Important: Use custom search function to get better results from our thousands of pages

Use " " for compulsory search eg:"electronics seminar" , use -" " for filter something eg: "electronics seminar" -"/tag/" (used for exclude results from tag pages)
Tags: ip spoofing fire, ip spoofing file sharing, ip spoofing firewall, ip spoofing for mac, ip spoofing download, ip spoofing definition, ip spoofing detection, ip spoofing defense, ip spoofing demystified, on the state of ip spoofing defense, how is ip spoofing done, network hacking tools ip spoofing download, ip spoofing example, ip spoofing attack, ip spoofing app, ip spoofing attack rails, ip spoofing advantages, ip spoofing abstract, ip spoofing application, ip spoofing asa, ip spoofing advantages and disadvantages,
Ask More Info Of  A Seminar Ask More Info Of A Project Post Reply  Follow us on Twitter
31-12-2009, 07:04 PM
Post: #1
ip spoofing seminar report

.doc  ip spoofing seminar report.doc (Size: 924.5 KB / Downloads: 1986)
.doc  ip spoofing ABSTRACT.doc (Size: 20.5 KB / Downloads: 1052)
ABSTRACT
IP spoofing is a method of attacking a network in order to gain unauthorized access. The attack is based on the fact that Internet communication between distant computers is routinely handled by routers which find the best route by examining the destination address, but generally ignore the origination address. The origination address is only used by the destination machine when it responds back to the source.
In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system. To be successful, the intruder must first determine the IP address of a trusted system, and then modify the packet headers to that it appears that the packets are coming from the trusted system.

In essence, the attacker is fooling (spoofing) the distant computer into believing that they are a legitimate member of the network. The goal of the attack is to establish a connection that will allow the attacker to gain root access to the host, allowing the creation of a backdoor entry path into the target system.


1. INTRODUCTION
Criminals have long employed the tactic of masking their true identity, from disguises to aliases to caller-id blocking. It should come as no surprise then, that criminals who conduct their nefarious activities on networks and computers should employ such techniques. IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by spoofing the IP address of that machine. In the subsequent pages of this report, we will examine the concepts of IP spoofing: why it is possible, how it works, what it is used for and how to defend against it.
Brief History of IP Spoofing
The concept of IP spoofing was initially discussed in academic circles in the 1980's. In the April 1989 article entitled: Security Problems in the TCP/IP Protocol Suite, author S. M Bellovin of AT & T Bell labs was among the first to identify IP spoofing as a real risk to computer networks. Bellovin describes how Robert Morris, creator of the now infamous Internet Worm, figured out how TCP created sequence numbers and forged a TCP packet sequence. This TCP packet included the destination address of his victim and using an IP spoofing attack Morris was able to obtain root access to his targeted system without a User ID or password. Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu Shimomura's machine, employed the IP spoofing and TCP sequence prediction techniques. While the popularity of such cracks has decreased due to the demise of the services they exploited, spoofing can still be used and needs to be addressed by all security administrators. A common misconception is that "IP spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. However, IP spoofing is an integral part of many network attacks that do not need to see responses (blind spoofing).
2. TCP/IP PROTOCOL SUITE
IP Spoofing exploits the flaws in TCP/IP protocol suite. In order to completely understand how these attacks can take place, one must examine the structure of the TCP/IP protocol suite. A basic understanding of these headers and network exchanges is crucial to the process.
2.1 Internet Protocol “ IP
The Internet Protocol (or IP as it generally known), is the network layer of the Internet. IP provides a connection-less service. The job of IP is to route and send a packet to the packet's destination. IP provides no guarantee whatsoever, for the packets it tries to deliver. The IP packets are usually termed datagrams. The datagrams go through a series of routers before they reach the destination. At each node that the datagram passes through, the node determines the next hop for the datagram and routes it to the next hop. Since the network is dynamic, it is possible that two datagrams from the same source take different paths to make it to the destination. Since the network has variable delays, it is not guaranteed that the datagrams will be received in sequence. IP only tries for a best-effort delivery. It does not take care of lost packets; this is left to the higher layer protocols. There is no state maintained between two datagrams; in other words, IP is connection-less.

The IP Header is shown above. The Version is currently set to 4. In order to distinguish it from the new version IPv6, IP is also referred to as IPv4. The source address and the destination address are 4-byte Internet addresses. The Options field contains various options such as source based routing, and record route. The source based routing allows the sender to specify the path the datagram should take to reach the destination. Record route allows the sender to record the route the datagram is taking. None of the IP fields are encrypted and there no authentication. It would be extremely easy to set an arbitrary destination address (or the source address), and IP would send the datagram. The destination has no way of ascertaining the fact that the datagram actually originated from an IP address other than the one in the source address field. It is easy to see why any authentication scheme based on IP-addresses would fail.
2.2 Transmission Control Protocol “ TCP
IP can be thought of as a routing wrapper for layer 4 (transport), which contains the Transmission Control Protocol (TCP). Unlike IP, TCP uses a connection-oriented design. This means that the participants in a TCP session must first build a connection - via the 3-way handshake (SYN-SYN/ACK-ACK) - then update one another on progress - via sequences and acknowledgements. This conversation, ensures data reliability, since the sender receives an OK from the recipient after each packet exchange.

As you can see above, a TCP header is very different from an IP header. We are concerned with the first 12 bytes of the TCP packet, which contain port and sequencing information. Much like an IP datagram, TCP packets can be manipulated using software. The source and destination ports normally depend on the network application in use (for example, HTTP via port 80). What's important for our understanding of spoofing are the sequence and acknowledgement numbers. The data contained in these fields ensures packet delivery by determining whether or not a packet needs to be resent. The sequence number is the number of the first byte in the current packet, which is relevant to the data stream. The acknowledgement number, in turn, contains the value of the next expected sequence number in the stream. This relationship confirms, on both ends, that the proper packets were received. Itâ„¢s quite different than IP, since transaction state is closely monitored.

2.3 Consequences of the TCP/IP Design
Now that we have an overview of the TCP/IP formats, let's examine the consequences. Obviously, it's very easy to mask a source address by manipulating an IP header. This technique is used for obvious reasons and is employed in several of the attacks discussed below. Another consequence, specific to TCP, is sequence number prediction, which can lead to session hijacking or host impersonating. This method builds on IP spoofing, since a session, albeit a false one, is built. We will examine the ramifications of this in the attacks discussed below.

3. SPOOFING ATTACKS
There are a few variations on the types of attacks that successfully employ IP spoofing. Although some are relatively dated, others are very pertinent to current security concerns. IP-spoofing consists of several steps, which I will briefly outline here, then explain in detail. First, the target host is chosen. Next, a pattern of trust is discovered, along with a trusted host. The trusted host is then disabled, and the target's TCP sequence numbers are sampled. The trusted host is impersonated, the sequence numbers guessed, and a connection attempt is made to a service that only requires address-based authentication. If successful, the attacker executes a simple command to leave a backdoor.
3.1 Non-Blind Spoofing
This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance would be session hijacking. This is accomplished by corrupting the data stream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using this technique, an attacker could effectively bypass any authentication measures taken place to build the connection.
3.2 Blind Spoofing
This is a more sophisticated attack, because the sequence and acknowledgement numbers are unreachable. In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers. While not the case today, machines in the past used basic techniques for generating sequence numbers. It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most OSes implement random sequence number generation, making it difficult to predict them accurately. If, however, the sequence number was compromised, data could be sent to the target. Several years ago, many machines used host-based authentication services (i.e. Rlogin). A properly crafted attack could add the requisite data to a system (i.e. a new user account), blindly, enabling full access for the attacker who was impersonating a trusted host.

Fig. Blind Spoofing
Usually the attacker does not have access to the reply, and abuses trust relationship between hosts. For example:
Host C sends an IP datagram with the address of some other host (Host A) as the source address to Host B. Attacked host (B) replies to the legitimate host (A)
3.3 Man In The Middle Attack
Both types of spoofing are forms of a common security violation known as a man in the middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by spoofing the identity of the original sender, who is presumably trusted by the recipient.

If an attacker controls a gateway that is in the delivery route, he can
¢ sniff the traffic
¢ intercept / block / delay traffic
¢ modify traffic

Fig. Man in the Middle Attack
This is not easy in the Internet because of hop-by-hop routing, unless you control one of the backbone hosts or source routing is used. This can also be done combined with IP source routing option. IP source routing is used to specify the route in the delivery of a packet, which is independent of the normal delivery mechanisms. If the traffic can be forced through specific routes (=specific hosts), and if the reverse route is used to reply traffic, a host on the route can easily impersonate another host. The attack procedure could be:

Fig. Source Routing Attacks
Connection hijacking exploits a "desynchronized state" in TCP communication. When the sequence number in a received packet is not the same as the expected sequence number, the connection is said to be "desynchronized." Depending on the actual value of the received sequence number, the TCP layer may either discard or buffer the packet. There is a choice, because TCP uses a sliding window protocol to allow efficient communication even in the presence of packet loss and high network latency. So, if the received packet is not the one expected, but is within the current window, the packet will be saved on the premise that it will be expected later (various TCP mechanisms ensure that the expected packet will eventually arrive). If the received packet is outside of the current window, it will be discarded.
Thus, when two hosts are desynchronized enough, they will discard (ignore) packets from each other. An attacker can then inject forged packets with the correct sequence numbers (and potentially modify or add commands to the communication). Obviously, this requires the attacker to be located on the communication path between the two hosts so that he may eavesdrop, in order to replicate packets being sent. The key to this attack is creating the desynchronized state. Joncheray describes two possible ways to do this: one is during the three-way handshake, and the other is in the middle of an established connection.
Note that "ignored" packets may actually generate ACKs, rather than being completely ignored. When the other end receives packets with incorrect sequence numbers, it replies with an ACK packet containing the sequence number it is expecting. But the receiver of these ACK discards them, as they have the wrong sequence numbers! The receiver then sends its own ACK to notify the sender... Thus, a large number of ACKs are generated in this attack. This "signature" of the attack could be used to detect connection hijacking.

Fig. Connection Hijacking
Desynchronization during connection establishment
In this form of desynchronization, the attacker resets a connection during the three-way handshake. After host B sends the SYN&ACK packet to host A, the attacker forges new packets from B (to A) in which the connection is first closed via the RST bit, and then a new three-way handshake is initiated with A -- identical to the original, "real" handshake but with different sequence numbers. Host B now ignores messages from A (because A is using the attacker's new sequence numbers), and Host A ignores messages from B (because A is expecting messages with the attacker's sequence numbers).
The attacker then replicates new packets, with the correct sequence numbers, whenever A and B try to communicate. In doing so, the attacker may also modify the messages or inject his own.
Desynchronization in the middle of a connection
The previous attack is limited to the initial connection. If a RST packet is sent in the middle of a connection, the connection is closed -- and the application/user is notified of this. To cause desynchronization in the middle of a connection, without closing the connection, only the sequence number counters should be altered. The Telnet protocol, in particular, provides an interesting mechanism to do this. Telnet allows special "NOP" commands to be sent. These commands do nothing, but the act of sending the bytes in the NOP command increments the expected sequence number counter on the receiver. By sending enough of these NOP commands, an attacker can cause the connection to become desynchronized. The attacker can then begin replicating new packets, with the correct sequence numbers, as before.
3.4 Denial of Service Attack
IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against “ denial of service attacks, or DoS. Since crackers are concerned only with consuming bandwidth and resources, they need not worry about properly completing handshakes and transactions. Rather, they wish to flood the victim with as many packets as possible in a short amount of time. In order to prolong the effectiveness of the attack, they spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block traffic.

