1 Tao Wan Digital Security Group School of Computer Science Carleton University Oct 30, 2003 IP Spoofing Attacks & Defenses.


1 Tao Wan, Digital Security Group, School of Computer Science, Carleton University, Oct 30, 2003: IP Spoofing Attacks & Defenses

2 Outline
- Introduction
- IP Spoofing Attacks
- IP Spoofing Defenses
- Concluding Remarks

3 Introduction

4 Protocol Stacks
- OSI Model: Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer, Presentation Layer, Application Layer
- Protocols shown: 802.3, 802.11, others; IP; TCP, UDP; HTTP, SNMP

5 Protocol Stacks
- 802.3, 802.11, others; IP; TCP, UDP; HTTP, SNMP

6 Data Transmissions
[Figure: data sent from A to B through the layers Application, TCP/UDP, IP, Data link/physical on each host, with a TCP header and an IP header added to the data; routing between A and B]

7 IP Header

8 TCP Header

9 Security Services
- Entity Authentication: What do you know; What do you have; What do you inherit
- Integrity: Message authentication
- Confidentiality: Encryption
- …

10 IP Spoofing Attacks

11 IP Spoofing Attacks
- IP Spoofing
- DoS by Ping
- TCP SYN Flooding
- Session Hijacking

12 IP Spoofing
- A: 10.10.10.1; www.carleton.ca: 134.117.1.60; request: http://www.carleton.ca
- Genuine packet: Src_IP 10.10.10.1, dst_IP 134.117.1.60, Src_port Any (>1024), dst_port 80
- Spoofed packet: Src_IP 11.11.11.1, dst_IP 134.117.1.60, Src_port Any (>1024), dst_port 80

13 IP Spoofing Attacks: Smurf IP DoS
- Diagram: A, V, and T1, T2, T3, ..., Tn on 192.168.1.0
- ICMP Echo Request: Dest: 192.168.1.255; Source: V
- ICMP Echo Reply: Source: T1; Dest: V

14 Mail Address Spoofing Attacks: Mail-bombs
- Diagram: A, V, Sears, Canadian Tire, Bell Canada, Boston Pizza
- Catalog Request, Return Addr: V
- Phonebook Request, Return Addr: V
- Pizza orders, Return Addr: V

15 IP Spoofing Attacks: TCP 3 Way Handshake
- Between A and B: TCP SYN, TCP SYN+ACK, TCP ACK
- Diagram: entry A in the half-open buffer, then entry A in the open buffer
- Half-open buffer has limited size
- Half-open connection has a timer associated with

16 IP Spoofing Attacks: TCP SYN Flooding (DDoS)
- Diagram: A, V, and B, C, D, E, F, G, H, I, J; TCP SYN, TCP SYN/ACK
- Half-open buffer entries: A, B, C, D, E
- Half-open buffer is full

17 IP Spoofing Defenses

18 IP Spoofing Defenses
- It is a VERY hard problem
- Ingress/Egress Filtering
- IP Authentication (IPsec AH)
- Cryptographically Generated Address (CGA)

19 IP Spoofing Defenses: Ingress/Egress Filtering
- Networks shown: 10.10.10.0, 10.10.0.0
- if src_addr is from 10.10.10.0 then forward else drop
- if src_addr is from 10.10.0.0 then forward else drop
- if src_addr is from 10.10.0.0 then drop else forward
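The three filter rules on slide 19, as an added example that is not part of the original presentation, run over constructed packets. The /24 and /16 prefix lengths, the function names and all sample addresses except 10.10.10.1 and 11.11.11.1 are assumptions.

```python
import ipaddress

# Assumed prefix lengths: the slide gives only 10.10.10.0 and 10.10.0.0.
SUBNET = ipaddress.ip_network("10.10.10.0/24")   # inner subnet
SITE = ipaddress.ip_network("10.10.0.0/16")      # enclosing site network


def egress_ok(src, inside):
    """Outbound rule: forward only if the source belongs to the inside network."""
    return ipaddress.ip_address(src) in inside


def ingress_ok(src, inside):
    """Inbound rule: drop a packet from outside that claims an inside source."""
    return ipaddress.ip_address(src) not in inside


def outbound_path(src):
    """A packet leaving the subnet passes the subnet router, then the site border."""
    if not egress_ok(src, SUBNET):
        return "dropped at subnet router"
    if not egress_ok(src, SITE):
        return "dropped at site border"
    return "forwarded"


def inbound_path(src):
    """A packet arriving from outside at the site border."""
    return "forwarded" if ingress_ok(src, SITE) else "dropped at site border"


# Constructed sample packets: (description, direction, claimed source address)
SAMPLES = [
    ("honest host 10.10.10.1", "out", "10.10.10.1"),
    ("spoofed source from slide 12", "out", "11.11.11.1"),
    ("spoofs a neighbour in the same subnet", "out", "10.10.10.77"),
    ("outsider claiming an inside address", "in", "10.10.3.4"),
    ("outsider spoofing a third party", "in", "192.0.2.9"),
]


def run(samples=SAMPLES):
    """Return {description: verdict} for every sample packet."""
    return {d: (outbound_path(s) if way == "out" else inbound_path(s))
            for d, way, s in samples}


if __name__ == "__main__":
    for desc, verdict in run().items():
        print(f"{verdict:26} {desc}")
```

Two spoofed packets are still forwarded: a source forged inside the sender's own prefix passes the egress rules, and an inbound packet forging a third party's address passes the ingress rule.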

20 IP Spoofing Defenses: IPSec (???)
- Two Protocols: Authentication Header (AH); Encapsulating Security Payload
- Two Modes: Transport Mode; Tunnel Mode

21 IP Spoofing Defenses: IP Authentication Header (AH), AH in Transport Mode
- Original IP Packet: IP Header | Payload
- New IP Packet: IP Header | AH Header | Payload

22 IP Spoofing Defenses: IP Authentication Header (AH), AH in Tunnel Mode
- Original IP Packet: IP Header | Payload
- New IP Packet: New IP Header | AH Header | IP Header | Payload (the original IP Header and Payload form the New Payload)

23 IP Spoofing Defenses: IPSec (???)
- Data Origin Authentication: IP address is not modified en route. Is it a real or spoofed IP ??
- Message Integrity
- Replay Prevention

24 IP Spoofing Defenses: Cryptographically Generated Address (CGA), IPv6
- Diagram labels: MD5; 64-bit; Routing prefix; 128-bit IPv6 addr
- Public Key, Nonce, Digital Signature: Sent within IPv6 hdr

25 IP Spoofing Defenses: Cryptographically Generated Address (CGA), IPv6
- How about IPv4?
- Does everyone have a pair of private/public keys (authenticated)?
- DoS by engaging a recipient in an endless process of verifying CGAs

26 Concluding Remarks
- IP spoofing is a common technique for attacks
- There is not too much we can do about it

27 Thanks!

