145 lines
8.1 KiB
HTML
145 lines
8.1 KiB
HTML
<!--startcut ==============================================-->
|
|
<!-- *** BEGIN HTML header *** -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML><HEAD>
|
|
<title>IP Spoofing LG #63</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
|
|
ALINK="#FF0000">
|
|
<!-- *** END HTML header *** -->
|
|
|
|
<CENTER>
|
|
<A HREF="http://www.linuxgazette.com/">
|
|
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png"
|
|
WIDTH="600" HEIGHT="124" border="0"></H1></A>
|
|
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="okopnik.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue63/sharma.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="washington.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
<P>
|
|
</CENTER>
|
|
|
|
<!--endcut ============================================================-->
|
|
|
|
<H4 ALIGN="center">
|
|
"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
|
|
<P> <HR> <P>
|
|
<!--===================================================================-->
|
|
|
|
<center>
|
|
<H1><font color="maroon">IP Spoofing</font></H1>
|
|
<H4>By <a href="mailto:kapil@linux4biz.net">Kapil Sharma</a></H4>
|
|
</center>
|
|
<P> <HR> <P>
|
|
|
|
<!-- END header -->
|
|
|
|
|
|
|
|
|
|
<p>A spoofing attack involves forging one's source address. It is the act of using
|
|
one machine to impersonate another. Most of the applications and tools in UNIX
|
|
rely on the source IP address authentication. Many developers have used the
|
|
host based access controls to secure their networks. Source IP address is a
|
|
unique identifier but not a reliable one. It can easily be spoofed.<br>
|
|
To understand the spoofing process, First I will explain about the <b>TCP and
|
|
IP authentication process</b> and then how an attacker can <b>spoof you network</b>.</p>
|
|
<p>The client system begins by sending a SYN message to the server. The server
|
|
then acknowledges the SYN message by sending SYN-ACK message to the client.
|
|
The client then finishes establishing the connection by responding with an ACK
|
|
message. The connection between the client and the server is then open, and
|
|
the service-specific data can be exchanged between the client and the server.
|
|
Client and server can now send service-specific data </p>
|
|
<p> TCP uses sequence numbers. When a virtual circuit establishes between two
|
|
hosts , then TCP assigns each packet a number as an identifying index. Both
|
|
hosts use this number for error checking and reporting. <br>
|
|
Rik Farrow, in his article "Sequence Number Attacks", explains the
|
|
sequence number system as follows:<br>
|
|
<BLOCKQUOTE>
|
|
"The sequence number is used to acknowledge receipt of data. At the
|
|
beginning of a TCP connection, the client sends a TCP packet with an initial
|
|
sequence number, but no acknowledgment. If there is a server application running
|
|
at the other end of the connection, the server sends back a TCP packet with
|
|
its own initial sequence number, and an acknowledgment; the initial number from
|
|
the client's packet plus one. When the client system receives this packet, it
|
|
must send back its own acknowledgment; the server's initial sequence number
|
|
plus one."
|
|
</BLOCKQUOTE>
|
|
<p></p>
|
|
<p>Thus an attacker has two problems:<br>
|
|
1) He must forge the source address.<br>
|
|
2) He must maintain a sequence number with the target. </p>
|
|
<p>The second task is the most complicated task because when target sets the initial
|
|
sequence number, the attacker must response with the correct response. Once the
|
|
attacker correctly guesses the sequence number, he can then synchronize with
|
|
the target and establish a valid session.</p>
|
|
<p><b>Services vulnerable to IP Spoofing:</b><br>
|
|
Configuration and services that are vulnerable to IP spoofing :</p>
|
|
<ul>
|
|
<li> RPC (Remote Procedure Call services)</li>
|
|
<li>Any service that uses IP address authentication</li>
|
|
<li>The X Window system</li>
|
|
<li>The R services suite (rlogin, rsh, etc.)</li>
|
|
</ul>
|
|
<p><b>TCP and IP spoofing Tools:</b><br>
|
|
1) Mendax for Linux<br>
|
|
<a href="http://rootshell.com/archive-j457nxiqi3gq59dv/199711/mendax_linux.tgz">Mendax</a>
|
|
is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.
|
|
</p>
|
|
<p>2) spoofit.h<br>
|
|
<a href="http://air.csc.ncsu.edu/xzhao/docs/DogPack/spoofers/sp/spoofit.h">spoofit.h</a>
|
|
is a nicely commented library for including IP spoofing functionality into your
|
|
programs. <EM>[Current URL unknown. -Ed.]</EM></p>
|
|
<p>3) ipspoof<br>
|
|
<a href="http://www.ryanspc.com/spoof/ipspoof.c">ipspoof</a> is a TCP and IP
|
|
spoofing utility.</p>
|
|
<p>4) hunt<br>
|
|
<a href="http://www.ryanspc.com/sniffers/hunt-1.3.tgz">hunt</a> is a sniffer
|
|
which also offers many spoofing functions.</p>
|
|
<p>5) dsniff<br>
|
|
<a href="http://www.monkey.org/%7Edugsong/dsniff/">dsniff </a>is a collection
|
|
of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf,
|
|
msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data
|
|
(passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the
|
|
interception of network traffic. </p>
|
|
<p><br>
|
|
<b>Measures to prevent IP Spoofing Attacks:</b></p>
|
|
<ul>
|
|
<li>Avoid using the source address authentication. Implement cryptographic authentication
|
|
systemwide.</li>
|
|
<li>Configuring your network to reject packets from the Net that claim to originate
|
|
from a local address. This is most commonly done with a router.</li>
|
|
<li>If you allow outside connections from trusted hosts, enable encryption sessions
|
|
at the router.<br>
|
|
<br>
|
|
</li>
|
|
</ul>
|
|
<p><b>Conclusion:<br>
|
|
</b>Spoofing attacks are very dangerous and difficult to detect. They are becoming
|
|
more and more popular now. The only way to prevent these attacks are to implement
|
|
security measures like encrypted authentication to secure your network. </p>
|
|
|
|
|
|
|
|
|
|
<!-- *** BEGIN copyright *** -->
|
|
<P> <hr> <!-- P -->
|
|
<H5 ALIGN=center>
|
|
|
|
Copyright © 2001, Kapil Sharma.<BR>
|
|
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
|
|
Published in Issue 63 of <i>Linux Gazette</i>, Mid-February (EXTRA) 2001</H5>
|
|
<!-- *** END copyright *** -->
|
|
|
|
<!--startcut ==========================================================-->
|
|
<HR><P>
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="okopnik.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue63/sharma.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="washington.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</BODY></HTML>
|
|
<!--endcut ============================================================-->
|