4. MECHANISM OF THE ATTACK

Generally the attack is made from the root account on the attacking host against the root account on the target. If the attacker is going to all this trouble, it would be stupid not to go for root. (Since root access is needed to wage the attack, this should not be an issue.)
One often overlooked, but critical factor in IP-spoofing is the fact that the attack is blind. The attacker is going to be taking over the identity of a trusted host in order to subvert the security of the target host. The trusted host is disabled using the method described below. As far as the target knows, it is carrying on a conversation with a trusted pal. In reality, the attacker is sitting off in some dark corner of the Internet, forging packets purportedly from this trusted host while it is locked up in a denial of service battle. The IP datagrams sent with the forged IP-address reach the target fine (recall that IP is a connectionless-oriented protocol-- each datagram is sent without regard for the other end) but the datagrams the target sends back (destined for the trusted host) end up in the bit-bucket. The attacker never sees them. The intervening routers know where the datagrams are supposed to go. They are supposed to go the trusted host. As far as the network layer is concerned, this is where they originally came from, and this is where responses should go. Of course once the datagrams are routed there, and the information is demultiplexed up the protocol stack, and reaches TCP, it is discarded (the trusted host's TCP cannot respond-- see below). So the attacker has to be smart and *know* what was sent, and *know* what reponse the server is looking for. The attacker cannot see what the target host sends, but she can *predict* what it will send; that coupled with the knowledge of what it *will* send, allows the attacker to work around this blindness.
After a target is chosen the attacker must determine the patterns of trust (for the sake of argument, we are going to assume the target host *does* in fact trust somebody. If it didn't, the attack would end here). Figuring out who a host trusts may or may not be easy. A 'showmount -e' may show where file systems are exported, and rpcinfo can give out valuable information as well. If enough background information is known about the host, it should not be too difficult. If all else fails, trying neighboring IP addresses in a brute force effort may be a viable option.
Once the trusted host is found, it must be disabled. Since the attacker is going to impersonate it, she must make sure this host cannot receive any network traffic and foul things up. There are many ways of doing this, the one I am going to discuss is TCP SYN flooding.

A TCP connection is initiated with a client issuing a request to a server with the SYN flag on in the TCP header. Normally the server will issue a SYN/ACK back to the client identified by the 32-bit source address in the IP header. The client will then send an ACK to the server (as we saw in figure 1 above) and data transfer can commence. There is an upper limit of how many concurrent SYN requests TCP can process for a given socket, however. This limit is called the backlog, and it is the length of the queue where incoming (as yet incomplete) connections are kept. This queue limit applies to both the number of incomplete connections (the 3-way handshake is not complete) and the number of completed connections that have not been pulled from the queue by the application by way of the accept() system call. If this backlog limit is reached, TCP will silently discard all incoming SYN requests until the pending connections can be dealt with. Therein lies the attack.

The attacking host sends several SYN requests to the TCP port she desires disabled. The attacking host also must make sure that the source IP-address is spoofed to be that of another, currently unreachable host (the target TCP will be sending it's response to this address. (IP may inform TCP that the host is unreachable, but TCP considers these errors to be transient and leaves the resolution of them up to IP (reroute the packets, etc) effectively ignoring them.) The IP-address must be unreachable because the attacker does not want any host to receive the SYN/ACKs that will be coming from the target TCP (this would result in a RST being sent to the target TCP, which would foil our attack). The process is as follows:
1 Z(x) ---SYN---> B
Z(x) ---SYN---> B
Z(x) ---SYN---> B
Z(x) ---SYN---> B
Z(x) ---SYN---> B
...
2 X <---SYN/ACK--- B
X <---SYN/ACK--- B
...
3 X <---RST--- B
At
(1) the attacking host sends a multitude of SYN requests to the target (remember the target in this phase of the attack is the trusted host) to fill its backlog queue with pending connections.
(2) The target responds with SYN/ACKs to what it believes is the source of the incoming SYNs. During this time all further requests to this TCP port will be ignored. Different TCP implementations have different backlog sizes. BSD generally has a backlog of 5 (Linux has a backlog of 6). There is also a 'grace' margin of 3/2. That is, TCP will allow up to backlog*3/2+1 connections. This will allow a socket one connection even if it calls listen with a backlog of 0.

Now the attacker needs to get an idea of where in the 32-bit sequence number space the target's TCP is. The attacker connects to a TCP port on the target (SMTP is a good choice) just prior to launching the attack and completes the three-way handshake. In this process, the attacker will save the value of the ISN sent by the target host. Often times, this process is repeated several times and the final ISN sent is stored. The attacker needs to get an idea of what the RTT (round-trip time) from the target to her host is like. (The process can be repeated several times, and an average of the RTT's is calculated.) The RTT is necessary in being able to accurately predict the next ISN. The attacker has the baseline (the last ISN sent) and knows how the sequence numbers are incremented (128,000/second and 64,000 per connect) and now has a good idea of how long it will take an IP datagram to travel across the Internet to reach the target (approximately half the RTT, as most times the routes are symmetrical). After the attacker has this information, she immediately proceeds to the next phase of the attack (if another TCP connection were to arrive on any port of the target before the attacker was able to continue the attack, the ISN predicted by the attacker would be off by 64,000 of what was predicted). When the spoofed segment makes its way to the target, several different things may happen depending on the accuracy of the attacker's prediction:
¢ If the sequence number is EXACTLY where the receiving TCP expects it to be, the incoming data will be placed on the next available position in the receive buffer.
¢ If the sequence number is LESS than the expected value the data byte is considered a retransmission, and is discarded.
¢ If the sequence number is GREATER than the expected value but still within the bounds of the receive window, the data byte is considered to be a future byte, and is held by TCP, pending the arrival of the other missing bytes. If a segment arrives with a sequence number GREATER than the expected value and NOT within the bounds of the receive window the segment is dropped, and TCP will send a segment back with the *expected* sequence number.
Here is where the main thrust of the attack begins:
1 Z (b) ---SYN---> A
2 B <---SYN/ACK--- A
3 Z (b) ---ACK---> A
4 Z (b) ---PSH---> A
The attacking host spoofs her IP address to be that of the trusted host (which should still be in the death-throes of the D.O.S. attack) and sends its connection request to port 513 on the target (1). At 2), the target responds to the spoofed connection request with a SYN/ACK, which will make its way to the trusted host (which, if it *could* process the incoming TCP segment, it would consider it an error, and immediately send a RST to the target). If everything goes according to plan, the SYN/ACK will be dropped by the gagged trusted host. After (1), the attacker must back off for a bit to give the target ample time to send the SYN/ACK (the attacker cannot see this segment). Then, at (3) the attacker sends an ACK to the target with the predicted sequence number (plus one, because we're ACKing it). If the attacker is correct in her prediction, the target will accept the ACK. The target is compromised and data transfer can commence (4).
Generally, after compromise, the attacker will insert a backdoor into the system that will allow a simpler way of intrusion. (Often a `cat + + >> ~/.rhosts` is done. This is a good idea for several reasons: it is quick, allows for simple re-entry, and is not interactive. Remember the attacker cannot see any traffic coming from the target, so any responses are sent off into oblivion.)


5. METHODS TO PREVENT IP SPOOFING ATTACK
5.1 Packet filtering
The router that connects a network to another network is known as a border router. One way to mitigate the threat of IP spoofing is by inspecting packets when they the leave and enter a network looking for invalid source IP addresses. If this type of filtering were performed on all border routers, IP address spoofing would be greatly reduced. Egress filtering checks the source IP address of packets to ensure they come from a valid IP address range within the internal network. When the router receives a packet that contains an invalid source address, the packet is simply discarded and does not leave the network boundary. Ingress filtering checks the source IP address of packets that enter the network to ensure they do not come from sources that are not permitted to access the network. At a minimum, all private, reserved, and internal IP addresses should be discarded by the router and not allowed to enter the network. In Linux, packet filtering can be enabled using:
echo 2 > /proc/sys/net/ipv4/conf/*/rp_filter
Limits of packet filtering
Packet filtering normally may not prevent a system from participating in an attack if the spoofed IP address used could fall within the valid internal address range. However it will simplify the process of tracing the packets, since the systems will have to use a source IP address within the valid IP range of the network.
We take a campus network as example:

fig. Campus Network
The network number is 132.230.0.0/16. The packet filtering of the router is enabled. For IP packet 1, host 132.230.4.1 forges a packet from 132.230.4.4, the source IP address is in the valid IP range, the router thinks it is valid packet and sends it out to internet. For IP packet 2, host 132.230.4.4 forges a packet from 191.224.4.25, the source IP address is not in the valid IP range, the router thinks it is invalid and discards it. Packet filtering can pose problems if you use splitting routing (packets from you to a host take a different path than packets from that host to you). If splitting routing is in use, enabling packet filtering facility will block all packets with spoofed source addresses. To turn rp_filter off, use:
echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
or
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
Instances where you might need to disable packet filtering include:
¢ If you want to do asymmetric routing (accepting returning packets inbound an interface other than the outbound interface).
¢ If the box has multiple interfaces up on the same network.
¢ If you are using special VPN interfaces to tunnel traffic (e.g. FreeS/WAN)
Another problem is that many ISPs do not have the technical ability to arrange packet filtering to block packets with spoofed source addresses. Also, packet filtering reduces equipment performance.
5.2 Filtering at the Router
If your site has a direct connection to the Internet, you can use your router to help you out. First make sure only hosts on your internal LAN can participate in trust-relationships (no internal host should trust a host outside the LAN). Then simply filter out *all* traffic from the outside (the Internet) that purports to come from the inside (the LAN).
Implementing ingress and egress filtering on your border routers is a great place to start your spoofing defense. You will need to implement an ACL (access control list) that blocks private IP addresses on your downstream interface. Additionally, this interface should not accept addresses with your internal range as the source, as this is a common spoofing technique used to circumvent firewalls. On the upstream interface, you should restrict source addresses outside of your valid range, which will prevent someone on your network from sending spoofed traffic to the Internet.
5.3 Encryption and Authentication
Implementing encryption and authentication will also reduce spoofing threats. Both of these features are included in Ipv6, which will eliminate current spoofing threats. Additionally, you should eliminate all host-based authentication measures, which are sometimes common for machines on the same subnet. Ensure that the proper authentication measures are in place and carried out over a secure (encrypted) channel.

5.4 Be Un-trusting and Un-trustworthy
One easy solution to prevent this attack is not to rely on address-based authentication. Disable all the r* commands, remove all .rhosts files and empty out the /etc/hosts.equiv file. This will force all users to use other means of remote access (telnet, ssh, skey, etc).
5.5 Cryptographic Methods
An obvious method to deter IP-spoofing is to require all network traffic to be encrypted and/or authenticated. While several solutions exist, it will be a while before such measures are deployed as defacto standards.
5.6 Initial Sequence Number Randomizing
Since the sequence numbers are not chosen randomly (or incremented randomly) this attack works. Bellovin describes a fix for TCP that involves partitioning the sequence number space. Each connection would have it's own separate sequence number space. The sequence numbers would still be incremented as before, however, there would be no obvious or implied relationship between the numbering in these spaces. Suggested is the following formula:
ISN=M+F(localhost,localport,remotehost,remoteport)Where M is the 4 microsecond timer and F is a cryptographic hash. F must not be computable from the outside or the attacker could still guess sequence numbers. Bellovin suggests F be a hash of the connection-id and a secret vector (a random number, or a host related secret combined with the machine's boot time).

6. APPLICATIONS OF IP SPOOFING
6.1 Asymmetric routing (Splitting routing)
Asymmetric routing means traffic goes over different interfaces for directions in and out. In other words, asymmetric routing is when the response to a packet follows a different path from one host to another than the original packet did. The more correct and more general answer is, for any source IP address 'A' and destination 'B', the path followed by any packet (request or response) from 'A' to 'B' is different than the path taken by a packet from 'B' to 'A'.

Fig. Valid Source IP Address
Implementation of asymmetric routing
Modern O.S. allows us to receive packets from an input interface, different from the output interface.
In Linux, we can implement asymmetric routing using iptables (linux 2.4):
iptables “A POSTROUTING “t nat “j SNAT “to 192.168.0.5 “o eth0
This means, for all the packets going out via eth0, their source IP address will be changed to 192.168.0.5. We also have to "disable" reverse path filtering
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
6.2 SAT DSL
Satellite DSL (SAT DSL) makes use of asymmetric routing.

