Slide 1: IP Spoofing Attacks & Defenses
Tao Wan, Digital Security Group, School of Computer Science, Carleton University, Oct 30, 2003

Slide 2: Outline
- Introduction
- IP Spoofing Attacks
- IP Spoofing Defenses
- Concluding Remarks
Slide 3: Introduction

Slide 4: Protocol Stacks
[Figure: the seven OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) shown beside the TCP/IP protocols that occupy them: IP at the network layer, TCP and UDP at the transport layer, HTTP and SNMP at the application layer, plus "others"]

Slide 5: Protocol Stacks
[Figure repeated from slide 4, TCP/IP side only: others, IP, TCP, UDP, HTTP, SNMP]

Slide 6: Data Transmissions
[Figure: encapsulation between hosts A and B. At A, application data receives a TCP header, then an IP header, and is handed to the data link/physical layer; the packet is routed to B, where the IP header and then the TCP header are stripped before the data reaches the application]

Slide 7: IP Header
[Figure: IP header layout]

Slide 8: TCP Header
[Figure: TCP header layout]

Slide 9: Security Services
- Entity authentication: what you know, what you have, what you inherit
- Integrity: message authentication
- Confidentiality: encryption
- ...
Slide 10: IP Spoofing Attacks

Slide 11: IP Spoofing Attacks
- IP Spoofing
- DoS by Ping
- TCP SYN Flooding
- Session Hijacking

Slide 12: IP Spoofing
[Figure: a packet from host A with fields Src_IP, Dst_IP, Src_port (any port >1024) and Dst_port 80, shown beside a second packet with the same fields but a spoofed Src_IP]

Slide 13: IP Spoofing Attacks - Smurf (IP DoS)
[Figure: attacker A sends an ICMP Echo Request with Source: V (the Dest field is not recoverable from the slide); hosts T1, T2, T3, ..., Tn each answer with an ICMP Echo Reply, Source: Ti, Dest: V, so the victim V receives n replies for one request]

Slide 14: Mail Address Spoofing Attacks - Mail-bombs
[Figure, a non-IP analogy: attacker A mails a catalog request to Sears, Canadian Tire and Bell Canada, a phonebook request, and pizza orders to Boston Pizza, all with Return Addr: V; everything is delivered to the victim V]

Slide 15: IP Spoofing Attacks - TCP 3-Way Handshake
[Figure: A sends TCP SYN to B; B answers TCP SYN+ACK and places the connection in its half-open buffer; A sends TCP ACK and B moves the connection to the open buffer]
- The half-open buffer has limited size
- A half-open connection has a timer associated with

Slide 16: IP Spoofing Attacks - TCP SYN Flooding (DDoS)
[Figure: attacker A sends TCP SYNs to victim V with spoofed sources B, C, D, E, F, G, H, I, J; V answers each with TCP SYN/ACK addressed to B, C, D, E, ..., which never complete the handshake]
- The half-open buffer is full
Slide 17: IP Spoofing Defenses

Slide 18: IP Spoofing Defenses
- It is a VERY hard problem
- Ingress/Egress Filtering
- IP Authentication (IPsec AH)
- Cryptographically Generated Addresses (CGA)

Slide 19: IP Spoofing Defenses - Ingress/Egress Filtering
[Figure: three router rules, each attached to an interface whose network is not recoverable from the slide]
- if src_addr is from [network] then forward else drop
- if src_addr is from [network] then forward else drop
- if src_addr is from [network] then drop else forward
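Added example (not from the slides): a Python model of the half-open buffer from slides 15-16, with its limited size and per-entry timer, and of the slide 19 rule applied at the edge router in front of the attacker. The addresses, prefixes, backlog size of 5 and 3-second timeout are constructed for illustration.

```python
import ipaddress
from collections import OrderedDict

BACKLOG_SIZE = 5         # half-open buffer has limited size (constructed value)
HALF_OPEN_TIMEOUT = 3.0  # seconds a half-open entry lives (constructed value)

class Listener:
    """Server V: a SYN creates a half-open entry; the client's ACK completes it."""
    def __init__(self, size=BACKLOG_SIZE, timeout=HALF_OPEN_TIMEOUT):
        self.size, self.timeout = size, timeout
        self.half_open = OrderedDict()  # (src_ip, src_port) -> time SYN arrived
        self.open, self.rejected = [], 0

    def expire(self, now):
        # The timer on each half-open connection: age out stale entries.
        for key, t in list(self.half_open.items()):
            if now - t >= self.timeout:
                del self.half_open[key]

    def on_syn(self, src_ip, src_port, now):
        self.expire(now)
        if len(self.half_open) >= self.size:
            self.rejected += 1  # buffer full: this SYN (maybe legitimate) is dropped
            return False
        self.half_open[(src_ip, src_port)] = now  # SYN+ACK is sent to src_ip
        return True

    def on_ack(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.half_open:
            return False
        del self.half_open[key]  # only the host that received SYN+ACK can do this
        self.open.append(key)
        return True

def ingress_filter(src_ip, inside_prefix):
    """Slide 19 rule: forward only if src_addr is from the interface's own network."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(inside_prefix)

def syn_flood(listener, inside_prefix=None):
    """Attacker A (behind inside_prefix) sends SYNs with forged sources
    198.51.100.1-10 (constructed); the forged hosts never ACK."""
    t = 0.0
    for i in range(1, 11):
        spoofed = "198.51.100.%d" % i
        if inside_prefix is None or ingress_filter(spoofed, inside_prefix):
            listener.on_syn(spoofed, 40000, t)  # no filter, or the SYN passed it
        t += 0.1
    legit_ip, legit_port = "203.0.113.7", 50000  # constructed honest client
    return listener.on_syn(legit_ip, legit_port, t) and listener.on_ack(legit_ip, legit_port)
```

Without the filter the first five forged SYNs fill the buffer and the honest client is rejected until the timer clears them; with the attacker's edge router enforcing the 192.0.2.0/24 rule, every forged SYN is dropped before it leaves the attacker's network.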
Slide 20: IP Spoofing Defenses - IPSec (???)
- Two protocols: Authentication Header (AH), Encapsulating Security Payload (ESP)
- Two modes: Transport Mode, Tunnel Mode

Slide 21: IP Spoofing Defenses - IP Authentication Header (AH)
AH in Transport Mode
  Original IP packet:  [IP Header][Payload]
  New IP packet:       [IP Header][AH Header][Payload]

Slide 22: IP Spoofing Defenses - IP Authentication Header (AH)
AH in Tunnel Mode
  Original IP packet:  [IP Header][Payload]
  New IP packet:       [New IP Header][AH Header][IP Header][Payload]
  (the whole original packet becomes the new payload)

Slide 23: IP Spoofing Defenses - IPSec (???)
- Data origin authentication: the IP address is not modified en route, but is it a real or a spoofed IP??
- Message integrity
- Replay prevention

Slide 24: IP Spoofing Defenses - Cryptographically Generated Addresses (CGA), IPv6
[Figure: the 128-bit IPv6 address is formed from the 64-bit routing prefix and a 64-bit MD5 hash of the node's public key and a nonce; the public key, nonce and digital signature are sent within the IPv6 header]

Slide 25: IP Spoofing Defenses - Cryptographically Generated Addresses (CGA), IPv6
- How about IPv4?
- Does everyone have a (authenticated) private/public key pair?
- DoS by engaging a recipient in an endless process of verifying CGAs
Slide 26: Concluding Remarks
- IP spoofing is a common technique for attacks
- There is not too much we can do about it

Slide 27: Thanks!