28-02-2013, 03:55 PM
Intrusion Detection and Hackers Exploits IP Spoofing Attack
Intrusion Detection.ppt (Size: 1.23 MB / Downloads: 159)
IP spoofing
IP spoofing is a technique used to gain unauthorized access to computers, where by the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host.
Attacker puts an internal, or trusted, IP address as its source. The access control device sees the IP address as trusted and lets it through.
Why IP Spoofing is easy?
Problem with the Routers.
Routers look at Destination addresses only.
Authentication based on Source addresses only.
To change source address field in IP header field is easy.
Spoofing Attacks:
There are a few variations on the types of attacks that using IP spoofing.
Spoofing is classified into :-
1.non-blind spoofing This attack takes place when the attacker is on the same subnet as the target that could see sequence and acknowledgement of packets.
Using the spoofing to interfere with a connection that sends packets along your subnet.
Man in the Middle Attack
This is also called connection hijacking. In this attacks, a malicious party intercepts a legitimate communication between two hosts to controls the flow of communication and to eliminate or alter the information sent by one of the original participants without their knowledge.
Spoofing Attacks:
IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines.
For example, it is common on some corporate networks to have internal systems trust each other, so that a user can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authenticating.
Detection of IP Spoofing:
Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access.
Prevention IP spoofing
The best method of preventing the IP spoofing problem is to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network. In addition, you should filter outgoing packets that have a source address different from your internal network in order to prevent a source IP spoofing attack originating from your site.