IP Spoofing :-
The term IP (Internet Protocol) address spoofing refers to the creation of IP packets with a forged (spoofed) source IP address with the purpose of concealing the identity of the sender or impersonating another computing system.
Why it works ?
IP-Spoofing works because trusted services only rely on network address based authentication. Since IP is easily duped, address forgery is not difficult.
The main reason is security weakness in the TCP protocol known as sequence number prediction.
How it works ?
To completely understand how ip spoofing can take place, one must examine the structure of the TCP/IP protocol suite. A basic understanding of these headers and network exchanges is crucial to the process.
Internet Protocol (IP) :
It is a network protocol operating at layer 3 (network) of the OSI model. It is a connectionless model, meaning there is no information regarding transaction state, which is used to route packets on a network. Additionally, there is no method in place to ensure that a packet is properly delivered to the destination.
Transmission Control Protocol (TCP) :
It is the connection-oriented, reliable transport protocol in the TCP/IP suite. Connection-oriented simply means that the two hosts participating in a discussion must first establish a connection via the 3-way handshake (SYN-SYN/ACK-ACK). Reliability is provided by data sequencing and acknowledgement. TCP assigns sequence numbers to every segment and acknowledges any and all data segments recieved from the other end.
As you can see above, the first 12 bytes of the TCP packet, which contain port and sequencing information.
TCP sequence numbers can simply be thought of as 32-bit counters. They range from 0 to 4,294,967,295. Every byte of data exchanged across a TCP connection (along with certain flags) is sequenced. The sequence number field in the TCP header will contain the sequence number of the *first* byte of data in the TCP segment. The acknowledgement number field in the TCP header holds the value of next *expected* sequence number, and also acknowledges *all* data up through this ACK number minus one.
TCP packets can be manipulated using several packet crafting softwares available on the internet.
The Attack
IP-spoofing consists of several steps. First, the target host is choosen. Next, a pattern of trust is discovered, along with a trusted host. The trusted host is then disabled, and the target's TCP sequence numbers are sampled. The trusted host is impersonated, the sequence numbers guessed, and a connection attempt is made to a service that only requires address-based authentication. If successful, the attacker executes a simple command to leave a backdoor.
Spoofing can be implemented by different ways as given below -
Non-Blind Spoofing :- This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately.
Blind Spoofing :- Here the sequence and acknowledgement numbers are unreachable. In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers.
Both types of spoofing are forms of a common security violation known as a Man In The Middle Attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.
IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against – Denial of Service attacks, or DoS.
 |
CounterMeasures | |
2) Encryption and Authentication :- Implementing encryption and authentication will also reduce spoofing threats. Both of these features are included in Ipv6, which will eliminate current spoofing threats.
3) Initial Sequence Number Randomizing.
IP Address :-
Definition :-
"An Internet Protocol (IP) address is a numerical identification (logical address) that is assigned to devices participating in a computer network utilizing the Internet Protocol for communication between its nodes". -- Wikipedia
The Internet Protocol (IP) has two versions currently in use which are IPv4 and IPv6.
This article represents to IPv4 version only.
In general, an IP address is a 32-bit decimal number that is normally written as four numbers between 1 to 255 (8 bits or 1 byte each), each seperated from the other by a decimal point. This standard is known as "Dotted Decimal Notation".
e.g.- 117.200.77.110
IP addresses are divided into number of ranges/classes as given in the table below-
| Class | Range |
|---|---|
| A | 0.0.0.0 to 127.255.255.255 |
| B | 128.0.0.0 to 191.255.255.255 |
| C | 192.0.0.0 to 223.255.255.255 |
| D | 224.0.0.0 to 239.255.255.255 |
| E | 240.0.0.0 to 255.255.255.255 |
e.g.- IP Address 192.168.24.114 belongs to Class 'C'.
How to find out IP Address of your system ?
1) Connect to the Internet.
2) Launch MS-DOS Command Prompt.
3) Type "netstat -n", Press Enter.
You will get the output similar to following-
The IP Address shown in local address field denotes IP Address of your system.
In this case it is 117.200.160.151
IP Address Formats :-
Four different formats of IP Address along with example is as given below-
1) Domain Name System (DNS) : www.insecure.in
2) DWORD Format : 2928008962
3) Octal Format : 0256.0205.0337.002
4) Dotted Decimal Format : 174.133.223.2
Converting DNS IP Address into Normal IP Address :-
You can easily get the IP Address of any domain by various methods such as WHOIS, Netstat, Ping, Traceroute, etc.
Here I have used 'Ping' to get IP Address.
1) Connect to the Internet.
2) Launch MS-DOS Command Prompt.
3) Type "ping domainname", Press Enter.
You will get the output similar to following-
Here, IP Address for Domain "www.insecure.in" is "174.133.223.2"
Thus by typing "http://www.insecure.in" OR "http://2928008962" OR "0256.0205.0337.02" OR "174.133.223.2" in your browser will take you to the same site.
| Not all of these formats work in all browsers. |
Packet Header Analysis :-
Following are the easy to analyze ICMP, TCP and UDP packet headers along with short description.
All header Drawings by- "Matt Baxter" (www.fatpipe.org/~mjb/Drawings/)
ICMP Message Types :- ICMP message type-code/name format
0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
Checksum :- The checksum is the 16-bit ones's complement of the one's complement sum of the ICMP message starting with the ICMP Type.
RFC 792 :- Please refer to RFC 792 for Internet Control Message Protocol (ICMP) Specification.
| TCP Flags :- C E U A P R S F |
| C 0x80 Reduced (CWR) |
| E 0x40 ECN Echo (ECE) |
| U 0x20 Urgent |
| A 0x10 Ack |
| P 0x08 Push |
| R 0x04 Reset |
| S 0x02 Syn |
| F 0x01 Fin |
| TCP Options :- |
| 0 End of Options List |
| 1 No Operation (NOP, Pad) |
| 2 Maximum Segment Size |
| 3 Window Scale |
| 4 Selective ACK ok |
| 8 Timestamp |
Checksum :- Checksum of entire TCP segment and pseudo header (parts of IP header)
Offset :- Number of 32-bit words in TCP header, minimum value of 5. Multiply by 4 to get byte count.
RFC 793 :- Please refer to RFC 793 for Transmission Control Protocol (TCP) Specification.
Source Port :- an optional field, when meaningful, it indicates the port of the sending process, and may be assumed to be the port to which a reply should be addressed in the absence of any other information. If not used, a value of zero is inserted.
Destination Port :- Destination Port has a meaning within the context of a particular internet destination address.
Length :- Length is the length in octets of this user datagram including this header and the data. (This means the minimum value of the length is eight.)
Checksum :- Checksum is the 16-bit one's complement of the one's complement sum of a pseudo header of information from the IP header, the UDP header, and the data, padded with zero octets at the end (if necessary) to make a multiple of two octets.
RFC 768 :- Please refer to RFC 768 for User Datagram Protocol (UDP) Specification.
The different types of 
