Back in April 1989, Steve Bellovin of AT&T was one of the first people to identify IP spoofing as a real risk to all computer networks. Robert Morris, the creator of the well-known Internet Worm, had worked out how TCP generated its sequence numbers and crafted a forged TCP packet. This packet carried the destination address of the 'victim', and by means of this IP spoofing attack Morris was able to gain root access to the victim's system without a user name or password.
A common misconception is that IP spoofing can hide your IP address from everyone while you surf the net. This is not true at all. Forging the source IP address causes the responses to be misdirected, so you cannot establish a normal network connection. However, IP spoofing is an important part of many network attacks today, in which the attacker does not need to see any responses; this is known as blind spoofing.
Although the popularity of these attacks, or spoofs, has decreased with the decline of the services they exploited, spoofing can still be used and therefore needs to be addressed by every security administrator where possible.
Internet Protocol Spoofing
Internet Protocol (IP) is a network protocol that operates at the Network layer (Layer 3) of the OSI model. Because it is a connectionless model, it carries no information about transaction state; it is used simply to route packets across a network. In addition, there is no mechanism in place to make certain that a packet is correctly delivered to its destination.
Examining the IP header, it is easy to see that the first 12 bytes contain various data about the packet. The 8 bytes after that contain the source and destination IP addresses. Using one of numerous tools, an attacker can simply alter these addresses, particularly the source address field. It is vital to remember that each datagram is sent independently of all the others, owing to IP's stateless nature.
Transmission Control Protocol Spoofing
Transmission Control Protocol (TCP) belongs to Layer 4, the Transport layer, of the OSI model. Unlike IP, TCP uses a connection-oriented model. This means that the participants in a TCP session must first establish the connection. This is done with the three-way handshake (SYN, SYN/ACK, ACK), after which the two sides keep each other updated on progress by means of acknowledgement and sequence numbers. This connection ensures data reliability, given that the sender receives an acknowledgement from the recipient after each packet exchange.
A TCP header is quite different from an IP header. In the TCP packet, the first 12 bytes contain port and sequencing information. Much like the IP datagram, TCP packets can be altered using certain software. The source and destination ports usually depend on which network application is being used (for instance, HTTP on port 80). What matters for an understanding of spoofing are the sequence and acknowledgement numbers. The information in these fields ensures delivery by determining whether or not a packet needs to be sent again. The sequence number holds the position, in the data stream, of the first byte of the current packet. The acknowledgement number holds the next sequence number expected in the stream. In this way both ends confirm that the correct packets were received. Since TCP closely tracks transaction state, it is rather different from IP.
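To make the header layouts described above concrete, here is an added example (not code from the original article) that parses an IPv4 header and the TCP header that follows it from raw bytes, verifies the IPv4 header checksum, and pulls out exactly the fields the text discusses: the source and destination addresses at bytes 12 to 19 of the IP header, and the ports, sequence number and acknowledgement number in the first 12 bytes of the TCP header. The sample packet is constructed inline using documentation addresses (192.0.2.10 and 198.51.100.5); no traffic is sent or captured.

```python
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement of the one's-complement sum of 16-bit words.
    The caller passes the header with its checksum field set to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header and check its checksum."""
    if len(packet) < 20:
        raise ValueError("packet too short for an IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes (20 without options)
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    header = packet[:ihl]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # checksum field lives at bytes 10-11
    return {
        "version": version,
        "ihl": ihl,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,                  # 6 = TCP
        "src": ".".join(str(b) for b in src),   # bytes 12-15
        "dst": ".".join(str(b) for b in dst),   # bytes 16-19
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "payload": packet[ihl:],
    }


def parse_tcp(segment: bytes) -> dict:
    """Decode ports, sequence/acknowledgement numbers and flags from a TCP header."""
    if len(segment) < 20:
        raise ValueError("segment too short for a TCP header")
    sport, dport, seq, ack, offset_flags, window = struct.unpack("!HHIIHH", segment[:16])
    data_offset = (offset_flags >> 12) * 4  # header length in bytes
    flags = {name: bool(offset_flags & bit) for name, bit in FLAG_BITS.items()}
    return {
        "sport": sport, "dport": dport,
        "seq": seq,                          # first byte of this segment in the stream
        "ack": ack,                          # next sequence number expected from the peer
        "flags": flags, "window": window,
        "payload": segment[data_offset:],
    }


def build_sample_packet() -> bytes:
    """Constructed sample (assumption, not captured traffic): a TCP SYN from
    192.0.2.10:40000 to 198.51.100.5:80 with a valid IPv4 checksum."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x11223344, 0,
                      (5 << 12) | FLAG_BITS["SYN"], 65535, 0, 0)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                             64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    csum = ipv4_checksum(ip_no_csum)
    return ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:] + tcp


if __name__ == "__main__":
    pkt = build_sample_packet()
    ip = parse_ipv4(pkt)
    tcp = parse_tcp(ip["payload"])
    print(ip["src"], "->", ip["dst"], "checksum_ok:", ip["checksum_ok"])
    print("ports", tcp["sport"], "->", tcp["dport"], "seq", hex(tcp["seq"]), "flags", tcp["flags"])
```

Note that the IPv4 checksum only protects against accidental corruption: anyone who rewrites the source address simply recomputes it, which is why checksum validity says nothing about whether the source address is genuine.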
Types of Spoofing Attacks
Non-Blind Spoofing
This type of attack occurs when the attacker is on the same subnet as the target. The sequence and acknowledgement numbers can then be observed directly, eliminating the difficulty of calculating them accurately. The biggest risk of spoofing in this case is session hijacking. This is achieved by corrupting the data stream of an established connection and then re-establishing it, using the correct sequence and acknowledgement numbers, with the machine used for the attack. Using this technique an attacker can evade any authentication that took place when the connection was set up.
Blind Spoofing
This is a more complicated type of attack, as the sequence and acknowledgement numbers cannot be observed. To get around this, several packets are sent to the target machine in order to sample its sequence numbers. Although this is no longer the case, machines in the past used fairly simple techniques to generate sequence numbers, and it was easy to work out the exact formula by studying TCP sessions and their packets. Today most modern operating systems use random sequence number generation, making the numbers much harder to guess accurately. If the sequence number is found, however, data can be sent to the target machine. Some years ago many machines used host-based authentication services (for instance, rlogin). A correctly constructed attack could blindly add the necessary data to a system (for example, a new user account), giving full access to the intruder, who was pretending to be a trusted host.
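The difference between the old, formula-driven sequence number generators and modern randomised ones is what makes blind spoofing easy or hard. The following added example (not from the original article) is a small audit routine a defender can run over initial sequence numbers collected from one of their own hosts: it computes the increments between consecutive samples, handling 32-bit wrap-around, and classifies the generator as constant-increment, small-variance or random-like. The spread threshold is an assumption chosen for illustration, and the sample values are constructed.

```python
ISN_MODULUS = 1 << 32      # TCP sequence numbers are 32-bit and wrap around

# Assumption (not from the article): if every increment between consecutive
# ISNs falls within this spread, the next ISN is guessable with few attempts.
SMALL_SPREAD = 1 << 16


def isn_deltas(samples):
    """Increments between consecutive ISN samples, reduced modulo 2^32 so that a
    generator that wrapped past 0xFFFFFFFF is still seen as a steady increment."""
    return [(later - earlier) % ISN_MODULUS
            for earlier, later in zip(samples, samples[1:])]


def classify_isn(samples):
    """Classify how predictable a host's ISN generator looks from its samples.

    'constant-increment': every sample differs from the previous one by the same
                          amount (the style of generator the article says old
                          systems used; the next value is trivially computable).
    'small-variance':     increments vary, but only within SMALL_SPREAD.
    'random-like':        increments vary across a wide range.
    """
    if len(samples) < 3:
        raise ValueError("need at least three ISN samples to judge")
    deltas = isn_deltas(samples)
    if len(set(deltas)) == 1:
        return "constant-increment"
    if max(deltas) - min(deltas) < SMALL_SPREAD:
        return "small-variance"
    return "random-like"


# Constructed samples (assumption): three generator styles.
OLD_STYLE = [0x00010000, 0x00020000, 0x00030000, 0x00040000]   # +64K each time
WRAPPED   = [0xFFFF0000, 0x00000000, 0x00010000]                # same, across wrap
MODERN    = [0x8A3F1C22, 0x1D9E77B0, 0xC45B0E91, 0x3B2A9F04]   # random-looking


def audit_report():
    """Return the classification for each constructed sample set."""
    return {name: classify_isn(s)
            for name, s in (("old_style", OLD_STYLE), ("wrapped", WRAPPED), ("modern", MODERN))}


if __name__ == "__main__":
    for name, verdict in audit_report().items():
        print(f"{name}: {verdict}")
```

A host that comes back as constant-increment or small-variance should have its network stack updated or reconfigured; a random-like verdict on a handful of samples is only a coarse indication, not a proof of strong randomness.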
Man in the Middle Attack
Another type of spoofing, and a common form of security violation, is the man-in-the-middle attack. In this kind of attack a malicious party intercepts the communication between two legitimate parties. The malicious host then controls the flow of communication and can discard or modify the information sent by either legitimate party without the knowledge of the sender or the recipient. Using this attack, the malicious party can trick the legitimate parties into revealing confidential information by spoofing the identity of the original party, whom the recipient is most likely to trust.
Denial of Service Attack
IP spoofing is almost always used in what is probably the most difficult attack to defend against: the Denial of Service attack. Since the attackers are concerned mainly with consuming bandwidth and resources, they do not care about properly completing transactions and handshakes. Instead, they want to swamp the victim with as many packets as possible in the shortest possible time. To keep the attack going, they spoof the source IP address so that tracing and stopping the Denial of Service attack is as difficult as possible. If several malicious hosts all participate in the attack, each sending spoofed traffic, it is very difficult to block all the traffic quickly.
Defending Against Spoofing
There are a few measures that can help defend against IP spoofing attacks on your network, such as:
Filtering at the Router - A good place to start your spoofing defence is enforcing ingress and egress filtering on your routers. To block private IP addresses on the downstream interface you need to enforce an ACL, or Access Control List. In addition, a common spoofing technique for getting around firewalls is to claim an internal address as the source, so this interface should not accept packets whose source lies in your internal range. On your upstream interface you should block all source addresses outside your valid range, which helps prevent anyone on your network from sending spoofed traffic onto the Internet.
Encryption and Authentication - Enforcing authentication and encryption also reduces spoofing threats. Both features are included in IPv6, where they would eliminate current spoofing threats. Furthermore, you should get rid of every host-based authentication method, which are common among machines on the same subnet. Make sure the authentication methods you do keep are carried out over a secure, encrypted channel.
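The "Filtering at the Router" rules above can be expressed as a small decision function, given here as an added example (not configuration from the original article or from any particular router vendor). It models the two interfaces the text names: on the downstream interface it denies private (RFC 1918) and other bogon sources as well as any packet claiming a source inside the internal range, and on the upstream interface it permits only sources inside the internal range, so spoofed traffic cannot leave the network. The internal range (203.0.113.0/24) and the sample packets are constructed assumptions using documentation address space.

```python
import ipaddress

# Assumption: this network's own allocated address range (documentation space).
INTERNAL_RANGE = ipaddress.ip_network("203.0.113.0/24")

# Source ranges that can never legitimately arrive from the Internet.
BOGON_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918 private
    ipaddress.ip_network("127.0.0.0/8"),       # loopback
    ipaddress.ip_network("0.0.0.0/8"),         # "this" network
]


def filter_packet(interface: str, src: str) -> str:
    """Return 'permit' or 'deny' for a packet with source address src seen on
    the named interface, following the ingress/egress rules in the text."""
    addr = ipaddress.ip_address(src)
    if interface == "downstream":              # traffic arriving from the Internet
        if any(addr in net for net in BOGON_RANGES):
            return "deny"                      # private/bogon source from outside
        if addr in INTERNAL_RANGE:
            return "deny"                      # outsider claiming one of our addresses
        return "permit"
    if interface == "upstream":                # traffic leaving our network
        if addr not in INTERNAL_RANGE:
            return "deny"                      # egress filtering: only our range may leave
        return "permit"
    raise ValueError(f"unknown interface {interface!r}")


# Constructed sample packets (assumption): (interface, source address).
SAMPLE_PACKETS = [
    ("downstream", "10.1.2.3"),        # private source from the Internet
    ("downstream", "203.0.113.7"),     # our own range arriving from outside
    ("downstream", "198.51.100.9"),    # ordinary external source
    ("upstream", "203.0.113.7"),       # our host sending out
    ("upstream", "192.0.2.1"),         # spoofed source leaving our network
]


def apply_filter(packets):
    """Run the filter over a list of (interface, src) pairs; return the verdicts."""
    return [(iface, src, filter_packet(iface, src)) for iface, src in packets]


if __name__ == "__main__":
    for iface, src, verdict in apply_filter(SAMPLE_PACKETS):
        print(f"{iface:10} {src:16} {verdict}")
```

Egress filtering of this kind protects other people's networks more than your own, but it is what keeps your hosts from being usable as sources in the spoofed Denial of Service traffic described earlier.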