The IP Spoofing - Essay Example

The Internet, while being a very crucial part of everybody’s life in this day and age as it interconnects people from across the globe, also poses a lot of danger to its users. While being an indispensable tool of today, it suffers from problems that could dampen or compromise its performance. In this paper, we discuss IP spoofing, a topic briefly discussed by Carley, Chen, and Longstaff as a hurdle in solving distributed denial-of-service (DDOS) attacks because it hides the source of the attacks (108). DDOS and all other internet-based attacks are of primary concern especially to governments and businesses which use the internet in their services. Online banking, marketing, retailing, registration, voting, conferencing and all internet-based transactions actually will be greatly affected if these attacks are not solved or prevented. Businesses would suffer from losses financially and governments would all the more suffer from criticisms as to integrity. It is therefore seriously desired to have a secure connection by all means possible. One way of achieving this is to limit spoofing risks on our networks. We must first understand what spoofing is and how it is achieved before we can discuss its prevention. A spoof as we know it is a parody. We see lots of movies that spoof other movies. What these movie spoofs do is act like or copy the real thing but with twists. In the same vein, spoofing in the Web attempts to gain access to a system by posing as a legitimate user. The only difference is that the results of spoofing the Web is far from funny, it is dangerous. Web spoofing has actually been likened to a con game in which “the attacker sets up a false but convincing world around the victim… that could endanger the privacy of World Wide Web users and the integrity of their data” (Felten et al.). There are several classes of spoofing such as TCP spoofing, where “packets are sent with forged return addresses” (Felten et al.); DNS spoofing, where “the attacker forges information about which machine names correspond to which network addresses” (Felten et al.); and IP spoofing where the attacker changes the source address in the IP datagram header for “some kind of malicious intention and [anonymity]” (Ali). Carley, Chen and Longstaff mentioned only this last class of spoofing and for good reason since it is considered as “one of the most common forms of online camouflage” (Tanase). IP spoofing is spoofing done in the IP Layer of the TCP/IP suite. This layer “provides connectionless service for end systems to communicate across one or more networks” (Stallings 456). In the IP layer, a header of control information is appended to the TCP segment (the original message appended with TCP header) to form the IP datagram. This IP header includes 32-bit source and destination addresses, checksum field, Protocol field, ID, Flags, and Fragment Offset fields. Despite the presence of the checksum field which detects errors to avoid wrong delivery, “IP makes no effort to validate whether the source address in the packet generated by a node is actually the source address of the node… [Attackers can therefore] spoof the source address and the receiver will think the packet is coming from that spoofed address” (Ali). As already mentioned, IP spoofing is used in one of the most difficult attacks to combat – DDOS. Attackers are concerned with making available online sources scarce so they do not worry about completing handshakes and connection setup but rather “wish to flood the victim with as many packets as possible in a short amount of time” (Tanase). Where does IP spoofing come in making it difficult to prevent DDOS? To make the effectiveness of the attack longer, attackers spoof source IP addresses thereby making the tracing and stopping of the DDOS as difficult and slow as possible. What do these attackers get from spoofing that they need to stall it as long as they can? During whatever amount of time that the attack remains unknown and during the time that it is being traced, a number of damage could have been caused. During this time, all data is being exchanged through an unsecure connection. Naturally, surveillance and data tampering could have been performed by the attackers. While the victim is unaware, “the attacker can passively watch the traffic, recording which pages the victim visits and the contents of those pages. When the victim fills out a form, the entered data is transmitted to a Web server, so the attacker can record that too, along with the response sent back by the server” (Felten et al.). This poses a very big threat to businesses employing e-commerce such as Ebay and Paypal as transactions are performed by filling out forms online. While the attacker watches, he can fetch the important account details an unknowing victim enters. Thus, the numerous incidents of online theft which can even include identity theft. As if surveillance is not creepy enough; attackers are also free to alter any of the data exchanged among users of the Web and the Web. Felten et al. cites these examples: … If the victim is ordering a product on-line, the attacker can change the product number, the quantity, or the ship-to address. The attacker can also modify the data