IP Spoofing Attacks & Defenses. Tao Wan, Digital Security Group, School of Computer Science, Carleton University, Oct 30, 2003 (slide transcript)

1

Tao Wan, Digital Security Group

School of Computer Science, Carleton University

Oct 30, 2003

IP Spoofing Attacks & Defenses

2

Outline

Introduction
IP Spoofing Attacks
IP Spoofing Defenses
Concluding Remarks

3

Introduction

4

Protocol Stacks

(Figure: two stacks side by side.)
OSI Model, bottom to top: Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer, Presentation Layer, Application Layer.
Internet stack: 802.3, 802.11, others; IP; TCP, UDP; HTTP, SNMP.

5

Protocol Stacks

(Same figure: 802.3, 802.11, others; IP; TCP, UDP; HTTP, SNMP, with the IP layer highlighted.)

6

Data Transmissions

(Figure: hosts A and B, each with Application / TCP, UDP / IP / Data link, physical.)
On A, application data is wrapped in a TCP header and then in an IP header: IP header | TCP header | data. Between A and B the packet is forwarded by routing on the IP header alone; B's stack removes the IP header, then the TCP header, and hands the data to the application.

7

IP Header

8

TCP Header

9

Security Services

Entity Authentication: what you know, what you have, what you inherit

Integrity: message authentication

Confidentiality: encryption

10

IP Spoofing Attacks

11

IP Spoofing Attacks

IP Spoofing
DoS by Ping
TCP SYN Flooding
Session Hijacking

12

IP Spoofing

(Figure) A (10.10.10.1) sends an HTTP request for http://www.carleton.ca to www.carleton.ca (134.117.1.60).

Genuine packet:   Src_IP 10.10.10.1   dst_IP 134.117.1.60   Src_port Any (>1024)   dst_port 80
Spoofed packet:   Src_IP 11.11.11.1   dst_IP 134.117.1.60   Src_port Any (>1024)   dst_port 80

The only difference is the source address field; nothing in the packet shows which one really came from A.
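Added example, not part of the original slides: the two packets above serialised as real IPv4 and TCP headers (slides 7 and 8) with correct checksums, then decoded the way www.carleton.ca or a packet filter would see them. The addresses are the slide's; source port 40000, sequence number 0 and TTL 64 are constructed values. Nothing is sent on the wire. The point is that the spoofed packet is exactly as well-formed as the genuine one and differs only in the source field.

```python
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented.
    Run over a header that already carries a correct checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp_syn(src_ip, dst_ip, src_port, dst_port, seq=0, ttl=64) -> bytes:
    """IPv4 header followed by a TCP SYN header, both checksummed.
    The source address is whatever the caller passes in: nothing in IP or TCP checks it."""
    tcp_len = 20
    # version/IHL, TOS, total length, ID, flags/frag (DF), TTL, protocol, checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + tcp_len, 0, 0x4000, ttl, socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    # TCP checksum covers a pseudo-header built from the (possibly spoofed) IP addresses
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, tcp_len)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", inet_checksum(pseudo + tcp_hdr)) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the fields a receiver or filter sees and validate both checksums."""
    v_ihl, tos, total, ident, frag, ttl, proto, cksum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (v_ihl & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off, flags, win, tcksum, urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst), "ttl": ttl,
        "src_port": sport, "dst_port": dport, "syn": bool(flags & 0x02),
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,
    }


def differing_fields(pkt_a: bytes, pkt_b: bytes) -> list:
    """Which decoded fields distinguish two packets? For the slide's pair: only src_ip."""
    a, b = parse_ipv4_tcp(pkt_a), parse_ipv4_tcp(pkt_b)
    return sorted(k for k in a if a[k] != b[k])


if __name__ == "__main__":
    genuine = build_ipv4_tcp_syn("10.10.10.1", "134.117.1.60", 40000, 80)
    spoofed = build_ipv4_tcp_syn("11.11.11.1", "134.117.1.60", 40000, 80)
    print(parse_ipv4_tcp(spoofed))
    print("fields that differ:", differing_fields(genuine, spoofed))
```

Both packets decode cleanly and pass both checksum checks; the receiver's only evidence of origin is the 4 bytes at offset 12, which the sender chose.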

13

IP Spoofing Attacks: Smurf IP DoS

(Figure) Attacker A sends an ICMP Echo Request with Dest: 192.168.1.255 (the broadcast address of 192.168.1.0) and Source: V. Every host T1, T2, T3, ..., Tn on 192.168.1.0 answers with an ICMP Echo Reply (Source: Ti; Dest: V), so one spoofed request becomes n replies delivered to the victim V.

14

Mail Address Spoofing Attacks

Mail-bombs

(Figure, postal analogy) A sends a Catalog Request to Sears and to Canadian Tire, a Phonebook Request to Bell Canada, and Pizza orders to Boston Pizza, each with Return Addr: V. Everything ordered is delivered to V.

15

IP Spoofing Attacks: TCP 3 Way Handshake

A -> B: TCP SYN (B records the connection in its half-open buffer)
B -> A: TCP SYN+ACK
A -> B: TCP ACK (B moves the connection to the open buffer)

Half-open buffer has limited size
Half-open connection has a timer associated with it

16

IP Spoofing Attacks: TCP SYN Flooding (DDoS)

(Figure) A sends a stream of TCP SYNs to V with spoofed source addresses B, C, D, E, F, G, H, I, J. V answers each with a TCP SYN/ACK sent to the spoofed address, and no ACK ever comes back. V's half-open buffer (entries for A, B, C, D, E, ...) is full.
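Added example, not part of the talk: a small model of the half-open buffer from the handshake slide (fixed capacity, one timer per entry) under the flood drawn above. The attacker's sources 198.51.100.x, the client 10.10.10.1 and the numbers (capacity 128, timer 60 s, 10 spoofed SYNs per second, 120 s run) are constructed. The model shows why the spoofed, unreachable source is what makes the flood work: the SYN/ACK goes to nobody, so the slot is freed only by the timer, and a modest sustained rate keeps the buffer full.

```python
from collections import OrderedDict


class SynBacklog:
    """Model of a server's half-open connection table: limited size, one timer per entry."""

    def __init__(self, capacity: int, timeout: float):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = OrderedDict()   # (src_ip, src_port) -> time the entry expires
        self.dropped_syns = 0
        self.established = 0

    def _expire(self, now: float) -> None:
        for key, expiry in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def on_syn(self, now: float, src_ip: str, src_port: int) -> bool:
        """SYN arrives: reserve a slot and send SYN/ACK to whatever source the SYN claims.
        Returns False when the table is full and the SYN has to be dropped."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped_syns += 1
            return False
        self.half_open[(src_ip, src_port)] = now + self.timeout
        return True

    def on_ack(self, now: float, src_ip: str, src_port: int) -> bool:
        """Third packet: only a host that actually received the SYN/ACK can send it, so a
        spoofed, unreachable source never gets here and its slot is held until the timer fires."""
        self._expire(now)
        if self.half_open.pop((src_ip, src_port), None) is None:
            return False
        self.established += 1
        return True


def simulate_syn_flood(capacity=128, timeout=60, attack_rate=10, duration=120) -> dict:
    """One-second ticks. Each tick the attacker sends attack_rate SYNs from spoofed sources
    that will never answer, then a legitimate client (10.10.10.1) tries a full handshake."""
    backlog = SynBacklog(capacity, timeout)
    accepted = rejected = spoofed = 0
    for now in range(duration):
        for _ in range(attack_rate):
            spoofed += 1
            # constructed spoofed source; the SYN/ACK it provokes is answered by nobody
            backlog.on_syn(now, "198.51.100.%d" % (spoofed % 256), 1024 + spoofed)
        if backlog.on_syn(now, "10.10.10.1", 40000 + now) and backlog.on_ack(now, "10.10.10.1", 40000 + now):
            accepted += 1
        else:
            rejected += 1
    return {
        "legit_accepted": accepted,
        "legit_rejected": rejected,
        "spoofed_syns_dropped": backlog.dropped_syns,
        # the table stays full once the attacker sustains capacity / timeout SYNs per second
        "rate_to_keep_full": capacity / timeout,
    }


if __name__ == "__main__":
    print(simulate_syn_flood())
    print(simulate_syn_flood(attack_rate=2))
```

With the defaults the client gets through only for the first 12 seconds; once 128 entries are held, every expiring slot is refilled by a fresh spoofed SYN. At 2 SYNs per second (below 128/60 per second) the table never fills and the client is never refused.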

17

IP Spoofing Defenses

18

IP Spoofing Defenses

It is a VERY hard problem
Ingress/Egress Filtering
IP Authentication (IPsec AH)
Cryptographic Generated Address (CGA)

19

IP Spoofing Defenses: Ingress/Egress Filtering

(Figure) Internet - Router - Firewall - IDS - B. The firewall fronts subnet 10.10.10.0; the router fronts the site's block 10.10.0.0.

Firewall, outbound (egress):  if src_addr is from 10.10.10.0 then forward else drop
Router, outbound (egress):    if src_addr is from 10.10.0.0 then forward else drop
Router, inbound (ingress):    if src_addr is from 10.10.0.0 then drop else forward
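Added example, not from the slides: the three rules above applied to constructed traffic. The slide gives no prefix lengths, so /24 for 10.10.10.0 and /16 for 10.10.0.0 are assumptions, and the sample packets are made up. The run also shows the limit of the technique: a LAN host that spoofs a neighbour's address on the same subnet passes both egress filters, so filtering narrows the spoofable range to the filter's granularity rather than removing it, and it only protects others if the source networks deploy it.

```python
import ipaddress

# Blocks from the slide; the prefix lengths are assumed (the slide gives none).
INSIDE_LAN = ipaddress.ip_network("10.10.10.0/24")   # LAN behind the firewall
SITE = ipaddress.ip_network("10.10.0.0/16")          # whole site behind the border router


def firewall_egress(src_ip: str) -> str:
    """Firewall, LAN -> site: if src_addr is from 10.10.10.0 then forward else drop."""
    return "forward" if ipaddress.ip_address(src_ip) in INSIDE_LAN else "drop"


def router_egress(src_ip: str) -> str:
    """Border router, site -> Internet: if src_addr is from 10.10.0.0 then forward else drop."""
    return "forward" if ipaddress.ip_address(src_ip) in SITE else "drop"


def router_ingress(src_ip: str) -> str:
    """Border router, Internet -> site: if src_addr is from 10.10.0.0 then drop else forward.
    A packet arriving from outside can never legitimately carry one of our own addresses."""
    return "drop" if ipaddress.ip_address(src_ip) in SITE else "forward"


def trace(direction: str, src_ip: str) -> str:
    """Run a packet through the hops it crosses; returns the hop that drops it, or 'delivered'."""
    if direction == "outbound":
        hops = (("firewall egress", firewall_egress), ("router egress", router_egress))
    elif direction == "inbound":
        hops = (("router ingress", router_ingress),)
    else:
        raise ValueError("unknown direction: %s" % direction)
    for name, rule in hops:
        if rule(src_ip) == "drop":
            return "dropped at " + name
    return "delivered"


# Constructed sample traffic: (direction, claimed source address, who really sent it)
SAMPLE = [
    ("outbound", "10.10.10.1", "LAN host using its own address"),
    ("outbound", "11.11.11.1", "LAN host spoofing an outside address (slide 12)"),
    ("outbound", "10.10.20.7", "LAN host spoofing another subnet of the site"),
    ("outbound", "10.10.10.99", "LAN host spoofing a neighbour on the same LAN"),
    ("inbound", "10.10.10.1", "Internet host spoofing one of our addresses"),
    ("inbound", "134.117.1.60", "ordinary Internet host"),
]


def run_sample() -> dict:
    """Verdict per (direction, source) for the constructed traffic above."""
    return {(d, s): trace(d, s) for d, s, _ in SAMPLE}


if __name__ == "__main__":
    for (d, s, who), verdict in zip(SAMPLE, run_sample().values()):
        print("%-8s %-14s %-48s %s" % (d, s, who, verdict))
```

Note the fourth case: 10.10.10.99 is inside the firewall's allowed block, so the spoof is delivered. Filtering at the LAN edge bounds a spoofer to its own subnet; it does not identify the real host.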

20

IP Spoofing Defenses: IPSec (???)

Two Protocols: Authentication Header (AH), Encapsulating Security Payload (ESP)

Two Modes: Transport Mode, Tunnel Mode

21

IP Spoofing Defenses: IP Authentication Header (AH)

Original IP Packet:  IP Header | Payload
New IP Packet:       IP Header | AH Header | Payload

AH in Transport Mode

22

IP Spoofing Defenses: IP Authentication Header (AH)

Original IP Packet:  IP Header | Payload
New IP Packet:       New IP Header | AH Header | [IP Header | Payload]   (the original packet becomes the New Payload)

AH in Tunnel Mode

23

IP Spoofing Defenses: IPSec (???)

Data Origin Authentication: the IP address is not modified en route, but is it a real or a spoofed IP??

Message Integrity
Replay Prevention
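Added example, not from the slides: an AH transport-mode sender and receiver written to answer the question on this slide. The ICV is HMAC-SHA1-96 (RFC 2404) over the immutable IPv4 fields, the AH header and the payload, with the mutable fields zeroed as RFC 2402 requires. The key, SPI, addresses and payload are constructed, and the IP header checksum is left zero since it is excluded from the ICV anyway. The run shows what AH gives (a source rewritten en route breaks the ICV, a replayed copy is refused, a TTL decrement is harmless) and what it does not: whoever holds the SA key can put 11.11.11.1 in the source field and the ICV verifies, so AH authenticates the key holder, not the address.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51        # IP protocol number for AH
ICV_LEN = 12         # HMAC-SHA1-96: the HMAC output is truncated to 96 bits
AH_FIXED_LEN = 12    # Next Header, Payload Len, Reserved, SPI, Sequence Number
KEY = b"constructed demo key shared by the two SA endpoints"   # assumption, not a real SA key


def zero_mutable_ipv4(ip_hdr: bytes) -> bytes:
    """Routers legitimately rewrite TOS, flags/fragment offset, TTL and the header checksum,
    so the ICV is computed with those bytes set to zero."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over immutable IP fields, the AH header (ICV field zeroed) and the payload."""
    covered = zero_mutable_ipv4(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport_encapsulate(key, src_ip, dst_ip, next_proto, payload, spi, seq, ttl=64) -> bytes:
    """Transport mode: IP Header | AH Header | Payload."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    # header checksum left zero: mutable, not covered by the ICV, recomputed by a real stack
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, AH_PROTO, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    payload_len_field = (AH_FIXED_LEN + ICV_LEN) // 4 - 2    # AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_proto, payload_len_field, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


class AhReceiver:
    """Verifies the ICV and rejects replayed sequence numbers for one inbound SA."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.highest_seq = 0   # RFC 2402 uses a sliding window; strictly increasing is the simplest form

    def receive(self, pkt: bytes) -> dict:
        ip_hdr, rest = pkt[:20], pkt[20:]
        _next_proto, plen, _, spi, seq = struct.unpack("!BBHII", rest[:AH_FIXED_LEN])
        ah_len = (plen + 2) * 4
        icv, payload = rest[AH_FIXED_LEN:ah_len], rest[ah_len:]
        src = socket.inet_ntoa(ip_hdr[12:16])
        if spi != self.spi:
            return {"src": src, "accepted": False, "reason": "unknown SPI"}
        if not hmac.compare_digest(icv, ah_icv(self.key, ip_hdr, rest[:AH_FIXED_LEN], payload)):
            return {"src": src, "accepted": False, "reason": "bad ICV"}
        if seq <= self.highest_seq:
            return {"src": src, "accepted": False, "reason": "replay"}
        self.highest_seq = seq
        return {"src": src, "accepted": True, "reason": "ok", "payload": payload}


def demo() -> dict:
    """Constructed scenario: what AH proves about the source address, and what it does not."""
    rx = AhReceiver(KEY, spi=0x100)
    genuine = ah_transport_encapsulate(KEY, "10.10.10.1", "134.117.1.60", 6, b"GET / HTTP/1.0\r\n", 0x100, 1)
    aged = bytearray(genuine)
    aged[8] -= 1                                            # TTL decremented by a router en route
    rewritten = bytearray(genuine)
    rewritten[12:16] = socket.inet_aton("11.11.11.1")       # source address changed en route
    # the key holder itself chooses a source address it does not own
    keyholder_spoof = ah_transport_encapsulate(KEY, "11.11.11.1", "134.117.1.60", 6, b"GET / HTTP/1.0\r\n", 0x100, 2)
    return {
        "ttl_changed_en_route": rx.receive(bytes(aged))["accepted"],
        "replayed_copy": rx.receive(genuine)["reason"],
        "source_changed_en_route": rx.receive(bytes(rewritten))["reason"],
        "key_holder_chose_any_source": rx.receive(keyholder_spoof)["accepted"],
    }


if __name__ == "__main__":
    print(demo())
```

The last entry is the slide's point: the receiver learns that the packet came from the holder of the SA key, and that nobody changed the source field in transit. Whether 11.11.11.1 is that holder's real address is something AH never checks.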

24

IP Spoofing Defenses: Cryptographic Generated Address (CGA), IPv6

(Figure) 128-bit IPv6 addr = 64-bit Routing prefix || 64-bit interface identifier, where the interface identifier = MD5(Routing prefix, Public Key, Nonce). The Public Key, Nonce and a Digital Signature are sent within the IPv6 hdr.

25

IP Spoofing Defenses: Cryptographic Generated Address (CGA), IPv6

How about IPv4?
Does everyone have a pair of private/public keys (authenticated)?
DoS by engaging a recipient in an endless process of verifying CGAs
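Added example, not from the slides: CGA generation and checking as drawn on the previous slide, plus the verification-DoS point from this one. The prefix 2001:db8::/64, the random byte strings standing in for encoded public keys and the signature stand-in are constructed; the hash is MD5 to match the slide (RFC 3972 specifies SHA-1 and fixes a few bits of the result). The receiver does the cheap hash check before the expensive signature check, but the run shows that ordering cannot save it: an attacker can mint a fresh, self-consistent CGA for every packet at the cost of one hash, and each one forces a signature verification.

```python
import hashlib
import hmac
import ipaddress
import os


def cga_interface_id(prefix: bytes, public_key: bytes, nonce: bytes) -> bytes:
    """64-bit interface identifier = hash(routing prefix || public key || nonce), as on the slide.
    MD5 is used here because the slide names it; RFC 3972 uses SHA-1."""
    return hashlib.md5(prefix + public_key + nonce).digest()[:8]


def cga_generate(prefix: ipaddress.IPv6Network, public_key: bytes, nonce: bytes = None):
    """Owner side: 128-bit address = 64-bit routing prefix || 64-bit interface identifier."""
    nonce = nonce if nonce is not None else os.urandom(16)
    pfx = prefix.network_address.packed[:8]
    return ipaddress.IPv6Address(pfx + cga_interface_id(pfx, public_key, nonce)), nonce


def cga_check(addr: ipaddress.IPv6Address, public_key: bytes, nonce: bytes) -> bool:
    """Cheap check: is the claimed address really derived from the parameters in the packet?"""
    pfx = addr.packed[:8]
    return hmac.compare_digest(addr.packed[8:], cga_interface_id(pfx, public_key, nonce))


class CgaReceiver:
    """verify_signature(public_key, message, signature) -> bool is supplied by the caller
    (RSA in RFC 3972/SEND). It is the expensive step, so it runs only after the hash check,
    and the receiver counts how often a peer makes it run."""

    def __init__(self, verify_signature):
        self.verify_signature = verify_signature
        self.signature_checks = 0

    def receive(self, src: ipaddress.IPv6Address, public_key, nonce, message, signature) -> str:
        if not cga_check(src, public_key, nonce):
            return "rejected: address not derived from key"    # no signature work spent
        self.signature_checks += 1
        if not self.verify_signature(public_key, message, signature):
            return "rejected: bad signature"
        return "accepted"


def demo() -> dict:
    """Constructed scenario. Random bytes stand in for encoded public keys; the signature
    verifier is a stand-in that accepts exactly the byte string b'valid'."""
    prefix = ipaddress.IPv6Network("2001:db8::/64")      # documentation prefix, an assumption
    owner_key = os.urandom(64)
    addr, nonce = cga_generate(prefix, owner_key, b"\x00" * 16)
    rx = CgaReceiver(lambda pk, msg, sig: sig == b"valid")
    results = {"owner": rx.receive(addr, owner_key, nonce, b"hello", b"valid")}
    # someone else claims the owner's address with their own key: the hash no longer matches
    results["other_key_same_addr"] = rx.receive(addr, os.urandom(64), nonce, b"hello", b"valid")
    # same key, address moved to another prefix without re-deriving: also fails
    other_pfx = ipaddress.IPv6Network("2001:db8:1::/64").network_address.packed[:8]
    moved = ipaddress.IPv6Address(other_pfx + addr.packed[8:])
    results["other_prefix_same_iid"] = rx.receive(moved, owner_key, nonce, b"hello", b"valid")
    # DoS from the slide: one hash per fresh key mints a CGA that passes the cheap check,
    # and every such packet pushes the receiver into a signature verification
    before = rx.signature_checks
    for _ in range(50):
        k = os.urandom(64)
        a, n = cga_generate(prefix, k)
        rx.receive(a, k, n, b"junk", b"garbage")
    results["signature_checks_forced_by_attacker"] = rx.signature_checks - before
    return results


if __name__ == "__main__":
    print(demo())
```

The hash binds the address to a key, which is what stops a third party from claiming an existing CGA. It does nothing against an attacker who is happy to invent new addresses, which is exactly the endless-verification problem the slide raises.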

26

Concluding Remarks

IP spoofing is a common technique for attacks

There is not too much we can do about it

27

Thanks!