The Revoluti0n
last article table of contents next article

IP Spoofing by assassin007

IP Spoofing: IP spoofing is a complex technique.
Not many people know how to deal with this one. Before studying about this technique
let me first explain some of the fundamentals you must know.

IP is connectionless and unreliable. IP is responsible for routing the IP datagrams
around the networks. If an IP packet has not reached its destination,
then IP may send back an ICMP error message to the source. But since ICMP is also unreliable,
there is no guarantee that these error message will arrive back at the source.

On the other hand, TCP provides a connection-oriented, reliable transport system.
A TCP connection is established after a three-way handshake.
The source sends a SYN packet to the destination with the
client's Initial Sequence Number (ISN). The destination host receiving the
SYN packet replies back with a SYN/ACK with the Server's Initial Sequence Number (ISN)
and the acknowledge number will be a sequence number (client's ISN+1).
The source on receiving the SYN/ACK responds back with an ACK with acknowledge number
equal to a sequence number (Server's ISN+1). The figure below explains this in a better way.

               +-+-+-+-+-+                +-+-+-+-+-+-+-+
               |         |  SYN (C ISN)   |             |
               |         |--------------->|             |
               |         |                |             |
               |         |  SYN (S ISN)   |             |
               | SOURCE  |<---------------| DESTINATION |
               |         |  ACK (C ISN+1) |             |
               |         |                |             |  
               |         |  ACK (S ISN+1) |             |
               |         |--------------->|             |
               +-+-+-+-+-+                +-+-+-+-+-+-+-+

Thus after the completion of the above processes a TCP connection will be established
between the client and the server. TCP sequence numbers are 32-bit numbers and their
values range from 0 to 4,294,967,295. We have already said about ISN.
But how are these values given???

At the time of bootstrapping of the host the Initial Sequence Number (ISN)
will be initialized with a value equal to 1. The ISN value of the host automatically
gets incremented with the passage of time and number of connections established.
For every second the ISN value gets incremented by 128,000 and with every connection
its value gets incremented by 64,000.

Now let's get back to the initial subject. Most of the applications in UNIX based systems
rely on IP address based authentication system, mostly on port 513.
IP spoofing involves forging of one's address and let out target system think that
it is receiving packets from its trusted source. So, IP spoofing involves forging
of the trusted host's address and maintaining the same sequence number of the packets
with the target server. The later is comparatively complicated task than the former.
It involves a lot of calculations and wild guesses of the sequence numbers to establish
a connection with the target host.

IP spoofing is definitely a complicated one. It is a kind of blind.
We send out the packets to the target host in the name of trusted host,
the target host thinks that it is receiving packets from the trusted host
and replies back there. We are no way there to know the kind of response
that target gives to the trusted host or the status of connection etc...
So the attacker must be in a position to guess the kind of packets the trusted
host may receive and the kind of responses the target is expecting from the trusted host.

But one more problem here is that if the trusted host is in a position to attend
the packets from the target it issue a RST to terminate the connection as it is not
in receipt of SYN packets that we have sent in its name. So, the trusted host must
be disabled from attending the packets from the target. This is where SYN flooding comes in.

SYN Flooding: In spoofed attacks the trusted host should never respond to the packets
from the target (If it responds the connection will be terminated).
For that the attacker sends several SYN packets to the trusted host.
Remember the source IP address of these packets should also be spoofed to some address.
The trusted host replies to that address in response of the SYN packets we've sent.
Also the spoofed host must be unreachable so that it may not respond with RST packets
which terminate the connection.

This leads to a lot of half-open connections on the trusted host and the trusted host
cannot attend any requests. But the attacker should not stop sending SYN packets
as after sometime the trusted host closes all the half-open connections with
request timed out error messages. So, the attacker should be sending SYN packets
to the trusted host till he establishes a connection with the target.

Sequence number sampling: In order to ACK back to the target system we should know
the sequence number series used by the target host. To find this sequence number,
the attacker first directly connects to any TCP port on the target and takes samples
of the sequence numbers on the target. After taking a number of samples of the
sequence numbers used by target the average RTT (Round-Trip Time) is calculated.
RTT is the time taken by a packet to reach its destination from the source and then back.
This RTT is very essential in calculating the next ISN number of the target.

The ATTACK: Once we have taken the samples of the sequence numbers used by the
target host and disabled the trusted host, a SYN packet will be sent to the target
with spoofed trusted host address. The target receiving the SYN responds back to the trusted
host with SYN/ACK. Since the trusted host is already disabled by the attacker, it will not
respond with RST packets. The attacker should be able to predict sequence numbers
(remember sequence numbers will be incremented 128,000/second and 64,000/connection
and +1 since we are ACKING) and ACK back the target host with trusted host IP address.
Thus a valid session is established between the target and the attacker.
The following figure shows this process.

               +-+-+-+-+-+                +-+-+-+-+-+-+-+
               |         |     SYN        |             |
               |ATTACKER |--------------->|             |
               |         |                |             |
               +-+-+-+-+-+                |             |
               |         |    SYN/ACK     |             |
               | TRUSTED |<---------------| DESTINATION |
               |         |                |             |
               +-+-+-+-+-+                |             |
               |         |                |             |  
               |ATTACKER |     ACK        |             |
               |         |--------------->|             |
               +-+-+-+-+-+                +-+-+-+-+-+-+-+

The attack looks pretty!!! Spoofing the IP addresses is very easy
(there are a lot of tools available for that) but predicting the sequence numbers
is a hard task. There are even some tools available (like Mendax for Linux) to predict
the sequence numbers. But still it is a hard task for newbies to start with such an attack. 

Note: Not many Windows systems use the address based authentication system,
mostly the R service suites such as (rlogin, rsh etc...) on X-Windows system are
vulnerable to IP spoofing. There are lot of tools available on the net for UNIX based systems.

Protecting your systems from spoofed attacks: 
* One way is to avoid using source address authentication systems.

* Normally routers receiving the packets on a network only look at the
destination address for the packet and send the packet to the destination.
So packets from outside your network which claim to originate from your LAN
will also be sent to their destination. Routers should be configured to reject such packets.

* Encryption methods should be employed for the network traffic.

* Random sequence numbers should be initiated at the servers which make the task
to predict the ISN a lot harder.

Tools available for IP spoofing:

Neworder maintains an excellent archive of IP Spoofing software.
The archive includes various tools for generating custom IP, TCP, UDP packets.
You can find their archive at: