IP address spoofing

In computer networking, the term IP (Internet Protocol) address spoofing refers to the creation of IP packets with a forged (spoofed) source IP address with the purpose of concealing the identity of the sender or impersonating another computing system.

How spoofing works

The basic protocol for sending data over the Internet and many other computer networks is the Internet Protocol ("IP"). The header of each IP packet contains, among other things, the numerical source and destination address of the packet. The source address is normally the address that the packet was sent from. By forging the header so it contains a different address, an attacker can make it appear that the packet was sent by a different machine. The machine that receives spoofed packets will send its responses back to the forged source address, which means that this technique is mainly used when the attacker does not care about the response or has some way of guessing it.

In certain cases, it might be possible for the attacker to see or redirect the response to his own machine. The most usual case is when the attacker is spoofing an address on the same LAN or WAN.

Uses of spoofing

IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to his attack packets. Packets with spoofed addresses are thus suitable for such attacks. They have additional advantages for this purpose - they are more difficult to filter since each spoofed packet appears to come from a different address, and they hide the true source of the attack. Denial of service attacks that use spoofing typically randomly choose addresses from the entire IP address space, though more sophisticated spoofing mechanisms might avoid unroutable addresses or unused portions of the IP address space. The proliferation of large botnets makes spoofing less important in denial of service attacks, but attackers typically have spoofing available as a tool, if they want to use it, so defenses against denial-of-service attacks that rely on the validity of the source IP address in attack packets might have trouble with spoofed packets. Backscatter, a technique used to observe denial-of-service attack activity in the Internet, relies on attackers' use of IP spoofing for its effectiveness.

IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines. For example, it is common on some corporate networks to have internal systems trust each other, so that a user can log in without a username or password provided he is connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authenticating.

Services vulnerable to IP spoofing

Configurations and services that are vulnerable to IP spoofing:

* RPC (Remote Procedure Call services)
* Any service that uses IP address authentication
* The X Window system
* The R services suite (rlogin, rsh, etc.)

Defense against spoofing

Packet filtering is one defense against IP spoofing attacks. The gateway to a network usually performs ingress filtering, which is blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker spoofing the address of an internal machine. Ideally the gateway would also perform egress filtering on outgoing packets, which is blocking of packets from inside the network with a source address that is not inside. This prevents an attacker within the network performing filtering from launching IP spoofing attacks against external machines.
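The ingress and egress rules described above can be expressed as a decision on the source address field of each packet and the side of the gateway it arrived on. The following is an added example, not part of the original article; the internal prefix 192.0.2.0/24, the function names and the sample headers are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumption: the protected network is 192.0.2.0/24 (a documentation range).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


def build_header(src: str, dst: str) -> bytes:
    """Construct a minimal 20-byte IPv4 header as sample input (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def source_address(packet: bytes) -> ipaddress.IPv4Address:
    """Read the source address field (bytes 12-15) of a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if (packet[0] >> 4) != 4 or (packet[0] & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    return ipaddress.IPv4Address(packet[12:16])


def gateway_verdict(packet: bytes, arrived_on: str) -> str:
    """Apply ingress filtering to 'outside' traffic and egress filtering to 'inside' traffic."""
    claims_internal = source_address(packet) in INTERNAL_NET
    if arrived_on == "outside":
        # Ingress: an outside packet must not claim an internal source.
        return "drop" if claims_internal else "accept"
    if arrived_on == "inside":
        # Egress: an inside packet must carry an internal source.
        return "accept" if claims_internal else "drop"
    raise ValueError("arrived_on must be 'outside' or 'inside'")


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, arrival side).
    samples = [("192.0.2.10", "192.0.2.20", "outside"),
               ("198.51.100.7", "192.0.2.20", "outside"),
               ("192.0.2.10", "203.0.113.5", "inside"),
               ("203.0.113.5", "198.51.100.7", "inside")]
    for src, dst, side in samples:
        print(side, src, "->", dst, gateway_verdict(build_header(src, dst), side))
```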

It is also recommended to design network protocols and services so that they do not rely on the IP source address for authentication.

Upper layers

Some upper layer protocols provide their own defense against IP spoofing. For example, Transmission Control Protocol (TCP) uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection. Since the attacker normally can't see any reply packets, he has to guess the sequence number in order to hijack the connection. The poor implementation in many older operating systems and network devices, however, means that TCP sequence numbers can be predicted.
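RFC 1948, listed under See also, addresses sequence number prediction by computing the initial sequence number as a clock value plus a keyed hash of the connection's addresses and ports, so that values observed on one connection say nothing about another. The following is an added example, not part of the original article and not any operating system's code; it substitutes HMAC-SHA256 for the hash function, and the function names and sample addresses are assumptions.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Per-host secret chosen at boot; it must never be disclosed.
BOOT_SECRET = os.urandom(16)


def connection_offset(secret: bytes, laddr: str, lport: int,
                      raddr: str, rport: int) -> int:
    """Keyed 32-bit value F(local addr, local port, remote addr, remote port)."""
    msg = (ipaddress.ip_address(laddr).packed + struct.pack("!H", lport) +
           ipaddress.ip_address(raddr).packed + struct.pack("!H", rport))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def initial_sequence_number(secret: bytes, clock_us: int, laddr: str,
                            lport: int, raddr: str, rport: int) -> int:
    """ISN = M + F(...), where M is a timer that ticks every 4 microseconds."""
    m = (clock_us // 4) & 0xFFFFFFFF
    offset = connection_offset(secret, laddr, lport, raddr, rport)
    return (m + offset) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample: two connections to the same server at the same instant.
    now_us = 1_000_000
    a = initial_sequence_number(BOOT_SECRET, now_us, "192.0.2.20", 513,
                                "198.51.100.7", 40000)
    b = initial_sequence_number(BOOT_SECRET, now_us, "192.0.2.20", 513,
                                "198.51.100.7", 40001)
    print(f"ISN for port 40000: {a:#010x}")
    print(f"ISN for port 40001: {b:#010x}")
```

Within one connection tuple the value still advances with the clock, which keeps old duplicate segments from being mistaken for new ones; across tuples the offsets are unrelated unless the secret is known.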

Other definitions

The term "spoofing" is also sometimes used to refer to "header forgery", the insertion of false or misleading information in e-mail or netnews headers. Falsified headers are used to mislead the recipient, or network applications, as to the origin of a message. This is a common technique of spammers and sporgers, who wish to conceal the origin of their messages to avoid being tracked down. Less fraudulently, some netnews users place obviously false email addresses in their headers to avoid spam or other unwanted responses.

See also

* Router (includes a list of manufacturers)
* Network address translation
* Spoofed URL
* Reverse path forwarding
* RFC 1948, Defending Against Sequence Number Attacks, May 1996

External links

* IP Spoofing: An Introduction (http://www.securityfocus.com/infocus/1674)
* ANA Spoofer Project: State of IP Spoofing and Client Test (http://spoofer.csail.mit.edu/summary.php)


Wikimedia Foundation. 2010.
