3: IP Spoofing Overview

IP spoofing is a technique used to gain unauthorized access to computers/networks.

The attacker sends messages to a computer using a forged IP address indicating that the message is coming from a trusted host.

Page 4: IP Spoofing Overview (2)

IP spoofing occurs when an individual inside or outside of a network impersonates the conversations of a trusted node.

Most spoofing attacks fall under two techniques:

- using an IP address within the range of trusted IPs
- using an authorized external IP address that is trusted

For government and enterprise instances a third technique exists: using an IP address other than your own to place blame on another country or individual. This IP address is neither trusted nor untrusted; it simply is not truthful.

Page 5: IP Spoofing Overview (3)

Considering the AAA model for secure protocols (RFC 2906), some example uses of IP spoofing to perpetrate attacks against it are:

- Injection of malicious data or code into an existing data stream (Authentication)
- A hacked routing table, set for the attacker to receive and send from a spoofed IP, would allow them to completely replace the legitimate source (Authorization)
- DoS or other attacks can be covered up by using a spoofed IP address to shirk responsibility for the action, thus breaking the rules of non-repudiation (Accountability)

Page 6: Why Is It So Easy?

IP spoofing is easy due to a number of reasons:

- Routers forward traffic based on the destination address (RFC 1812)
- Some security mechanisms allow for IP as the sole means of authentication (RFC 5406)
- Actually changing the source IP in a packet is extremely easy to do (LibPal, PacketForge, etc.)

Page 7: Types Of IP Spoofing

Everis engineers define IP spoofing attacks as falling under three categories:

- Blind: the attacker has some real-time knowledge of the network, such as packet sequence identifiers. Used heavily in replay attacks.
- Non-blind: the attacker has no knowledge of, or access to, real-time network information. Used heavily in DoS and probing.
- Infinite knowledge: the attacker is sitting on (sniffing) a live session and hijacks it using spoofed IP, MAC, authentication, etc. Used heavily in MITM attacks.

Page 8: Advanced IP Spoofing Attacks

A number of very advanced attacks can be accomplished through the use of IP spoofing. The simplest example is smurfing:

- Smurf attack: a LAN is sent an ICMP broadcast packet with a spoofed source address. All computers on the LAN reply to the owner of the real address that was spoofed, thus overwhelming it (DDoS).

Page 9: Detection

There's no sure-fire way to detect IP spoofing, though some rules of thumb exist:

- If an internal IP address shows up in a log file as coming in through an external interface, then it's probably been spoofed.
- If an advanced attack is happening on your network, you can make the assumption that the attacker is covering their tracks by spoofing the source identifier.

Page 10: Prevention

There are no foolproof prevention mechanisms; however, to better protect yourself:

- Do not allow authenticated access without some layered mechanism such as CHAP, LEAP, Kerberos, etc.
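The challenge-response layer this bullet asks for, shown as an added example that is not part of the original slides: a minimal CHAP exchange (RFC 1994) in Python. The secrets table, the peer name "trusted-host" and the session labels are constructed for the example. A peer that merely arrives from the trusted host's address cannot compute the response without the shared secret, and because each challenge is random and consumed on first use, a response captured from an earlier session is rejected as well.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed secrets table (an assumption for this example): a real
# authenticator reads these from its secrets store, not from source code.
SECRETS = {"trusted-host": b"example-shared-secret"}


@dataclass
class Challenge:
    identifier: int   # CHAP Identifier field, one octet
    value: bytes      # Challenge Value, random per session


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges and checks the answers."""

    def __init__(self, secrets):
        self._secrets = secrets
        self._outstanding = {}   # session -> Challenge not yet answered
        self._next_id = 0

    def issue_challenge(self, session) -> Challenge:
        self._next_id = (self._next_id + 1) & 0xFF
        ch = Challenge(self._next_id, os.urandom(16))
        self._outstanding[session] = ch
        return ch

    def verify(self, session, peer_name: str, response: bytes) -> bool:
        # A challenge is consumed on first use, so a captured response cannot be replayed.
        ch = self._outstanding.pop(session, None)
        secret = self._secrets.get(peer_name)
        if ch is None or secret is None:
            return False
        expected = chap_response(ch.identifier, secret, ch.value)
        return hmac.compare_digest(expected, response)


def peer_answer(ch: Challenge, secret: bytes) -> bytes:
    """The peer's side: answer the challenge with its own copy of the secret."""
    return chap_response(ch.identifier, secret, ch.value)


def run_exchanges() -> dict:
    """Three sessions: a legitimate peer; an impostor presenting the trusted
    host's address and name but not its secret; a replay of a captured response."""
    auth = Authenticator(SECRETS)
    results = {}

    ch = auth.issue_challenge("session-1")
    good = peer_answer(ch, SECRETS["trusted-host"])
    results["legitimate_peer"] = auth.verify("session-1", "trusted-host", good)

    ch = auth.issue_challenge("session-2")
    results["impostor_with_trusted_address"] = auth.verify(
        "session-2", "trusted-host", peer_answer(ch, b"not-the-secret"))

    auth.issue_challenge("session-3")   # fresh challenge, so the old answer is stale
    results["replayed_response"] = auth.verify("session-3", "trusted-host", good)
    return results


if __name__ == "__main__":
    for name, ok in run_exchanges().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

MD5 is the hash RFC 1994 specifies, and the example keeps it to stay faithful to the protocol; the point demonstrated is the layering itself, namely that the source address is never the thing that authenticates.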

- Do not allow certain ranges of IPs to pass in/out of your border gateway. For instance, don't allow the internal range of IPs access from the external interface.
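The border-gateway rule on this slide and the detection rule of thumb on the previous one (an internal source address arriving on the external interface) are the same check applied at two points: drop the packet in real time, and flag it when reviewing logs. The following Python is added here and is not part of the original slides: border_decision() is a BCP 38-style ingress/egress policy that also refuses the directed-broadcast echo request behind the Smurf attack on page 8, and audit_log() replays netfilter-style log lines through that policy. The site prefixes, interface names and log lines are constructed for the example.

```python
import ipaddress
import re

# Constructed topology, an assumption for this example only: the site announces
# 192.0.2.0/24 and numbers its LAN from 10.10.0.0/16; eth0 faces the Internet.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "10.10.0.0/16")]
EXTERNAL_IFACE = "eth0"

# Address space that never legitimately appears as a source on the Internet-facing
# interface: "this" network, RFC 1918 private, loopback, link-local, limited broadcast.
MARTIAN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32")]


def in_any(addr, prefixes):
    a = ipaddress.ip_address(addr)
    return any(a in p for p in prefixes)


def border_decision(iface, direction, src, dst, proto="", icmp_type=None):
    """Decide one packet at the border: ('drop', reason) or ('accept', '').

    direction is 'in' (arrived on iface) or 'out' (leaving via iface).
    """
    if iface == EXTERNAL_IFACE and direction == "in":
        if in_any(src, INTERNAL_PREFIXES):
            return "drop", "internal source arriving on external interface"
        if in_any(src, MARTIAN_PREFIXES):
            return "drop", "martian source on external interface"
        # An echo request aimed at one of our subnet broadcast addresses is the
        # Smurf precondition; RFC 2644 says routers should not forward it.
        if proto == "icmp" and icmp_type == 8 and any(
                ipaddress.ip_address(dst) == p.broadcast_address for p in INTERNAL_PREFIXES):
            return "drop", "directed broadcast echo request"
    if iface == EXTERNAL_IFACE and direction == "out":
        # Egress filtering: nothing leaves claiming an address we do not own.
        if not in_any(src, INTERNAL_PREFIXES):
            return "drop", "egress packet with source outside our prefixes"
    return "accept", ""


FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Pull the key=value fields of a netfilter LOG-style line into a dict."""
    return dict(FIELD_RE.findall(line))


def audit_log(text):
    """Replay logged packets through border_decision; return (line_no, src, reason) per hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        f = parse_netfilter_line(line)
        if not f.get("SRC"):
            continue
        iface, direction = (f["IN"], "in") if f.get("IN") else (f.get("OUT", ""), "out")
        icmp_type = int(f["TYPE"]) if "TYPE" in f else None
        verdict, reason = border_decision(iface, direction, f["SRC"], f.get("DST", ""),
                                          f.get("PROTO", "").lower(), icmp_type)
        if verdict == "drop":
            hits.append((n, f["SRC"], reason))
    return hits


# Constructed sample log: one clean inbound flow, four spoofing symptoms, one
# clean flow on the LAN side.
SAMPLE_LOG = """\
Feb  3 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
Feb  3 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.10.4.7 DST=192.0.2.10 PROTO=TCP DPT=22
Feb  3 10:00:03 gw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.0.2.10 PROTO=UDP DPT=53
Feb  3 10:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.10.255.255 PROTO=ICMP TYPE=8
Feb  3 10:00:05 gw kernel: IN= OUT=eth0 SRC=172.31.9.9 DST=198.51.100.20 PROTO=TCP DPT=80
Feb  3 10:00:06 gw kernel: IN=eth1 OUT= SRC=10.10.4.7 DST=192.0.2.10 PROTO=TCP DPT=22
"""

if __name__ == "__main__":
    for line_no, src, reason in audit_log(SAMPLE_LOG):
        print(f"line {line_no}: {src}: {reason}")
```

The same policy maps one-to-one onto the filtering the slide describes: the ingress checks are RFC 2827 (BCP 38) applied at the edge, the egress check keeps the site from being the source of spoofed traffic aimed at others, and the broadcast check is what a router's "no directed broadcast" setting enforces.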

Page 11: Conclusion

There exists a need for mechanisms which prevent, detect and trace back IP spoofing attacks.

These mechanisms should focus on fixing the problems in the AAA security model.

Everis is currently focused on fixing the non-repudiation aspect (accountability), which is broken by not being able to accurately identify who a perpetrator is.

Page 12: Thanks

Thanks to:

- Central NY ISSA for providing time to the CyberPatriot documentation project, www.issa.org
- Everis Inc. for hosting, technical support, experienced staff and more, www.everisinc.com
- Griffiss Institute for providing space and support, http://www.griffissinstitute.org/
- Rome AFRL for their support of STEM, http://www.wpafb.af.mil/afrl/ri/