The Internet Protocol (IP) provides for two and only two functions. It defines a datagram that can be routed through the Internet, and it provides a means for fragmenting datagrams into packets and reassembling packets into the original datagrams. The IP Datagram is as follows.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   \                                                               \
   \                                                               \
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
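As an added example (not part of the original notes), a small Python decoder for exactly the header laid out above, including the RFC 791 header checksum. The sample datagram, its addresses and its Identification value are constructed for illustration.

```python
import struct
from dataclasses import dataclass

def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, payload_len, ident, proto=17, ttl=64, flags=2, frag_off=0):
    """Build a 20-byte option-less header (flags=2 sets Don't Fragment) and fill in its checksum."""
    ihl = 5
    raw = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len, ident,
                      (flags << 13) | frag_off, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return raw[:10] + struct.pack("!H", ip_checksum(raw)) + raw[12:]

@dataclass
class IPv4Header:
    version: int; ihl: int; tos: int; total_length: int
    identification: int; flags: int; fragment_offset: int
    ttl: int; protocol: int; checksum: int
    src: str; dst: str; options: bytes; checksum_ok: bool

def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the fields of the datagram diagram above, rejecting obviously malformed headers."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    vihl, tos, tlen, ident, ffo, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4 or tlen < ihl * 4:
        raise ValueError("malformed IPv4 header")
    hdr = pkt[:ihl * 4]
    return IPv4Header(version, ihl, tos, tlen, ident, ffo >> 13, ffo & 0x1FFF,
                      ttl, proto, csum, ".".join(map(str, src)), ".".join(map(str, dst)),
                      hdr[20:], ip_checksum(hdr) == 0)  # a valid header's sum folds to 0xFFFF

# Constructed sample: 192.168.0.1 -> 192.168.0.2, DF set, 8-byte UDP payload stub.
SAMPLE = build_ipv4_header("192.168.0.1", "192.168.0.2", 8, 0xABCD) + b"\x00" * 8
```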
On the Internet, "to spoof" can mean:
IP spoofing replaces the IP address of (usually) the sender or (in rare cases) the destination with a different address. Because the IP layer of the OS normally adds these IP addresses to a data packet, a spoofer has to circumvent the IP layer and talk directly to the raw network device. IP spoofing is normally used to deposit another exploit on the target machine.
The attacker A takes over the identity of a trusted host T in order to subvert the security of the target host U. The trusted host T is either discovered to be down (temporarily for a few seconds say) or is disabled using a variety of methods. In the blind attack A is unable to see the replies, if any, that U gives T. In the non-blind attack, all conversation between U and T is seen by A. Depending on how carefully the intervening routers are configured, it is not necessary that A reside on the same subnet as T.
Any services that authenticate based on the IP addresses or host names are vulnerable. Services that are so vulnerable to the IP spoofing attack include RPC, NFS, r-commands, anything wrapped by the TCP daemon wrappers, X windows, and other applications that use source IP addresses for authentication.
[using Dunnigan and Nofi's classification scheme]
Another way to view this issue is in terms of the net effect on information in information systems.
The attacker A takes over the identity of a trusted host T in order to subvert the security of the target host U. The trusted host T is disabled using a method described in a later section. As far as U knows, it is carrying on a conversation with a trusted pal T. The IP datagrams sent by A with the forged IP sender address reach the target U fine but the datagrams U sends back (destined for T) end up in the bit-bucket. The attacker A also never sees them, and hence the name of this attack. The intervening routers do route the response packets of U to T. But T's TCP layer will discard them because the packets are "replies" to packets it never sent. So the attacker must know what was sent, and predict what response the server will send.
Non-blind spoofing is related to session hijacking, and will be described in a later lecture.
There are three main mechanisms by which an attacker can spoof routing information.
Spoofing of the DNS can occur when the DNS server has been compromised by a security attack. The spoof could happen in two ways: when the security attack itself modifies the server's tables, or when the attacker modifies the tables after having compromised the security of the DNS server. DNS has two types of "nameservers": primary and secondary. There can only be one primary nameserver, and it is the most "authoritative" one can find within a domain's namespace. The secondary nameservers get their information from the primary nameserver. If the primary nameserver has been compromised, all the secondary nameservers will have incorrect information. If such information eventually propagates throughout the entire Internet, it may have devastating effects.
We can monitor packets using network-monitoring software (such as netlog). A packet on an external interface that has both its source and destination IP addresses in the local domain is an indication of IP spoofing. Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access.
All routers must employ proper IP filtering rules. They should only route packets from sources that could legitimately come from the interface the packet arrives on. Most routers now have options to turn off the ability to spoof IP source addresses by checking the source address of a packet against the routing table to ensure the return path of the packet is through the interface it was received on. We will be discussing IP filtering techniques and tools in a later lecture.
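The two checks just described, the monitoring heuristic (local source and destination seen on the external interface) and the router's reverse-path check against its routing table, as an added Python example that is not part of the original notes. The routing table, interface names and netlog-style records are constructed for illustration.

```python
import ipaddress

EXTERNAL = "eth0"   # interface toward the upstream provider (assumed layout)
# Constructed routing table: prefix -> interface through which that prefix is reached.
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "eth1",   # internal LAN
    ipaddress.ip_network("10.2.0.0/16"): "eth2",   # second internal segment
    ipaddress.ip_network("0.0.0.0/0"): EXTERNAL,   # default route
}
INTERNAL = [n for n, ifc in ROUTES.items() if ifc != EXTERNAL]

def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in n for n in INTERNAL)

def egress_interface(addr: ipaddress.IPv4Address) -> str:
    """Longest-prefix match: the interface the router would use to reach addr."""
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

def check_packet(ingress: str, src: str, dst: str) -> list:
    """Return the reasons, if any, to treat a packet as spoofed; an empty list means accept."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    findings = []
    # Monitoring heuristic: both addresses local, yet the packet came in from outside.
    if ingress == EXTERNAL and is_internal(s) and is_internal(d):
        findings.append("local source and destination on the external interface")
    # Reverse-path check: the packet must arrive on the interface we would reply through.
    expected = egress_interface(s)
    if expected != ingress:
        findings.append(f"source {s} belongs on {expected}, arrived on {ingress}")
    return findings

# Constructed netlog-style records: (ingress interface, source, destination).
SAMPLE_LOG = [
    ("eth0", "203.0.113.7", "10.1.0.5"),   # legitimate inbound from upstream
    ("eth0", "10.1.0.9", "10.1.0.5"),      # outsider impersonating trusted host 10.1.0.9
    ("eth1", "10.1.0.9", "203.0.113.7"),   # legitimate outbound from the LAN
    ("eth1", "198.51.100.4", "10.2.0.1"),  # LAN host forging an external source
]

def audit(records) -> dict:
    """Map each offending (ingress, src, dst) record to its findings."""
    results = {r: check_packet(*r) for r in records}
    return {r: f for r, f in results.items() if f}
```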
When packets are too large to be sent in a single IP packet, due to interface hardware limitations for example, they can be split up by an intermediate router unless prohibited by the Don't Fragment flag. IP fragmentation occurs when a router receives a packet larger than the MTU (Maximum Transmission Unit) of the next network segment. All such fragments carry the same Identification field value, and the Fragment Offset indicates the position of the current fragment within the original, unfragmented datagram. Intermediate routers are not expected to reassemble the fragments. The final destination reassembles all the fragments of an IP packet and passes the result to higher protocol layers (like TCP or UDP).
In the IP layer implementations of nearly all OSes, there are bugs in the reassembly code. An attacker can create and send a pair of carefully crafted but malformed IP packets which in the process of reassembly cause a server to panic and crash. Two well known attack programs of this kind are teardrop and land.
Microsoft issued a patch for an IP fragment attack as recently as May 19, 2000; see http://www.microsoft.com/technet/security/bulletin/fq00-029.asp
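The checks a reassembler must make before trusting the Identification, Fragment Offset and More Fragments values of incoming fragments, as an added Python example (not code from the notes or from any operating system). Both fragment sets are constructed; the OVERLAP pair is the shape of malformed input that buggy reassembly code of the kind described above mishandles, and a careful reassembler simply refuses it.

```python
class FragmentError(ValueError): pass

class Reassembler:
    """Reassembly buffer for one datagram, i.e. one Identification value."""

    def __init__(self, ident: int):
        self.ident = ident
        self.pieces = {}          # byte offset -> payload
        self.total_len = None     # known once the fragment with MF == 0 arrives

    def add(self, offset_units: int, more_fragments: bool, payload: bytes):
        start = offset_units * 8                  # Fragment Offset counts 8-octet units
        end = start + len(payload)
        if end > 65535:
            raise FragmentError("fragment extends past the 65535-byte datagram limit")
        if more_fragments and len(payload) % 8:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        for s, p in self.pieces.items():          # overlap is a bug or an attack, never trusted
            if start < s + len(p) and s < end:
                raise FragmentError(f"fragment [{start},{end}) overlaps [{s},{s + len(p)})")
        if not more_fragments:
            if self.total_len is not None:
                raise FragmentError("two fragments claim to be the last")
            self.total_len = end
        self.pieces[start] = payload

    def datagram(self) -> bytes:
        pos = 0                                   # every byte up to the declared end must be covered once
        for s in sorted(self.pieces):
            if s != pos:
                raise FragmentError(f"gap at byte {pos}")
            pos += len(self.pieces[s])
        if self.total_len is None or pos != self.total_len:
            raise FragmentError("datagram incomplete or overlong")
        return b"".join(self.pieces[s] for s in sorted(self.pieces))

def reassemble(fragments) -> bytes:
    """fragments: (ident, offset_units, more_fragments, payload) tuples of one datagram."""
    r = None
    for ident, off, mf, payload in fragments:
        r = r or Reassembler(ident)
        if ident != r.ident:
            raise FragmentError("fragments carry different Identification values")
        r.add(off, mf, payload)
    return r.datagram()

# Constructed: 40 bytes split into three fragments, delivered out of order.
GOOD = [(7, 2, True, b"B" * 8), (7, 0, True, b"A" * 16), (7, 3, False, b"C" * 16)]
# Constructed malformed pair: the second fragment's byte range falls inside the first.
OVERLAP = [(8, 0, True, b"A" * 32), (8, 2, False, b"B" * 8)]
```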
"Smurf" is the name of an automated program that attacks a network by exploiting IP broadcast addressing and certain other aspects of Internet operation. Smurf and similar programs can cause the attacked part of a network to become "inoperable." The exploit of smurfing, as it has come to be known, takes advantage of certain known characteristics of the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP). The ICMP is used by network nodes and their administrators to exchange information about the state of the network. ICMP can be used to ping other nodes to see if they are operational. An operational node returns an echo message in response to a ping message.
A smurf program builds a network packet that appears to originate from another address (this is known as "spoofing" an IP address). The packet contains an ICMP ping message that is addressed to an IP broadcast address, meaning all IP addresses in a given network. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will reply to it with an ICMP echo reply each. The echo responses to the ping message are sent back to the "victim" address. Enough pings and resultant echoes can flood the network making it unusable for real traffic.
The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf".
There are two parties who are hurt by this attack: the intermediary (broadcast) devices, and the spoofed address target. The attackers rely on the ability to source spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service. In order to stop this, all networks should perform filtering either at the edge of the network where customers connect (access layer) or at the edge of the network with connections to the upstream providers, in order to prevent packets with spoofed source addresses from entering from downstream networks or leaving for upstream networks.
One way to defeat smurfing is to disable IP broadcast addressing at each network router since it is seldom used. This is one of several suggestions provided by the CERT Coordination Center. The CERT Coordination Center's Advisory on "smurf" IP Denial-of-Service Attacks provides an explanation and suggestions for network administrators on how to avoid being part of a smurf attack.
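Detection logic for the two sides of a smurf attack described above, run over sample packet records, as an added Python example not taken from the notes or from CERT: inbound echo requests aimed at one of our subnet broadcast addresses (the traffic that disabling directed broadcast at the router stops), and the fan-out of echo replies leaving our subnets toward a single outside "victim". Subnets, interface names and records are constructed.

```python
import ipaddress
from collections import Counter

# Constructed: the subnets behind an assumed border router; "ext0" faces upstream.
LOCAL_NETS = [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.1.1.0/24")]
UPSTREAM = "ext0"
ECHO_REQUEST, ECHO_REPLY = 8, 0     # ICMP type values

def is_local(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in LOCAL_NETS)

def is_directed_broadcast(addr: str) -> bool:
    """True if addr is the broadcast address of one of our subnets, i.e. a potential amplifier."""
    a = ipaddress.ip_address(addr)
    return any(a == n.broadcast_address for n in LOCAL_NETS)

# Constructed packet records: (ingress interface, ICMP type, source, destination).
SAMPLE = [
    (UPSTREAM, ECHO_REQUEST, "203.0.113.9", "10.1.0.255"),   # ping to a subnet broadcast
    (UPSTREAM, ECHO_REQUEST, "203.0.113.9", "10.1.1.255"),
    (UPSTREAM, ECHO_REQUEST, "198.51.100.2", "10.1.0.7"),    # ordinary ping to one host
    ("lan0", ECHO_REPLY, "10.1.0.3", "203.0.113.9"),         # replies heading for the victim
    ("lan0", ECHO_REPLY, "10.1.0.4", "203.0.113.9"),
    ("lan0", ECHO_REPLY, "10.1.1.8", "203.0.113.9"),
    ("lan0", ECHO_REPLY, "10.1.0.7", "198.51.100.2"),        # the ordinary ping being answered
]

def smurf_report(records):
    """Return (requests to drop: outside pings aimed at our broadcast addresses,
    fan_out: number of echo replies leaving our subnets per outside destination)."""
    to_drop = [r for r in records
               if r[0] == UPSTREAM and r[1] == ECHO_REQUEST and is_directed_broadcast(r[3])]
    fan_out = Counter(r[3] for r in records
                      if r[1] == ECHO_REPLY and is_local(r[2]) and not is_local(r[3]))
    return to_drop, fan_out

def suspected_victims(records, threshold: int = 3) -> list:
    """Outside addresses receiving at least `threshold` echo replies from our subnets."""
    _, fan_out = smurf_report(records)
    return [dst for dst, n in fan_out.items() if n >= threshold]
```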
It's possible to transmit data in ICMP ECHO request and reply messages. This allows you to code simple client/server applications that ride on IP directly and don't require transport layer overhead.
tbd