Fig. Satellite DSL
The advantage of a satellite network is to provide high bandwidth services independent of the users location over a wide geographical area. A satellite network consists of two types of stations: feeds and receivers. Every receiver has a satellite dish connected to a user station. The user station has an extra interface, DSL modem connected to the ISP, this is called return channel. All requests to Internet are sent via DSL connection, and responses from Internet should be routed by a feed on the satellite network. After the information is sent from the feed to a satellite, it will be broadcast to all the receivers that belong to the satellite coverage. Installing feeds in strategic positions over the Internet will create shorter paths and higher bandwidth provided by the satellite network. The user host has therefore two IP addresses, one for the satellite subnetwork and the other for the regular connection subnetwork (return channel).
The traffic path of satellite DSL is:

Fig. Traffic Path of Satellite DSL
First we make the request (1) (using our Internet connection) to the Sat-Server, after it retrieves out info from Internet (2) it will send it to Satellite (3); in the end we would receive data from the satellite(4) to our home using a parabolic antenna and a Sat Card.
Probable problem with AOLs DSL connection setup
AOL DSL service implements a certain connection setup procedure in order to apply VPN (Virtual Private Network) for its users. When a user dials in to the AOL DSL ISP, these procedures are taken place:
1. User is connected to the ISP using a public account and so a network connection between user and the ISP is established. But user can only receive data using this connection, thus is not able to send any internet request.
2. On top of this connection, A VPN is established using userâ„¢s private account. After the authentication succeeds, a user can send and receive data through this VPN connection. This certain procedures are AOLâ„¢s attempt to create secure internet traffic over DNS connection. But as it usually is, one solution to a security problem may lead to another problem. And this applies also to AOLâ„¢s DSL connection setup. With certain setup and an IP address spoofing technique, a user can connect to AOL DSL ISP, and download as much data as he wants using this connection without paying any cent. This picture depicts such setup and how the attack works.

Fig. Problem in AOL DSL
1. On first network interface, the user dials for a DSL connection to T-Online or other ISPs using his account. The user can send and receive data with this connection.
2. On second network interface, the user dials to AOL DSL ISP using a free public account to establish a DSL connection that goes one way from ISP to user.
3. Before the user sends packet through T-Online connection, he spoofs the source IP address of the packet into the IP address of the second network interface (which is connected to AOL DSL)
4. And so he sends requests through T-Online connection, and receives response through AOL DSL connection. This way the user only needs to pay for every bits he sends to T-Online, and get for free every bits he receives from AOL DSL, which would have cost a lot more than the cost for sending bits, because people usually spend more time downloading from the internet instead of sending data to the internet.
6.3 NAT
NAT is network address translation.
Normally, packets on a network travel from their source to their destination through many different links. None of these links really alter your packet, they just send it onward. If one of these links were to do NAT, then they would alter the source or destinations of the packet as it passes through. Usually the link doing NAT will remember how it mangled a packet, and when a reply packet passes through the other way, it will do the reverse mangling on that reply packet, so everything works.
NAT have several applications:
¢ Modem Connections To The Internet
Most ISPs give you a single IP address when you dial up to them. You can send out packets with any source address you want, but only replies to packets with this source IP address will return to you. If you want to use multiple different machines (such as a home network) to connect to the Internet through this one link, you'll need NAT.
¢ Multiple Servers
Sometimes you want to change where packets heading into your network will go. Frequently this is because (as above) you have only one IP address, but you want people to be able to get into the boxes behind the one with the `real' IP address. If you rewrite the destination of incoming packets, you can manage this. This type of NAT was called port-forwarding. A common variation of this is load-sharing, where the mapping ranges over a set of machines, fanning packets out to them.
¢ Transparent Proxying
Sometimes you want to pretend that each packet which passes through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program which stands between your network and the outside world, shuffling communication between the two. The transparent part is because your network won't even know it's talking to a proxy, unless of course, the proxy doesn't work. NAT has two different types: Source NAT (SNAT) and Destination NAT (DNAT). Source NAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT.
Destination NAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.

Fig. NAT
6.4 IP Masquerade
IP Masquerade, is a specific form of Network Address Translation (NAT) which allows internally connected computers that do not have registered Internet IP addresses to communicate to the Internet via the Linux server's Internet IP address. IP masquerading lets you use a single Internet-connected computer running Linux with a real IP address as a gateway for non-connected machines with "fake" IP addresses. The Linux box with a real address handles mapping packets from your intranet out to the Internet, and when responses come back, it maps them back to your intranet. This lets you browse the web and use other Internet functions from multiple machines without having a special network setup from your ISP.
IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT (Network Address Translation) servers found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other "internal" computers connected to this Linux box (via PPP, Ethernet, etc.) to also reach the Internet as well. Linux IP Masquerading allows for this functionality even though these internal machines don't have an officially assigned IP address. IP masquerading is different from NAT. While IP masquerading implements a specific many-to-one NAT, IP NAT allows complex many-to-many translations. For static real IP address we use NAT, while for dynamic real IP address (via PPP) we use IP masquerading.

Fig. IP Masquerading
6.5 Services vulnerable to IP Spoofing
Configuration and services that are vulnerable to IP spoofing:
¢ RPC (Remote Procedure Call services)
¢ Any service that uses IP address authentication
¢ The X Window system
¢ The R services suite (rlogin, rsh, etc.)
6.6 TCP and IP spoofing Tools
1) Mendax for Linux
Mendax is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.
2) spoofit.h
spoofit.h is a nicely commented library for including IP spoofing functionality into your programs.
3) ipspoof
ipspoof is a TCP and IP spoofing utility.
4) hunt
hunt is a sniffer which also offers many spoofing functions.
5) dsniff
dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic.

7. CONCLUSION
IP spoofing is less of a threat today due to the patches to the Unix Operating system and the widespread use of random sequence numbering. Many security experts are predicting a shift from IP spoofing attacks to application-related spoofing in which hackers can exploit a weakness in a particular service to send and receive information under false identities. As Security professionals, we must remain current with the Operating Systems that we use in our day to day activities. A steady stream of changes and new challenges is assured as the hacker community continues to seek out vulnerabilities and weaknesses in our systems and our networks.

8. REFERENCES
¢ Following the Journey of a Spoofed Packet
http://www.scs.carleton.ca/~dlwhyte/whyt...pspoof.htm
¢ NAT and Networks
http://www.suse.de/~mha/linux-ip-nat/diplom/node4.html
¢ Asymmetric routing - Jani Lakkakorpi
http://keskus.hut.fi/tutkimus/ipana/pape...metric.pdf
¢ TCP/IP protocol suite - Thomas Toth
http://www.infosys.tuwien.ac.at/Teaching...lides2.pdf
¢ Security problems in the TCP/IP protocol suite, S.M. Bellovin, AT&T Bell Laboratories, Murray Hill, New Jersey 07974
http://www.research.att.com/~smb/papers/ipext.pdf
¢ Linux 2.4 NAT HOWTO
http://www.netfilter.org/unreliable-guides/NAT-HOWTO/
¢ Linux IP Masquerade HOWTO
http://www.tldp.org/HOWTO/IP-Masquerade-...index.html
¢ Linux 2.4 Advanced Routing HOWTO
http://www.linuxdocs.org/HOWTOs/Adv-Routing-HOWTO.html
¢ Introduction To Network Address Translation (NAT)
http://www.firewall.cx/nat-intro.php
¢ Network Address Translation (NAT/ PAT/ IP Masquerading)
http://home.t-online.de/home/TschiTschi/...rading.htm
¢ Attacks over the internet
http://zork.net/~phil/Cracking/Internet.html
¢ IP spoofing
http://bear.cba.ufl.edu/teets/projects/I...index.html

ACKNOWLEDGEMENT
I take this occasion to thank the Almighty God for the blessing me with his grace and taking my endeavor to a successful culmination. I extend sincere and heart felt thanks to my esteemed guide Mr. Zainul Abid and Head of the Department, Computer Science & Engineering, M.E.S.C.E., Prof. M. N. Agnisarman Namboodiri, for providing me with the right guidance and advice at crucial junctures and for allowing me to use the facilities available. I would also like to thank the other faculty members in this regard. I express sincere gratitude and respect to my parents, who, though not directly related to this effort have been a constant source of inspiration. Finally yet importantly, I would like to thank my friends for the support and encouragement they have given me during the course of this work.
-Yashid Mohamed

CONTENTS
1. Introduction 1
2. TCP/IP Protocol Suite 2
2.1 Internet Protocol. 2
2.2 Transmission Control Protocol 3
2.3 Consequences of the TCP/IP Design 5
3. Spoofing Attacks 6
3.1 Non-Blind Spoofing 6
3.2 Blind Spoofing 6
3.3 Man In The Middle Attack 7
3.4 Denial of Service Attack 11
4. Mechanism of the Attack 12
5. Methods to Prevent IP Spoofing 19
5.1 Packet Filtering 19
5.2 Filtering at the Router 21
5.3 Encryption and Authentication 21
5.4 Be Un-trusting and Un-trustworthy 22
5.5 Cryptographic Methods 22
5.6 Initial Sequence Numbering Randomizing 22
6. Applications of IP Spoofing 23
6.1 Asymmetric Routing (Splitting Routing) 23
6.2 SAT DSL 24
6.3 NAT 27
6.4 IP Masquerade 28
6.5 Services Vulnerable to IP Spoofing 30
6.6 TCP and IP Spoofing Tools 30
7. Conclusion 31
8. References 32

Please Use Search http://www.seminarprojects.com/search.php wisely To Get More Information About A Seminar Or Project Topic
30-03-2010, 11:25 AM
Post: #2
RE: ip spoofing seminar report

