home   about us   solutions   support   writing   link land   discussion forum   feedback   contact us
TCP and IP Spoofing

A spoofing attack involves forging one's source address. It is the act of using one machine to impersonate another. Most of the applications and tools in UNIX rely on the source IP address authentication. Many developers have used the host based access controls to secure their networks. Source IP address is a unique identifier but not a reliable one. It can easily be spoofed.
To understand the spoofing process, First I will explain about the TCP and IP authentication process and then how an attacker can spoof you network.

TCP uses sequence numbers. When a virtual circuit establishes between two hosts , then TCP assigns each packet a number as an identifying index. Both hosts use this number for error checking and reporting.
Rik Farrow, in his article "Sequence Number Attacks", explains the sequence number system as follows:
"The sequence number is used to acknowledge receipt of data. at the beginning of a TCP connection, the client sends a TCP packet with an initial sequence number, but no acknowledgment. If there is a server application running at the other end of the connection, the server sends back a TCP packet with its own initial sequence number, and an acknowledgment; the initial number from the client's packet plus one. When the client system receives this packet, it must send back its own acknowledgment; the server's initial sequence number plus one."

Thus an attacker has two problems:
1) He must forge the source address.
2) He must maintain a sequence number with the target.

The second task is the most complicated task because when target sets the initial sequence number, the attacker must response with the correct response Once the attacker correctly guesses the sequence number, then he can synchronize with the target and establish a valid session.

Services vulnerable to IP Spoofing:
Configuration and services that are vulnerable to IP spoofing :

  • RPC(Remote Procedure Call services)
  • Any service that uses IP address authentication
  • The X Window system
  • The R services suite

TCP and IP spoofing Tools:
1) Mendax for Linux
Mendax is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.

2) spoofit.h
spoofit.h is a nicely commented library for including IP spoofing functionality into your programs.

3) ipspoof
ipspoof is a TCP and IP spoofing utility.

4) hunt
hunt is a sniffer which also offers many spoofing functions.


Measures to prevent IP Spoofing Attacks:

  • Avoid using the source address authentication. Implement cryptographic authentication systemwide.
  • Configuring your network to reject packets from the Net that claim to originate from a local address. This is most commonly done with a router.
  • If you allow outside connections from trusted hosts, enable encryption sessions at the router.

Conclusion:
Spoofing attacks are very dangerous and difficult to detect. They are becoming more an more popular now. The only way to prevent these attacks are to implement security measures like, encrypted authentication to secure your network.

 

This article is Copyright (c) 2000 by Kapil Sharma. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).

Written by: Kapil Sharma
Email:
Website: http://www.linux4biz.net
[Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux/Unix systems and Internet Security for more than 4 years. He is maintaining a web site http://www.linux4biz.net for providing free as well as commercial support for web, Linux and Unix solutions.]

[Back]

Web site maintained & supported by Copyright © Linux4biz.net, 2002-2003