How to prevent IP Spoofing Attacks
Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: How to prevent IP Spoofing Attacks

  1. #1
    Senior Member
    Join Date
    Nov 2002
    Posts
    393

    Thumbs up How to prevent IP Spoofing Attacks

    Here's a great link that i found related to IP spoofing.
    In my opinion, it doesnt point to negative things, it's written from a security point of view.
    I hope this information will be of help for other members.

    http://www.linuxgazette.com/issue63/sharma.html

    Measures to prevent IP Spoofing Attacks:
    * Avoid using the source address authentication. Implement cryptographic authentication systemwide.
    * Configuring your network to reject packets from the Net that claim to originate from a local address. This is most commonly done with a router.
    * If you allow outside connections from trusted hosts, enable encryption sessions at the router.
    \"I have a 386 Pentium.\"

  2. #2
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    I've seen some very good tutorial on that site about IP spoofing attacks.

    I think it's enough info to guess how hard such an attack is achievable.
    I do not think that admins use source address auth anymore (maybe back in the 90s)!
    My point is that I believe that IP spoofing is no more a real danger!

    ISP should have anti-spoofing policy even if ISP often don't give a **** of their customer security.
    But it is the only way to prevent syn DDoS originated from unaware windaube familly computers 24h connected through DSL.

    I hope that some of you guys are working for ISPs and may convince your co to invest on Firewall!!!
    [shadow] SHARING KNOWLEDGE[/shadow]

  3. #3
    Banned
    Join Date
    Dec 2002
    Posts
    394
    Thanks for in insight!!
    =============|
    info /
    sea.. rching \
    /
    =============|
    can't stop! won't stop! knowledge is tha fruit of Life!

  4. #4
    Senior Member
    Join Date
    Nov 2002
    Posts
    393
    Networker

    Im truly surprised at how you can be in the belief that IP spoofing is not a real danger, when in fact, the root of hackers begins with it. Tell me how did you begin to learn security, you'll know the answer. IP spoofing, is, in fact, the reason why people begin to download softwares that will provide access to a node through IP's. Take Netbus for example.
    \"I have a 386 Pentium.\"

  5. #5
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Hey invader,
    we are talking aboute THE ip spoofing attack (the blind one!), if you do not know what it is you should have a look on thread threadid=106034 posted by Jparker:

    You can't do it anymore.
    The problemw as fixed with later releases of the name server software. You also had to have root (super user) access to exec run the exploit code, and with all that, you ALSO had to be using a name server that had authoritative access AND control over the reverse resolution of thier domain names.
    The second most reliable method that people used to use was that of TCP Sequence number prediction. Every TCP connection makes a 3 way handshake when making the connection.
    First, a SYN(synchronous) packet is sent from your machine to the destination, requesting a connection. Second, a SYN/ACK(acknowledgment) packet is sent from that system to yours requesting a connection, and acknowledging your attempt at a connection. Last, your machine returns an ACK packet to complete the conneciton between the machines.
    The way this was exploited, was when a user, prior to attempting the connection, would scan the system and by the results of the scan, would know the sequence numbers that are used during a TCP connection. With this knowledge, a "spoofer" would then forge the source IP of the TCP SYN packet, and send it to the destination. Upon receipt of this forged packet, the destination would send it to the "fake" address. Thus you would think that the connection couldn't be established because it didn't receive that SYN/ACK packet, but, because of the prior scan, we could "guess" or predict what that packet's information was going to be, and thus, complete the connection on our own witht the "fake" address, even though we didn't get that SYN/ACK packet back and it's lost in space somewhere.
    So, basically, both of those methods are non-practiced because either they are no longer vulnerable, or measures have been taken to make them more difficult to obtain.
    So, hopefully that clears up a little of the misconception of *most people* CANNOT IP spoof anymore.
    [shadow] SHARING KNOWLEDGE[/shadow]