Presented By:
Leila Fatmasari Rahman &
Rui Zhou
Albert-Ludwigs-Universitat Freiburg
Institute for Computer Science
Topic: Ip Address Spoofing
Abstract
The paper focuses on IP address spoofing and its application. In section one we introduce what is IP address spoofing. Section two is about IP routing mechanism and its problems. The section three is about forms of IP address spoofing and its applications, we concentrate on splitting routing (asymmetric routing), sat dsl, nat and IP masquerading. In section four we talk about some attacks based on IP address spoofing. Section five is about how to stop IP address spoofing. In the last section, we describe the experiment we did, a splitting routing IP spoofing scenario.
1 What is IP address spoofing
IP address spoofing is the creation of IP packets using somebody else's IP source addresses. This technique is used for obvious reasons and is employed in several of the attacks discussed later. Examining the IP header, we can see that the first 12 bytes contain various information about the packet. The next 8 bytes, however, contains the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses - specifically the "source address" field.
A common misconception is that "IP spoofing" can be used to hide our IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection.
Figure 1: Valid source IP address, illustrates a typical interaction between a workstation with a valid source IP address requesting web pages and the web server executing the requests. When the workstation requests a page from the web server the request contains both the workstation's IP address (i.e. source IP address 192.168.0.5) and the address of the web server executing the request (i.e. destination IP address 10.0.0.23). The web server returns the web page using the source IP address specified in the request as the destination IP address, 192.168.0.5 and its own IP address as the source IP address, 10.0.0.23.
Figure 2: Spoofed source IP address, illustrates the interaction between a workstation requesting web pages using a spoofed source IP address and the web server executing the requests. If a spoofed source IP address (i.e. 172.16.0.6) is used by the workstation, the web server executing the web page request will attempt to execute the request by sending information to the IP address of what it believes to be the originating system (i.e. the workstation at 172.16.0.6). The system at the spoofed IP address will receive unsolicited connection attempts from the web server that it will simply discard.
IP source IP destination
172.16.0.6 10.0.0.23
Workstation
192.168.0.5
Internet
Web server
10.0.0.23
IP source IP destination
10.0.0.23 172.16.0.6
Workstation
172.16.0.6
Figure 2: Spoofed source IP address
2 IP routing mechanism and problems
IP routing is hop by hop. Every IP packet is routed separately. The route of a IP packet is decided by all the routers the packet goes through.
IP address spoofing is possible because routers only require inspection of the destination IP address in the packet to make routing decisions. The source IP address is not required by routers and an invalid source IP address will not affect the delivery of packets.
That address is only used by the destination machine when it responds back to the source.
3 IP address spoofing and Applications 3.1 Asymmetric routing (Splitting routing)
Asymmetric routing means traffic goes over different interfaces for directions in and out. In other words, asymmetric routing is when the response to a packet follows a different path from one host to another than the original packet did. The more correct and more general answer is, for any source IP address 'A' and destination 'B', the path followed by any packet (request or response) from 'A' to 'B' is different than the path taken by a packet from 'B' to 'A'.
192.168.1.5
IntGrfacGO
IP source IP destination
192.168.0.5 1D.D.0.23
WortGfation
192.168.0.5 Interfacel
Internet
IP source
1 n n n n
IP destination
1 cn 1 CP n c
Web server
10.0.0.23
Figure 4: Asymmetric routing
3.2 Implementation of asymmetric routing
Modern O.S. allows us to receive packets from an input interface, different from the output interface.
In Linux, we can implement asymmetric routing using iptables (linux 2.4):
iptables -A POSTROUTING -t nat -j SNAT -to 192.168.0.5 -o eth0 This means, for all the packets going out via eth0, their source IP address will be changed to 192.168.0.5.
We also have to "disable" reverse path filtering
Echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
3.3 SAT DSL
Satellite DSL (SAT DSL) makes use of asymmetric routing.
Figure 5. Satellite DSL
The advantage of a satellite network is to provide high bandwidth services independent of the users location over a wide geographical area. A satellite network consists of two types of stations: feeds and receivers. Every receiver has a satellite dish connected to a user station. The user station has an extra interface, DSL modem connected to the ISP, this is called return channel. All requests to Internet are sent via DSL connection, and responses from Internet should be routed by a feed on the satellite network. After the information is sent from the feed to a satellite, it will be broadcast to all the receivers that belong to the satellite coverage. Installing feeds in strategic positions over the Internet will create shorter paths and higher bandwidth provided by the satellite network.
The user host has therefore two IP addresses, one for the satellite subnetwork and the other for the regular connection subnetwork (return channel).
The traffic path of satellite dsl is:
First we make the request (1) (using our Internet connection) to the Sat-Server, after it retrieves out info from Internet (2) it will send it to Satellite (3); in the end we would receive data from the satellite(4) to our home using a parabolic antenna and a Sat Card.
3.4 Probable problem with AOLs DSL connection setup
AOL DSL service implements a certain connection setup procedure in order to apply VPN (Virtual Private Network) for its users. When a user dials in to the AOL DSL ISP, these procedures are taken place:
1. User is connected to the ISP using a public account and so a network connection between user and the ISP is established. But user can only receive data using this connection, thus is not able to send any internet request.
2. On top of this connection, A VPN is established using user's private account. After the authentication succeeds, a user can send and receive data through this VPN connection.
This certain procedures are AOL's attempt to create secure internet traffic over DNS connection. But as it usually is, one solution to a security problem may lead to another problem. And this applies also to AOL's DSL connection setup. With certain setup and an IP address spoofing technique, a user can connect to AOL DSL ISP, and download as much data as he wants using this connection without paying any cent. This picture depicts such setup and how the attack works.
Send (using source address IP2)
IP1 i
IP2a <
I
Using private user account,
VPN is established
Figure 7: Problem in AOL DSL
1. On first network interface, the user dials for a DSL connection to T-Online or other ISPs using his account. The user can send and receive data with this connection.
2. On second network interface, the user dials to AOL DSL ISP using a free public account to establish a DSL connection that goes one way from ISP to user.
3. Before the user sends packet through T-Online connection, he spoofs the source IP address of the packet into the IP address of the second network interface (which is connected to AOL DSL)
4. And so he sends requests through T-Online connection, and receives response through AOL DSL connection. This way the user only needs to pay for every bits he sends to T-Online, and get for free every bits he receives from AOL DSL, which would have cost a lot more than the cost for sending bits, because people usually spend more time downloading from the internet instead of sending data to the internet.
3.5 NAT
NAT is network address translation.
Normally, packets on a network travel from their source to their destination through many different links. None of these links really alter your packet, they just send it onward.
If one of these links were to do NAT, then they would alter the source or destinations of the packet as it passes through. Usually the link doing NAT will remember how it mangled a packet, and when a reply packet passes through the other way, it will do the reverse mangling on that reply packet, so everything works.
NAT have several applications:
¢ Modem Connections To The Internet
Most ISPs give you a single IP address when you dial up to them. You can send out packets with any source address you want, but only replies to packets with this source IP address will return to you. If you want to use multiple different machines (such as a home network) to connect to the Internet through this one link, you'll need NAT.
¢ Multiple Servers
Sometimes you want to change where packets heading into your network will go. Frequently this is because (as above) you have only one IP address, but you want people to be able to get into the boxes behind the one with the 'real' IP address. If you rewrite the destination of incoming packets, you can manage this. This type of NAT was called port-forwarding.A common variation of this is load-sharing, where the mapping ranges over a set of machines, fanning packets out to them.
¢ Transparent Proxying
Sometimes you want to pretend that each packet which passes through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program which stands between your network and the outside world, shuffling communication between the two. The transparent part is because your network won't even know it's talking to a proxy, unless of course, the proxy doesn't work.
NAT has two different types: Source NAT (SNAT) and Destination NAT (DNAT).
Source NAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT.
Destination NAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load sharing, and transparent proxying are all forms of
DNAT.
Figure 8: NAT
3.6 IP masquerade:
IP Masquerade, is a specific form of Network Address Translation (NAT) which allows internally connected computers that do not have registered Internet IP addresses to communicate to the Internet via the Linux server's Internet IP address. IP masquerading lets you use a single Internet-connected computer running Linux with a real IP address as a gateway for non-connected machines with "fake" IP addresses. The Linux box with a real address handles mapping packets from your intranet out to the Internet, and when responses come back, it maps them back to your intranet. This lets you browse
the web and use other Internet functions from multiple machines without having a special network setup from your ISP.
IP Masquerade is a networking function in Linux similar to the one-to-many (1:Many) NAT (Network Address Translation) servers found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other "internal" computers connected to this Linux box (via PPP, Ethernet, etc.) to also reach the Internet as well. Linux IP Masquerading allows for this functionality even though these internal machines don't have an officially assigned IP address.
IP masquerading is different from NAT. While IP masquerading implements a specific many-to-one NAT, IP NAT allows complex many-to-many translations. For static real IP address we use NAT, while for dynamic real IP address (via PPP) we use IP masquerading.
4 IP address spoofing attack 4.1 Blind IP spoofing
Usually the attacker does not have access to the reply, abuse trust relationship between hosts. For example:
Host C sends an IP datagram with the address of some other host (Host A) as the source address to Host B. Attacked host (B) replies to the legitimate host (A)
i-| Host A
Gateway
Gateway
Trust RelLitionship
Host C
Host B
Figure 10: Blind IP Spoofing
4.2 Man-in-the-middle attacks
If an attacker controls a gateway that is in the delivery route, he can
¢ sniff the traffic
¢ intercept / block / delay traffic
¢ modify traffic
Gateway \ Gateway ” Gateway
Host C
Attacker controls th is gateway
Host A
Figure 11: Man-in-the-middle attacks
This is not easy in the Internet because of hop-by-hop routing, unless you control one of the backbone hosts or source routing is used.
This can also be done combined with IP source routing option. IP source routing is used to specify the route in the delivery of a packet, which is independent of the normal delivery mechanisms. If the traffic can be forced through specific routes (=specific hosts), and if the reverse route is used to reply traffic, a host on the route can easily impersonate another host. The attack procedure could be:
router
LJiSS^ 1. Forged IP packet,
Src = A
2. With Source Routing,
B replies A Attacker in it
attacker
Through attacker
Figure 12: Source Routing attacks
4.3 Attacks concerning the routing protocols
A host can send spoofed RIP packets in order to "inject" routes into a host. This is easy to implement, it only requires IP/UDP spoofing. On a LAN with RIPv2 passwords have to be used for updating routes, but plaintext passwords are used. The plaintext passwords can be sniffed.
Attacker sends a forged RIP packet router 2 and says it has the shortest path to the network that routerl connects. Then all the packets to that network will be routed to attacker. The attacker can sniff the traffic.
4.4 IP address spoofing attack with ICMP
4.4.1 ICMP Echo attacks
¢ Map the hosts of a network
The attack sends ICMP echo datagram to all the hosts in a subnet, then he collects the replies and determines which hosts are alive.
¢ Denial of service attack (SMURF attack)
The attack sends spoofed (with victim's IP address) ICMP Echo Requests to subnets, the victim will get ICMP Echo Replies from every machine.
191.168.1.2
Host 1
191.168.1.3
Host 3 H
191.168.1.4
Host 4 H
191.168.1.5
Host 2
4.4.2 ICMP Redirect attacks
ICMP redirect messages can be used to re-route traffic on specific routes or to a specific host that is not a router at all.
The ICMP redirect attack is very simple: just send a spoofed ICMP redirect message that appears to come from the host's default gateway.
For example: Host 192.168.1.4 sends a forged ICMP packet to host 192.168.1.3, saying the route through 192.168.1.4 is a better way to internet. The source IP address of this forged ICMP packet is the gateway's IP address 192.168.1.1. Then all the traffic from 192.168.1.3 to internet will go through 192.168.1.4.
j=njj92_168.1.2
Forged packet
t
192.168.1.4
Figure 16: Before ICMP redirect attack
192.168.1.2
192.168.1.3
192.168.1.1
1
192.168.1.4
Figure 17: After ICMP redirect attack
4.4.3 ICMP destination unreachable attacks
ICMP destination unreachable message is used by gateways to state that the datagram cannot be delivered. It can be used to "cut" out nodes from the network. It is a denial of service attack (DOS)
Example:
An attacker injects many forged destination unreachable messages stating that 100.100.100.100 is unreachable) into a subnet (e.g. 128.100.100.*). If someone from the 128.100.100.* net tries to contact 100.100.100.100, he will immediately get an ICMP Time Exceeded from the attacker's host. For 128.100.100.* this means that there is no way to contact 100.100.100.100, and therefore communication fails.
4.5 UDP attacks
Figure 19: UDP spoofing
UDP is an unreliable transport layer protocol. It relies on IP, it is connectionless, and its checksum is optional. Therefore, the delivery, integrity, non-duplication and ordering are not guaranteed. It is easy to send a forged packet to the target. Compared with this, TCP is connection oriented and the TCP connection setup sequence number is hard to predicated, so it is hard to insert forged packet into the TCP connection. Therefore UDP traffic is more vulnerable for IP spoofing than TCP.
Figure 20: UDP hijacking
4.6 TCP attacks
Although it is hard to do IP spoofing on TCP, it is still can be realized on the specific OS. The attack aims at impersonating another host mostly during the TCP connection establishment phase.
For example:
1) Node A trusts node B (e.g. login with no password)
2) Node C wants to impersonate B with respect to A in opening a TCP connection
3) C kills B (flooding, redirecting or crashing) firstly
4) C sends A an TCP segment in a spoofed IP packet with B's address as the source IP and 11000 as the sequence number.
5) A replies with a TCP SYN/ACK segment to B with 54002 as the sequence number
6) C does not receive the segment from A to B, but in order to finish the handshake it has to send an ACK segment with 54002+1 as the acknowledge number to A. C has to guess or predicate
the value of 54002.
Figure 21: TCP spoofing
5 Stopping IP address spoofing attack 5.1 Packet filtering
The router that connects a network to another network is known as a border router. One way to mitigate the threat of IP spoofing is by inspecting packets when they the leave and enter a network looking for invalid source IP addresses. If this type of filtering were performed on all border routers, IP address spoofing would be greatly reduced.
Egress filtering checks the source IP address of packets to ensure they come from a valid IP address range within the internal network. When the router receives a packet that contains an invalid source address, the packet is simply discarded and does not leave the network boundary.
Ingress filtering checks the source IP address of packets that enter the network to ensure they do not come from sources that are not permitted to access the network. At a minimum, all private, reserved, and internal IP addresses should be discarded by the router and not allowed to enter the network.
In Linux, packet filtering can be enabled using: echo 2 > /proc/sys/net/ipv4/conf/*/rp_filter
5.2 Limits of packet filtering
Packet filtering normally may not prevent a system from participating in an attack if the spoofed IP address used could fall within the valid internal address range. However it will simplify the process of tracing the packets, since the systems will have to use a source IP address within the valid IP range of the network.
The network number is 132.230.0.0/16. The packet filtering of the router is enabled.
For IP packet 1, host 132.230.4.1 forges a packet from 132.230.4.4, the source IP address is in the
valid IP range, the router thinks it is valid packet and sends it out to internet.
For IP packet 2, host 132.230.4.4 forges a packet from 191.224.4.25, the source IP address is not in the valid IP range, the router thinks it is invalid and discards it.
Packet filtering can pose problems if you use splitting routing (packets from you to a host take a different path than packets from that host to you). If splitting routing is in use, enabling packet filtering facility will block all packets with spoofed source addresses. To turn rp_filter off, use:
echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
or
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
Instances where you might need to disable packet filtering include:
¢ If you want to do asymmetric routing (accepting returning packets inbound an interface other than the outbound interface).
¢ If the box has multiple interfaces up on the same network.
¢ If you are using special VPN interfaces to tunnel traffic (e.g. FreeS/WAN)
Another problem is that many ISPs do not have the technical ability to arrange packet filtering to block packets with spoofed source addresses. Also, packet filtering reduces equipment performance.
6 Experiment
Goal: Implement an example environment for splitting routing, IP spoofing scenario.
6.1 Scenario description
192.168.1.34 eth1
192.168.1.33
eth1
Rui
Packet 2 reply
Leila
132.230.1.34 eth0
Packet 2request
132.230.1.33
eth0
Packet 1 request
Ethernet cross line
Figure 23: experiment scenario
6.2 Configuration
We do the experiment under Linux Suse 8.0. The tools needed are:
¢ Iptables
¢ Ethereal
The configuration is: Leila:
ifconfig eth0 132.230.1.33 ifconfig eth1 192.168.1.33
iptables -A POSTROUTING -t nat -j SNAT -to 192.168.1.33 -o eth0 echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
Rui:
ifconfig eth0 132.230.1.34 ifconfig eth1 192.168.1.34
iptables -A POSTROUTING -t nat -j SNAT -to 192.168.1.34 -o eth0 echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
6.3 Experiment procedure
Packet 1: Rui”Leila:
ping 132.230.1.33
The request packet is sent from interface eth0/Rui, using the IP address of interface eth1/Rui, i.e. 192.168.1.34.
Packet 2: Leila- Rui:
ping 132.230.1.34
The request packet is sent from interface eth0/Leila, using the IP address of interface eth1/Leila, i.e. 192.168.1.33.
6.4 Experiment result
EthO: ICMP ping quest packet from Rui to Leila
<capture> - Ethereal
File Edit Capture Display Tools
Help
u
EG Frame 1 (98 on wire, 98 captured) E Ethernet II
EG Internet Protocol, Src Addr: 192.168.1.34 (192.168.1.34), Est Addr: 132.230.1.33 (132.230.1.33) S Internet Control Message Protocol
Filter:
Apply
File: <capture> Drops: 0
Ethl: ICMP reply packet from Leila to Rui
^capture* - Ethereal <2>
File Edit Capture Display Tools
Help
0000 00 02 2d 66 36 e7 00 eO 63 50 7a e8 08 00 45 00 ..-f6c.a cPie. .E.
0010 00 54 01 19 00 00 40 01 31 bf 84 e6 01 21 cO a8 .T....0. li.s.I A"
0020 01 22 00 00 fa 7d 51 05 01 00 e7 42 f7 3e e3 f7 ."..U>Q. ..cB-K>a-j-
0030 06 00 08 09 0a 0b 0c Od Oe Of 10 11 12 13 14 15 ++++++++ ++++++++
0040 16 17 18 19 la lb lc Id le If 20 21 22 23 24 25 ++++++++ .. I'W
0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,- ./012345
0060 36 37 67 J
Filter:
Reset
Apply File: <capture> Drops: 0
EthO: ICMP ping request packet from Leila to Rui
<captire> - Ethereal;
Help
u
H Frame 3 (88 on wire, 88 captured) El Ethernet II
El Internet Protocol, Src Addr: 192.1G8.1.33 (192.168.1.33), S Internet Control Message Protocol
Dst Addr: 132.230.1.34 (132.230.1.34)
-J-
0000 00 02 3f af 3d 04 00 00
'0010 00 54 01 41 40 00 40 01
J0020 01 22 08 00 b9 a4 33 06
50030 09 00 08 09 0a 0b 0c Od
,0040 16 17 18 19 la lb lc Id
10050 26 27 28 28 2a 2b 2c 2d
,0060 36 37
39 bb 8e d2 08 00 45 00 fl 96 cO a8 01 21 84 e6 01 00 la 46 f7 3e 04 cd Oe Of 10 11 12 13 14 15 le If 20 21 22 23 24 25 2e 2f 30 31 32 33 34 35
&'()*+,
67
9»,o..E, n.fl".! .*
...FT>,I
./012345
Filter:
/ Reset Apply File: <capture> Drops; 0
am
Help
Display Tools
Ethl: ICMP reply packet from Rui to Leila
File Edit Capture
No. Time Source Destination Protocol Info . 1
1 0.000000 Agere_66;36;e7 ff:ff:ff:ff:ff:ff ARP Who has 192.168,1,33 Tell 132,230,1,34 J
2 0.000020 CABLETR0_50;7a:e8 Agere_66;36;e7 ARP 192.168,1,33 is at 00;e0:63:50:7a;e8
3 0.001725 132.230.1.34 192.168.1.33 ICMP Echo (pinq) reply 1
4 1.007839 132.230.1.34 192,168.1.33 ICMP Echo (ping) reply
5 2.017828 132.230.1.34 192,168.1.33 ICMP Echo (ping) reply
6 3.027833 132.230.1.34 192.168.1.33 ICMP Echo (ping) reply /
J
El Frame 3 (98 on wire, 98 captured) El Ethernet II
El Internet Protocol, Src Addr: 132.230,1,34 (132,230,1,34), Dst Addr; 182,168,1,33 (192,168,1,33) El Internet Control Message Protocol
1
0000 00 eO 63 50 7a e8 00 02
0010 00 54 00 99 00 00 40 01
0020 01 21 00 00 cl a4 33 06
0030 09 00 08 09 0a 0b 0c Od
0040 16 17 18 18 la lb lc Id
0050 26 27 28 28 2a 2b 2c 2d
0060 36 37
2d 66 36 e7 08 00 45 00 32 3f 84 e6 01 22 cO a8 01 00 la 46 f7 3e 04 cd Oe Of 10 11 12 13 14 15 le If 20 21 22 23 24 25 2e 2f 30 31 32 33 34 35
.acPze.. -f6g..E. ,T,,,,e. 2.S."A" ,!,,AH3. ...FT>.I
+ + + + + + + + ++ !
V {)*+,- ./012345
67
Filter:
Reset Apply
File; <capture> Drops; 0
7 Reference
[I] Following the Journey of a Spoofed Packet
http://www.scs.carleton.ca/~dlwhyte/whyt...pspoof.htm
[2] NAT and Networks
http://www.suse.de/~mha/linux-ip-nat/diplom/node4.html [3] Asymmetric routing
Jani Lakkakorpi
http://keskus.hut.fi/tutkimus/ipana/pape...metric.pdf [4] TCP/IP protocol suite Thomas Toth
http://www.infosys.tuwien.ac.at/Teaching...lides2.pdf [5] Security problems in the TCP/IP protocol suite, S.M. Bellovin, AT&T Bell Laboratories,
Murray Hill, New Jersey 07974
http://www.research.att.com/~smb/papers/ipext.pdf [6] Linux 2.4 NAT HOWTO
http://www.netfilter.org/unreliable-guides/NAT-HOWTO/ [7] Linux IP Masquerade HOWTO
http://www.tldp.org/HOWTO/IP-Masquerade-...index.html [8] Linux 2.4 Advanced Routing HOWTO
http://www.linuxdocs.org/HOWTOs/Adv-Routing-HOWTO.html [9] Introduction To Network Address Translation (NAT)
http://www.firewall.cx/nat-intro.php [10] Network Address Translation (NAT/ PAT/ IP Masquerading)
http://home.t-online.de/home/TschiTschi/...rading.htm
[II] Attacks over the internet
http://zork.net/~phil/Cracking/Internet.html
[12] IP spoofing
http://bear.cba.ufl.edu/teets/projects/I...index.html


