07-02-2013, 03:37 PM
Study of IP Spoofing
THEORY:
IP Spoofing
When an IP packet leaves its source, nothing along the way validates the source address carried in the packet header. A hacker can therefore modify the source address and make the packet appear to come from anywhere. The problem is that the return packets (such as the SYN-ACK packet in a TCP connection) will not come back to the sending machine. Thus, spoofing the IP address in order to establish a TCP connection should be very difficult. In addition, the TCP header contains a sequence number that is used to acknowledge packets, and the initial sequence number (ISN) for each new connection is supposed to be pseudo-random.
In 1989, Steve Bellovin of AT&T Bell Labs published the paper "Security Problems in the TCP/IP Protocol Suite" in Computer and Communications Review, 19(2):32-48, April 1989. The paper describes how many implementations of the TCP/IP protocol stack did not choose the ISN randomly but simply incremented it. Thus, if enough was known about the last few ISNs, the next ISN could be predicted. Given this, we now have the ability to perform an IP spoofing attack.
Details of an IP Spoofing Attack
The figure shows the details of an IP spoofing attack. The hacker first identifies his target. While making this identification, he must determine the increment used in the ISNs. This can be determined by making a series of legitimate connections to the target and noting the ISNs that are returned. Obviously, this carries some risk for the hacker, as these legitimate connections will show his real IP address.
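The two paragraphs above describe a host whose ISNs advance by a fixed increment rather than being pseudo-random. As an added example (not from the original post), the audit routine below takes ISNs observed across several connections to one host and reports whether they follow a constant increment, a nearly constant one, or look pseudo-random; it handles 32-bit wraparound. The ISN samples and the 64000 increment in them are constructed test data, not captures.

```python
# Added example: audit observed TCP initial sequence numbers (ISNs) for
# predictability. Sample ISNs below are constructed, not real captures.
from statistics import pstdev

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2^32 so that a
    counter wrapping past 0xFFFFFFFF still yields its true increment."""
    return [(b - a) % SEQ_MOD for a, b in zip(isns, isns[1:])]


def constant_increment(isns):
    """Return the fixed increment if every consecutive delta is identical
    (the predictable generator Bellovin described), otherwise None.
    At least three samples are needed to compare two deltas."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        return None
    return deltas[0] if all(d == deltas[0] for d in deltas) else None


def classify_isn_generator(isns, low_entropy_cv=0.1):
    """Classify an ISN sequence as 'constant-increment', 'low-entropy'
    (increment varies only slightly, still easy to guess), or 'looks-random'.
    The decision uses the coefficient of variation of the deltas; the 0.1
    threshold is an assumed heuristic, not a standard value."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        return "insufficient-samples"
    if constant_increment(isns) is not None:
        return "constant-increment"
    mean = sum(deltas) / len(deltas)
    cv = pstdev(deltas) / mean if mean else 0.0
    return "low-entropy" if cv < low_entropy_cv else "looks-random"


# Constructed samples: a pure counter, the same counter crossing the 32-bit
# boundary, a counter with small jitter, and values chosen to look random.
BSD_STYLE = [4096, 68096, 132096, 196096]
WRAPPING = [0xFFFF0000, 0xFFFFFA00, 62464, 126464]
JITTERED = [4096, 68100, 132090, 196110]
RANDOM_LIKE = [0x8A3F1C02, 0x1B77E9D4, 0xD04C22A9, 0x45E1B0F6, 0x9B23D7E1]

if __name__ == "__main__":
    for name, sample in [("bsd", BSD_STYLE), ("wrap", WRAPPING),
                         ("jitter", JITTERED), ("random", RANDOM_LIKE)]:
        print(name, constant_increment(sample), classify_isn_generator(sample))
```

A host that classifies as constant-increment or low-entropy should have its TCP stack updated or patched to use randomized ISNs, since any sequence-number-based trust on it is unreliable.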
Using IP Spoofing in the Real World
Using IP spoofing, we can fool a computer system into thinking that it is talking to some other system. Clearly, using this attack against e-mail service or Web service does not buy us much. The same is true with regard to trying a brute-force attack against a telnet prompt.
When rlogin (a utility for Unix-like operating systems that lets a user log in to another host over the network, communicating on TCP port 513) or rsh (Remote Shell, a protocol that lets a user execute commands on a remote system without logging in to it) is configured on a system, the source IP address is an important component in determining who is allowed to use the service. Remote hosts that will be accepted on such connections are called trusted. If we can use IP spoofing to fool a target into thinking that we are coming from a trusted system, perhaps we can successfully compromise the system.