  6. #6
    Senior Member
    Join Date
    Nov 2002
    Posts
    393
    Originally posted here by Networker
    both of those methods are non-practiced because either they are no longer vulnerable, or measures have been taken to make them more difficult to obtain.
    In any case, i believe, that IP's are still being spoofed and can be spoofed, no big deal about that.
    Secondly, the last thing i want to do here is, get into a brawl if it's possible or not.
    I have seen people do it, yes, even now. Anyway, It's a difference of opinion, to say the least.
    \"I have a 386 Pentium.\"

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I think you'll find IP spoofing to be a nice little tool for a cracker - especially one who doesn't want to be found. Take the following scenario:-

    PC A: Win2k Server, IIS - shitty admin

    PC's B & C: Numbnuts DSL Users - No firewall

    PC D: Crackers PC

    So cracker is sat at PC D..... He already owns PC's B & C 'cos there was nothing to stop him. He want's PC A badly but he doesn't want to be caught. PC's B & C are Win95 and he has made sure no logging of anything is taking place. So.... Here he goes.....

    1: Install a packet sniffer on PC C.
    2: Send a web IIS dir request for C:\winnt\system32\cmd.exe from B to A with a source address of C.
    3: look at the result being returned to C - Bingo - read access - probably to the whole drive.
    4: Send a copy cmd.exe from B to the wwwroot dir of A with a source address of C.
    5: Check results on C - Bingo - write access.
    6: Move rootkit from D to C directly.
    7: Use B to Initiate FTP of Rootkit from C to A with a source address of C.
    8: Use B to install rootkit on A with a source address of C.
    9: Check C for results..... Positive - good - A is owned.....
    10: If you wanna be really paranoid - format B & C.

    All a little simplified but you get the gist......<s>

    So what would the forensic investigation turn up?

    Well, the IIS logs on A will show that C dir'ed for cmd.exe with a positive result, (200 code). Followed shortly after by a copy cmd from C giving another 200..... In short, every action logged came from C..... C was the source right? No.... C never made a single request of A. If we go to C.... We get the computer, unformatted.... No evidence of D's access to this PC at any time during the attack 'cos nothing is logged. There is no evidence that B or D actually exist.

    All done by spoofing the source address - The probability is high that he will never be caught.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #8
    Senior Member
    Join Date
    Nov 2002
    Posts
    393
    You got it, Tiger Shark, that's another way.
    I think that proves that spoofing is still a technique that is used, it not that widely.
    This is one method. There is another advanced method being used, my friend does it.
    HE doesnt tell me though.
    \"I have a 386 Pentium.\"

  9. #9
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    Asides from total user ignorance the ip spoof has gone the way of the dinosaur. It is still
    usefull however to do the "Idle Host Scan". More and more users are starting to use f/w's
    and a/v software. The day of the easy hack are by and large over.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Don: I couldn't disagree more.......

    The advent of the high speed, always online services and the automated viruses and malware have increased the number of "easy hacks" considerably. It used to be that people had to dial, and when they dialed they paid..... That was a strong incentive to only be on when necessary and as a side benefit each time they connected they got a different IP address. This was security by anonymity in many ways but it did work quite heavily against many kiddies because they weren't talented enough to keep track of a machine they cracked. Now it's easy - the tools can be automated and are more sophisticated and the targets are stationary to all intent and purpose.

    I run a network of 650 users and allow some outside access to certain users, (50 or so), and the policy, (put in place by me), is that the users who want to connect through a high speed, always on connection _must_ purchase a hardware firewall/router and bring it to me to be configured before I will allow any access. People connecting by dial up I recommend, (and tell them lots of scarey stories), Zonealarm. I also offer the high speed people the opportunity to bring their PC to me if they have been "always on" for some time before they request outside access to be completely reloaded...... I have yet to meet a single user that has even considered a firewall of any kind..... Not one!!!

    I guarantee you there are 25 "easy hacks" in those 50 users had I not forced them to purchase a firewall. From there look at my previous post - these "older" techniques are still equally as valid today as they were in the past - maybe not for DOS and such things - but they are still quite viable techniques in the crackers "toolkit".
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •