LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue63/sharma.html

145 lines
8.1 KiB
HTML
Raw Permalink Blame History

<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>IP Spoofing LG #63</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<CENTER>
<A HREF="http://www.linuxgazette.com/">
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png"
WIDTH="600" HEIGHT="124" border="0"></H1></A>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="okopnik.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue63/sharma.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="washington.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>
<!--endcut ============================================================-->
<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <HR> <P>
<!--===================================================================-->
<center>
<H1><font color="maroon">IP Spoofing</font></H1>
<H4>By <a href="mailto:kapil@linux4biz.net">Kapil Sharma</a></H4>
</center>
<P> <HR> <P>
<!-- END header -->
<p>A spoofing attack involves forging one's source address. It is the act of using
one machine to impersonate another. Most of the applications and tools in UNIX
rely on the source IP address authentication. Many developers have used the
host based access controls to secure their networks. Source IP address is a
unique identifier but not a reliable one. It can easily be spoofed.<br>
To understand the spoofing process, First I will explain about the <b>TCP and
IP authentication process</b> and then how an attacker can <b>spoof you network</b>.</p>
<p>The client system begins by sending a SYN message to the server. The server
then acknowledges the SYN message by sending SYN-ACK message to the client.
The client then finishes establishing the connection by responding with an ACK
message. The connection between the client and the server is then open, and
the service-specific data can be exchanged between the client and the server.
Client and server can now send service-specific data </p>
<p> TCP uses sequence numbers. When a virtual circuit establishes between two
hosts , then TCP assigns each packet a number as an identifying index. Both
hosts use this number for error checking and reporting. <br>
Rik Farrow, in his article &quot;Sequence Number Attacks&quot;, explains the
sequence number system as follows:<br>
<BLOCKQUOTE>
&quot;The sequence number is used to acknowledge receipt of data. At the
beginning of a TCP connection, the client sends a TCP packet with an initial
sequence number, but no acknowledgment. If there is a server application running
at the other end of the connection, the server sends back a TCP packet with
its own initial sequence number, and an acknowledgment; the initial number from
the client's packet plus one. When the client system receives this packet, it
must send back its own acknowledgment; the server's initial sequence number
plus one.&quot;
</BLOCKQUOTE>
<p></p>
<p>Thus an attacker has two problems:<br>
1) He must forge the source address.<br>
2) He must maintain a sequence number with the target. </p>
<p>The second task is the most complicated task because when target sets the initial
sequence number, the attacker must response with the correct response. Once the
attacker correctly guesses the sequence number, he can then synchronize with
the target and establish a valid session.</p>
<p><b>Services vulnerable to IP Spoofing:</b><br>
Configuration and services that are vulnerable to IP spoofing :</p>
<ul>
<li> RPC (Remote Procedure Call services)</li>
<li>Any service that uses IP address authentication</li>
<li>The X Window system</li>
<li>The R services suite (rlogin, rsh, etc.)</li>
</ul>
<p><b>TCP and IP spoofing Tools:</b><br>
1) Mendax for Linux<br>
<a href="http://rootshell.com/archive-j457nxiqi3gq59dv/199711/mendax_linux.tgz">Mendax</a>
is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.
</p>
<p>2) spoofit.h<br>
<a href="http://air.csc.ncsu.edu/xzhao/docs/DogPack/spoofers/sp/spoofit.h">spoofit.h</a>
is a nicely commented library for including IP spoofing functionality into your
programs. <EM>[Current URL unknown. -Ed.]</EM></p>
<p>3) ipspoof<br>
<a href="http://www.ryanspc.com/spoof/ipspoof.c">ipspoof</a> is a TCP and IP
spoofing utility.</p>
<p>4) hunt<br>
<a href="http://www.ryanspc.com/sniffers/hunt-1.3.tgz">hunt</a> is a sniffer
which also offers many spoofing functions.</p>
<p>5) dsniff<br>
<a href="http://www.monkey.org/%7Edugsong/dsniff/">dsniff </a>is a collection
of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf,
msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data
(passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the
interception of network traffic. </p>
<p><br>
<b>Measures to prevent IP Spoofing Attacks:</b></p>
<ul>
<li>Avoid using the source address authentication. Implement cryptographic authentication
systemwide.</li>
<li>Configuring your network to reject packets from the Net that claim to originate
from a local address. This is most commonly done with a router.</li>
<li>If you allow outside connections from trusted hosts, enable encryption sessions
at the router.<br>
<br>
</li>
</ul>
<p><b>Conclusion:<br>
</b>Spoofing attacks are very dangerous and difficult to detect. They are becoming
more and more popular now. The only way to prevent these attacks are to implement
security measures like encrypted authentication to secure your network. </p>
<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>
Copyright &copy; 2001, Kapil Sharma.<BR>
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 63 of <i>Linux Gazette</i>, Mid-February (EXTRA) 2001</H5>
<!-- *** END copyright *** -->
<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="okopnik.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue63/sharma.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="washington.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->
Reference in New Issue View Git Blame Copy Permalink