Presentation on web's most dangerous attack - IP Spoofing.

1. NETWORK SECURITY A PAPER ON P ITFALLS AND PROBLEMS ENCOUNTERED IN IP-SPOOFING Arpit Gupta Deepika Chug

2. Bad Practices Spread It is easy to see the faults of others but not so easy to see one’s own faults If I just open a bunch of ports in the firewall my app will work. I think I will wedge the computer room door open. Much easier. They have blocked my favorite Web site. Lucky I have a modem. I think I will use my first name as a password. Say, we run a network too. How do you configure your firewalls? Why do we need the door locked? Hey, nice modem. What's the number of that line? I can never think of a good password. What do you use?

3. Understanding The Landscape Author Script-Kiddie Hobbyist Hacker Expert Specialist Vandal Thief Spy Trespasser National Interest Personal Gain Personal Fame Curiosity

4. An Evolving Threat Hobbyist Hacker Expert Specialist Largest area by volume Largest area by $ lost Script-Kiddie Largest segment by $ spent on defense Fastest growing segment Author Vandal Thief Spy Trespasser National Interest Personal Gain Personal Fame Curiosity

5. IP -> Internet Protocol.. Spoofing -> Hiding.. It is a trick played on servers to fool the target computers into thinking that it is receiving data from source other than the trusted host. This Attack is actually a Trust-Relationship Exploitation. “ Things are not what they seem and that is why the world gets conned” WHAT IS IP-SPOOFING ???

6. A B C B is on line A disguising his voice,making it sound more like that of B If we now,replace the 3 people by computers and change the term “voice” with “IP-Address” then you would know what we mean by IP-SPOOFING… REAL LIFE EXAMPLE TO EXPLAIN WHAT IS IP SPOOFING.

7. HACKER 203.45.98.01 VICTIM 202.14.12.10 FAKE 202.23.45.89 FAKE 202.23.45.89 Remote Host Datagram (Data Packets) Trusted Host Attacking Host IP SPOOFING

8. C B A CLIENT HOST A B C PACKETS DISCRIPTION: SYN =client’s ISN (4894305) ACK= 0 SYN= Host’s ISN (1896955367) ACK= client’s ISN +1 (4894306) ACK= Host’s ISN +1 (1896955368) THE 3-WAY HANDSHAKE ..

10. THE ATTACK HACKER 203.45.98.01 VICTIM 202.14.12.10 FAKE 202.23.45.89 Remote Host Packets with IP Address of Trusted Host (FAKE) Attacking Host

11. THE ATTACK VICTIM 202.14.12.10 FAKE 202.23.45.89 Trusted Host SYN / ACK PACKETS , Remote Host

12. As soon as we find the TRUSTED-HOST ( FAKE),our next Step is to disable it. WHY ???? “ -- FAKE must not at any time respond to the SYN/ACK packet send by VICTIM -- “ How to do it ???? Use up all the memory of TRUSTED-HOST so that it will not able to respond to the SYN/ACK packet sent to it by the VICTIM . So one very easy method of doing so is to Perform the SYN Flooding Denial of Service Attack TRUSTED HOST DISABLING..

13. SYN SYN SYN SYN SYN SYN QUEUE FULL There is a upper limit of how many concurrent SYN request TCP can process for a given socket, this limit is called BACKLOG LIMIT B A C k L O G Q U E U E Backlog limit = length (Queue) SO what is SYN FLOODing ???

14. BLIND ATTACK FAKE 202.23.45.89 Trusted Host SYN / ACK PACKETS , VICTIM 202.14.12.10 Remote Host HACKER 203.45.98.01 Attacking Host

15. THE ATTACK HACKER 203.45.98.01 VICTIM 202.14.12.10 Remote Host SYN/ACK Packets acknowledging Trusted Host has received SYN/ACK Packets Attacking Host

17. 1.Packet Filtering 2. Firewall 3.Initial Sequence Number Randomizing Preventive Measures

19. Our network is secure, right? Oh sure, Don’t worry. We have several firewalls

20. Initial Sequence Number (ISN) Randomizing ISN Incrementation At every connection --incremented by 64,000 At every sec. – incremented by 128,000 Its value gets wrapped every 9.32hrs. So,it’s easy for any genius to do the guesswork and calculate the correct sequence number

22. CONCLUSION IP-Spoofing is an exploitation of trust-based relationship and can be curbed effectively if proper measures are used.Understanding how and why spoofing attacks are used , combined with a few simple prevention methods, can help protect networks from these malicious cloaking and cracking techniques.

23. Make your Network Secure

24. IP-Spoofing Software In Technical Discussion Client Client Client/Server Target Victim Hacker Part 1 : Target is being attacked 192.168.1.2 192.168.1.20 192.168.1.30 Target is being attacked With the UDP packets, when No measures were taken UDP 192.168.1.20

25. IP-Spoofing Software In Technical Discussion Client Client Client/Server Target Victim Hacker Part 2 : Target is being attacked but the software is interface to this 192.168.1.2 192.168.1.20 192.168.1.30 The s/w UDP 192.168.1.20 UDP 192.168.1.20

26. IP-Spoofing Software In technical Discussion Part 3: The s/w Role as an Interface 1)Scans all the Registered IP Addresses for their Authenticity. myip log file (List of registered clients) While scanning these it also resolves The respective Mac Address at runtime. 2) (Maintains the list of spoofed Clients) log file

27. IP-Spoofing Software In technical Discussion Part 3.1: The s/w Role as an Interface 3) Maintains the list of Registered Clients whenever they communicate. myhost log file (List of registered clients) 4)The unauthorised user is blocked.

29. UDP HEADER 16 32 Source port Destination port Length Checksum Data

30. 16 32 bits Source port Destination port Sequence number Acknowledgement number Offset Resrvd U A P R S F Window Checksum Urgent pointer Option + Padding Data TCP header structure