
Thread: How to prevent IP Spoofing Attacks

  1. #1
    Senior Member
    Join Date
    Nov 2002
    Posts
    393

    How to prevent IP Spoofing Attacks

    Here's a great link that I found related to IP spoofing.
    In my opinion, it doesn't point to negative things; it's written from a security point of view.
    I hope this information will be of help for other members.

    http://www.linuxgazette.com/issue63/sharma.html

    Measures to prevent IP Spoofing Attacks:
    * Avoid using source address authentication. Implement cryptographic authentication system-wide.
    * Configure your network to reject packets from the Net that claim to originate from a local address. This is most commonly done with a router.
    * If you allow outside connections from trusted hosts, enable encrypted sessions at the router.
    "I have a 386 Pentium."

  2. #2
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    I've seen some very good tutorials on that site about IP spoofing attacks.

    I think it's enough info to guess how hard such an attack is to achieve.
    I do not think that admins use source address auth anymore (maybe back in the 90s)!
    My point is that I believe that IP spoofing is no longer a real danger!

    ISPs should have an anti-spoofing policy, even if ISPs often don't give a **** about their customers' security.
    But it is the only way to prevent SYN DDoS originating from unaware windaube family computers connected 24h through DSL.

    I hope that some of you guys are working for ISPs and may convince your co to invest on Firewall!!!
    SHARING KNOWLEDGE
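    The second bullet of post #1 (reject packets from the Net that claim a local source address) and the ISP anti-spoofing policy asked for in post #2 are the same idea applied at two edges: ingress filtering on what comes in, egress filtering on what goes out (the BCP 38 approach). The following is an added example, not code from either poster or from the Linux Gazette article; it simulates the decision a border router makes for each packet, using only the arrival interface and the claimed source address. The prefixes, the interface names "wan"/"lan" and the sample packets are constructed for the example.

```python
"""BCP 38 style anti-spoofing filter, simulated on constructed packets.

Ingress rule: a packet arriving from the Internet may not claim one of our
own (or a private/bogon) source address.
Egress rule: a packet leaving our network must carry one of our own
source addresses, so an infected internal host cannot SYN-flood others
under a forged name.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Assumed site addressing (constructed): two internal prefixes behind the router.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

# Sources that should never arrive from the Internet (private, loopback,
# link-local, multicast/reserved).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


@dataclass(frozen=True)
class Packet:
    iface: str   # "wan" = arrived from the Internet, "lan" = arrived from inside
    src: str
    dst: str


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'accept' or 'drop'."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan":
        # Ingress filtering: the Internet cannot legitimately deliver a packet
        # whose source is one of our own addresses.
        if _in_any(src, LOCAL_PREFIXES):
            return "drop", "ingress: source claims to be local"
        if _in_any(src, BOGON_PREFIXES):
            return "drop", "ingress: bogon/private source"
        return "accept", "ingress: external source"
    if pkt.iface == "lan":
        # Egress filtering: only our own prefixes may leave with our name on them.
        if not _in_any(src, LOCAL_PREFIXES):
            return "drop", "egress: source not in local prefixes"
        return "accept", "egress: local source"
    return "drop", "unknown interface"


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("wan", "203.0.113.7", "192.0.2.10"),    # normal inbound
    Packet("wan", "192.0.2.5", "192.0.2.10"),      # spoofed: claims to be local
    Packet("wan", "10.1.2.3", "192.0.2.10"),       # private source from outside
    Packet("lan", "192.0.2.10", "203.0.113.7"),    # normal outbound
    Packet("lan", "203.0.113.99", "203.0.113.7"),  # internal host forging a foreign source
]


def run(packets=SAMPLE_PACKETS):
    """Evaluate every packet; returns (src, iface, verdict, reason) rows."""
    return [(p.src, p.iface, *filter_packet(p)) for p in packets]


if __name__ == "__main__":
    for row in run():
        print(row)
```

    The egress rule is the one most sites forget; it protects other people's networks rather than your own, which is exactly why post #2 argues that ISPs have to enforce it.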

  3. #3
    Thanks for the insight!!
    =============|
    info /
    sea.. rching \
    /
    =============|
    can't stop! won't stop! knowledge is tha fruit of Life!

  4. #4
    Senior Member
    Join Date
    Nov 2002
    Posts
    393
    Networker

    I'm truly surprised at how you can be in the belief that IP spoofing is not a real danger, when in fact, the root of hackers begins with it. Tell me how you began to learn security, and you'll know the answer. IP spoofing is, in fact, the reason why people begin to download software that will provide access to a node through IPs. Take Netbus for example.
    "I have a 386 Pentium."

  5. #5
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Hey invader,
    we are talking about THE IP spoofing attack (the blind one!); if you do not know what it is you should have a look at thread threadid=106034 posted by Jparker:

    You can't do it anymore.
    The problem was fixed with later releases of the name server software. You also had to have root (super user) access to run the exploit code, and with all that, you ALSO had to be using a name server that had authoritative access AND control over the reverse resolution of their domain names.
    The second most reliable method that people used to use was that of TCP Sequence number prediction. Every TCP connection makes a 3 way handshake when making the connection.
    First, a SYN (synchronous) packet is sent from your machine to the destination, requesting a connection. Second, a SYN/ACK (acknowledgment) packet is sent from that system to yours requesting a connection, and acknowledging your attempt at a connection. Last, your machine returns an ACK packet to complete the connection between the machines.
    The way this was exploited was when a user, prior to attempting the connection, would scan the system and, by the results of the scan, would know the sequence numbers that are used during a TCP connection. With this knowledge, a "spoofer" would then forge the source IP of the TCP SYN packet, and send it to the destination. Upon receipt of this forged packet, the destination would send it to the "fake" address. Thus you would think that the connection couldn't be established because it didn't receive that SYN/ACK packet, but, because of the prior scan, we could "guess" or predict what that packet's information was going to be, and thus complete the connection on our own with the "fake" address, even though we didn't get that SYN/ACK packet back and it's lost in space somewhere.
    So, basically, both of those methods are non-practiced because either they are no longer vulnerable, or measures have been taken to make them more difficult to obtain.
    So, hopefully that clears up a little of the misconception of *most people* CANNOT IP spoof anymore.
    SHARING KNOWLEDGE
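    The quoted explanation above turns on one detail: the blind spoofer never sees the SYN/ACK, so the attack only works if the server's initial sequence number (ISN) can be extrapolated from earlier connections. The "measures taken" that retired the technique are randomised, per-connection ISNs (the RFC 6528 approach: a clock value plus a keyed hash of the connection 4-tuple). The following is an added example, not code from Jparker, Networker or any real TCP stack; it simulates the three-way handshake, then runs the same predictability check you would apply when reviewing an ISN generator's design, against a fixed-increment generator and a keyed one. The 128000 increment, the addresses and the `handshake`/`predictability_check` names are constructed for the example.

```python
"""TCP three-way handshake with two ISN generators, as a simulation.

No packets are sent; segments are plain dicts. The point is to show why
the server's ISN must not be extrapolatable from earlier connections.
"""
import hashlib
import os
import struct

MASK32 = 0xFFFFFFFF


class FixedIncrementISN:
    """Early-1990s style: the ISN grows by a constant per new connection
    (128000 is a constructed stand-in for the historical per-connection bump)."""
    def __init__(self, start=0):
        self.next = start

    def isn(self, local, remote):
        v = self.next & MASK32
        self.next = (self.next + 128000) & MASK32
        return v


class KeyedISN:
    """RFC 6528 style: ISN = clock + F(local, remote, secret), with F a
    truncated hash. A secret the observer does not hold is the whole point."""
    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(16)
        self.clock = 0  # stands in for the slowly advancing ISN timer

    def isn(self, local, remote):
        material = self.secret + repr((local, remote)).encode()
        f = struct.unpack(">I", hashlib.sha256(material).digest()[:4])[0]
        return (self.clock + f) & MASK32


def handshake(server_isn_gen, client, server, client_isn=1000):
    """Return (SYN, SYN/ACK, ACK). The ACK is valid only if the client
    knows the ISN carried in the SYN/ACK."""
    syn = {"src": client, "dst": server, "flags": "SYN", "seq": client_isn}
    s_isn = server_isn_gen.isn(server, client)
    synack = {"src": server, "dst": client, "flags": "SYN/ACK",
              "seq": s_isn, "ack": (client_isn + 1) & MASK32}
    ack = {"src": client, "dst": server, "flags": "ACK",
           "seq": (client_isn + 1) & MASK32, "ack": (s_isn + 1) & MASK32}
    return syn, synack, ack


def server_accepts(synack, ack):
    """The server completes the connection only if ACK acknowledges its ISN + 1."""
    return ack["ack"] == (synack["seq"] + 1) & MASK32


def predictability_check(gen_factory, probes=3):
    """Design review check: observe the server ISN on a few legitimate
    connections, extrapolate linearly, and see whether the next connection's
    ISN matches. True means the generator is predictable and must not ship."""
    gen = gen_factory()
    server = ("192.0.2.10", 80)
    seen = [handshake(gen, ("198.51.100.%d" % i, 40000 + i), server)[1]["seq"]
            for i in range(probes)]
    delta = (seen[-1] - seen[-2]) & MASK32
    guess = (seen[-1] + delta) & MASK32
    actual = handshake(gen, ("203.0.113.9", 51000), server)[1]["seq"]
    return guess == actual


if __name__ == "__main__":
    print("fixed increment predictable:", predictability_check(FixedIncrementISN))
    print("keyed ISN predictable:      ", predictability_check(KeyedISN))
```

    With the fixed-increment generator the extrapolated guess is exact, which is the situation the quoted post describes; with the keyed generator the guess is wrong except with probability about 2^-32 per attempt, so a blind spoofer cannot finish the handshake.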

  6. #6
    Senior Member
    Join Date
    Nov 2002
    Posts
    393
    Originally posted here by Networker
    both of those methods are non-practiced because either they are no longer vulnerable, or measures have been taken to make them more difficult to obtain.
    In any case, I believe that IPs are still being spoofed and can be spoofed, no big deal about that.
    Secondly, the last thing I want to do here is get into a brawl over whether it's possible or not.
    I have seen people do it, yes, even now. Anyway, it's a difference of opinion, to say the least.
    "I have a 386 Pentium."

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I think you'll find IP spoofing to be a nice little tool for a cracker - especially one who doesn't want to be found. Take the following scenario:-

    PC A: Win2k Server, IIS - shitty admin

    PC's B & C: Numbnuts DSL Users - No firewall

    PC D: Crackers PC

    So cracker is sat at PC D..... He already owns PC's B & C 'cos there was nothing to stop him. He wants PC A badly but he doesn't want to be caught. PC's B & C are Win95 and he has made sure no logging of anything is taking place. So.... Here he goes.....

    1: Install a packet sniffer on PC C.
    2: Send a web IIS dir request for C:\winnt\system32\cmd.exe from B to A with a source address of C.
    3: Look at the result being returned to C - Bingo - read access - probably to the whole drive.
    4: Send a copy cmd.exe from B to the wwwroot dir of A with a source address of C.
    5: Check results on C - Bingo - write access.
    6: Move rootkit from D to C directly.
    7: Use B to Initiate FTP of Rootkit from C to A with a source address of C.
    8: Use B to install rootkit on A with a source address of C.
    9: Check C for results..... Positive - good - A is owned.....
    10: If you wanna be really paranoid - format B & C.

    All a little simplified but you get the gist......

    So what would the forensic investigation turn up?

    Well, the IIS logs on A will show that C dir'ed for cmd.exe with a positive result, (200 code). Followed shortly after by a copy cmd from C giving another 200..... In short, every action logged came from C..... C was the source right? No.... C never made a single request of A. If we go to C.... We get the computer, unformatted.... No evidence of D's access to this PC at any time during the attack 'cos nothing is logged. There is no evidence that B or D actually exist.

    All done by spoofing the source address - The probability is high that he will never be caught.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Senior Member
    Join Date
    Nov 2002
    Posts
    393
    You got it, Tiger Shark, that's another way.
    I think that proves that spoofing is still a technique that is used, if not that widely.
    This is one method. There is another advanced method being used; my friend does it.
    He doesn't tell me though.
    "I have a 386 Pentium."

  9. #9
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    Aside from total user ignorance the IP spoof has gone the way of the dinosaur. It is still useful however to do the "Idle Host Scan". More and more users are starting to use f/w's and a/v software. The days of the easy hack are by and large over.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Don: I couldn't disagree more.......

    The advent of the high speed, always online services and the automated viruses and malware have increased the number of "easy hacks" considerably. It used to be that people had to dial, and when they dialed they paid..... That was a strong incentive to only be on when necessary and as a side benefit each time they connected they got a different IP address. This was security by anonymity in many ways but it did work quite heavily against many kiddies because they weren't talented enough to keep track of a machine they cracked. Now it's easy - the tools can be automated and are more sophisticated and the targets are stationary to all intents and purposes.

    I run a network of 650 users and allow some outside access to certain users, (50 or so), and the policy, (put in place by me), is that the users who want to connect through a high speed, always on connection _must_ purchase a hardware firewall/router and bring it to me to be configured before I will allow any access. People connecting by dial up I recommend, (and tell them lots of scary stories), Zonealarm. I also offer the high speed people the opportunity to bring their PC to me if they have been "always on" for some time before they request outside access to be completely reloaded...... I have yet to meet a single user that has even considered a firewall of any kind..... Not one!!!

    I guarantee you there are 25 "easy hacks" in those 50 users had I not forced them to purchase a firewall. From there look at my previous post - these "older" techniques are still equally as valid today as they were in the past - maybe not for DOS and such things - but they are still quite viable techniques in the crackers "toolkit".
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
