
IP Spoofing

In document Hackers Beware pdf (Page 125-136)

When most analysts think of spoofing, they think of IP spoofing, where an attacker changes his IP address so that he appears to be someone else. The key to remember is that because an attacker is spoofing someone’s IP address, when the victim replies back to the address, it goes back to the spoofed address, not the attacker’s real address.

Figure 4.1 is an example of an attacker sending a packet with a spoofed IP address to John. John receives the packet but then replies to the IP address listed as the recipient and not the attacker’s address. Therefore, the attacker can send packets to a machine with a spoofed address but does not receive any packets back. This is referred to as a flying blind attack, or a one-way attack, because you only can send packets to the victim. You cannot receive any packets back.

Figure 4.1. Attacker sending a spoofed packet.

The attacker does not see any replies from the victim. Depending on where the attacker is located, if he inserts himself in the path between the victim’s machine and the machine whose address he is spoofing, he might be able to pull off the replies shown in Figure 4.2.

Figure 4.2. Attacker injecting himself in the path so that he can observe all traffic.

There are three basic flavors of IP spoofing attacks, as follows:

• Basic address change

• Use of source routing to intercept packets

• Exploitation of a trust relationship on UNIX machines

More active attacks, where you take over an existing session by spoofing an address, are covered in Chapter 5, “Session Hijacking.” Session hijacking is similar to IP spoofing but requires taking over an active session by knocking a machine offline. Therefore, it is covered in a separate chapter.

Basic Address Change

Because IP address spoofing involves changing one machine’s IP address to look like someone else’s, the most basic form of IP spoofing is to go into a network configuration and change the IP address. By doing that, all packets that are sent out have an IP address of the address the attacker wants to spoof. This is very low tech, because all replies go back to the address he is spoofing and not his machine. Also, because TCP requires a three-way handshake to get initialized, this cannot be completed, because the replies go back to a machine that knows nothing about the session, because its IP address was spoofed.

This has several limitations, but in terms of certain types of denial of service attacks, it only takes one packet to crash the machine. And spoofing the address makes it much harder to trace back to the attacker. With certain attacks, if a system receives an unexpected packet, it could still crash the system. Also, because UDP is connectionless, a single UDP packet could be sent to a victim system. For additional details on how TCP and the three-way handshake work, see Chapter 5.

To change the IP address on a Windows machine, an attacker would perform the following steps:

1. From the Start menu, select Settings, Control Panel.

2. Double-click the Network icon (see Figure 4.3).

Figure 4.3. Network information for a Windows 98 machine.

3. Select the TCP/IP protocol for the network card you are using, and the IP Address screen appears (see Figure 4.4).

Figure 4.4. TCP/IP properties for a Windows 98 machine.

The attacker enters the IP address he wants to spoof and reboots the machine. Now, any packets that are sent will have a spoofed source address.

On UNIX machines, an attacker uses the ifconfig command from a terminal window or runs Control Panel from X-Windows to change the IP information. By typing ifconfig, the following results appear, which display information on the network interfaces for the system:

eth0 Link encap:Ethernet HWaddr 00:50:8B:9A:4C:1B
     inet addr:10.10.50.60 Bcast:10.10.50.60 Mask:255.255.255.224
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:4129755 errors:0 dropped:0 overruns:0 frame:1
     TX packets:25087 errors:0 dropped:0 overruns:0 carrier:0
     collisions:1185 txqueuelen:100
     Interrupt:17 Base address:0x8000

lo   Link encap:Local Loopback
     inet addr:127.0.0.1 Mask:255.0.0.0
     UP LOOPBACK RUNNING MTU:3924 Metric:1
     RX packets:6588 errors:0 dropped:0 overruns:0 frame:0
     TX packets:6588 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:0

The following command changes the address:

ifconfig <interface> x.x.x.x

where <interface> is the name of the interface—for example, eth0. If the attacker uses Control Panel under X-windows, he gets similar screens to those that are shown for Windows.

To illustrate how basic IP spoofing works, let’s look at some sample sniffer data from a machine 208.246.68.46 attempting a connection:

11:17:09.145118 eth0 < 208.246.68.46.2231 > 208.246.68.48.ftp: R 1850475754:1850475754(0) win 0 (DF)
11:17:10.915599 eth0 < 208.246.68.46.2232 > 208.246.68.48.ftp: S 1850495970:1850495970(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
11:17:10.915633 eth0 > 208.246.68.48.ftp > 208.246.68.46.2232: S 352591502:352591502(0) ack 1850495971 win 32120 <mss 1460,nop,nop,sackOK> (DF)
11:17:10.915771 eth0 < 208.246.68.46.2232 > 208.246.68.48.ftp:
8760 (DF)
11:17:13.952415 eth0 > 208.246.68.48.ftp > 208.246.68.46.2232: P 1:97(96) ack 1 win 32120 (DF) [tos 0x10]
11:17:14.125905 eth0 < 208.246.68.46.2232 > 208.246.68.48.ftp: . 1:1(0) ack 97 win 8664 (DF)
11:17:14.530384 eth0 < 208.246.68.46.2232 > 208.246.68.48.ftp: R 1850495971:1850495971(0) win 0 (DF)

As you can see, the machine could perform a three-way handshake with the machine it is connecting to. The attacker then changes his address to spoof the connection. The new address is 218.246.68.46, and the following is the data he receives:

11:17:10.915599 eth0 < 218.246.68.46.2232 > 208.246.68.48.ftp: S 1850495970:1850495970(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
11:17:10.915633 eth0 > 208.246.68.48.ftp > 218.246.68.46.2232: S 352591502:352591502(0) ack 1850495971 win 32120 <mss 1460,nop,nop,sackOK> (DF)

Notice that, because the address is spoofed, when the target machine replies, the packet goes back to the IP address of the machine the attacker is spoofing. Because the machine is not expecting the packet, the connection is dropped. Just by changing the IP address, a machine cannot complete the three-way handshake and open a TCP connection.

Protection Against Address Changes

There are some steps a company can take to protect against this basic form of spoofing. It is important to note that you can protect your machines from being used to launch a spoofing attack, but there is little you can do to prevent an attacker from spoofing your address. Think about it this way: Is there any way for you to protect against an attacker spoofing your address on a letter he sends out? There is nothing you can do to prevent someone from mailing a letter to another party and writing in your return address instead of his. This is the same problem that occurs with spoofing.

To prevent an attacker from using a machine to launch a spoofing attack, first, limit who has access to configuration information on a machine. By doing this, you can stop an employee from performing spoofing. For example, with NT workstation, you can limit access so that a normal user is not allowed to make any changes to the network configuration.

To protect your company from being the victim of a basic IP spoofing attack, you can apply basic filters at your routers. Most routers have built-in spoofing filters. The most basic form of filter is to not allow any packets that are entering your network from the outside to have a source address from your internal network. For example, a packet that originates from inside your network and is going to an internal host never has to go outside your company’s network. Therefore, if a packet is coming from the Internet, claiming to originate from your internal network, you can have a high level of confidence that it is a spoofed packet and can be dropped. This type of filtering is referred to as ingress filtering and protects a company’s network from being the victim of a spoofing attack.

Egress filtering prevents someone from using a company’s computers to launch an attack against another site. To perform egress filtering, your router examines any packet leaving your network and makes sure that the source address is an address from your local network. If it is not, the packet should be dropped because this indicates that someone is using a spoofed address to launch an attack against another network. Any legitimate packet that is leaving your company’s network must have a source address, where the network portion matches your internal network.
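The ingress and egress rules just described, written out as an added example (not code from the book): the internal prefix 10.10.50.32/27, taken from the ifconfig output shown earlier, and the sample packets are constructed assumptions; the function returns a verdict and reason for each packet a border router would see.

```python
import ipaddress

# Assumed internal prefix for this example: the ifconfig output above shows a
# host at 10.10.50.60 with mask 255.255.255.224, i.e. the 10.10.50.32/27 block.
INTERNAL_NET = ipaddress.ip_network("10.10.50.32/27")


def filter_packet(direction, src, internal=INTERNAL_NET):
    """Decide whether a border router should pass one packet.

    direction: "in"  = arriving from the Internet (ingress filter)
               "out" = leaving toward the Internet (egress filter)
    Returns ("allow" | "drop", reason).
    """
    s = ipaddress.ip_address(src)
    if direction == "in":
        # Ingress: nothing arriving from outside may claim an inside source;
        # inside-to-inside traffic never leaves, so such a packet is spoofed.
        if s in internal:
            return "drop", "ingress: internal source address arriving from outside"
        return "allow", "ingress: external source"
    if direction == "out":
        # Egress: everything leaving must carry one of our own addresses;
        # anything else means an inside host is spoofing somebody else.
        if s not in internal:
            return "drop", "egress: non-local source address leaving the network"
        return "allow", "egress: local source"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample traffic: (direction, source, destination). The 2xx.246.68.x
# addresses are the ones that appear in the sniffer output above.
SAMPLE_PACKETS = [
    ("in",  "208.246.68.46", "10.10.50.60"),    # normal inbound connection
    ("in",  "10.10.50.40",   "10.10.50.60"),    # spoofed: claims to be inside
    ("out", "10.10.50.60",   "208.246.68.48"),  # normal outbound
    ("out", "218.246.68.46", "208.246.68.48"),  # spoofed: inside host using a foreign source
]


def apply_filters(packets):
    """Return (verdict, reason, src, dst) for each packet in the sample list."""
    return [filter_packet(d, s) + (s, dst) for d, s, dst in packets]


if __name__ == "__main__":
    for verdict, reason, src, dst in apply_filters(SAMPLE_PACKETS):
        print(f"{verdict:5} {src:>15} -> {dst:<15} {reason}")
```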

There are also packages like arpwatch that keep track of Ethernet/IP address pairings to reduce the likelihood of a spoofing attack. For additional information on arpwatch, go to http://www.appwatch.com/.

Source Routing

Remember that one of the big problems with spoofing is that the return traffic goes back to the spoofed address and the attacker never gets to see it. Flying blind is effective if you are really good or are launching a small attack. But for more advanced attacks, the attacker would like to see both sides of the conversation.

One way is for an attacker to inject himself into the path that the traffic would normally take, to get from the destination machine back to the source. This is very difficult because an attacker has to compromise a machine on the victim’s network, and there is no guarantee that the traffic will continue to go through the attacker’s machine. The Internet is dynamic in terms of how it routes. There are a lot of cases where traffic takes the same route through the Internet, but it is not guaranteed. It could change every day, every hour, or even every minute. There is a way to guarantee that a packet takes a set path through the Internet, and as a spoof, to make sure it goes through the attacker’s machine. You do this with source routing, which is built into the TCP/IP protocol suite. Source routing lets you specify the path a packet will take through the Internet. There are two types of source routing, as follows:

• Loose source routing (LSR). The sender specifies a list of IP addresses that the traffic or packet must go through, but it could also go through any other addresses that it needs to. In other words, you do not care about the exact path the packet takes through the network, as long as it goes through these addresses.

• Strict source routing (SSR). The sender specifies the exact path that the packet must take. If the exact path cannot be taken, the packet is dropped and an ICMP message is returned to the sender. In other words, you care about the exact path the packet must take, and if it cannot take this path for any reason, the packet is not sent.

You might wonder why source routing was put into the TCP specification in the first place. In the early days of the Internet, it was helpful from a troubleshooting standpoint, because you could specify which path a packet took through the network. Also, when new links are set up on a network, it is helpful to force certain packets through those links to make sure they are working properly before all traffic is sent across the link. This way, if there is a problem, it can be fixed without causing a disruption of service. Also, it can be helpful if you want to send traffic to make sure it does not go through a competitor’s router or a hostile router. For example, if one of your competitors owns an ISP, you might want to specify the exact route your proposals take through the network to make sure that your competitors cannot get a copy.

Some companies use source routing to test the redundancy of their networks. For some companies, high availability is very important. This means that if a device or connection on a network goes down, there are alternate ways for the traffic to get routed. The simplest way to do this is to have backup routers. A company has a primary router and a backup router, and the backup router only is used if the primary router goes down.

But how does a company know if the backup router is working properly? Ideally, there should be some way to test it beforehand, because waiting for the primary router to go down to see if the backup is working can be very risky. By utilizing source routing, the company can send test packets where it specifies that it wants the packet to go through the backup router. This way, the company can see if the backup system is configured correctly without taking down the primary system.

Source routing works by using a 39-byte source route option field in the IP header. Because source routing is put in the IP header, there is a limit to how many IP addresses can be specified. Because the option field for source routing is 39 bytes, and 3 bytes of that are overhead information, 36 bytes are left for the addresses. Each address uses 4 bytes. If you divide 36 by 4, you have room for 9 addresses—but it’s not that simple. Because the last address must be the destination address, it only leaves room for 8 addresses. As you can imagine, with the growth of the Internet, there are cases where the number of hops or IP addresses a packet goes through is more than 8. In these cases, only loose source routing can be used, because strict source routing would drop the packet if the exact path were not found. For an in-depth description of the IP and TCP protocols, please see TCP/IP Illustrated, Volume 1, by Richard Stevens and Gary Wright, published by Addison Wesley Longman.

Basically, source routing works by taking the first address from the list and making that the destination address. If strict source routing is specified, it must be the next hop; if it is not, it is dropped. Depending on how your firewall is configured, this can result in an ICMP Destination Unreachable message being generated. In most cases, if your firewall filter is set to Reject Only, an ICMP Destination Unreachable message is generated. If the firewall is configured to Deny, no message is generated and the packet is just dropped.

With loose source routing, it does not matter how many other hops a packet goes through before it gets to the address specified in the list. After it gets to the destination, it pulls the next address off the list and that becomes the destination. It then continues in that fashion until either the destination is found or the packet cannot be routed. It is important to note that if the sender specifies source routing to get to the destination, the destination machine automatically uses the same source routing to get back to the sender. This is why it is so dangerous: you might not know it is being used. You might reply to a packet, and if the sender used source routing, you will automatically be using source routing without knowing it.

To illustrate how source routing is used, we will look at the traceroute program that comes with both UNIX and Windows. Traceroute has the option to specify source routing when you use the program. On a UNIX machine, you use the -g option for loose source routing. The following is an example:

traceroute -g 10.10.10.5 10.35.50.10

On a Windows machine, you would use the -j option for loose source routing, as follows:

tracert -j 10.10.10.5 10.35.50.10

To show you how source routing modifies the route, the following is the traceroute output from doing an ordinary traceroute to

Tracing route to scone.donet.com [205.133.113.87]
over a maximum of 30 hops:

 1   5 ms    4 ms    2 ms  10.4.0.1
 2   5 ms    5 ms    4 ms  208.246.68.97
 3   7 ms    7 ms    7 ms  208.246.68.130
 4   9 ms   11 ms    7 ms  Loopback0.GW2.DCA1.ALTER.NET [137.39.2.154]
 5   7 ms    7 ms   15 ms  105.ATM2-0.XR1.DCA1.ALTER.NET [146.188.161.34]
 6  79 ms   14 ms   14 ms  195.ATM9-0-0.GW1.PIT1.ALTER.NET [146.188.162.73]
 7  67 ms  270 ms  234 ms  oarnet-gw.customer.ALTER.NET [157.130.39.10]
 8  45 ms   54 ms   45 ms  dlp1-atm2-0.dayton.oar.net [199.18.202.101]
 9  47 ms   50 ms   46 ms  donet2-atm3-0s1.dayton.oar.net [199.18.109.226]
10  49 ms   50 ms   50 ms  scone.donet.com [205.133.113.87]

Trace complete.

Next, I perform a traceroute using loose source routing with an IP address of 205.171.24.5, which means that I do not care what route the traceroute program uses as long as it goes through the specified IP address. The following is the command that is issued on a UNIX machine:

traceroute -g 205.171.24.5 www.newriders.com

The following is the output generated from running this command:

Tracing route to scone.donet.com [205.133.113.87]
over a maximum of 30 hops:

 1    2 ms    4 ms    3 ms  10.4.0.1
 2    7 ms    7 ms    9 ms  208.246.68.97
 3   11 ms   10 ms   11 ms  208.246.68.130
 4   27 ms  145 ms   64 ms  Loopback0.GW2.DCA1.ALTER.NET [137.39.2.154]
 5  728 ms   21 ms   25 ms  105.ATM2-0.XR1.DCA1.ALTER.NET [146.188.161.34]
 6   74 ms  106 ms   82 ms  295.ATM7-0.XR1.DCA8.ALTER.NET [146.188.163.14]
 7   33 ms   54 ms   43 ms  189.ATM7-0.BR1.DCA8.ALTER.NET [146.188.162.209]
 8  136 ms   60 ms  150 ms  wdc-brdr-03.inet.qwest.net [205.171.4.69]
 9  768 ms   14 ms   32 ms  wdc-core-03.inet.qwest.net [205.171.24.69]
10   69 ms  126 ms   81 ms  wdc-core-02.inet.qwest.net [205.171.24.5]
11  101 ms   47 ms  110 ms  wdc-core-01.inet.qwest.net [205.171.24.1]
12   93 ms   53 ms  131 ms  chi-core-02.inet.qwest.net [205.171.5.227]
13  202 ms   61 ms  119 ms  chi-core-01.inet.qwest.net [205.171.20.1]
14  104 ms  136 ms  156 ms  chi-edge-01.inet.qwest.net [205.171.20.10]
15     *       *       *    Request timed out.
16     *       *       *    Request timed out.
17     *       *       *    Request timed out.
18     *       *       *    Request timed out.
19  208.46.62.50 reports: Invalid source route specified.

Trace complete.

You can see that the input I provided altered the path that the program used. At step 8, the packet took a different path. I did this to make sure the packet went through the gateway that I specified. Also, notice that as dynamic as the Internet is, every path does not work. In this case, based on the IP address that I told it to go through, the packet could not find a path to the route. This is something to keep in mind with source routing: make sure that your packets can still find a valid path to their destination.

As you can see, source routing has tremendous benefits for spoofing. An attacker sends a packet to the destination with a spoofed address but specifies loose source routing and puts his IP address in the list. Then, when the recipient responds, the packet goes back to the spoofed address, but not before it goes through the attacker’s machine. The attacker is not flying blind because he can see both sides of the conversation.
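Because a reply to a source-routed packet reverses the route automatically, a defender wants to know whenever a source-routed packet crosses the border at all. The following is an added example, not code from the book: a parser for the IPv4 LSRR/SSRR option that enforces the 39-byte limit discussed above and splits the address list at the option's pointer byte into hops already visited and hops still ahead. The three sample headers are constructed for the example.

```python
import ipaddress

# IPv4 option type bytes: end-of-list, no-op, loose (131) and strict (137) source route.
OPT_EOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0x00, 0x01, 0x83, 0x89
MAX_ROUTE_OPT_LEN = 39  # 3 bytes of overhead plus at most 9 four-byte addresses


def parse_source_route(packet):
    """Walk the IPv4 options of one raw packet. Returns None when there is no
    LSRR/SSRR option, else a dict with the kind, the addresses already visited
    ("recorded") and those still ahead ("remaining"), split by the pointer byte."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    i = 20
    while i < ihl:
        t = packet[i]
        if t == OPT_EOL:
            break
        if t == OPT_NOP:
            i += 1
            continue
        ln = packet[i + 1] if i + 1 < ihl else 0
        if ln < 2 or i + ln > ihl:
            raise ValueError("option length exceeds header")
        if t in (OPT_LSRR, OPT_SSRR):
            if ln > MAX_ROUTE_OPT_LEN or (ln - 3) % 4:
                raise ValueError("malformed source route option")
            ptr = packet[i + 2]  # 1-based offset of the next address to use (starts at 4)
            data = packet[i + 3:i + ln]
            route = [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]
            used = max(0, min(len(route), (ptr - 4) // 4))  # entries a router already consumed
            return {"kind": "LSRR" if t == OPT_LSRR else "SSRR", "src": src, "dst": dst,
                    "recorded": route[:used], "remaining": route[used:]}
        i += ln
    return None


# Constructed sample headers (checksum left zero). PKT_LSRR is the page's
# "traceroute -g 10.10.10.5 10.35.50.10" as it leaves 208.246.68.46; PKT_SSRR is a
# strict route already forwarded once by 10.10.10.5 with 208.246.68.48 still ahead.
PKT_LSRR = bytes.fromhex("47 00 001c 0001 4000 40 06 0000 d0f6442e 0a0a0a05 83 07 04 0a23320a 00")
PKT_SSRR = bytes.fromhex("48 00 0020 0001 4000 40 06 0000 d0f6442e 0a23320a 89 0b 08 0a0a0a05 d0f64430 00")
PKT_PLAIN = bytes.fromhex("45 00 0014 0001 4000 40 06 0000 d0f6442e d0f64430")


def alerts(packets):
    """One log line per source-routed packet: the check a border device should make."""
    return [f"{r['kind']} {r['src']} -> {r['dst']} next hops {r['remaining']}"
            for r in map(parse_source_route, packets) if r]
```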

A couple of points are worth noting. First, you might want to specify
