-: IP Spoofing :-
The term IP (Internet Protocol) address spoofing
refers to the creation of IP packets with a forged (spoofed) source
IP address with the purpose of concealing the identity of the sender
or impersonating another computing system.
Why it works ?
IP-Spoofing works because trusted services only rely on network address
based authentication. Since IP is easily duped, address forgery is
The main reason is security weakness in the TCP protocol known as
sequence number prediction.
How it works ?
To completely understand how ip spoofing can take place, one must
examine the structure of the TCP/IP protocol suite. A basic understanding
of these headers and network exchanges is crucial to the process.
Internet Protocol (IP) :
It is a network protocol operating at layer 3 (network) of the OSI
model. It is a connectionless model, meaning there is no information
regarding transaction state, which is used to route packets on a network.
Additionally, there is no method in place to ensure that a packet
is properly delivered to the destination.
Examining the IP header, we can see that the
first 12 bytes (or the top 3 rows of the header) contain various information
about the packet. The next 8 bytes (the next 2 rows), however, contains
the source and destination IP addresses. Using one of several tools,
an attacker can easily modify these addresses – specifically
the “source address” field.
Transmission Control Protocol (TCP) :
It is the connection-oriented, reliable transport protocol in the
TCP/IP suite. Connection-oriented simply means that the two hosts
participating in a discussion must first establish a connection via
the 3-way handshake (SYN-SYN/ACK-ACK). Reliability is provided by
data sequencing and acknowledgement. TCP assigns sequence numbers
to every segment and acknowledges any and all data segments recieved
from the other end.
As you can see above, the first 12 bytes of the
TCP packet, which contain port and sequencing information.
TCP sequence numbers can simply be thought of as 32-bit counters.
They range from 0 to 4,294,967,295. Every byte of data exchanged across
a TCP connection (along with certain flags) is sequenced. The sequence
number field in the TCP header will contain the sequence number of
the *first* byte of data in the TCP segment. The acknowledgement number
field in the TCP header holds the value of next *expected* sequence
number, and also acknowledges *all* data up through this ACK number
TCP packets can be manipulated using several packet crafting softwares
available on the internet.
IP-spoofing consists of several steps. First, the target host is choosen.
Next, a pattern of trust is discovered, along with a trusted host.
The trusted host is then disabled, and the target's TCP sequence numbers
are sampled. The trusted host is impersonated, the sequence numbers
guessed, and a connection attempt is made to a service that only requires
address-based authentication. If successful, the attacker executes
a simple command to leave a backdoor.
Spoofing can be implemented by different ways as given below -
Non-Blind Spoofing :- This type of attack takes place
when the attacker is on the same subnet as the victim. The sequence
and acknowledgement numbers can be sniffed, eliminating the potential
difficulty of calculating them accurately.
Blind Spoofing :- Here the sequence and acknowledgement
numbers are unreachable. In order to circumvent this, several packets
are sent to the target machine in order to sample sequence numbers.
Both types of spoofing are forms of a common security violation known
as a Man In The Middle Attack. In these attacks, a malicious party
intercepts a legitimate communication between two friendly parties.
The malicious host then controls the flow of communication and can
eliminate or alter the information sent by one of the original participants
without the knowledge of either the original sender or the recipient.
In this way, an attacker can fool a victim into disclosing confidential
information by “spoofing” the identity of the original
sender, who is presumably trusted by the recipient.
IP spoofing is almost always used in what is currently one of the
most difficult attacks to defend against – Denial of Service
attacks, or DoS.
1) Filtering at the Router :-
Implementing ingress and egress filtering on your border routers is
a great place to start your spoofing defense. You will need to implement
an ACL (access control list)
2) Encryption and Authentication :- Implementing
encryption and authentication will also reduce spoofing threats. Both
of these features are included in Ipv6, which will eliminate current
3) Initial Sequence Number Randomizing.