IIT Indore © Neminath Hubballi

Presentation on theme: "IIT Indore © Neminath Hubballi"— Presentation transcript:

1 IP Spoofing
Dr. Neminath Hubballi, IIT Indore

2 Outline
- Introduction
- IP address spoofing
- Mitigation/Detection Techniques

3 IP Address Spoofing
- IP spoofing is the creation of IP packets that use somebody else's IP address as the source address of the packet
- Absence of state information makes the IP protocol vulnerable to spoofing
- The peer is not authenticated

4 Normal Interaction
[Figure: two packets exchanged in a normal interaction, each labeled with Source IP and Destination IP.]

5 Interaction Under Spoofing
[Figure: two packets exchanged under spoofing, each labeled with Source IP and Destination IP.]

6 Interaction Under Spoofing
When the attacker uses a non-existent IP address as the source address:
[Figure: two packets, each labeled with Source IP and Destination IP. Callout: "I have no way forward".]

7 IP Address Spoofing-Implications
- Many network services use host names or addresses for identification and authentication
- A host wanting service prepares a message and sends it to a remote service; the receiver either allows or disallows the service
- Many services are vulnerable to IP spoofing:
  - RPC ( )
  - NFS
  - X Window System
  - Any service using the IP address as its authentication method

8 Defenses Against IP Address Spoofing
- Ingress filtering
- Egress filtering
- Avoiding trust relationships based on IP address
- Unicast Reverse Path Forwarding
- TTL value
- Packet marking
- IPSec
- Randomized Initial Sequence Number in TCP

9 Normal Scenario
[Figure: Source (192.168.1.1) and Destination (192.168.2.1); packets labeled Source IP, Destination IP and TTL value, with TTL values 32, 31 and 30.]
Callout: "Destination as me. I should verify this packet (ttl=30) using TCP probe request."

10 Normal Scenario (contd.)
[Figure: Source and Destination; probe packets labeled Source IP, Destination IP and TTL value, with TTL values (32-30)=2 and 1, and one label with no value.]
Callout: "I received a TCP SYN. I should reply back with SYN-ACK."

11 Normal Scenario (contd.)
[Figure: Source and Destination; packets labeled Source IP, Destination IP and TTL value, with TTL values 32, 31 and 30.]
Callout: "I received probe reply from the same IP address with same TTL value, i.e. 30. Packet genuine."

12 Spoofing Scenario 1
[Figure: Genuine source (192.168.1.1), Spoofer (192.168.1.1) and Destination; packets labeled Source IP, Destination IP and TTL value, with TTL values 32, 31, 30 and 29.]
Callout: "Destination as me. I should verify this packet (ttl = 29) using TCP probe request."

13 Spoofing Scenario 1 (contd.)
[Figure: Genuine source, Spoofer and Destination; probe packets labeled Source IP, Destination IP and TTL value, with TTL values (32-29)=3, 2 and 1.]
Callout: "I received a TCP SYN. I should reply back with SYN-ACK."

14 Spoofing Scenario 1 (contd.)
[Figure: Genuine source, Spoofer and Destination; reply packets labeled Source IP, Destination IP and TTL value, with TTL values 32, 31 and 30.]
Callout: "I received probe reply from the same IP address but different TTL value, i.e. 30 (not 29). Packet spoofed."

15 Spoofing Scenario 2
[Figure: Genuine source (192.168.1.1), Spoofer (192.168.1.1) and Destination; packets labeled Source IP, Destination IP and TTL value, with TTL values 32, 31, 30 and 29.]
Callout: "Destination as me. I should verify this packet (ttl = 29) using TCP probe request."

16 Spoofing Scenario 2 (contd.)
[Figure: Genuine source, Spoofer and Destination; probe packets labeled Source IP, Destination IP and TTL value, with TTL values (32-29)=3, 2 and 1.]
Callout: "I received a TCP SYN. I should reply back with SYN-ACK."

17 Spoofing Scenario 2 (contd.)
[Figure: Genuine source, Spoofer and Destination; reply packets labeled Source IP, Destination IP and TTL value, with two sets of TTL values 32, 31 and 30, and one packet with TTL value 29.]
Callout: "I received two different TTL values for one probe request from the same IP address. Spoofing Scenario 2 detected."

18 Spoofing Scenario 3
[Figure: Genuine source (192.168.1.1), Spoofer (192.168.1.1) and Destination; packets labeled Source IP, Destination IP and TTL value, with TTL values 32, 31 and 30.]
Callout: "Destination as me. I should verify this packet (ttl = 30) using TCP probe request."

19 Spoofing Scenario 3 (contd.)
[Figure: Genuine source, Spoofer and Destination; probe packets labeled Source IP, Destination IP and TTL value, with TTL values (32-30)=2 and 1, and one label with no value.]
Callout: "TTL=0. I should return ICMP Time Exceeded message back to"
Callout: "ICMP Time Exceeded message? That means the packet was a spoofed one."

20 Spoofing Scenario 4
[Figure: Genuine source (192.168.1.1), Spoofer (192.168.1.1) and Destination; packets labeled Source IP, Destination IP and TTL value, with TTL values 32, 31 and 30.]
Callout: "Destination as me. I should verify this packet (ttl = 30) using TCP probe request."

21 Spoofing Scenario 4 (contd.)
[Figure: Genuine source, Spoofer and Destination; packets labeled Source IP, Destination IP and TTL value, with probe TTL values (32-30)=2 and 1, one label with no value, and reply TTL values 32, 31 and 30.]
Callout: "TTL=0. I should return ICMP Time Exceeded message back to"
Callout: "ICMP Time Exceeded message and TTL=30 both? That means the attacker is sending the reply with a guess."

22 Spoofing Scenario 5
[Figure: Spoofer (192.168.1.1) and Destination (192.168.2.1); packets labeled Source IP, Destination IP and TTL value, with TTL values 32, 31 and 30.]
Callout: "Destination as me. I should verify this packet (ttl=30) using TCP probe request."

23 Spoofing Scenario 5 (contd.)
[Figure: Spoofer, Destination and any intermediate router; probe packet labeled Source IP, Destination IP and TTL value (32-30)=2.]
Callout: "I don't know the route to destination so I should forward it to the default router by reducing TTL=1"
Callout: "I don't know the route to destination so I should forward it to the default router by reducing TTL=0"
Callout: "The TTL value=0 so I should send back an ICMP Time Exceeded message to the source."
Callout: "ICMP Time Exceeded message? That means the packet was a spoofed one."
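The decision the destination makes in slides 9 to 23 can be written as one classification over the answers to a single probe. This is an added example, not code from the presentation; the `Response` record, the verdict strings and the fixed initial TTL of 32 (taken from the slides' figures) are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

INITIAL_TTL = 32  # assumption: sender's initial TTL, as in the slides' figures


@dataclass(frozen=True)
class Response:
    """One answer to a probe, as seen at the destination (hypothetical record)."""
    kind: str                  # "reply" or "icmp_time_exceeded"
    ttl: Optional[int] = None  # arrival TTL; only meaningful for kind == "reply"


def probe_ttl(observed_ttl: int, initial_ttl: int = INITIAL_TTL) -> int:
    """TTL for the probe, e.g. (32-30)=2: the hop count implied by the packet."""
    return initial_ttl - observed_ttl


def classify(observed_ttl: int, responses: Iterable[Response]) -> str:
    """Map the answers to one probe onto the slides' scenarios."""
    responses = list(responses)
    reply_ttls = {r.ttl for r in responses if r.kind == "reply"}
    expired = any(r.kind == "icmp_time_exceeded" for r in responses)
    if expired and reply_ttls:
        return "spoofed-guessed-reply"   # scenario 4: Time Exceeded and a reply
    if expired:
        return "spoofed-probe-expired"   # scenarios 3 and 5: probe never arrived
    if len(reply_ttls) > 1:
        return "spoofed-two-ttls"        # scenario 2: two TTLs for one probe
    if not reply_ttls:
        return "inconclusive"            # no answer; not covered by the slides
    if reply_ttls == {observed_ttl}:
        return "genuine"                 # normal scenario: same TTL comes back
    return "spoofed-ttl-mismatch"        # scenario 1: reply TTL differs


# Constructed observations, using the TTL values shown on the slides.
SAMPLES = {
    "normal": (30, [Response("reply", 30)]),
    "scenario 1": (29, [Response("reply", 30)]),
    "scenario 2": (29, [Response("reply", 30), Response("reply", 29)]),
    "scenario 3": (30, [Response("icmp_time_exceeded")]),
    "scenario 4": (30, [Response("icmp_time_exceeded"), Response("reply", 30)]),
}

if __name__ == "__main__":
    for name, (ttl, answers) in SAMPLES.items():
        print(f"{name}: probe TTL {probe_ttl(ttl)} -> {classify(ttl, answers)}")
```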

