1 Figure 3-13: Internet Protocol (IP) IP Addresses and Security  IP address spoofing: Sending a message with a false IP address (Figure 3-17)  Gives sender anonymity so that attacker cannot be identified  Can exploit trust between hosts if spoofed IP address is that of a host the victim host trusts

2 Figure 3-17: IP Address Spoofing Trusted Server Victim Server Trust Relationship 2. Attack Packet Spoofed Source IP Address Attacker’s Identity is Not Revealed Attacker’s Client PC Server Accepts Attack Packet

3 Figure 3-13: Internet Protocol (IP) (Study Figure) IP Addresses and Security  LAND attack: send victim a packet with victim’s IP address in both source and destination address fields and the same port number for the source and destination (Figure 3-18). In 1997, many computers, switches, routers, and even printers, crashed when they received such a packet.

4 Figure 3-18: LAND Attack Based on IP Address Spoofing Victim Port 23 Open Crashes From: :23 To: :23 Attacker Source and Destination IP Addresses are the Same Source and Destination Port Numbers are the Same

5 Figure 3-13: Internet Protocol (IP) (Study Figure) Other IP Header Fields  Protocol field: Identifies content of IP data field Firewalls need this information to know how to process the packet  Time-to-Live field Each router decrements the TTL value by one Router decrementing TTL field to zero discards the packet

6 Figure 3-13: Internet Protocol (IP) (Study Figure) Other IP Header Fields  Time-to-Live field Router also sends an error advisement message to the sender The packet containing this message reveals the sender’s IP address to the attacker Traceroute uses TTL to map the route to a host (Figure 3-19)  Tracert on Windows machines

7 Figure 3-19: Tracert Program in Windows

8 Figure 3-13: Internet Protocol (IP) (Study Figure) Other IP Header Fields  Header Length field and Options With no options, Header Length is 5  Expressed in units of 32 bits  So, 20 bytes Many options are dangerous  So if Header Length is More Than 5, be Suspicious  Some firms drop all packets with options

9 Figure 3-13: Internet Protocol (IP) (Study Figure) Other IP Header Fields  Length Field Gives length of entire packet Maximum is 65,536 bytes Ping-of-Death attack sent IP packets with longer data fields Many systems crashed

10 Figure 3-20: Ping-of-Death Attack Victim Crashes IP Packet Containing ICMP Echo Message That is Illegally Long Attacker

11 Figure 3-13: Internet Protocol (IP) (Study Figure) Other IP Header Fields  Fragmentation Routers may fragment IP packets (really, packet data fields) en route  All fragments have same Identification field value  Fragment offset values allows fragments to be ordered  More fragments is 0 in the last fragment Harms packet inspection: TCP header, etc. only in first packet in series  Cannot filter on TCP header, etc. in subsequent packets

12 Figure 3-22: TCP Header is Only in the First Fragment of a Fragmented IP Packet 5. Firewall Can Only Filter TCP Header in First Fragment Attacker Fragmented IP Packet 2. Second Fragment 4. TCP Data Field No TCP Header IP Header TCP Data Field 2. First Fragment IP Header 3. TCP Header Only in First Fragment

13 Figure 3-13: Internet Protocol (IP) (Study Figure) Other IP Header Fields  Fragmentation Teardrop attack: Crafted fragmented packet does not make sense when reassembled Some firewalls drop all fragmented packets, which are rare today

14 Figure 3-21: Teardrop Denial-of- Service Attack Victim Crashes Attack Pretends to be Fragmented IP Packet When Reassembled, “Packet” does not Make Sense. Gaps and Overlaps Attacker “Defragmented” IP Packet” GapOverlap

15 Figure 3-24: IP Packet with a TCP Segment Data Field Source Port Number (16 bits)Destination Port Number (16 bits) Bit 0 Bit 31 Acknowledgment Number (32 bits) Sequence Number (32 bits) TCP Checksum (16 bits) Window Size (16 bits) Flag Fields (6 bits) Reserved (6 bits) Header Length (4 bits) Urgent Pointer (16 bits) IP Header (Usually 20 Bytes)