IP address spoofing is the creation of IP packets with a forged source address, that is, an address belonging to somebody else. This technique is used for obvious reasons and is employed in several of the attacks described later. Examining the IP header, we can observe that the first 12 bytes carry various metadata about the packet. The next 8 bytes, however, contain the source and destination IP addresses. Using one of many tools, an attacker can easily alter these addresses, specifically the "source address" field.
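As an added illustration (not code from the paper), a small Python parser for the fixed IPv4 header: it reads the metadata fields and then the source and destination at the byte offsets given above, verifies the RFC 791 header checksum, and builds two headers with the Figure 1 and Figure 2 addresses to show that nothing in the header authenticates the source field. The identification, flags and length values in the builder are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

def header_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words with the checksum field zeroed."""
    data = header[:10] + b"\x00\x00" + header[12:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int = 64, ttl: int = 64, proto: int = 1) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid checksum; id/flags are sample values."""
    head = struct.pack("!BBHHHBBH", 0x45, 0, 20 + payload_len, 0x1C46, 0x4000, ttl, proto, 0)
    head += IPv4Address(src).packed + IPv4Address(dst).packed   # bytes 12-15 and 16-19
    return head[:10] + struct.pack("!H", header_checksum(head)) + head[12:]

def parse_ipv4_header(pkt: bytes) -> dict:
    """Read the first 12 bytes of metadata, then source (12-15) and destination (16-19)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a usable IPv4 header")
    return {
        "ttl": ttl, "protocol": proto, "total_len": total_len,
        "checksum_ok": header_checksum(pkt[:ihl]) == csum,
        "src": str(IPv4Address(pkt[12:16])),
        "dst": str(IPv4Address(pkt[16:20])),
    }

def compare_headers(a: bytes, b: bytes) -> list:
    """Byte offsets at which two headers differ: for a forged source only 10-11 (checksum) and 12-15."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    valid = build_ipv4_header("192.168.0.5", "10.0.0.23")     # Figure 1 addresses
    spoofed = build_ipv4_header("172.16.0.6", "10.0.0.23")    # Figure 2 addresses
    print(parse_ipv4_header(valid))
    print(parse_ipv4_header(spoofed))
    print("offsets that differ:", compare_headers(valid, spoofed))
```

A checksum mismatch only reveals clumsy tampering: a correctly rebuilt header with a forged source is indistinguishable from a genuine one, which is why the filtering in section 5 works on address ranges rather than on the header itself.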
A common misconception is that "IP spoofing" can be used to hide one's IP address while surfing the Internet, sending e-mail, chatting on-line, and so forth. This is generally not true. Forging the source IP address causes the replies to be misdirected, meaning that a normal network connection cannot be established.
Figure 1 (valid source IP address) illustrates a typical interaction between a workstation with a valid source IP address requesting web pages and the web server serving the requests. The workstation requests a web page from the server; the request carries both the address of the web server serving the request (i.e. destination IP address 10.0.0.23) and the workstation's own address (i.e. source IP address 192.168.0.5). The web server returns the web page using the source IP address given in the request as the destination IP address, 192.168.0.5, and its own IP address as the source IP address, 10.0.0.23.
Figure 1: Valid source IP address
Figure 2 (spoofed source IP address) illustrates the interaction between a workstation requesting pages with a spoofed source IP address and the server serving the requests. If a spoofed source IP address (i.e. 172.16.0.6) is used by the workstation, the server handling the page request will attempt to serve it by sending data to the IP address of what it considers to be the requesting machine (i.e. the workstation at 172.16.0.6). The machine at the spoofed IP address will receive unsolicited connection attempts from the server, which it will simply discard.
Figure 2: Spoofed source IP address
2 IP routing mechanism and problems
Figure 3: IP Routing mechanism.
IP routing is hop by hop. Every IP packet is routed independently. The route of an IP packet is determined by all the routers the packet passes through.
IP address spoofing is possible because routers only need to inspect the destination IP address in the packet to make a routing decision. The source IP address is not needed by routers, and an unreachable source IP address will not affect the delivery of packets.
That address is only used by the end system when it sends the reply back to the source.
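To make the hop-by-hop point concrete, here is an added Python simulation (not from the paper) of the Figure 1 and Figure 2 exchanges: each router looks only at the destination address, so a request with a spoofed source is delivered normally, and the reply is routed to whoever owns the spoofed address. The routers R1 and R2 and their links are assumed; the host addresses are those of the figures.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumed, not from the paper): R1 serves the workstation's and the
# bystander's subnets, R2 serves the web server's subnet, and the two routers are linked.
HOSTS = {"192.168.0.5": "workstation", "172.16.0.6": "bystander", "10.0.0.23": "webserver"}
FIRST_HOP = {"192.168.0.5": "R1", "172.16.0.6": "R1", "10.0.0.23": "R2"}
# Each routing table maps a destination prefix to the next router, or "deliver" for a local subnet.
ROUTES = {
    "R1": {"192.168.0.0/24": "deliver", "172.16.0.0/24": "deliver", "0.0.0.0/0": "R2"},
    "R2": {"10.0.0.0/24": "deliver", "0.0.0.0/0": "R1"},
}

def lookup(table: dict, dst: str) -> str:
    """Longest-prefix match on the destination only; the source address is never consulted."""
    addr = ip_address(dst)
    best = max((n for n in table if addr in ip_network(n)), key=lambda n: ip_network(n).prefixlen)
    return table[best]

def forward(packet: dict, first_hop: str, max_hops: int = 8):
    """Route hop by hop: every router decides independently from packet['dst']."""
    hop, path = first_hop, []
    for _ in range(max_hops):
        path.append(hop)
        nxt = lookup(ROUTES[hop], packet["dst"])
        if nxt == "deliver":
            return path, HOSTS[packet["dst"]]
        hop = nxt
    raise RuntimeError("routing loop")

def exchange(real_sender: str, claimed_src: str, dst: str) -> dict:
    """Send a request whose source field is claimed_src, then route the server's reply."""
    req_path, server = forward({"src": claimed_src, "dst": dst}, FIRST_HOP[real_sender])
    # The server answers the address it saw in the header; it cannot know the real sender.
    reply_path, receiver = forward({"src": dst, "dst": claimed_src}, FIRST_HOP[dst])
    return {
        "server": server, "request_path": req_path, "reply_path": reply_path,
        "reply_to": receiver,
        # With a forged source the reply lands at a host that never asked for it (Figure 2).
        "reply_reaches_sender": receiver == HOSTS[real_sender],
    }

if __name__ == "__main__":
    print(exchange("192.168.0.5", "192.168.0.5", "10.0.0.23"))   # Figure 1: valid source
    print(exchange("192.168.0.5", "172.16.0.6", "10.0.0.23"))    # Figure 2: spoofed source
```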
3 IP address spoofing and Applications
3.1 Asymmetric routing (split routing)
Asymmetric routing means that traffic leaves and arrives over different interfaces. In other words, asymmetric routing is when the reply to a packet follows a different path from one host to the other than the original packet did. The more precise and more general definition is: for any source IP address 'A' and destination 'B', the path followed by a packet (request or reply) from 'A' to 'B' differs from the path taken by a packet from 'B' to 'A'.
Figure 4: Asymmetric routing.
3.2 Implementation of asymmetric routing
Modern operating systems allow packets to be received on an input interface different from the output interface.
In Linux, we can implement asymmetric routing using iptables (Linux 2.4):
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.5
This means that for all packets leaving via eth0, the source IP address will be rewritten to 192.168.0.5.
We also have to disable reverse path filtering:
echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
3.3 SAT DSL
Satellite DSL (SAT DSL) makes use of asymmetric routing.
Figure 5. Satellite DSL
The benefit of a satellite network is to provide high-bandwidth services independent of the user's position over a wide geographical area. A satellite network consists of two types of stations: receivers and feeds. Each receiver has a satellite dish connected to a user station. The user station has an additional interface, a DSL modem connected to the ISP; this is called the return channel. All requests to the Internet are sent via the DSL connection, and replies from the network are routed through a feed on the satellite network. After the data travels from the feed to a satellite, it is broadcast to all the receivers within the satellite's coverage. Installing feeds in strategic locations across the Internet produces shorter paths and higher bandwidth delivered by the satellite network. The user host therefore has two IP addresses, one for the usual connection subnetwork (return channel) and the other for the satellite subnetwork.
The traffic path of satellite DSL is:
Figure 6: Traffic Path of Satellite DSL
First we send the request (1) (using our network connection) to the Sat-Server; after it retrieves our information from the network (2) it sends it to the satellite (3); finally we receive the information from the satellite (4) at our home using a parabolic antenna and a Sat card.
3.4 Probable problem with AOL's DSL connection setup
AOL's DSL service developed a particular connection setup procedure in order to provide a VPN (Virtual Private Network) for its users. When a user dials in to the AOL DSL ISP, these actions take place:
1. The user is connected to the ISP using a public account, so a network connection between the user and the ISP is established. But the user can only receive data over this connection; he cannot send any Internet request.
2. On top of this connection, a VPN is formed using the user's private account. After the authentication succeeds, the user can send and receive data through this VPN connection.
These steps are AOL's attempt to provide protected Internet traffic over the DSL connection. But, as is often the case, one solution to a security problem may lead to another problem, and this applies also to AOL's DSL connection setup. With a suitable setup and an IP address spoofing method, a user can connect to the AOL DSL ISP and download as much information as he wants over this connection without paying any money. The following picture shows such a setup and how this attack works.
Figure 7: Problem in AOL DSL
1. On the first Internet interface, the user dials up a DSL connection to T-Online or another ISP using his own account. The user can send and receive information over this connection.
2. On the second Internet interface, the user dials up the AOL DSL ISP using a free public account to create a DSL connection that only carries data one way, from the ISP to the user.
3. Before the user sends a packet through the T-Online connection, he spoofs the source IP address of the packet to the IP address of the second Internet interface (which is connected to AOL DSL).
4. So he sends requests through the T-Online connection and receives replies through the AOL DSL connection. This way the user only has to pay for the data he sends to T-Online, and receives for free every bit he gets from AOL DSL, which would have cost a lot more than the bits he pays for, because users typically spend much more on downloading from the Internet than on sending data to the Internet.
3.5 NAT: network address translation
In computer networking, network address translation (NAT) is the process of translating the IP address information in IP packet headers while they are in transit across a traffic routing device.
If one of these links performs network address translation, it modifies the destination or source of the packet as it passes through. The link doing network address translation remembers how it mangled a packet, and when a reply packet passes through the other way, it does the reverse mangling on that reply packet, so everything works.
NAT has several applications:
• Modem connections to the Internet
Most ISPs give you only one IP address when you dial in. You can send out packets with any source address you want, but only replies to packets carrying this source IP address will come back to you. If you want to use many different machines to connect to the Internet through this one link, you need NAT.
• Multiple servers
Sometimes you need to change where packets heading into your system will go. Frequently this is because you have a single IP address, but you want users to be able to reach the boxes behind the one with the 'real' IP address. If you rewrite the destination of incoming packets, you can manage this. This kind of NAT is called port forwarding. A common variation of this is load sharing, where the mapping ranges over a set of systems, fanning packets out to them.
• Transparent proxying
Sometimes you want to pretend that every packet which passes through your Linux box is destined for an application on the Linux box itself. This method is used to create transparent proxies: a proxy is an application which stands between your network and the outside world, shuffling communication between the two. The transparent part is because your internal network won't even know it is talking to a proxy, unless of course the proxy doesn't work.
NAT types: Destination NAT (DNAT) and Source NAT (SNAT).
Source NAT is when you alter the source address of the first packet, i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specific form of SNAT.
Destination NAT is when you alter the destination address of the first packet, i.e. you are changing where the connection is going to. Destination NAT is always done pre-routing, when the packet first comes off the wire. Port forwarding, load sharing and transparent proxying are all forms of DNAT.
Figure 8: NAT
3.6 IP masquerade
IP Masquerade is a specific form of Network Address Translation (NAT) which allows internally connected machines that do not have registered Internet IP addresses to communicate with the Internet via the Linux server's Internet IP address. IP masquerading lets you use a single network-connected computer running Linux with a real IP address as a gateway for non-connected computers with "forged" IP addresses. The Linux box with the real IP address handles mapping packets from your intranet out to the Internet, and when the reply returns, it maps them back to your intranet. This lets you browse the web and use other Internet services from multiple systems without needing a special network setup from your ISP.
IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) Network Address Translation (NAT) servers found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via Ethernet, PPP, etc., the IP Masquerade feature allows other "internal" systems connected to this Linux box (via Ethernet, PPP, etc.) to also reach the Internet. Linux IP Masquerading allows this even though these internal computers do not have an officially assigned IP address.
IP masquerading differs from NAT. While IP masquerading implements a specific many-to-one NAT, IP NAT allows complex many-to-many translations. For a static real IP address we use NAT, while for a dynamic real IP address (via PPP) we use IP masquerading.
Figure 9: IP Masquerading
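An added Python model (not netfilter's or the paper's code) of the mangling and reverse mangling described in sections 3.5 and 3.6: a one-to-many masquerading table that rewrites the source of outbound flows in POSTROUTING and undoes it for replies in PREROUTING, plus a DNAT port-forwarding rule for the "multiple servers" case. The addresses and ports are constructed examples.

```python
from itertools import count

# Constructed model of netfilter-style mangling, not the paper's or the kernel's code.
# A packet is a dict with src/sport/dst/dport; all addresses and ports are sample values.
class Masquerade:
    """One-to-many SNAT: each internal flow gets (public_ip, unique port) and the mapping is remembered."""
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.ports = count(first_port)
        self.out_map = {}   # (src, sport, dst, dport) -> public source port
        self.in_map = {}    # (public port, remote ip, remote port) -> (internal src, sport)

    def postrouting(self, pkt: dict) -> dict:
        """Outbound packet, just before it goes onto the wire: rewrite the source."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out_map:
            port = next(self.ports)
            self.out_map[key] = port
            self.in_map[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=self.out_map[key])

    def prerouting(self, pkt: dict):
        """Inbound reply: undo the mangling; anything without a remembered flow is dropped (None)."""
        if pkt["dst"] != self.public_ip:
            return None
        entry = self.in_map.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if entry is None:
            return None          # unsolicited packet: no flow to map it back to
        src, sport = entry
        return dict(pkt, dst=src, dport=sport)

class PortForward:
    """DNAT for the 'multiple servers' case: public port -> internal server, reversed for replies."""
    def __init__(self, public_ip: str, rules: dict):
        self.public_ip, self.rules = public_ip, rules   # rules: {public_port: (internal_ip, port)}

    def prerouting(self, pkt: dict) -> dict:
        """Before routing: redirect a packet aimed at a forwarded public port."""
        target = self.rules.get(pkt["dport"]) if pkt["dst"] == self.public_ip else None
        return dict(pkt, dst=target[0], dport=target[1]) if target else pkt

    def postrouting(self, pkt: dict) -> dict:
        """After routing: make the server's reply appear to come from the public address/port."""
        for pub_port, (ip, port) in self.rules.items():
            if (pkt["src"], pkt["sport"]) == (ip, port):
                return dict(pkt, src=self.public_ip, sport=pub_port)
        return pkt

if __name__ == "__main__":
    nat = Masquerade("203.0.113.1")
    out = nat.postrouting({"src": "192.168.0.5", "sport": 40000, "dst": "198.51.100.80", "dport": 80})
    back = nat.prerouting({"src": "198.51.100.80", "sport": 80, "dst": out["src"], "dport": out["sport"]})
    print(out, back)
```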
4 IP address spoofing attack
4.1 Blind IP spoofing
Often the attacker does not have access to the reply; the attack abuses a trust relationship between hosts.
Host C sends an IP datagram with the address of some other host (Host A) as the source address to Host B. The attacked host (B) responds to the legitimate host (A).
Figure 10: Blind IP Spoofing
4.2 Man-in-the-middle attacks
If an attacker controls a gateway that lies on the delivery route, he can
• sniff the traffic
• intercept / block / delay traffic
• modify traffic
Figure 11: Man-in-the-middle attacks.
This type of attack is not easy on the Internet because of hop-by-hop routing, unless source routing is used or the attacker controls one of the backbone hosts.
This can also be done in combination with the IP source routing option. IP source routing is used to specify the route for the delivery of a packet, independently of the usual delivery mechanisms. If traffic can be forced through specific routes or specific hosts, and if the reverse route is used to reply to the traffic, a host on the route can easily impersonate another host. The attack method could be:
Figure 12: Source Routing attacks.
4.3 Attacks concerning the routing protocols
A host can send spoofed RIP packets in order to "inject" routes into a host. This is simple to implement; it only requires IP/UDP spoofing. On a LAN with RIPv2, passwords have to be supplied for updating routes, but plaintext passwords are used. The plaintext passwords can be sniffed.
Figure 13: Link state before RIP attack
The attacker sends a fake RIP packet to router 2, claiming to have the shortest path to the network that router 1 connects to. Then all packets to that network will be routed to the attacker, who can sniff the traffic.
Figure 14: Link State after RIP attack
4.4 IP address spoofing attack with ICMP
4.4.1 ICMP Echo attacks
• Map the hosts of a network
The attacker sends ICMP echo datagrams to all the hosts in a subnet, then collects the replies and determines which hosts are alive.
• Denial of service attack (Smurf attack)
The attacker sends ICMP Echo Requests with a spoofed source address (the victim's IP address) to subnets; the victim then receives ICMP Echo Replies from every machine.
Figure 15: Smurf attack
4.4.2 ICMP Redirect attacks
ICMP redirect messages can be used to re-route traffic over specific routes or to a specific host that is not a router at all.
The ICMP redirect attack is very simple: just send spoofed ICMP redirect messages that appear to come from the host's default gateway.
For example: host 192.168.1.4 sends a phony ICMP packet to host 192.168.1.3, saying that the route through 192.168.1.4 is the best way to the Internet. The source IP address of this phony ICMP packet is the gateway's IP address, 192.168.1.1. Then all the traffic from 192.168.1.3 to the Internet will be sent through
Figure 16: Before ICMP redirect attack
Figure 17: After ICMP redirect attack
4.4.3 ICMP destination unreachable attacks
The ICMP destination unreachable message is used by gateways to state that a datagram cannot be delivered. It can be used to "cut" nodes out of the network. It is a denial of service (DoS) attack.
An attacker injects many forged destination unreachable messages (stating that 100.100.100.100 is unreachable) into a subnet (e.g. 128.100.100.*). If someone on the 128.100.100.* net tries to contact 100.100.100.100, he will immediately get an ICMP Time Exceeded from the attacker's host. For 128.100.100.* this means that there is no way to contact 100.100.100.100, and therefore communication fails.
Figure 18: ICMP destination unreachable attacks
4.5 UDP attacks
UDP is an unreliable transport layer protocol. It relies on IP, it is connectionless, and its checksum is optional. Therefore non-duplication, integrity, delivery and ordering are not guaranteed, and it is simple to send a forged packet to the target. Compared with this, TCP is connection oriented and the TCP connection setup sequence number is hard to predict, so it is not simple to insert a forged packet into a TCP connection. Therefore UDP traffic is more susceptible to IP spoofing than TCP.
Figure 19: UDP spoofing
Figure 20: UDP hijacking
4.6 TCP attacks
Although IP spoofing on TCP is hard, it can still be realized on specific operating systems. The attack aims at impersonating another host, mostly during the TCP connection establishment phase.
Node A trusts node B (e.g. login with no password).
Node C wants to impersonate B with respect to A in opening a TCP connection.
C first silences B (by redirecting, flooding or crashing it).
C sends A a TCP segment in a spoofed IP packet with B's address as the source IP and 11000 as the sequence number.
A responds with a TCP SYN/ACK segment to B with 54002 as the sequence number.
C does not receive the segment from A to B, but in order to finish the handshake it has to send A an ACK segment with 54002+1 as the acknowledgement number. C has to guess or predict the value 54002.
Figure 21: TCP spoofing
5 Stopping IP address spoofing attack
5.1 Packet filtering
The router that connects a network to another network is known as a border router. One method to mitigate the threat of IP spoofing is to inspect packets as they leave and enter a network, looking for invalid source IP addresses. If this kind of filtering were performed on all border routers, IP address spoofing would be greatly reduced.
Egress filtering inspects the source IP address of outgoing packets to make sure they come from a valid IP address range within the internal network. When the router receives a packet that contains an invalid source address, the packet is simply discarded and does not cross the network boundary.
Ingress filtering inspects the source IP address of packets entering the network to ensure they do not come from sources that are not permitted to enter the network. At a minimum, all reserved, internal and private IP addresses should be rejected by the router and not allowed to enter the network.
In Linux, packet filtering can be enabled using:
echo 2 > /proc/sys/net/ipv4/conf/*/rp_filter
5.2 Limits of packet filtering
Packet filtering generally cannot prevent a machine from participating in an attack if the spoofed IP address used falls within the valid internal address range. However, it will simplify tracing the packets, since the machines will have to use a source IP address within the valid IP range of the network.
We take the campus network as example:
Figure 22: Campus network
The network address is 18.104.22.168/16 and packet filtering on the router is enabled. For IP packet 1, host 22.214.171.124 forges a packet from 126.96.36.199; the source IP address is in the valid IP range, so the router considers it a valid packet and sends it out to the network.
For IP packet 2, host 188.8.131.52 forges a packet from 184.108.40.206; the source IP address is not in the valid IP range, so the router decides it is invalid and discards it.
Packet filtering can cause trouble if you use split routing (packets from you to a host take a different path than packets from that host to you). If split routing is in use, enabling packet filtering will block all packets with spoofed source addresses. To turn rp_filter off, use:
echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
Instances where you might need to disable packet filtering include:
• If you need to do asymmetric routing (accepting returning packets inbound on an interface other than the outbound interface).
• If the box has multiple interfaces up on the same network.
• If you are using special VPN interfaces to tunnel traffic (e.g. FreeS/WAN).
Another difficulty is that many ISPs do not have the technical ability to configure packet filtering to block packets with spoofed source addresses. Also, packet filtering reduces equipment performance.
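An added Python model (not the paper's code) of what the border router of sections 5.1 and 5.2 can and cannot decide: the ingress/egress checks against the valid address range, and a reverse path check with the semantics of the Linux rp_filter modes used in sections 3.2 and 5.1 (0 off, 1 strict, 2 loose). The campus range 203.0.113.0/24 and the interface names are assumed values standing in for the network of Figure 22.

```python
from ipaddress import ip_address, ip_network

# Constructed border-router model, not the paper's code. eth0 faces the ISP, eth1 the campus.
# The campus range is an assumed /24 standing in for the /16 of Figure 22.
CAMPUS = ip_network("203.0.113.0/24")
ROUTES = {CAMPUS: "eth1", ip_network("0.0.0.0/0"): "eth0"}   # prefix -> outgoing interface
# Source addresses that must never arrive from the Internet: private, loopback, "this" network,
# link-local and the multicast/reserved block.
BOGONS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3")]

def route_iface(addr: str) -> str:
    """Interface the router would use to reach addr (longest-prefix match over ROUTES)."""
    a = ip_address(addr)
    return ROUTES[max((n for n in ROUTES if a in n), key=lambda n: n.prefixlen)]

def rp_filter(src: str, in_iface: str, mode: int) -> bool:
    """Linux rp_filter semantics. 0: off. 1: strict, the route back to src must use the
    arrival interface, which rejects asymmetric (split) routing. 2: loose, any route back to
    src suffices, so with a default route present nothing is rejected."""
    if mode == 0:
        return True
    if mode == 1:
        return route_iface(src) == in_iface
    return any(ip_address(src) in n for n in ROUTES)

def border_filter(src: str, in_iface: str, mode: int = 1):
    """Ingress/egress filtering of section 5.1 followed by the reverse path check. Returns (accept, reason)."""
    a = ip_address(src)
    if in_iface == "eth0":                           # ingress: packet arriving from the Internet
        if any(a in b for b in BOGONS):
            return False, "ingress: reserved or private source"
        if a in CAMPUS:
            return False, "ingress: source pretends to be internal"
    elif a not in CAMPUS:                            # egress: packet leaving the campus
        return False, "egress: source outside the valid campus range"
    if not rp_filter(src, in_iface, mode):
        return False, "rp_filter: reverse path is via another interface"
    # Limit from section 5.2: a forged source inside CAMPUS is indistinguishable from a real one.
    return True, "accepted"

if __name__ == "__main__":
    for src, iface in (("203.0.113.7", "eth1"), ("203.0.113.200", "eth1"),
                       ("198.51.100.9", "eth1"), ("192.168.0.5", "eth0"), ("203.0.113.7", "eth0")):
        print(src, iface, border_filter(src, iface))
    print("asymmetric return on eth1, strict/loose:",
          rp_filter("198.51.100.9", "eth1", 1), rp_filter("198.51.100.9", "eth1", 2))
```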
Goal: implement an example environment for the split routing / IP spoofing scenario.
6.1 Scenario description
Figure 23: experiment scenario
We do the experiment under Linux SuSE 8.0. The tools needed are:
The configuration is:
On Leila:
ifconfig eth0 220.127.116.11
ifconfig eth1 192.168.1.33
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.33
echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
On Rui:
ifconfig eth0 18.104.22.168
ifconfig eth1 192.168.1.34
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.34
echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
6.3 Experiment procedure
Packet 1: Rui -> Leila:
The request packet is sent from interface eth0/Rui, using the IP address of interface eth1/Rui, i.e. 192.168.1.34.
Packet 2: Leila -> Rui:
The request packet is sent from interface eth0/Leila, using the IP address of interface eth1/Leila, i.e. 192.168.1.33.
6.4 Experiment result
Eth0: ICMP ping request packet from Rui to Leila
Eth1: ICMP reply packet from Leila to Rui
Eth0: ICMP ping request packet from Leila to Rui
Eth1: ICMP reply packet from Rui to Leila