IP Spoofing Attack and Defenses

IP Address: On the Internet, each computer system is identified by its IP address. The work we do on the Internet is associated with the IP address of the system we are using. We know that every request or response process on the Internet is done on packets. The basic protocol for information exchange over the Internet is TCP/IP.


TCP stands for Transmission Control Protocol and IP stands for Internet Protocol (IP). When we request a webpage or other resource from a server the request is sent in the form of a TCP/IP packet. This packet contains some information about the request, source and destination, along with the data being sent. The source and destination keeps the IP address of the sender and receiver.


What is IP spoofing: IP spoofing is the process of replacing the source IP address with a fake IP address from the IP packets to hide the real identity of the sender. The source address is the address of the computer that the packet was sent from. By changing the address in the packet an attacker can make it appear that the packet was sent by a different computer system.


See the above figure. Two computers, victim and partner, were communicating with each other. In the meantime, a sender (the attacker) also tries to communicate with the victim by forging the IP address and tries to fool the victim with the fake IP address of the partner. So the victim computer thinks that the packets came from the partner computer while we can see the original sender is the sender system which in this case is the attacker.

The term spoofing is also sometimes used to refer to header forgery because attacker forges the header of the packets with fake information.

This process is used to send fake mail, requests or other information with a fake IP address to mislead others about the information being sent. Hackers often use IP spoofing for sending spam mail and denial of service attacks. This protects the real identity of the hacker because the IP address sent with the packet belongs to someone else. When a machine replies to a spoofed packet, the response is sent back to the forged source address. So IP spoofing is used in an attack when the attacker does not care about the response.

How it works ?

Internet Protocol (IP) Packets

Internet Protocol is a network protocol operating at Layer 3 (network layer) of the OSI model. Each IP packet sent contains a header with the data. The header contains some information about the sender, receiver, and other things.

Fig. 2 IP Packets 

The header part contains additional information including the IP address of sender and receiver. The data part contains the data being sent.

  Figure 3: IP Header

We can see the structure of the IP header in Figure 2. It contains much useful information about the packet. We can see the fields for SOURCE IP ADDRESS and DESTINATION IP ADDRESS. Here the source IP address, the IP address of the sender’s machine, and the destination IP address is the IP address of the receiver’s machine.

Transmission Control Protocol (TCP):

TCP stands for the connection-oriented, reliable transport protocol in the TCP/IP suite. It uses 3-way handshaking (SYN-SYN/ACK-ACK) to establish the connection. In this protocol, reliability is provided by sequence numbers and acknowledgement. See the second and third row for sequence numbers and acknowledge number fields. TCP assigns sequence numbers to every segment and acknowledges all data segments received from the other end.
Figure 4: TCP Header

By forging the header of the packet, we can make a fake IP address appear in the source IP address part. 

Some tools used in IP spoofing


How to spoof IP address:

Here I am going to show IP spoofing with the help of NMap. Nmap is also known as Network Mapper. This tool is a free and open source (license) utility for network exploration or security auditing.


First of all you need to select the interfaces to spoof from. To do this, run the command

Nmap –iflist


Use the “–e” argument in the interface you have selected. The “–S” parameter can be used to specify the IP address that nmap will use as the source address. It can be our real IP address or we can spoof the IP address.

nmap -e eth0 -S 192.168.1.100 192.168.1.109
 

 In the above command, I have used the eth0 interface and spoofed a source IP of 192.168.1.10, while scanning 192.168.1.32.

Application of the attack: This attack is widely used in Denial of Service attacks. In denial of service attacks an attacker floods the victim with large amounts of traffic. In this example, an attacker does not care to receive the responses from sent packets. Using packets with spoofed addresses is an advantage for the attack as the attacker can send packets with many different spoofed addresses. This makes it hard to filter the packets, as they seem to come from different sources. Attackers use random sequences of IP addresses to send spoofed packets in the Denial of Service attack. This attack is impossible to filter on the systems which rely on the validity of the source IP address in attack packets.

IP spoofing is also an effective way to defeat the networks which use IP address-based authentication. This attack is easy to inflict on corporations which have internal systems that trust each others systems based on the IP address. By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authentication.

Attacks that are launched through IP spoofing


There are a few variations on the types of attacks that successfully employ IP spoofing. Although some are relatively dated, others are very pertinent to current security concerns.


Non-Blind Spoofing

Non-Blind Spoofing attacks work on those networks where the attacker and victim are on the same subnet. In this situation, the attacker can sniff the network packets to know the sequence and acknowledgement numbers being sent in the packets. The biggest threat of spoofing in this type of attack would be session hijacking. This can be done by corrupting the data stream of an established connection with a valid user, then re-establishing the connection based on the correct sequence and acknowledgement numbers with the attack machine. Here the attacker can easily bypass the authentication mechanisms because he has the correct sequence and acknowledgement numbers – and guessing these is the hardest part.


