May 5, 2003

IP works with small units of data called datagrams, each carrying a small header used for addressing. This header contains two addresses:

- The destination's IP address.
- The source's IP address.

The destination's IP address determines where the datagram should go. The source's IP address tells the destination where the datagram originated. The problem lies in how the source IP address is handled. One of the merits of the IP protocol is that it is connectionless, so routers make routing decisions based on the destination address alone, without any influence from the source address. While a packet is in transit, information about the source essentially remains unused until the packet reaches its destination. For this reason, attackers can forge a packet's source address by setting it to that of another computer, or even of a nonexistent computer, and the packet will still reach its destination. Thus, one way of concealing identity on the Internet is simply to forge source addresses. It has long been known that the IP protocol permits anonymous attacks.

In his 1985 paper on TCP/IP weaknesses, Morris says: “In order to bring down the victim host, attackers create packets with spoofed source IP addresses. This exploits applications that use authentication based on IP addresses and leads to unauthorized user and, possibly, root access on the targeted system. It is possible to route packets through filtering-router firewalls if they are not configured to filter incoming packets whose source address is in the local domain.” 

IP Spoofing techniques

Simple forging

Forging or spoofing an address in a one-way communication is as simple as putting any desired address in the source address field, as shown on page 27.

Using a reflector host 
Attackers can use IP address forging to manipulate an innocent (uncompromised) host into attacking a victim. The attacker sends a packet designed to elicit a response to a reflector host. If the attacker uses the victim's address as the packet's source, the reflector will innocently direct its response toward the victim, as shown below.

For the victim, the attack seems to come from the reflector. At the reflector, initiating packets appear to come from the victim while the attacker is seemingly uninvolved.


Laundering attack packets
Attackers use stolen or phantom accounts to launder packets before they reach a victim. When laundering takes place, the laundering host actually receives and processes the attacking host’s packets, transmitting other packets toward the victim as shown in the figure below. 

This process changes the source address to that of the laundering host, and can also give the laundered packets different content and/or time from that of the attacker’s original packets. In these ways, attackers can use laundering hosts to disguise their identity.

Detection of IP spoofing attacks
One can monitor packets using network-monitoring software such as netlog. To do this, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. Such a packet cannot legitimately arrive from outside; if you find one, the network is currently under attack.

Prevention of IP spoofing 
The best method of preventing the IP spoofing problem is to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network. In addition, the network operator should filter outgoing packets that have a source address different from the internal network, in order to prevent a source IP spoofing attack originating from your site.
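The detection rule and the two filter rules above, expressed as a small check run over constructed packet records. This is an added example, not code from the original article; the site prefix LOCAL_NET and the sample log lines are assumptions made for illustration.

```python
import ipaddress

# Assumed site prefix; in practice this is the network's own allocated range.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

def classify(direction, src, dst, local_net=LOCAL_NET):
    """Verdict for one packet seen at the external interface.

    direction: "in" (arriving from outside) or "out" (leaving the site).
    Returns "ok", "spoofed-ingress" or "spoofed-egress".
    """
    src_ip = ipaddress.ip_address(src)
    if direction == "in":
        # Input filter: a packet arriving from outside must not claim a local
        # source. The article's detection rule (source and destination both
        # local on the external interface) is a special case of this check.
        if src_ip in local_net:
            return "spoofed-ingress"
    elif direction == "out":
        # Output filter: a packet leaving the site must carry a local source,
        # so the site cannot be used to originate spoofed traffic.
        if src_ip not in local_net:
            return "spoofed-egress"
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return "ok"

# Constructed sample traffic: one "direction src dst" record per line.
SAMPLE_LOG = """\
in  198.51.100.7  192.0.2.10
in  192.0.2.99    192.0.2.10
out 192.0.2.10    198.51.100.7
out 203.0.113.5   198.51.100.7
"""

def audit(log_text=SAMPLE_LOG):
    """Return [(direction, src, dst, verdict)] for every packet not 'ok'."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        direction, src, dst = line.split()
        verdict = classify(direction, src, dst)
        if verdict != "ok":
            flagged.append((direction, src, dst, verdict))
    return flagged
```

Running audit() over the sample log flags the second and fourth records: an inbound packet claiming a local source, and an outbound packet carrying a foreign one.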

J Suresh Kumar