Attached File(s)
.pdf  IpSpoofingPaper.pdf (Size: 664.84 KB / Downloads: 443)

Please Use Search http://seminarprojects.com/search.php wisely To Get More Information About A Seminar Or Project Topic
01-04-2010, 11:35 AM
Post: #3
RE: ip spoofing seminar report
IP SPOOFING
What is IP SPOOFING?
IP spoofing is the creation of IP packets using forged (spoofed) source IP address.

INTERNET PROTOCOL
The IP (Internet Protocol) header
TCP Header
3-WAY HANDSHAKE
The Client sends a SYN Packet with its Initial sequence number

SYN=1 ACK=0

The Host on receiving this packet will respond with an SYN/ACK Packet, with servers Initial Sequence Number.

SYN=1 ACK=1

The Client then replies with an ACK packet.

SYN=0 ACK=1
SPOOFING ATTACKS
IP spoofing in brief consists of several interim steps:
Selecting a target host ( or victim).
Identify a host that has a "trust" relationship with the target host.
The trusted host is then disabled.
The trusted host is then impersonated, the sequence numbers forged (after being calculated) .
A connection attempt is made to a service that only requires address-based authentication (no user id or password).
If a successful connection is made, the attacker executes a simple command to leave a backdoor.

1.NON-BLIND SPOOFING
The attacker is on the same subnet as the victim & thus the sequence and acknowledgement numbers can be sniffed
The biggest threat of spoofing in this instance would be session hijacking.
2.BLIND SPOOFING
This is a more sophisticated attack, because the sequence and acknowledgement numbers are unreachable
So several packets are sent to the target machine in order to sample sequence numbers.
It was relatively easy to discover the exact formula by studying packets and TCP sessions
3. MAN IN THE MIDDLE ATTACK
This is also called connection hijacking
A malicious party intercepts a legitimate communication between two hosts
Connection hijacking exploits a "desynchronized state" in TCP communication.
An Attacker can then inject forged packets with the correct sequence numbers and potentially modify or add messages to the communication
4. DENIAL OF SERVICE (DoS) ATTACK
They flood the victim with as many packets as possible in a short amount of time using spoofed IP Addresses.
MECHANISM OF THE ATTACK
DISABLING THE TRUSTED HOST


There is an upper limit of how many concurrent SYN requests TCP can process for a given socket. This limit is called the backlog .
If this backlog limit is reached, TCP will silently discard all incoming SYN requests.
SYN Flooding
The attacking host sends several SYN requests to the target(from forged IP Address), to fill its backlog queue with pending connections.
The target tries to respond each one of them with SYN/ACK packet.
It then waits for the ACK message from the forged IP Addresses.


Since these IP Addresses does not actually exists , the target never receives the ACK packets.
It thus queues up all these requests until it receives the ACK message & they are not removed until it receives the ACK message.
Hence these requests take up the valuable resource of the target machine.
As the target receives a number of connection requests , the memory of the target system gets hogged up , thus it is unable to cater request for legitimate users.
But according to the rules of TCP/IP , after a certain time, a time out takes place and the connection requests queued up by target system gets discarded , thus a part of the hogged memory gets freed up.

However in a typical SYN flooding attack , the attacker keeps on sending connection requests at a rate faster than the timed out of earlier connection requests.

As a result , even though due to timed out , the queued up connection requests gets discarded , the memory of the target does not get freed up , as the attacker is continuously sending more and more spoofed connections.
GETTING THE FINAL SEQUENCE NUMBER AND PREDICTING THE SUCCEEDING ONES
Sequence Numbers
A sequence number is a 32 bit number ranging from 1 to 2*32 - 1.
The host is assigned a sequence number called Initial Sequence Number (ISN) when the system is being bootstrapped.(Typically 1).
Once system is assigned a ISN value of 1 , this value goes on incrementing at the rate of 128,000/sec and with every connection established , it gets incremented by 64,000.
Every octet of data sent over a TCP connection has a sequence number.