Blind Spoofing

This attack is complicated and difficult in comparison to the Non-Blind attack because the sequence and acknowledgement numbers cannot be sniffed. In order to get the correct sequence number and acknowledgement, the attacker will send several packets to the target machine, guessing sequence and acknowledgement numbers in order to sample sequence numbers. A few years back machines used formula based sequence number generators, so it was easy to generate the formula by analyzing just a few packets and TCP sessions. But nowadays these sequence numbers are generated randomly to make it unpredictable. After sending several packets there may be a possibility to guess the right sequence number. This attack takes a great deal of time and has a lesser probability of success.


Man-in-the-Middle Attack

The man-in-the-middle attack (MITM) is a common security violation that is formed by both types of spoofing we have discussed above. In this attack, an attacker intercepts a legitimate communication between two machines (server and client).Then, the attacker controls the flow of data. He can alter the information being exchanged by two machines without the knowledge of either the original sender or the recipient.


Denial of Service Attack

Denial of service is the main attack which uses IP spoofing and are the most difficult to defend against. In this attack the attacker only tries to consume the bandwidth and resource of a server. The attacker does not care about the response, so they need not worry about properly completing handshakes and transactions. In this attack an attacker only wishes to flood the victim’s machine with as many packets as possible in a short amount of time in order to make the victim’s machine inaccessible to valid users. The attacker uses random-source IP addresses to send packets to the target machine to make tracing and stopping the DoS as difficult as possible. Most of the servers use IP block mechanisms to prevent this type of flooding. Using random spoofed IP easily bypasses those security mechanisms.


Services vulnerable to IP spoofing

Configurations and services that are vulnerable to IP spoofing:

  • RPC (Remote Procedure Call services)
  • Any service that uses IP address authentication
  • The X Window System
  • The R services suite

Most popular tools used to modify packet headers:

Tools – For Windows

  • Engage Packet Builder – Scriptable packet builder for Windows
  • HPing – Command-line oriented TCP/IP packet assembler/analyzer
  • Nemesis – Command-line portable IP stack
  • PacketExcalibur – Graphical and scriptable network packet engine
  • Scapy – Interactive packet manipulation tool
  • Spoofer – IP Spoofing Tester
  • Colasoft Packet Builder – Tool for creating custom network packets
  • Colasoft Packet Player – Packet replay tool
  • NMap – Utility for network exploration and security auditing

Tools – For Linux

  • LSRscan – Loose Source Route Scanning Tool
  • Scapy – Interactive packet manipulation tool
  • Spoofer – IP Spoofing Tester
  • Yersina – Tool to exploit weaknesses’ in different network protocols
  • Sendip – Send completely arbitrary packets out over the network
  • HPing – Command-line TCP/IP packet assembler/analyzer
  • IRPAS – Internet-work Routing Protocol Attack Suite (File2Cable etc.)
  • LSRtunnel – Loose Source Route Tunneling Tool
  • Nemesis – Command-line portable IP stack
  • NMap – Utility for network exploration and security auditing
  • PacketExcalibur – Graphical and scrip table network packet engine

Defenses against IP Spoofing


There are a few precautions that can be taken to prevent IP Spoofing attacks on the network:


Filtering packets at the Router - Implementing ingress and egress filtering on your routers is the best defense against the IP spoofing attack. Ingress filtering is the process of blocking packets from outside the network with a source address inside the network. Egress filtering is the blocking of packets from inside the network with a source address that is not inside. You will also need to implement an ACL (access control list) that blocks private IP addresses on your downstream interface. On the upstream interface you should restrict source addresses outside of your valid range, which will prevent someone on your network from sending spoofed traffic to the Internet.


Encryption and Authentication - Implementing encryption and authentication will also reduce spoofing threats. Both of these features are included in IPv6, which will eliminate current spoofing threats. Host IP based authentication must not be used based on the IP address. It is recommended to design network protocols and services so that they do not rely on the IP source address for authentication.


Conclusion: IP spoofing is really easy because there are many tools available which allow users to edit packets and send packets from the IP. So performing IP spoofing is really simple, which leads to some big hacking operations. Although many servers have secure mechanisms to prevent spoofed packets, all those mechanisms are limited. Most of the networks still does not consider this attack. So their authentication based on IP address fails.
If we take a look at recent DOS attacks, most of the attackers are still untraceable because they have used IP spoofing to perform the attack and to prevent their real identity. So server administrators and network administrators must consider this attack while designing the security rules for their servers and networks. By considering some points, it’s easy to identify the forged packet with fake IP addresses.