IP Spoofing
An attacker may spoof a trusted source IP address when talking to a host in order to gain access that is granted on the basis of the source address alone. Tools that craft packets with arbitrary source addresses are freely available on the Internet. IP spoofing is also the basis of reflection attacks: the attacker sends requests whose source address is forged to the victim's address, so every receiver sends its reply (which may be much larger than the request) to the victim, flooding it. Sending such spoofed requests to many hosts at once turns this into a distributed (reflected) Denial-of-Service attack. To drop spoofed packets at a router, the Linux kernel offers reverse path filtering, the "rp_filter" option, which can be changed at run time:
root@router:~# echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
This command turns strict reverse path filtering on for all interfaces. To change the setting on a single interface, eth0 for example:
root@router:~# echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
The possible values are:
0 disables reverse path filtering (no source validation at all)
1 strict mode: a packet is accepted only if the route back to its source address goes out through the interface the packet arrived on
2 loose mode (on current kernels): a packet is accepted if the kernel has any route back to its source address
Note that the kernel applies the higher of the conf/all and conf/<interface> values to each interface, so setting only one of the two may not give the result you expect, and that strict mode must not be used on links with asymmetric routing, where replies legitimately leave through another interface. Writing to /proc does not survive a reboot; put the same settings in /etc/sysctl.conf to make them permanent.
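To make the three values concrete, here is an added example (not code from the original article) that performs the same source validation rp_filter does, against a small constructed routing table: a router with an upstream link on eth0 and a LAN on eth1. The routes and addresses are invented for the illustration.

```python
import ipaddress

# Constructed routing table for a router with an upstream link (eth0) and an
# internal LAN (eth1). Added illustration, not the page's own code.
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route towards the Internet
    ("203.0.113.0/24", "eth0"),  # upstream transit network
    ("10.0.0.0/24", "eth1"),     # internal LAN
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: return the egress interface for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def effective_rp_filter(conf, iface):
    """The kernel uses the higher of conf/all and conf/<iface> for an interface."""
    return max(conf.get("all", 0), conf.get(iface, 0))


def rp_filter_accepts(src, ingress, conf, routes=ROUTES):
    """Source validation as rp_filter performs it.

    conf maps 'all' and interface names to 0 (off), 1 (strict) or 2 (loose).
    Returns True when the packet passes the reverse path check.
    """
    mode = effective_rp_filter(conf, ingress)
    if mode == 0:
        return True
    reverse_iface = route_lookup(src, routes)
    if mode == 2:
        # loose: any route back to the source is good enough
        return reverse_iface is not None
    # strict: the route back must leave through the ingress interface
    return reverse_iface == ingress


if __name__ == "__main__":
    # A packet claiming to come from the LAN but arriving on the upstream link
    print("spoofed LAN source on eth0, strict:",
          rp_filter_accepts("10.0.0.5", "eth0", {"all": 1}))
    print("same packet, loose (default route exists):",
          rp_filter_accepts("10.0.0.5", "eth0", {"all": 2}))
    print("strict only on eth0, packet arrives on eth1:",
          rp_filter_accepts("203.0.113.7", "eth1", {"eth0": 1}))
```

The loose case is worth noticing: with a default route present, loose mode accepts the spoofed LAN address on eth0, because some route back to 10.0.0.5 exists. Loose mode only catches sources the router has no route to at all, which is why it is a compromise for asymmetric setups and not a substitute for strict mode on a simple two-legged router.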
Routing Protocol Attacks
Misconfigured dynamic routing protocols such as RIP, BGP, and OSPF (for instance, sessions without neighbor authentication) may allow attackers to inject routes into the routing tables of the machines running those protocols. This can be used for Denial-of-Service attacks, by injecting wrong routes that black-hole traffic, or for sniffing, by announcing routes that pull the victims' traffic through the attacker's computer, which then acts as a router. We will discuss later in this article how to set up, configure, and secure BGP on Linux.
ICMP Attacks
ICMP is an essential part of IP; it is how hosts and routers exchange control and error messages. Using spoofed source addresses, an attacker can disrupt a session between two hosts by sending forged "Time Exceeded" or "Destination Unreachable" messages to both of them, so that each side believes the path is broken (a DoS attack). With forged ICMP "redirect" messages, which legitimately tell a host that a better gateway exists for some destination, an attacker on the same subnet can make a host send its packets for that destination to the attacker's machine instead of the real router, and then read or alter them. On Linux, the kernel can be told to ignore redirect messages, for all interfaces or for a single one, through the accept_redirects setting under /proc/sys/net/ipv4/conf/, in the same way as rp_filter above.
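The two knobs discussed so far, rp_filter (IP spoofing section above) and accept_redirects, live in the same per-interface directories, so one small script can audit and set both. The following is an added example, not code from the original article; it assumes the /proc/sys/net/ipv4/conf layout and takes the directory as a parameter so it can be exercised against a constructed copy of the tree without root.

```python
import os
import shutil
import tempfile

# Wanted values in every interface directory under /proc/sys/net/ipv4/conf/.
# rp_filter=1 is strict reverse path filtering; accept_redirects=0 makes the
# kernel ignore ICMP redirects. Added example, not the page's own code.
WANTED = {
    "rp_filter": "1",
    "accept_redirects": "0",
}

CONF_ROOT = "/proc/sys/net/ipv4/conf"


def read_setting(conf_root, iface, key):
    """Return the current value as a string, or None if the file is absent."""
    path = os.path.join(conf_root, iface, key)
    if not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read().strip()


def audit(conf_root=CONF_ROOT):
    """Return (iface, key, current, wanted) for every setting that deviates."""
    findings = []
    for iface in sorted(os.listdir(conf_root)):
        for key, wanted in WANTED.items():
            current = read_setting(conf_root, iface, key)
            if current is not None and current != wanted:
                findings.append((iface, key, current, wanted))
    return findings


def harden(conf_root=CONF_ROOT):
    """Write the wanted values into 'all', 'default' and every interface dir.

    'all' and the interface entries are both written because the kernel
    combines them (max of the two for rp_filter; on a host a redirect is
    accepted if either conf/all or the interface allows it). 'default' is
    included so interfaces created later start out hardened. Needs root on
    the real tree. Returns the audit after the change.
    """
    for iface in os.listdir(conf_root):
        for key, wanted in WANTED.items():
            path = os.path.join(conf_root, iface, key)
            if os.path.isfile(path):
                with open(path, "w") as f:
                    f.write(wanted + "\n")
    return audit(conf_root)


def demo_on_constructed_tree():
    """Exercise audit() and harden() on a throwaway copy of the conf layout.

    The tree is constructed here with the weak values; it is not a real /proc.
    Returns (number of findings before, findings after hardening).
    """
    root = tempfile.mkdtemp()
    try:
        for iface in ("all", "default", "eth0"):
            os.makedirs(os.path.join(root, iface))
            for key, weak in (("rp_filter", "0"), ("accept_redirects", "1")):
                with open(os.path.join(root, iface, key), "w") as f:
                    f.write(weak + "\n")
        before = len(audit(root))
        after = harden(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    for finding in audit():
        print("%-8s %-16s is %s, want %s" % finding)
```

audit() can be run by any user against the live tree; harden() needs root and, like the echo commands above, does not persist across reboots. The permanent form of the same settings in /etc/sysctl.conf is net.ipv4.conf.all.rp_filter = 1 and net.ipv4.conf.all.accept_redirects = 0 (plus the default.* and per-interface entries if you want them pinned explicitly).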
ICMP flooding is one of the easiest ways to attack a host. ping is the most common tool for verifying connectivity, but it can also be used as a DoS tool: with ping -f (flood mode, which requires root) Linux sends echo requests as fast as replies come back, or a hundred times per second if none do. The following command floods the host 10.10.10.12 with 1000 packets:
root@router:~# ping -f 10.10.10.12 -c 1000
PING 10.10.10.12 (10.10.10.12) 56(84) bytes of data.
On a router, this kind of attack can be blunted by rate limiting ICMP echo requests with iptables: the first rule accepts up to 10 echo requests per second (with an initial burst of 5, the default of the limit match) and the second drops whatever exceeds that:
root@router:~# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
root@router:~# iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
The order of the two rules matters, since iptables stops at the first match. The FORWARD chain only covers traffic passing through the router; to protect the router itself, add the same pair to the INPUT chain. Keep in mind that rate limiting also throttles legitimate pings, and that a flood large enough to saturate the link still does damage before the rules ever see the packets.
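The limit match is a token bucket, and how it behaves under a flood versus a merely busy link is not obvious from the rule alone. The following added example (not from the original article) simulates the two rules above on two constructed arrival patterns and counts how many echo requests get through. Arrival times are integer milliseconds so the arithmetic stays exact.

```python
def limit_match(arrival_ms, rate_per_sec=10, burst=5):
    """Simulate the iptables 'limit' match as a token bucket.

    arrival_ms: packet arrival times in milliseconds (non-decreasing ints).
    The bucket starts full with `burst` tokens, refills at `rate_per_sec`
    tokens per second, and each matching packet spends one token. Returns a
    list with True where the rule matches (the ACCEPT rule fires) and False
    where it does not (the packet falls through to the DROP rule).
    """
    tokens = float(burst)
    last = None
    decisions = []
    for t in arrival_ms:
        if last is not None:
            tokens = min(float(burst), tokens + (t - last) * rate_per_sec / 1000.0)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            decisions.append(True)
        else:
            decisions.append(False)
    return decisions


def accepted_count(arrival_ms, rate_per_sec=10, burst=5):
    """Number of packets the ACCEPT rule lets through."""
    return sum(limit_match(arrival_ms, rate_per_sec, burst))


# Constructed traffic patterns (not captures):
FLOOD = [i // 20 for i in range(1000)]   # 1000 echo requests within 50 ms
STEADY = [50 * i for i in range(40)]      # 20 requests/s sustained for 2 s

if __name__ == "__main__":
    print("flood: %d of %d forwarded" % (accepted_count(FLOOD), len(FLOOD)))
    print("20/s : %d of %d forwarded" % (accepted_count(STEADY), len(STEADY)))
```

Under the flood only the initial burst of 5 gets through; at a steady 20 per second the bucket drains in under a second and then admits every other packet, which is the 10/s the rule promises plus the burst.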
Old IP stacks had other ICMP-related vulnerabilities, the best known being the Ping of Death. It crashed machines by sending ICMP echo requests in fragmented IP packets which, once reassembled, were larger than the maximum legal length of 65535 octets; the reassembly buffer overflowed and the victim's device (computer, printer, etc.) crashed. A Linux patch for the ping of death was out in 2 hours, 35 minutes, and 10 seconds, and shortly after, patches for other OSes were available from vendors. However, the ping of death started a trend of filtering all ICMP packets, which, as you will see later in this article, is not a good practice.
Teardrop Attacks
Teardrop, targa, NewTear, Nestea, Bonk, Boink, TearDrop2, Syndrop, and many others are all tools to crash machines that have a vulnerability in the IP stack. They exploit a fragment reassembly bug in some old Linux kernels (2.0), Windows NT, and Windows 95: Teardrop sent fragmented IP packets whose fragment offsets were manipulated so that the second fragment fell inside the first, and the reassembly code, trying to trim the overlap, computed a negative length and copied far too much memory. The effect was a kernel panic in Linux or a blue screen in Windows. A reboot solved the problem until the next attack.
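Both the ping of death and the teardrop family are failures of the fragment reassembly code, so one checker illustrates both. The following added example (not code from the original article or from any kernel) reassembles a list of fragments and refuses the two malformed sets described above. Fragments are given as (offset in 8-byte units, more-fragments flag, payload), mirroring the IP header fields; the sample fragment sets are constructed.

```python
MAX_DATAGRAM = 65535    # largest legal IP total length (16-bit field)
IP_HEADER_LEN = 20      # minimal header, so the payload may be at most 65515 bytes


class BadFragment(ValueError):
    """Raised for a fragment set that can never form a legal datagram."""

    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason


def reassemble(fragments):
    """Reassemble (offset_in_8_byte_units, more_fragments, payload) tuples.

    Returns the payload bytes when the datagram is complete, None when
    fragments are still missing, and raises BadFragment for sets that a sane
    stack must discard: oversized datagrams (ping of death) and overlapping
    fragments (teardrop and friends). Exact duplicates are refused too, for
    simplicity.
    """
    pieces = []
    for off8, more, payload in fragments:
        start = off8 * 8
        end = start + len(payload)
        if more and len(payload) % 8:
            raise BadFragment("non-final fragment not a multiple of 8 bytes")
        if end > MAX_DATAGRAM - IP_HEADER_LEN:
            # offset + length exceeds what the 16-bit total length can carry
            raise BadFragment("oversize")
        pieces.append((start, end, more, payload))
    pieces.sort(key=lambda p: p[0])

    data = bytearray()
    expected = 0
    for start, end, more, payload in pieces:
        if start < expected:
            # The teardrop family: this fragment overlaps data already placed.
            # Code that tried to trim the overlap computed a negative length
            # here; refusing the whole datagram is the safe policy.
            raise BadFragment("overlap")
        if start > expected:
            return None          # gap: wait for the missing fragment
        data += payload
        expected = end
    if pieces and pieces[-1][2]:
        return None              # last fragment still has MF set
    return bytes(data)


def verdict(fragments):
    """'ok', 'incomplete', or the reason the set was rejected."""
    try:
        return "incomplete" if reassemble(fragments) is None else "ok"
    except BadFragment as e:
        return e.reason


# Constructed fragment sets (not captures):
NORMAL = [(0, True, b"A" * 24), (3, False, b"B" * 10)]
TEARDROP = [(0, True, b"A" * 24), (1, False, b"B" * 4)]   # second lands inside the first
PING_OF_DEATH = [(8189, False, b"x" * 1480)]              # 65512 + 1480 > 65515

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH)):
        print("%-14s %s" % (name, verdict(frags)))
```

The oversize check is done per fragment, before anything is buffered, because the last fragment of a ping of death is individually legal; only its offset plus its length gives it away.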
Layer 4 Security Threats
TCP and UDP are the transport protocols found at OSI Layer 4 (transport). We covered them in more detail in Article 1: TCP is the more complex of the two because it is a connection-oriented protocol with a flow-control mechanism (windowing), while UDP is simple and connectionless, with no flow control implemented in the protocol.
TCP Attacks
Being a connection-oriented protocol, TCP establishes a connection using a three-way handshake, as described in Article 1. An attacker can abuse this by sending a very large number of SYN packets, usually with spoofed source addresses, and never completing the handshake with the final ACK, so the SYN-ACKs the attacked host sends back go unanswered. This type of attack is called a TCP SYN attack or SYN flooding. It works because the attacked host keeps each half-open connection in a "listen queue" (the SYN_RECV state) for a considerable time, tens of seconds, retransmitting the SYN-ACK several times before giving up.
That queue has a limited size in every TCP implementation; once a SYN flood fills it, new SYNs from legitimate clients are dropped and the service becomes unreachable, even though the machine itself keeps running. The size of the queue differs from one Linux kernel version to another: 2.2 kernels limit the number of connections in SYN_RECV state, 1024 by default on typical machines, while 2.0 kernels used a single backlog for both open and half-open connections. On current kernels the limit is tcp_max_syn_backlog, and SYN cookies (tcp_syncookies) let the host answer SYNs without storing any state once the queue is full. Another TCP-related attack is the Land attack. It is very simple and was very devastating at the same time, as not only a large number of Unix versions and all Windows versions were affected, but also Cisco routers. The Land attack is conducted with a small C program (land.c) that sends a SYN packet to an open TCP port on the victim with the source address and port spoofed to equal the destination address and port (e.g. 192.168.1.1 port 139 to 192.168.1.1 port 139), which locked up vulnerable stacks. Another popular TCP-related attack is a Man-in-the-Middle attack called TCP connection hijacking.
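The following added example (not code from the original article) models the listen queue described above and shows why a small queue is enough for a flood of spoofed SYNs to lock out a legitimate client, and how SYN cookies avoid that by answering statelessly once the queue is full. The cookie construction is a simplified version of the Linux scheme (an 8-bit time counter plus a 24-bit MAC over the connection's 4-tuple, with no MSS encoding); the secret key, the addresses and the queue size are invented for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct

COOKIE_SECRET = b"constructed-demo-secret"   # hypothetical; a kernel uses random keys
COUNTER_PERIOD = 64                           # seconds per cookie counter tick


def syn_cookie(src, sport, dst, dport, counter, secret=COOKIE_SECRET):
    """Stateless ISN: 8-bit time counter in the top bits, 24-bit MAC below.

    The server can later verify the client's ACK (which carries ISN + 1)
    without having stored anything about the SYN it answered.
    """
    c = counter & 0xFF
    msg = f"{src}:{sport}>{dst}:{dport}|{c}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    low = struct.unpack(">I", mac[:4])[0] & 0x00FFFFFF
    return (c << 24) | low


class Listener:
    """A listening socket with a bounded half-open (SYN_RECV) queue."""

    def __init__(self, addr, port, max_backlog, syncookies=False):
        self.addr, self.port = addr, port
        self.max_backlog = max_backlog
        self.syncookies = syncookies
        self.half_open = {}          # (src, sport) -> ISN we sent in the SYN-ACK
        self.established = set()

    def syn(self, src, sport, now):
        """Handle a SYN; return the ISN of our SYN-ACK, or None if dropped."""
        if len(self.half_open) < self.max_backlog:
            isn = secrets.randbelow(1 << 32)
            self.half_open[(src, sport)] = isn
            return isn
        if self.syncookies:
            # Queue full: answer with a cookie instead of dropping the SYN.
            return syn_cookie(src, sport, self.addr, self.port, now // COUNTER_PERIOD)
        return None

    def ack(self, src, sport, ack_num, now):
        """Handle the handshake's final ACK; return True when established."""
        key = (src, sport)
        if key in self.half_open:
            if ack_num == (self.half_open[key] + 1) & 0xFFFFFFFF:
                del self.half_open[key]
                self.established.add(key)
                return True
            return False
        if not self.syncookies:
            return False
        isn = (ack_num - 1) & 0xFFFFFFFF
        counter = isn >> 24
        current = (now // COUNTER_PERIOD) & 0xFF
        fresh = (current - counter) % 256 in (0, 1)     # this tick or the previous one
        if fresh and syn_cookie(src, sport, self.addr, self.port, counter) == isn:
            self.established.add(key)
            return True
        return False


def flood_demo(syncookies):
    """Flood a listener with spoofed SYNs, then attempt a legitimate handshake."""
    srv = Listener("192.0.2.1", 80, max_backlog=4, syncookies=syncookies)
    for i in range(1000):                           # spoofed sources never ACK
        srv.syn("203.0.113.%d" % (i % 254 + 1), 1024 + i, now=0)
    isn = srv.syn("198.51.100.9", 50000, now=0)
    if isn is None:
        return "syn dropped"
    ok = srv.ack("198.51.100.9", 50000, (isn + 1) & 0xFFFFFFFF, now=2)
    return "established" if ok else "ack rejected"


if __name__ == "__main__":
    print("without syncookies:", flood_demo(False))
    print("with syncookies:   ", flood_demo(True))
```

Two properties carry over to the real thing: the cookie is only used when the queue is already full, and a forged ACK has to guess 24 bits of MAC per counter value, which is what keeps an attacker from completing handshakes on behalf of spoofed sources.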
An attacker located on the path between two computers communicating via TCP can seize control of the connection, either during the three-way handshake or afterwards, once the connection is established, by creating a desynchronized state: the connection stays established but no data gets through, because the SEQ number of one host no longer matches the ACK number the other expects, in both directions (A_SEQ <> B_ACK and B_SEQ <> A_ACK). In a desynchronized state the hosts discard each other's packets (a DoS in itself), but the attacker, who sees the traffic and therefore knows the correct sequence numbers, can craft segments that each side accepts and inject commands into the session.
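The following added example (not from the original article) models just enough of the data phase of TCP to show the desynchronization described above: after one injected segment, the legitimate sender's next segment is refused while the attacker can keep talking. Sequence numbers, addresses and the injected commands are made up; the model accepts only in-order segments, which is a simplification of real TCP.

```python
class Endpoint:
    """One side of an established TCP connection (data phase only)."""

    def __init__(self, name, snd_nxt, rcv_nxt):
        self.name = name
        self.snd_nxt = snd_nxt     # sequence number of the next byte we send
        self.rcv_nxt = rcv_nxt     # sequence number we expect to receive next
        self.received = b""

    def send(self, data):
        """Build a segment (seq, data) and advance our send sequence."""
        seg = (self.snd_nxt, data)
        self.snd_nxt = (self.snd_nxt + len(data)) & 0xFFFFFFFF
        return seg

    def receive(self, seg):
        """Consume a segment only if it starts exactly at rcv_nxt.

        Simplification: a real stack buffers data above rcv_nxt and merely
        re-ACKs data below it; in both cases the bytes do not reach the
        application, which is what matters for the hijack.
        """
        seq, data = seg
        if seq != self.rcv_nxt:
            return False
        self.received += data
        self.rcv_nxt = (self.rcv_nxt + len(data)) & 0xFFFFFFFF
        return True


def desynchronized(a, b):
    """The condition from the text: a side's next SEQ differs from what its peer expects."""
    return a.snd_nxt != b.rcv_nxt or b.snd_nxt != a.rcv_nxt


def hijack_demo():
    """An on-path attacker injects into the A->B direction after the handshake."""
    a = Endpoint("A", snd_nxt=1000, rcv_nxt=5000)   # constructed numbers
    b = Endpoint("B", snd_nxt=5000, rcv_nxt=1000)
    result = {"in_sync_before": not desynchronized(a, b)}

    # The attacker sniffed the sequence numbers and forges a segment as A.
    result["injection_accepted"] = b.receive((b.rcv_nxt, b"whoami\n"))

    # A's genuine data now carries a sequence number B has already consumed.
    result["legit_accepted"] = b.receive(a.send(b"ls\n"))
    result["desynchronized"] = desynchronized(a, b)

    # Only the attacker, who tracks B's rcv_nxt, can keep feeding B commands.
    result["second_injection_accepted"] = b.receive((b.rcv_nxt, b"id\n"))
    result["b_received"] = b.received
    return result


if __name__ == "__main__":
    for k, v in hijack_demo().items():
        print("%-26s %r" % (k, v))
```

In practice the injected bytes also trigger an ACK from B that A does not understand, and A's retransmissions in turn confuse B; the resulting ACK storm is one of the classic signs of a hijack on a sniffer.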
UDP Attacks
Since UDP has no connection establishment, the usual way to attack it is to send a large number of UDP packets to random ports on the victim. This type of attack is called UDP flooding. For every packet the victim has to look up the application listening on that port; when there is none, it discards the packet and normally answers with an ICMP "port unreachable" message, so the attack costs the victim both CPU time and outbound bandwidth. A large enough flood can overload the victim or saturate its link, and on a fragile system may even crash it. Linux limits the rate at which it sends such ICMP error replies (icmp_ratelimit), which bounds the bandwidth part of the damage.
TCP and UDP Port Scan Attacks
Port scanning is usually the first thing an attacker does when targeting a victim. Using one of the many programs found on the Internet (e.g. Nmap), an attacker can discover which TCP and UDP ports a host has open in order to identify the running services and then look for vulnerabilities in them. A scan is easy to spot in firewall logs: a single source touching many different ports in a short time.
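A practitioner wants to see scanning and UDP flooding in logs rather than in theory, so the following added example (not code from the original article) parses constructed iptables LOG lines and flags sources that hit many distinct ports in a short time, or that send an abnormal number of UDP packets per second. It covers the UDP flooding section above as well as port scanning. The log lines imitate the field names the LOG target writes but are generated here, not captured; addresses and thresholds are invented for the illustration.

```python
import re
from collections import defaultdict

# Fields of an iptables LOG line we care about. The kernel uptime stamp in
# brackets gives sub-second timing without parsing the syslog date.
LOG_RE = re.compile(
    r"\[\s*(?P<t>\d+\.\d+)\].*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse(lines):
    """Return (time, src, proto, dport) per parsable line; dport is None for ICMP."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events.append((float(m["t"]), m["src"], m["proto"],
                           int(m["dpt"]) if m["dpt"] else None))
    return events


def detect(events, scan_ports=10, scan_window=60.0, flood_pkts=100, flood_window=1.0):
    """Flag sources that touch many distinct ports (scan) or hammer UDP (flood).

    Returns (src, kind, count) tuples; a UDP flood to random ports is also
    reported as a scan, which is expected: the rate is what tells them apart.
    """
    by_src = defaultdict(list)
    for t, src, proto, dpt in events:
        by_src[src].append((t, proto, dpt))
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        # Port scan: distinct (proto, port) pairs inside any scan_window span.
        for i in range(len(evs)):
            ports = set()
            for t, proto, dpt in evs[i:]:
                if t - evs[i][0] > scan_window:
                    break
                if dpt is not None:
                    ports.add((proto, dpt))
            if len(ports) >= scan_ports:
                findings.append((src, "portscan", len(ports)))
                break
        # UDP flood: most UDP packets seen inside any flood_window span.
        udp = [t for t, proto, _ in evs if proto == "UDP"]
        best, j = 0, 0
        for i, t in enumerate(udp):
            while t - udp[j] > flood_window:
                j += 1
            best = max(best, i - j + 1)
        if best >= flood_pkts:
            findings.append((src, "udp-flood", best))
    return findings


def _log_line(t, src, proto, dport):
    """Build a line shaped like the LOG target's output (constructed, not captured)."""
    ports = "" if proto == "ICMP" else " SPT=40000 DPT=%d" % dport
    return ("Mar 12 10:15:00 router kernel: [%12.6f] IPT-DROP: IN=eth0 OUT= "
            "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=%s DST=192.0.2.1 "
            "LEN=60 TTL=64 PROTO=%s%s" % (t, src, proto, ports))


# Constructed sample: a TCP scan, a benign DNS client, and a UDP flood.
SAMPLE_LOG = (
    [_log_line(100.0 + 0.1 * i, "203.0.113.9", "TCP", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 3306, 8080])]
    + [_log_line(100.5, "198.51.100.4", "UDP", 53),
       _log_line(101.0, "198.51.100.4", "ICMP", None)]
    + [_log_line(200.0 + 0.003 * i, "198.51.100.77", "UDP", 1024 + i) for i in range(300)]
)

if __name__ == "__main__":
    for src, kind, count in detect(parse(SAMPLE_LOG)):
        print("%-16s %-10s %d" % (src, kind, count))
```

To use it on a real box, read the lines from kern.log (or wherever the LOG target's prefix lands) and tune the thresholds to the traffic you normally see; a busy DNS resolver legitimately talks to many ports, so the scan rule is best applied to inbound traffic only.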
Layer 5, 6, and 7 Security Threats
We have grouped Layers 5, 6, and 7 of the OSI model, which together correspond to the application layer of the TCP/IP model. Many applications are known from the past to be vulnerable to exploits, and most of them had problems at all three upper layers of the OSI model. We will present a few very popular applications that are known to have contained a large number of vulnerabilities.