ACKNOWLEDGMENT NUMBER
It is a 32-Bit Number.
It is mainly used to for two purposes:
1. The value of the next sequence number the host expects the client to send.
2. To acknowledge that all data up to this number (acknowledge Number) minus one has reached safely.
SEQUENCE NUMBERS AND CONNECTION ESTABLISHMENTS
The following three-steps are essential for a complete and successful connection to take place b/w host and client :
1. Client sends a SYN packet ,containing itâ„¢s ISN, to the server , requesting for a connection to be established .
2.The Host (Server) on receiving this packet will respond with a SYN/ACK packet containing itâ„¢s ISN . It will also contain the acknowledge number , which will be clientâ„¢s acknowledgement number plus one.
3.The Client then replies with an ACK packet . Here the acknowledgement number will be Serverâ„¢s ISN plus one.



Consider the following Example:


Client----->SYN(250000)------->Host

Host ------->SYN(500000)&ACK(250001)------->Client

Client------->ACK(500001)------>Host
PREDICTION OF SEQUENCE NUMBERS
The attacker connects to a TCP port on the target (SMTP is a good choice).
So he can Receive packets sent by the target & record Sequencing number of the last packet sent by the target.
The attacker must then calculate the Round Trip Time (RTT).
Round Trip Time (RTT)
It is the time taken by a packet to travel from source to destination and then back.
So the time taken by the packet to reach from source to destination is RTT/2.

Steps to perform prediction effectively
Record the RTT and , in turn , the time taken for a packet to travel from attacker to target.
Once you have logged the last sequence number of the target , calculate the next sequence number.
For example if the last sequence number recorded is Ëœsâ„¢
and RTT/2=Ëœtâ„¢ , then the next sequence number the target expects is = s + t * 128000.
Once you have calculated the last sequence number , start the attack immediately , since there is a chance of another system in the internet to establish connection with the target ,and hence increasing its sequence number by 64,000 more than what you have predicted.
When the spoofed segment makes its way to the target, several different things may happen depending on the accuracy of the attacker's prediction:
METHODS TO PREVENT IP SPOOFING
1. Packet filtering
One way to mitigate the threat of IP spoofing is by inspecting packets at the border routers when they the leave and enter a network looking for invalid source IP addresses.

Egress filtering checks the source IP address of packets to ensure they come from a valid IP address range within the internal network. When the router receives a packet that contains an invalid source address, the packet is simply discarded and does not leave the network boundary.

Ingress filtering checks the source IP address of packets that enter the network to ensure they do not come from sources that are not permitted to access the network.

2. Encryption and Authentication
Implementing encryption and authentication will also reduce spoofing threats.
Both of these features are included in Ipv6, which will eliminate current spoofing threats.
Eliminate all host-based authentication measures.
3. Initial Sequence Number Randomizing
The following formula is being suggested to calculate the sequence number : ISN=M+F(localhost,localport,remotehost,remoteport)
Where M is the 4 microsecond timer F is a cryptographic hash of the connection-id and a secret vector (a random number, or a host related secret combined with the machine's boot time).

APPLICATIONS OF IP SPOOFING
1. Asymmetric routing (Splitting routing)
Asymmetric routing is when the response to a packet follows a different path from one host to another than the original packet did.
Satellite DSL (SAT DSL) makes use of asymmetric routing
2. NETWORK ADDRESS TRANSLATION (NAT)
NAT is essentially the translation of IP addresses in one network into those for a different network.
NAT replaces the internal network IP address (Source) for each Internet Protocol (IP) packet passing through the firewall with a dummy one from a fixed pool of addresses.
The actual IP addresses of computers on the private network are thus hidden from users
IP Masquerade
NAT technique that is frequently implemented on Linux machines
All the IP addresses of the private network are hidden to outsiders, who can access only the single IP address of the interface exposed to the public network.





So arbitrary number of Transmission Control Protocol (TCP) connections can be multiplexed through the single IP address by assigning each connection a different port numbers

SERVICES VULNERABLE TO IP SPOOFING
RPC (Remote Procedure Call services
Any service that uses IP address authentication
The X Window system
The R services suite (rlogin, rsh, etc.)
TCP AND IP SPOOFING TOOLS
1) Mendax for Linux
Mendax is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.
2)  spoofit.h
spoofit.h is a nicely commented library for including IP spoofing functionality into your programs.
3) ipspoof ipspoof is a TCP and IP spoofing utility.
4) hunt hunt is a sniffer which also offers many spoofing functions.
5) dsniff dsniff is a collection of tools for network auditing and penetration testing.
THANKS to ONE and ALL


Attached File(s)
.ppt  ip spoofing.ppt (Size: 841 KB / Downloads: 344)

Please Use Search http://seminarprojects.com/search.php wisely To Get More Information About A Seminar Or Project Topic
24-09-2010, 09:22 AM
Post: #4
Wink ip spoofing with ppt
This article is presented by:Rajkumar


.ppsx  IP Spoofing.ppsx (Size: 5.12 MB / Downloads: 267)


.pdf  IP Spoofing.pdf (Size: 777.87 KB / Downloads: 366)


ABSRACT



In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine. In the subsequent pages of this report, we will examine the concepts of IP spoofing: why it is possible, how it works, what it is used for and how to defend against it. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host. After the occurrence of the infamous Internet Worm, IP spoofing has been identified as a real risk to the Internet and computer network community. Since then, the Internet has suffered a huge number of large-scale attacks. There are many variants of IP spoofing used in an attack. In this paper, we aim to examine the attack methods, and to identify counter-measures. IP spoofing uses the idea of trust relationships. The attack is a "blind" one, meaning the attacker will be assuming the identity of a "trusted" host. From the perspective of the target host, it is simply carrying on a "normal" conversation with a trusted host. In reality, the host is conversing with an attacker who is busy forging IP packets. The data that the target sends back (destined for the trusted host) will go to the trusted host, which the attacker never “sees” them. To prevent disruption from the trusted host, he has to disable the trusted host, using DOS, so that it will not respond to the target‟s replies. The attacker must guess what the target sends and the type of response the server is looking for. By trial communication with the target, the attacker can predict the initial sequence number (ISN) in the target‟s response. He then does not need to actually "see" the response. This allows him to work in the "blind" and manipulate the system.
Undecided
27-09-2010, 05:47 PM
Post: #5
RE: ip spoofing seminar report

.pdf  controlling ip spoofing.pdf (Size: 2.74 MB / Downloads: 279)
Controlling IP Spoofing through
Interdomain Packet Filters



Zhenhai Duan,
Member, IEEE,
Xin Yuan, Member,
IEEE, and Jaideep Chandrashekar,
Member, IEEE


abstract

Abstract—The Distributed Denial-of-Service (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention
mechanisms are thwarted by the ability of attackers to forge or spoof the source addresses in IP packets. By employing IP spoofing,
attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we
propose an interdomain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our
scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in Border Gateway
Protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework
correctly works in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even
with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize
the origin of an attack packet to a small number of candidate networks.
28-10-2010, 11:05 AM
Post: #6
RE: ip spoofing seminar report

.pdf  Spoofing.pdf (Size: 224.21 KB / Downloads: 320)
Spoofing

IP Spoofing


• IP spoofing is the creation of TCP/IP packets with
somebody else's IP address in the header.
• Routers use the destination IP address to forward
packets, but ignore the source IP address.
• The source IP address is used only by the destination
machine, when it responds back to the source.
• When an attacker spoofs someone’s IP address, the
victim’s reply goes back to that address.
• Since the attacker does not receive packets back, this is
called a one-way attack or blind spoofing.
• To see the return packets, the attacker must intercept
them.
Misconception (IP spoofing)
• A
12-01-2011, 11:12 AM
Post: #7
RE: ip spoofing seminar report



.ppt  IP Spoofing.ppt (Size: 230 KB / Downloads: 169)
BY

ASHISH KUMAR

BT – IT

UNDER GUIDANCE OF

MRS.ASHA JYOTI



IP SPOOFING ?

IP Spoofing is a technique used to gain unauthorized access to computers.
IP: Internet Protocol
Spoofing: using somebody else’s information
Exploits the trust relationships
Intruder sends messages to a computer with an IP address of a trusted host.

WHY IP SPOOFING IS EASY ?

Problem with the Routers.
Routers look at Destination addresses only.
Authentication based on Source addresses only.
To change source address field in IP header field is easy

IP SPOOFING STEPS

Selecting a target host (the victim)
Identify a host that the target “trust”
Disable the trusted host, sampled the target’s TCP sequence
The trusted host is impersonated and the ISN forged.
Connection attempt to a service that only requires address-based authentication.
If successfully connected, executes a simple command to leave a backdoor.

Spoofing Attacks

Spoofing is classified into :-

1. Non-blind spoofing :
This attack takes place when the attacker is on the same subnet as the target that could see sequence and acknowledgement of packets.

2. Blind spoofing :
This attack may take place from outside where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to sample sequence numbers, which is doable in older days .

3. Denial of Service Attack :
IP spoofing is almost always used in denial
of service attacks (DoS), in which attackers
are concerned with consuming bandwidth
and resources by flooding the target with as
many packets as possible in a short amount
of time.

4. SMURF ATTACK :
Send ICMP ping packet with spoofed IP source address to a LAN which will broadcast to all hosts on the LAN
Each host will send a reply packet to the spoofed IP address leading to denial of service

5. Man - in - the – middle :
Packet sniffs on link between the two
endpoints, and therefore can pretend to
be one end of the connection.


Detection of IP Spoofing

1. If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack.

2. Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access .

IP-Spoofing Counter-measures

No insecure authenticated services
Disable commands like ping
Use encryption
Strengthen TCP/IP protocol
Firewall
IP trace back

IP Trace-back
To trace back as close to the attacker’s location as possible
Limited in reliability and efficiency
Require cooperation of many other network operators along the routing path
Generally does not receive much attention from network operators

Misconception of IP Spoofing
A common misconception is that "IP Spoofing" can
be used to hide your IP address while surfing the
Internet, chatting on-line, sending e-mail, and so
forth.

This is generally not true. Forging the source IP
address causes the responses to be misdirected,
meaning you cannot create a normal network
connection. However, IP spoofing is an integral part of
many networks that do not need to see responses.

IP-Spoofing Facts

IP protocol is inherently weak
Makes no assumption about sender/recipient
Nodes on path do not check sender’s identity
There is no way to completely eliminate IP spoofing
Can only reduce the possibility of attack

Applications

Asymmetric routing (Splitting routing)

SAT DSL

NAT

IP Masquerade

ADVANTAGES


Multiple Servers :
Sometimes you want to change where packets heading into your network will go. Frequently this is because you have only one IP address, but you want people to be able to get into the boxes behind the one with the `real' IP address.


Transparent Proxying :

Sometimes you want to pretend that each packet which passes through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program which stands between your network and the outside world, shuffling communication between the two. The transparent part is because your network won't even know it's talking to a proxy, unless of course, the proxy doesn't work.

DISADVANTAGES

Blind to Replies :
A drawback to ip source address spoofing is that reply packet will go back to the spoofed ip address rather than to the attacker. This is fine for many type of attack packet. However in the scanning attack as we will see next the attacker may need to see replies .in such cases ,the attacker can not use ip address spoofing .

Serial attack platforms :
However, the attacker can still maintain anonymity by taking over a chain of attack hosts. The attacker attacks the target victim using a point host-the last host in the attack chain .Even if authorities learn the point host’s identity .They might not be able to track the attack through the chain of attack hosts all the way back to the attackers base host.

CONCLUSION

IP spoofing attacks is unavoidable.

Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.



