
The Spoofing of Internet Protocol Addresses - Essay Example


Extract of sample "The Spoofing of Internet Protocol Addresses"

Masking one's identity is a technique that criminals have long liked to use. This practice has spread into computer networks and systems. Thus, IP spoofing, one form of the various types of spoofing, has become a common way of online masquerade (Cole 2002). IP address spoofing, or simply IP spoofing, is a process that involves replacing the Internet Protocol (IP) address of a computer system sending IP packets with another system's IP address, either to conceal its identity or to mimic the other system. A malicious sender can therefore gain illegal access to a computer network or system by pretending to be someone who is trusted at the receiving end. This paper looks at IP spoofing through its history and concept, explaining how it is done, for what purpose, and how to protect networks against this form of attack.

History

The idea of IP spoofing remained theoretical until the 1980s, when scholars began to debate it. This started with Robert Morris's discovery of sequence prediction, a security hole in the TCP protocol, and his subsequent description of it in a paper published in 1985 (Bellovin 1989; Casey 2004; Gaffin 1995). Later, in 1988, his son, a graduate student at Cornell University, created and launched the “first internet worm”, which infected MIT systems “from his terminal in Ithaca” (Casey 2004; Salomon 2006; Zittrain 2009; White, Fisch & Pooch 1995). Morris verified the security hole with an experiment that involved predicting the TCP sequence number to create a sequence of TCP packets without the server's response (Bellovin 1989). His discovery was later elaborated further by Bellovin (1989) in his discussion titled “Security Problems in the TCP/IP Protocol Suite”, which pointed to design issues in the TCP/IP protocol. It is also noted that Kevin Mitnick’s 1994 attack on Tsutomu Shimomura's systems in San Diego employed the techniques of TCP sequence prediction and IP spoofing (Gaffin 1995).
However, although the popularity of spoofing attacks has declined owing to the decrease in services available for exploitation (Tanase 2003), IP spoofing is still a threat to networks and computer systems (Mason & Newcomb 2001) and should be a concern to administrators of computer security systems.

Technical Discussion

The flaws inherent in the design of the “TCP/IP protocol suite” (Bellovin 1989) make IP spoofing possible. It is important, therefore, to first get a glimpse of the TCP/IP structure in order to fully comprehend how spoofing attacks are perpetrated. An apparently simple concept allows networks and computers globally to share data and information through the internet. Before information or data is sent through the internet, it is first broken up into portions known as packets, which are then transmitted to the intended destination, where they are reassembled into the original form that a receiving computer in the network can view and use. This is made possible by two communication protocols, the Internet Protocol (IP) and the Transmission Control Protocol (TCP), which are commonly referred to as TCP/IP or the Internet Protocol suite.

Internet Protocol (IP)

IP is the main protocol in the Internet Protocol suite and has unique tasks. It is used to deliver protocol packets from a source to a destination by relying simply on the addresses in the packets. A packet has a header indicating the source and destination, and the data to be transmitted. IP therefore defines the addressing structures and the methods for encapsulating packets. Internet Protocol Version 4 (IPv4) is one such addressing structure. IPv4 was the first design and is still the most used protocol on the internet (Gralla 1998), while Internet Protocol Version 6 (IPv6) is an improvement on IPv4. The IP protocol functions at the network layer (layer 3) of the Open System Interconnection (OSI) model.
As is typical of “packet-switched networks” like the Internet (Gralla 1998), no circuit setup is required before a host conveys packets to a destination host, hence the reference to IP as a connectionless protocol. Furthermore, this model lacks both information on the state of the transaction that would allow routing of packets and a method to ensure proper delivery of packets. Further examination of an IP header shows that the first twelve bytes hold various information about the packet, while the subsequent eight bytes hold the IP addresses of the source and destination. These can be compromised by an attacker using various tools. Specifically, the source IP address can be modified (Bellovin 1989). Note that each packet (or datagram) is transmitted independently of the other packets because IP is stateless. IP operates together with the Transmission Control Protocol to transmit data across a packet-switched network.

Transmission Control Protocol (TCP)

The Transmission Control Protocol functions at the transport layer, which is at a higher level than the layer at which IP operates, and it is used only by the two endpoint systems, such as a web server and a web browser. This protocol employs a connection-based model, so participants in a TCP session have to start by creating a connection through the three-way handshake (SYN, SYN/ACK, ACK) before updating each other through acknowledgements and sequence numbers (Ivens 2003). As a result, reliability of data is ensured because the sender gets a confirmation from the recipient every time a packet is exchanged. The TCP header differs substantially from that of the Internet Protocol. The first twelve bytes of a Transmission Control Protocol packet contain information about sequencing and the ports. Like an IP packet, a TCP datagram is vulnerable to manipulation with software tools. Furthermore, the destination and source ports usually depend on the network software (that is, the application) being used.
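The header layout described above can be read directly off the wire. The following is an added example, not part of the original essay: it decodes the twelve-byte IPv4 prefix, the eight address bytes and the first twelve TCP bytes from a constructed packet that uses documentation addresses.

```python
import ipaddress
import struct

def ip_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_tcp(packet: bytes) -> dict:
    """Decode the header fields the essay discusses from one raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    # Bytes 0-11: version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum.
    ver_ihl, _, _, _, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    info = {
        # Bytes 12-19: source and destination, taken on trust from the sender.
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "ttl": ttl,
        # Detects corruption in transit only; it is not keyed, so it proves nothing about origin.
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
    }
    if proto == 6:  # TCP
        tcp = packet[ihl:ihl + 12]
        if len(tcp) < 12:
            raise ValueError("truncated TCP header")
        # First 12 TCP bytes: source port, destination port, sequence, acknowledgement.
        sport, dport, seq, ack = struct.unpack("!HHII", tcp)
        info.update(sport=sport, dport=dport, seq=seq, ack=ack)
    return info

def build_sample() -> bytes:
    """Constructed SYN segment between documentation addresses (not captured traffic)."""
    src, dst = ipaddress.IPv4Address("192.0.2.10"), ipaddress.IPv4Address("198.51.100.7")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0, src.packed, dst.packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 0x50, 0x02, 65535, 0, 0)
    return hdr + tcp

if __name__ == "__main__":
    print(parse_ipv4_tcp(build_sample()))
```

Nothing in these fields is authenticated: the receiver learns the source address only from what the sender wrote into bytes 12 to 15.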
For the purpose of understanding IP spoofing, it is important to take note of the acknowledgement and sequence numbers. The data held in these header fields guarantee the delivery of packets by establishing whether a datagram should be resent or not. The sequence number is related to the data stream, while the acknowledgement number holds the value of the sequence number that is expected next in the data stream. This association verifies on both endpoints that the correct datagrams were transmitted. Unlike in IP, the state of the transaction in TCP is strictly controlled.

Manipulation of protocol as the basis for spoofing attacks

The above highlights of the TCP/IP design indicate that it is possible to conceal a source address through manipulation of the IP header. Network attackers exploit this weakness of TCP/IP in a number of ways. Sequence number prediction in TCP allows session hijacking and impersonation of the source host. The implications of these manipulations are shown below in the discussion of the attacks.

The spoofing attacks

Attacks that depend on IP spoofing vary, and although some are behind the times, there are others that should be of concern to security administrators of modern systems. These spoofing attacks include non-blind spoofing, blind spoofing, the man-in-the-middle attack, and the denial of service attack (Casey 2004; Bellovin 1989; Tanase 2003; Linden 2007).

The non-blind spoofing attack happens when an attacker is on the same subnet as the victim. The attacker can thus obtain the victim's acknowledgement and sequence numbers using a “packet sniffer”, without performing difficult calculations (Linden 2007). In this case, a victim can suffer a session hijack. This is achieved by corrupting the data stream of an already established connection, after which the attacking host re-establishes the connection using the correct acknowledgement and sequence numbers.
The attacker can therefore sidestep the authentication procedures required to make a connection.

A more complicated attack involves blind spoofing. In blind spoofing, the acknowledgement and sequence numbers are unknown and inaccessible. In this case, attackers send several datagrams to a target host to sample the sequence numbers and thus obtain a starting point for calculating the sequence and acknowledgement numbers. This was easy in the past because computers used simple methods for sequence number generation, which made the numbers easy to guess and calculate. Today, most operating systems generate sequence numbers randomly, making it hard for attackers to predict them accurately.

These two types of spoofing attacks are variations of the common network and computer security risk referred to as a man-in-the-middle attack. These attacks are characterized by an attacker's attempts to intercept genuine communications between other parties in a network. The attacking host gains control of the communication, so that the attacker can alter or eliminate the information exchanged without the genuine sender or recipient knowing. Thus, an attacker can trick someone into disclosing classified information by spoofing the original genuine sender’s identity.

Another type of IP spoofing attack is known as a denial of service attack. This attack presents the greatest challenge to defend against (Linden 2007). In a denial of service attack, the attacker's aim is to consume “the bandwidth and other network resources”; therefore, the attacker has no concern for properly completing the transactions or the handshakes (Linden 2007). To do so, the attacker sends the recipient as many packets as possible, as swiftly as possible, to flood the recipient's system. The attacker prolongs this process by spoofing the source IP address so that tracking and halting the attack becomes difficult.
In fact, if several hosts are participating and sending spoofed traffic, it is very difficult to block the traffic quickly (Linden 2007). All these attacks, nonetheless, can be minimized in a network through various measures.

Protecting networks against spoofing attacks

Protecting networks against IP address spoofing attacks is difficult, but some measures might help in mitigation. These include filtering on the router, and authentication and encryption measures.

Employing egress and ingress filtering on the routers located at the network borders can be a good means of defence against spoofing. This method of defence involves the use of an access control list (ACL) to block anonymous IP addresses on the output interface. Moreover, the interface ought to reject incoming packets whose source addresses resemble those of the internal network, because such packets give spoofing attackers an opportunity to get round a firewall. On the other hand, if a source address on the upstream interface is outside the network’s legitimate range, it ought to be blocked to prevent the transmission of spoofed packets from the internal network to the internet.

An authentication and encryption approach can also help to minimize spoofing attacks. It is worth noting that Internet Protocol Version 6 (IPv6) has incorporated these features. Host-based IP address authentication should be avoided and replaced with cryptographic authentication. Moreover, encrypted sessions should be activated at the border routers.

Some confusion about IP spoofing

There are misconceptions about the occurrence of IP spoofing in modern systems. It is true that some IP spoofing attacks, such as session hijacking in systems based on host IP address authentication, are behind the times. Nonetheless, perpetrators still use IP spoofing to scan and probe networks, and denial of service attacks are still common (Linden 2007).
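The border-router filtering rules from the protection section above can be expressed as a small decision function. This is an added example, not part of the original essay; the internal range, the list of non-routable source ranges and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the site's legitimate internal range (a documentation prefix).
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]
# Assumption: sources that should never arrive from the internet side.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]

def in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)

def border_filter(direction: str, src: str) -> tuple:
    """Return (action, reason) for a packet crossing the border router."""
    addr = ipaddress.ip_address(src)
    internal = in_any(addr, INTERNAL)
    if direction == "ingress":
        # Ingress: an outside packet must not claim an inside source.
        if internal:
            return ("drop", "internal source arriving from outside")
        if in_any(addr, NON_ROUTABLE):
            return ("drop", "non-routable source arriving from outside")
        return ("permit", "external source")
    if direction == "egress":
        # Egress: only sources inside the legitimate range may leave.
        if not internal:
            return ("drop", "source outside the legitimate range")
        return ("permit", "internal source")
    raise ValueError(f"unknown direction: {direction!r}")

# Constructed sample records: (direction, claimed source address).
SAMPLE = [
    ("ingress", "203.0.113.9"),
    ("ingress", "192.0.2.44"),
    ("ingress", "10.1.2.3"),
    ("egress", "192.0.2.17"),
    ("egress", "198.51.100.23"),
]

def audit(records):
    """Apply the filter to every record and return the decisions."""
    return [(d, s) + border_filter(d, s) for d, s in records]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```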
Fortunately, and contrary to a common misconception, IP spoofing cannot “be used to hide IP addresses when using the Internet, chatting online, sending e-mail, and so forth” (Marcella & Menendez 2007). Falsifying the source IP address results in the responses being misdirected, so that a normal network connection cannot be established (Marcella & Menendez 2007). IP spoofing attackers therefore do not expect much in the way of responses.

Conclusion

This paper has explored IP spoofing and how it is used in network attacks. History shows that academic engagement in studying IP spoofing started with Robert Morris when he discovered sequence prediction and published a paper about it in 1985. Later, Bellovin pointed to the same TCP/IP weaknesses. Thus, TCP/IP, or the Internet Protocol suite, has weaknesses that allow its manipulation. For instance, the header information in IP can be modified, while sequence prediction in TCP is possible. Malicious network users have therefore used these weaknesses to launch attacks such as blind spoofing, non-blind spoofing, and denial of service attacks. These, however, can be mitigated through the use of filters at the routers as well as by employing authentication and encryption measures in a network. The paper also clarifies that IP spoofing is not used to hide IP addresses while using the internet; rather, it falsifies them and results in connections that are not normal.

References

Bellovin, S. M. (1989): Security Problems in the TCP/IP Protocol Suite, Computer Communication Review, vol. 19, no. 2, pp. .
Casey, E. (2004): Digital evidence and computer crime: forensic science, computers and the Internet, Academic Press, New York.
Cole, E. (2002): Hackers beware, Sams Publishing, New York.
Gaffin, A. (1995): Punish the real culprit, Network World, vol. 12, no. 9, p. 38.
Gralla, P. (1998): How the Internet works, Que Publishing, United States.
Ivens, K. (2003): Windows Server 2003: the complete reference, McGraw-Hill Professional, New York.
Linden, M. A. (2007): Testing Code Security, CRC Press, United Kingdom.
Marcella, A. J. & Menendez, D. (2007): Cyber forensics: a field manual for collecting, examining, and preserving evidence of computer crimes, CRC Press, United Kingdom.
Mason, A. G. & Newcomb, M. J. (2001): Cisco secure Internet security solutions, Cisco Press, United States.
Salomon, D. (2006): Foundations of computer security, Birkhäuser, Switzerland.
Shimomura, T. & Markoff, J. (1996): Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw-By the Man Who Did It, Hyperion, United States.
Tanase, M. (2003): IP Spoofing: An Introduction, retrieved on 15 October 2009 from http://www.securityfocus.com/infocus/1674
White, G. B., Fisch, E. A. & Pooch, U. (1995): Computer system and network security, CRC Press, United Kingdom.
Zittrain, J. (2009): The Future of the Internet--And How to Stop It, Jonathan Zittrain, United States.