The purpose of this attack is to spoof the IP address of a machine. This lets the attacker hide the source of an attack (as in a Denial of Service) or exploit a trust relationship between two machines. Here we explain this second use of IP spoofing.
The basic principle of the attack is that the attacker forges his own IP packets (with programs such as hping2 or nemesis) in which, among other fields, the source IP address is changed. IP spoofing is often described as blind (Blind Spoofing): since the source address is forged, the replies to those packets cannot reach the attacker's machine; they go to the spoofed machine instead. There are two methods of obtaining the replies:
- Source Routing: the IP protocol has a feature called Source Routing which lets the sender define the route that IP packets must follow, as a sequence of router IP addresses. The cracker only has to supply a route for the packets that passes through a router he controls. Today, most TCP/IP stack implementations drop packets carrying this option.
- Re-routing: the routing tables of routers using the RIP routing protocol can be modified by sending RIP packets carrying new routing information, in order to redirect the packets to a router the attacker controls.
These techniques are no longer usable (or only with difficulty): the attack is therefore carried out without seeing the packets coming from the target server.
Blind spoofing is used against services such as rlogin or rsh, whose authentication mechanism is based solely on the source IP address of the client machine. This relatively well-known attack involves several steps:
- determining the IP address of the trusted machine, e.g. using showmount -e, which shows where file systems are exported, or rpcinfo, which provides additional information;
- taking the trusted host out of service, for instance with SYN flooding (see Denial of Service later in this article). This is necessary so that the machine cannot respond to the packets sent by the target server; otherwise it would send TCP RST packets, which would break the connection establishment;
- predicting TCP sequence numbers: each TCP packet is associated with an initial sequence number. The operating system's TCP/IP stack generates it in a linear, time-dependent, pseudo-random or random way, depending on the system. The attacker can only attack systems that generate predictable sequence numbers (linear or time-dependent generation);
- the attack itself consists of opening a TCP connection to the desired port (e.g. rsh). For a better understanding, we recall the TCP connection-opening mechanism. It involves three phases:
  - the initiator sends a packet with the TCP SYN flag set and a sequence number x to the target machine;
  - the target answers with a packet with the TCP SYN and ACK flags set (with an acknowledgment number of x + 1). Its sequence number is y;
  - the initiator sends a packet with the TCP ACK flag set (with an acknowledgment number of y + 1) to the target machine.
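The third step above depends on whether a host's initial sequence numbers are predictable, which is also what a defender should check on his own machines. The following Python script, an added example that is not part of the original article, takes successive (timestamp, ISN) samples observed in a host's SYN-ACK replies and classifies the generator as linear, time-dependent or random; the function names and the sample values are constructed for the example.

```python
import statistics

ISN_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(samples):
    """(timestamp_s, isn) samples -> (elapsed_s, increment) pairs.
    The increment is taken modulo 2^32 so a wrap is not a huge jump."""
    return [(t1 - t0, (s1 - s0) % ISN_SPACE)
            for (t0, s0), (t1, s1) in zip(samples, samples[1:])]


def classify_isn_generator(samples, rel_tolerance=0.05):
    """Classify an ISN generator from successive SYN-ACK samples of one host.
    'linear'         : same increment for every connection, whatever the timing
    'time-dependent' : increment proportional to elapsed time (constant rate)
    'random'         : no stable relation between successive values
    The first two verdicts mean the host is exposed to the blind spoofing attack."""
    if len(samples) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(samples)
    increments = [inc for _, inc in deltas]
    if len(set(increments)) == 1:
        return "linear"
    rates = [inc / dt for dt, inc in deltas if dt > 0]
    if len(rates) >= 2 and statistics.mean(rates) > 0:
        if statistics.pstdev(rates) <= rel_tolerance * statistics.mean(rates):
            return "time-dependent"
    return "random"


# Constructed samples: (seconds since first probe, ISN seen in the SYN-ACK).
CONSTRUCTED_HOSTS = {
    # 64000 added per connection; the third value wraps past 2^32.
    "linear_host": [(0.0, 0xFFFF0000), (0.7, 0xFFFF0000 + 64000),
                    (1.1, 62464), (2.5, 126464)],
    # about 250000 units per second of wall-clock time, with small jitter.
    "clock_host": [(0.0, 0x10000000), (0.5, 0x10000000 + 125000),
                   (1.3, 0x10000000 + 325100), (2.0, 0x10000000 + 500000),
                   (2.2, 0x10000000 + 550000)],
    # unrelated values, as a modern stack with random ISNs produces.
    "random_host": [(0.0, 0x9F3C2A11), (0.4, 0x1A7E55D0),
                    (0.9, 0xE3B0C442), (1.5, 0x5D41402A)],
}


def audit_constructed_hosts():
    """Return {host: verdict} for the constructed samples above."""
    return {h: classify_isn_generator(s) for h, s in CONSTRUCTED_HOSTS.items()}
```

A "linear" or "time-dependent" verdict on one of your own hosts is the condition the attack needs, so that host's TCP/IP stack should be updated to one that randomizes its ISNs.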