01-03-2011, 11:27 AM
Post: #8
RE: ip spoofing seminar report
PRESENTED BY:
ASHISH KUMAR


.ppt  IP Spoofing111111.ppt (Size: 218 KB / Downloads: 101)
IP Spoofing
• IP Spoofing is a technique used to gain unauthorized access to computers.
– IP: Internet Protocol
– Spoofing: using somebody else’s information
• Exploits the trust relationships
• Intruder sends messages to a computer with an IP address of a trusted host.
WHY IP SPOOFING IS EASY ?
• Problem with the Routers.
• Routers look at Destination addresses only.
• Authentication based on Source addresses only.
• To change source address field in IP header field is easy
IP SPOOFING STEPS
• Selecting a target host (the victim)
• Identify a host that the target “trust”
• Disable the trusted host, sampled the target’s TCP sequence
• The trusted host is impersonated and the ISN forged.
• Connection attempt to a service that only requires address-based authentication.
• If successfully connected, executes a simple command to leave a backdoor.
Spoofing Attacks
Spoofing is classified into :-

1. Non-blind spoofing :
This attack takes place when the attacker is on the same subnet as the target that could see sequence and acknowledgement of packets.
2. Blind spoofing :
This attack may take place from outside where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to sample sequence numbers, which is doable in older days .
3. Denial of Service Attack :
IP spoofing is almost always used in denial of service attacks (DoS), in which attackers
are concerned with consuming bandwidth and resources by flooding the target with as
many packets as possible in a short amount of time
4. SMURF ATTACK :
 Send ICMP ping packet with spoofed IP source address to a LAN which will broadcast to all hosts on the LAN
 Each host will send a reply packet to the spoofed IP address leading to denial of service
5. Man - in - the – middle :
 Packet sniffs on link between the two
 endpoints, and therefore can pretend to
 be one end of the connection.
03-03-2011, 03:06 PM
Post: #9
RE: ip spoofing seminar report
PRESENTED BY :
Prashant Singh


.ppt  myspoofing_presentation.ppt (Size: 3.77 MB / Downloads: 140)
ip spoofing
What is IP Spoofing?
 IP spoofing is a technique used to gain unauthorized access to computers, where by the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host
 Attacker puts an internal, or trusted, IP address as its source. The access control device sees the IP address as trusted and lets it through
When Spoofing occurs?
 IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.
 Two general techniques of IP spoofing:
• A hacker uses an IP address that is within the range of trusted IP addresses.
• A hacker uses an authorized external IP address that is trusted
3-Way Handshake in TCP/IP
 The client selects and transmits an initial sequence number ISNC ,the server acknowledges it and sends its own sequence number ISNS ,and the client acknowledges it.
 The exchange may show schematically as follows
CàS: SYN(ISNC)
SàC: SYN(ISNS) , ACK(ISNC)
CàS: ACK(ISNS)
CàS: DATA
OR
SàC: DATA

How Spoofing take place?
 Suppose, there is a way for an intruder X to predict ISNS .In this case , it could send the following sequence to impersonate trusted host T :
XàS: SYN(ISNX ) , SRC=T
SàT: SYN(ISNS) , ACK(ISNX)
XàS: ACK(ISNS) , SRC=T
XàS: ACK(ISNS) , SRC=T , nasty data

• Basic Concept of IP Spoofing
• IP Spoofing
• Why IP Spoofing is so easy?
 Problem with the Routers.
 Routers look at Destination addresses only.
 Authentication based on Source addresses only.
 To change source address field in IP header field is easy by the use of the software.
• Types of Spoofing Attack
The number of IP Spoofing attacks are:
 Non-Blinding Attack
This attack take place when the Victim and the Attacker are on the same network.
 In this the we have to make the assumption to find the sequence number passed from Target to Victim.
• Non- Blinding Spoofing
• Spoofing Attacks
 Blind Spoofing
 It is mainly used to abuse the trust relationship between hosts.
 Today, most OSs implement random sequence number generation, making it difficult to predict them accurately.
 In this many packet are sent to the victim
• Spoofing Attacks:
• Blinding Attack
• Spoofing Attacks:
 Man in the Middle Attack( Connection Hijacking)
 In this the attacker control the gateway that is in the delivery route, he can
• sniff the traffic
• intercept / block / delay traffic
• modify traffic:
Spoofing Attacks:
 ICMP Echo attacks
• Map the hosts of a network
The attack sends ICMP echo datagram to all the hosts in a subnet, then he collects the replies and determines which hosts are alive.
• Denial of service attack (SMURF attack)
The attack sends spoofed (with victim‘s IP address) ICMP Echo Requests to subnets, the victim will get ICMP Echo Replies from every machine.
Smurf Attack
Spoofing Attacks:

 ICMP Redirect attacks
• ICMP redirect messages can be used to re-route traffic on specific routes or to a specific host that is not a router at all.
• The ICMP redirect attack is very simple: just send a spoofed ICMP redirect message that appears to come from the host‘s default gateway.
ICMP Redirect attacks
ICMP destination unreachable attacks

 ICMP destination unreachable message is used by gateways to state that the datagram cannot be delivered. It can be used to “cut” out nodes from the network. It is a denial of service attack (DOS)
Example:
An attacker injects many forged destination unreachable messages stating that 100.100.100.100 is unreachable) into a subnet (e.g. 128.100.100.*). If someone from the 128.100.100.* net tries to contact 100.100.100.100, he will immediately get an ICMP Time Exceeded from the attacker‘s host. For 128.100.100.* this means that there is no way to contact 100.100.100.100, and therefore communication fails.
ICMP destination unreachable attacks
Stopping IP address spoofing attack
Packet filtering
The router that connects a network to another network is known as a border router. One way to mitigate the threat of IP spoofing is by inspecting packets when they leave and enter a network looking for invalid source IP addresses. If this type of filtering were performed on all border routers, IP address spoofing would be greatly reduced.
• Ingress Filtering
• Egress Filtering
Packet filtering
Detection of IP Spoofing

 If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack
Detection of IP Spoofing
 Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access
How we prevent IP Spoofing?
To prevent IP spoofing happen in your network, the following are some common practices:
1- Avoid using the source address authentication. Implement cryptographic authentication system-wide.
2- Configuring your network to reject packets from the Net that claim to originate from a local address.
3- Implementing ingress and egress filtering on the border routers and implement an ACL (access control list) that blocks private IP addresses on your downstream interface.
If you allow outside connections from trusted hosts, enable encryption sessions
Our Misconception
Software for IP Spoofing

 Mac Spoofing
 Macaroni Screen Saver Bundle
 SpoofMAC
 sTerm
 MAC Change
Software to Stop IP Spoofing
 StopCut
 Find Mac Address pro
 SecurityGateway for Exchange / SMTP
 PacketCreator
 Responder Pro
21-03-2011, 04:23 PM
Post: #10
RE: ip spoofing seminar report

.doc  IP address spoofing.doc (Size: 200 KB / Downloads: 122)
IP address spoofing
In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.
Background
The basic protocol for sending data over the Internet network and many other computer networks is the Internet Protocol ("IP"). The header of each IP packet contains, among other things, the numerical source and destination address of the packet. The source address is normally the address that the packet was sent from. By forging the header so it contains a different address, an attacker can make it appear that the packet was sent by a different machine. The machine that receives spoofed packets will send response back to the forged source address, which means that this technique is mainly used when the attacker does not care about the response or the attacker has some way of guessing the response.
In certain cases, it might be possible for the attacker to see or redirect the response to his own machine. The most usual case is when the attacker is spoofing an address on the same LAN or WAN. Hence the attackers have an unauthorized access over computers.
History
The concept of IP spoofing, was initially discussed in academic circles in the 1980's. While known about for sometime, it was primarily theoretical until Robert Morris, whose son wrote the first Internet Worm, discovered a security weakness in the TCP protocol known as sequence prediction. Stephen Bellovin discussed the problem in-depth in Security Problems in the TCP/IP Protocol Suite, a paper that addressed design problems with the TCP/IP protocol suite. Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu Shimomura's machine, employed the IP spoofing and TCP sequence prediction techniques. While the popularity of such cracks has decreased due to the demise of the services they exploited, spoofing can still be used and needs to be addressed by all security administrators.
Applications
IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus suitable for such attacks. They have additional advantages for this purpose—they are more difficult to filter since each spoofed packet appears to come from a different address, and they hide the true source of the attack. Denial of service attacks that use spoofing typically randomly choose addresses from the entire IP address space, though more sophisticated spoofing mechanisms might avoid unroutable addresses or unused portions of the IP address space. The proliferation of large botnets makes spoofing less important in denial of service attacks, but attackers typically have spoofing available as a tool, if they want to use it, so defenses against denial-of-service attacks that rely on the validity of the source IP address in attack packets might have trouble with spoofed packets. Backscatter, a technique used to observe denial-of-service attack activity in the Internet, relies on attackers' use of IP spoofing for its effectiveness.
IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines. For example, it is common on some corporate networks to have internal systems trust each other, so that users can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without an authentication.
Why Spoof the IP Source Address?
What is the advantage of sending a spoofed packet? It is that the sender has some kind of malicious intention and does not want to be identified. You can use the source address in the header of an IP datagram to trace the sender's location. Most systems keep logs of Internet activity, so if attackers want to hide their identity, they need to change the source address. The host receiving the spoofed packet responds to the spoofed address, so the attacker receives no reply back from the victim host. But if the spoofed address belongs to a host on the same subnet as the attacker, then the attacker can "sniff" the reply. You can use IP spoofing for several purposes; for some scenarios an attacker might want to inspect the response from the target victim (called "nonblind spoofing"), whereas in other cases the attacker might not care (blind spoofing). Following is a discussion about reasons to spoof an IP packet.
Internet Protocol – IP
Internet protocol (IP) is a network protocol operating at layer 3 (network) of the OSI model. It is a connectionless model, meaning there is no information regarding transaction state, which is used to route packets on a network. Additionally, there is no method in place to ensure that a packet is properly delivered to the destination.
Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the header) contain various information about the packet. The next 8 bytes (the next 2 rows), however, contains the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses – specifically the “source address” field. It's important to note that each datagram is sent independent of all others due to the stateless nature of IP. Keep this fact in mind as we examine TCP in the next section.
Transmission Control Protocol – TCP
IP can be thought of as a routing wrapper for layer 4 (transport), which contains the Transmission Control Protocol (TCP). Unlike IP, TCP uses a connection-oriented design. This means that the participants in a TCP session must first build a connection - via the 3-way handshake (SYN-SYN/ACK-ACK) - then update one another on progress - via sequences and acknowledgements. This “conversation”, ensures data reliability, since the sender receives an OK from the recipient after each packet exchange.
As you can see above, a TCP header is very different from an IP header. We are concerned with the first 12 bytes of the TCP packet, which contain port and sequencing information. Much like an IP datagram, TCP packets can be manipulated using software. The source and destination ports normally depend on the network application in use (for example, HTTP via port 80). What's important for our understanding of spoofing are the sequence and acknowledgement numbers. The data contained in these fields ensures packet delivery by determining whether or not a packet needs to be resent. The sequence number is the number of the first byte in the current packet, which is relevant to the data stream. The acknowledgement number, in turn, contains the value of the next expected sequence number in the stream. This relationship confirms, on both ends, that the proper packets were received. It’s quite different than IP, since transaction state is closely monitored.
Consequences of the TCP/IP Design
Now that we have an overview of the TCP/IP formats, let's examine the consequences. Obviously, it's very easy to mask a source address by manipulating an IP header. This technique is used for obvious reasons and is employed in several of the attacks discussed below. Another consequence, specific to TCP, is sequence number prediction, which can lead to session hijacking or host impersonating. This method builds on IP spoofing, since a session, albeit a false one, is built. We will examine the ramifications of this in the attacks discussed below.
Spoofing Attacks
There are a few variations on the types of attacks that successfully employ IP spoofing. Although some are relatively dated, others are very pertinent to current security concerns.
Non-Blind Spoofing
This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance would be session hijacking. This is accomplished by corrupting the datastream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using this technique, an attacker could effectively bypass any authentication measures taken place to build the connection.
Blind Spoofing
This is a more sophisticated attack, because the sequence and acknowledgement numbers are unreachable. In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers. While not the case today, machines in the past used basic techniques for generating sequence numbers. It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most OSs implement random sequence number generation, making it difficult to predict them accurately. If, however, the sequence number was compromised, data could be sent to the target. Several years ago, many machines used host-based authentication services (i.e. Rlogin). A properly crafted attack could add the requisite data to a system (i.e. a new user account), blindly, enabling full access for the attacker who was impersonating a trusted host.
07-04-2011, 03:23 PM
Post: #11
RE: ip spoofing seminar report
PRESENTED BY
SHARANJIT KAUR


.ppt  IP SPOOFING.ppt (Size: 126 KB / Downloads: 153)
IP SPOOFING
“IP SPOOFING IS SOMEWHAT SIMILAR TO THE HIJACKING OF A PLANE”
IP SPOOFING ?
• IP spoofing is a technique used to gain unauthorized access to computers.
• It refers to creation of internet protocol (IP) packets with a forged source IP address , with the purpose of concealing the identity of the sender or impersonating another computer system.
• Spoofing is the creation of TCP/IP packets using somebody else's IP address.
IP SPOOFING
Why IP spoofing is easy?