returned by a Web server, for example by inserting misleading or offensive material in order to trick the victim or to cause antagonism between the victim and the server. (Felten et al.) And thus the cases of extra or lost purchases which both translate to money loss, one an unplanned expenditure, and the other just plain lost without compensation. Exactly how does this changing the IP source address work? One trick, for these attackers really have a lot of tricks up their sleeves, is URL rewriting. From the term itself, the real URL of a certain website is rewritten such that instead being directed to the real server, the victim will be directed to the attacker’s server. This could go unnoticed by the victim because everything on this false website is the same as that of the real one. To borrow Felten et al.’s example, take the attacker’s server to be on the machine www.attacker.org. To rewrite a website’s URL, the attacker will append http://www.attacker.org at the beginning of the real URL. When visiting Ebay for example, http://www.ebay.com becomes http://www.attacker.org/http://www.ebay.com. Felten et al. explains what happens during a Web Spoofing attack that used URL rewriting after the victim enters his desired Website on the browser’s address bar: (1) The victim’s browser requests the page from the attacker’s server; (2) the attacker’s server requests the page from the real server; (3) the real server provides the page to the attacker’s server; (4) the attacker’s server rewrites the page; (5) the attacker’s server provides the rewritten version to the victim. Once the attacker’s server has fetched the real document needed to satisfy the request, the attacker rewrites all of the URLs in the document into the same special form by splicing http://www.attacker.org/ onto the front. Then the attacker’s server provides the rewritten page to the victim’s browser. Since all of the URLs in the rewritten page now point to www.attacker.org, if the victim follows a link on the new page, the page will again be fetched through the attacker’s server. The victim remains trapped in the attacker’s false Web, and can follow links forever without leaving it. (Felten et al.) Now that we have established how dangerous spoofing is, we turn our attention on how to prevent it. Some short term measures should be taken: 1. Disable JavaScript in your browser so the attacker will be unable to hide the evidence of the attack; 2. make sure your browser’s location line is always visible; [and] 3. pay attention to the URLs displayed on your browser’s location line, making sure they always point to the server you think you’re connected to. (Felten et al.) All of these solutions basically require the users to be vigilant when having transactions over the Internet, which is just about right. However, long term solutions must also be considered like router filtering and encryption and authentication: … ingress and egress filtering on border routers is a great place to start spoofing defense… implement an ACL (access control list) that blocks private IP addresses on downstream interface [which] should not accept addresses with your internal range as the source, as this is a common spoofing technique used to circumvent firewalls. On the upstream interface, restrict source addresses outside of your valid range, which will prevent someone on your network from sending spoofed traffic to the Internet. [Encryption and authentication] will eliminate current spoofing threats. Additionally, eliminate all host-based authentication measures, which are sometimes common for machines on the same subnet. Ensure that the proper authentication measures are in place and carried out over a secure (encrypted) channel. (Tanase) More than prevention, we also want to actually trace the origin of the spoofed packets. “Hop-by-hop traceback and logging of suspicious packets in routers are the two main methods for tracing the spoofed IP packets back to their source” (Ali). Once flood attack is detected at a node, it can inform the Internet Service Provider (ISP) so that the ISP can determine the source of the flood attacks by examining router to router until the actual source is reached or “the end of its administrative domain; for this case it can ask the ISP for the next domain to do the same thing” (Ali). Since routers can determine the IP addresses that should pass through it, at this level, it can determine suspicious packets already. It is apparent that the perfect solution against IP spoofing is still in the works. We know however how dangerous it is and the damage it can do. This understanding, paired with some simple preventive measures, and the use of routers to detect and trace spoofed packets can protect networks against unauthorized access, not letting those attackers win the “con game”. Works Cited Ali, Farha. Cisco. Cisco Systems. Web. 15 November 2009. Carley, Kathleen M., Li-Chiou Chen, and Thomas A. Longstaff. “The Provision of Defenses Against Internet-Based Attacks.” Class Reading. Felten, Edward W., et al. “Web Spoofing: An Internet Con Game.” PDF file. Stallings, William. Data and Computer Communications. New York: Macmillan Publishing Company, 1995. Print. Tanase, Matthew. SecurityFocus. Web. 15 November 2009. Read More