For a long time, attackers have been masking their identities to make successful attacks. IP spoofing is one of the old, but difficult techniques that spoof the IP address of a particular machine and gain unauthorized access. IP spoofing works on the weakness of the TCP/IP network known as sequence prediction.
In this article, we will look at IP spoofing, how it works, types of IP spoofing, and its defensive steps.
IP Spoofing Attack Methodology:
The basic motto of IP spoofing is to conceal the identity or imitate the computer system. IP (Internet Protocol) is a basic protocol to send data over the network, which contains packet addresses and another numerical source. Hackers imitate as a valid user and get access to a network after that change the packet headers of a legitimate user’s IP address.
To make an IP spoofing successful, a hacker must apply a kind of technique to locate an IP address of a reliable host and then alter the packet headers seeming that the packets are coming from that real host. With a spoofed source IP address of packet data, it is hard to locate the host that really sent the packet data.
When the workstation requests for a web page from the web server, the request includes both IP source and IP destination (address of the webserver) in normal condition.
However, from the above image, we can see that when a workstation request a web page with a spoofed IP address, the webserver executes the request to the spoofed IP address at the workstation (188.8.131.52) to which the webserver believes a legitimate system.
Types of IP Spoofing:
In many cases, IP spoofing is carried out for a malicious action; sometimes IP spoofing is useful in website testing, live system checking. There are some sorts of attacks, which use IP spoofing to make the attack successful like blind spoofing, DOS attack, non-blind spoofing, and MITM (Man in the Middle Attack) attack.
Let us talk a few on each attack that can be covered in an IP spoofing attack:
In a Nonblind attack, the victim and the attacker share the same subnet (a device that uses the same prefix IP address) where acknowledgment numbers are sniffed and calculated correctly. An attacker corrupts the data stream of a network connection, and with the help of his machine; the attacker reestablish the data stream with a correct number sequence. Thus, the attacker can bypass the authentication measures.
In Blind Attack, an attacker sends multiple packets to the targeted machine to get sequence numbers, which will be used to assemble packets.
Modern operating systems use random sequence number generation, thus it is further tricky for an attacker to guess the correct sequence number.
An attacker does not know the transmission process so he urges the targeted machine to send its own requests to analyze the sequence numbers.
By getting the numbers, an attacker can inject data into packet streams by falsifying the identity. This requires no authentication during connection establishment.
In this type of attack, a cracker intercepts the communication transmitting between two parties. An attacker sniffs the packet sent without awareness of the machine and modifies them.
In this way, an attacker reveals information by spoofing the sender’s identity trusted by the receiver.
In a short amount of time, attackers try to flood the victim by sending thousands of requests to prolong the attack. They spoof the IP address of the victim machine, which makes the attack difficult to trace and stop. In the case of multiple compromised hosts, which send spoofed packets, it is hard to block them all. Spoofing makes it difficult to detect and close off the main source of the attacks.
Defend against IP Spoofing:
To defend against IP Spoofing, you can take certain measures that are described here.
- Always apply authentication while exchanging keys between the machines, it will considerably reduce the risk of spoofing, for example, IPv6. Further, get rid of host-based authentication standards that are common for machines on the same subnet.
- Make a list of authorized persons to access control that will avoid private IP addresses on your downstream interface.
- Implement ingress and egress filtering of both inbound and outbound traffic. It will authenticate the source from where the incoming packets are approaching to the network. While egress filtering monitors and restricts the flow of outgoing information from one network to another.
- Configure your routers to refuse packets coming from outside your local network that claims to originate from within.
- Encrypt the router so the trusted hosts outside of the network will have secure communication.
IP Spoofing requires an impregnable solution as it focuses on the inbuilt design of the TCP/IP suite. TCP packets can be manipulated with software and it is very easy to mask a source address by falsifying the IP header.
With the above proper defensive measures, it can be tracked and avoided.
Related Posts :