• Problem with the routers.
• Routers looks only at the destination address.
• Authentication based on the source addresses only.
• To change source address field in IP header field is easy.
SPOOFING ATTACKS
Spoofing attacks are-

• Non Blind Spoofing
• Blind Spoofing
• Man in the middle (MITM) attack
• Denial of service (DoS) attack
Non Blind Spoofing-
• This type of attack takes place when the attacker is on the same subnet as the victim.
• The biggest threat of spoofing in this instance would be session hijacking.
Blind Spoofing-
• IP spoofing is an integral part of many network attacks that do not need to see responses .
• Blind spoofing predicts responses from a host, allowing commands to be sent, but cannot get immediate feedback.
Man in the middle attack-
• Both types of spoofing are forms of a common security violation known as a man in the middle (MITM) attack.
• In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient.
• In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.
• Packet sniffs on link between the two end points and can therefore pretend to be one end of the connection.
Denial of Service Attack-
• IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against – denial of service attacks.
• Crackers wish to flood the victim with as many packets as possible in a short amount of time.
WHY IP SPOOFING IS USED?
• IP spoofing is used to commit criminal activity online and to breach network security.
• Hackers use IP spoofing so they do not get caught spamming and to perpetrate denial of service attacks.
• These are attacks that involve massive amounts of information being sent to computers over a network in an effort to crash the entire network. The hacker does not get caught because the origin of the messages cannot be determined due to the bogus IP address .
• IP spoofing is also used by hackers to breach network security measures by using a bogus IP address that mirrors one of the addresses on the network. This eliminates the need for the hacker to provide a user name and password to log onto the network.
DEFENDING AGAINST SPOOFING
There are a few precautions that can be taken to limit IP spoofing risks on your network, such as
• Filtering at the Router
• Encryption and Authentication
MISCONCEPTION OF SPOOFING
• A common misconception is that “IP Spoofing” can be used to hide your IP address while surfing the internet , chatting on-line ,sending e-mail and so forth. This is generally not true.
• Forging the source IP address causes the responses to be misdirected ,meaning you cannot create a normal network connection.
CONCLISION
• IP Spoofing is a problem without an easy solution, since it’s inherent to the design of the TCP/IP suite.
• Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.
07-05-2011, 12:03 PM
Post: #12
RE: ip spoofing seminar report
Presented by:
suvendu kumar sahu


.doc  suvendu.doc (Size: 1,010.5 KB / Downloads: 79)
Introduction
History:

• The Concept of IP Spoofing was Discussed in 1980’s
• Spoofing problem Arises due to in-depth Security problem in TCP/IP Protocol Suite
• Spoofing can still be used and needs to be addressed by all security administrators.
Definition of ip:
The Internet Protocol is a network-layer protocol that contains addressing information and some control information that enables
packets to be routed .
WHAT IS SPOOFING…???
Spoofing refers to creation of IP packets with a forged IP source address.
TYPES OF SPOOFING ?
• IP Spoof
• Web Spoof
• E-mail Spoof
• Non Technical Spoof
Some background on AES
In 1997 the US National Institute of Standards and Technology put out a call for candidates for a replacement for the ageing Data Encryption Standard, DES. 15 candidates were accepted for further consideration, and after a fully public
process and three open international conferences, the number of candidates was reduced to five. In February 2001, the final candidate was announced and comments were solicited. 21 organizations and individuals submitted comments..
AES is founded on solid and well-published mathematical ground, and appears to resist all known attacks well. There’s a strong indication that in fact no
back-door or known weakness exists since it has been published for a long time, has been the subject of intense scrutiny by researchers all over the world, and
such enormous amounts of economic value and information is already
successfully protected by AES. There are no unknown factors in its design,
and it was developed by Belgian researchers in Belgium therefore voiding the conspiracy theories sometimes voiced concerning an encryption standard
developed by a United States government agency. A strong encryption algorithm need only meet only single main criteria:
• There must be no way to find the unencrypted clear text if the key is unknown, except brute force, i.e. to try all possible keys until the right one is found.
• The number of possible keys must be so large that it is computationally infeasible to actually stage a successful brute force attack in short enough a time.
The older standard, DES or Data Encryption Standard, meets the first criterion, but no longer the secondary one – computer speeds have caught up with it,
or soon will. AES meets both criteria in all of its variants: AES-128, AES-192
and AES-256.
Encryption must be done properly
AES may, as all algorithms, be used in different ways to perform encryption. Different methods are suitable for different situations. It is vital that the correct method is applied in the correct manner for each and every situation, or the
result may well be insecure even if AES as such is secure. It is very easy to implement a system using AES as its encryption algorithm, but much more skill and experience is required to do it in the right way for a given situation. No more than a hammer and a saw will make anyone a good carpenter, will AES make a system secure by itself. To describe exactly how to apply AES for varying
purposes is very much out of scope for this short introduction.
Strong keys
Encryption with AES is based on a secret key with 128, 192 or 256 bits. But if the key is easy to guess it doesn’t matter if AES is secure, so it is as critically vital to use good and strong keys as it is to apply AES properly. Creating good and strong keys is a surprisingly difficult problem and requires careful design when done
with a computer. The challenge is that computers are notoriously deterministic, but what is required of a good and strong key is the opposite – unpredictability
and randomness. Keys derived into a fixed length suitable for the encryption algorithm from passwords or pass phrases typed by a human will seldom correspond to 128 bits much less 256. To even approach 128--bit equivalence in a pass phrase, at least 10 typical passwords of the kind frequently used in day-to-day work are needed. Weak keys can be somewhat strengthened by special techniques by adding computationally intensive steps which increase the amount of computation necessary to break it. The risks of incorrect usage,
implementation and weak keys are in no way unique for AES; these are shared
by all encryption algorithms. Provided that the implementation is correct, the security provided reduces to a relatively simple question about how many bits the chosen key, password or pass phrase really corresponds to.
20-06-2011, 12:57 PM
Post: #13
RE: ip spoofing seminar report

.doc  seminar report.doc (Size: 699.5 KB / Downloads: 97)
INTRODUCTION
In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system
Spoofing is the creation of TCP/IP packets using somebody else's IP address. Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address. That address is only used by the destination machine when it responds back to the source.
A common misconception is that "IP spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection.
However, IP spoofing is an integral part of many network attacks that do not need to see responses (blind spoofing).
Examples of spoofing:
Man-in-the-middle
Packet sniffs on link between the two end points, and can therefore pretend to be one end of the connection
Routing redirect
Redirects routing information from the original host to the hacker's host (this is another form of man-in-the-middle attack).
Source routing
Redirects individual packets by hackers host
Blind spoofing
Predicts responses from a host, allowing commands to be sent, but can't get immediate feedback.
Flooding
SYN flood fills up receive queue from random source addresses; smurf/fraggle spoofs victims address, causing everyone respond to the victim.
OSI MODEL
The standard model for networking protocols and distributed applications is the International Standard Organization's Open System Interconnect (ISO/OSI) model. It defines seven network layers.
Short for Open System Interconnection, an ISO standard for worldwide communications that defines a networking framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, and proceeding to the bottom layer, over the channel to the next station and back up the hierarchy.
At one time, most vendors agreed to support OSI in one form or another, but OSI was too loosely defined and proprietary standards were too entrenched. Except for the OSI-compliant X.400 and X.500 e-mail and directory standards, which are widely used, what was once thought to become the universal communications standard now serves as the teaching model for all other protocols.
Control is passed from one layer to the next, starting at the application layer in one station, and proceeding to the bottom layer, over the channel to the next station and back up the hierarchy.
08-07-2011, 01:54 PM
Post: #14
RE: ip spoofing seminar report
haiiiiiiiiiiiiiiiiii
[/align]
08-07-2011, 01:59 PM
Post: #15
RE: ip spoofing seminar report
haiiiiiiiiiiiiiiiiiii
09-07-2011, 11:27 AM
Post: #16
RE: ip spoofing seminar report
already added these topics " ip spoofing seminar report" please see bellow post

http://www.seminarprojects.com/Thread-ip...nar-report
26-01-2012, 02:33 PM
Post: #17
RE: ip spoofing PPT
IP Spoofing


.ppt  IP Spoofing.ppt (Size: 145 KB / Downloads: 134)

Sometimes on the internet, a girl named Alice is really a man named Yves


TCP/IP in 3 minute or less

General use of term describes the Architecture upon which the Interweb is built.
TCP/IP are specific protocols within that architecture.

TCP/IP in 3 minute or less

IP is the internet layer protocol.

Does not guarantee delivery or ordering, only does its best to move packets from a source address to a destination address.

IP addresses are used to express the source and destination.

IP assumes that each address is unique within the network.
13-10-2012, 05:39 PM
Post: #18
RE: ip spoofing seminar report
[/size][/font][font=Times New Roman][size=medium]
15-10-2012, 12:39 PM
Post: #19
RE: ip spoofing seminar report
to get information about the topic "ip spoofing" full report ppt and related topic refer the link bellow

http://seminarprojects.com/Thread-ip-spo...nar-report

http://seminarprojects.com/Thread-contro...et-filters

http://seminarprojects.com/Thread-ip-spo...ort?page=4

http://seminarprojects.com/Thread-ip-spo...ort?page=6

http://seminarprojects.com/Thread-contro...ers--16299

Rating ip spoofing seminar report Options
Share ip spoofing seminar report To Your Friends :- Seminar Topics Bookmark
Post Reply 

Marked Categories : ppt on internet protocol ip spoofing, ip spoofing presentation download, ip spoffing report, ip spoofing doc, ip spoofing detail seminar report and pdf, technical seminar 0n ipspoofing, ip spoofing abstract, argue that any network using proxy arp is vulnerable to spoofing i e an arbitrary machine can impersonate any other machine, ip spoofing project code, ip spoofing paper presentation, ip spoofing report, seminar topic for ip address in ppt, web and ip spoofing advantages, download ip spoofing, seminar report of ip spoofing, seminar report on ip spoofing, ip spoofing seminar documentation, abstract for ip spoofing, abstract and introduction toip spoofing,

[-]
Quick Reply
Message
Type your reply to this message here.


Image Verification
Image Verification
(case insensitive)
Please enter the text within the image on the left in to the text box below. This process is used to prevent automated posts.

Possibly Related Threads...
Thread: Author Replies: Views: Last Post
Tongue Biometrics (Download Full Report And Abstract) computer science crazy 77 20,710,872 19-07-2016 12:51 PM
Last Post: jaseela123
  underwater wireless communication full report project topics 19 36,484 16-07-2016 04:10 PM
Last Post: dhanabhagya
Star VOIP (Download Full Report And Abstract) computer science crazy 26 7,397,132 14-07-2016 04:27 PM
Last Post: anasek
  PROJECT REPORT ON SHADOWY LEAPING LIZARD seminar projects maker 4 1,181 23-05-2016 10:16 AM
Last Post: dhanabhagya
  xMax : Seminar Report and PPT seminar projects maker 2 502 17-05-2016 09:39 AM
Last Post: dhanabhagya
  Network Security And Firewalls ( Download Full Seminar Report ) computer science crazy 11 317,283 12-05-2016 09:51 AM
Last Post: dhanabhagya
  OBJECT TRACKING AND DETECTION full report project topics 10 14,969 09-05-2016 02:35 PM
Last Post: mkaasees
  ATM WITH AN EYE FULL REPORT study tips 1 2,160 11-04-2016 11:18 AM
Last Post: mkaasees
Photo voice morphing (Download Full Report And Abstract) computer science crazy 34 11,951,457 06-04-2016 03:24 PM
Last Post: dhanabhagya
  Seminar On 3D Internet ppt seminar post 1 943 06-04-2016 12:50 PM
Last Post: mkaasees
This Page May Contain What is ip spoofing seminar report And Latest Information/News About ip spoofing seminar report,If Not ...Use Search to get more info about ip spoofing seminar report Or Ask Here

Options: