What is IP Spoofing ?

[EDRIC]

The purpose of this attack is spoofing the IP address of a machine. Provides this to the attacker to hide the source of his attack (used in Denial of Service) or enjoy a relationship of trust between two machines. We will explain here this second use of IP Spoofing.

The basic principle of this attack is to forge its own IP packets (with programs like hping2 or nemesis) in which the attacker change, among others, the source IP address. IP Spoofing is often described as indiscriminate (or Blind Spoofing). Indeed, the answers to the packets can not reach the attacker machine because the source is spoofed. So, they go to the spoofed machine. There are two methods to get the answers:

• Source Routing: IP protocol has a feature called Source Routing which allows to define the route to be followed by IP packets. This route is a sequence of router IP addresses that the packets will have to follow. Just the cracker to provide a route for the packets to a router it controls. Today, most implementations of TCP / IP stacks drop packets with this option.
  
• Re-routing: router tables using the RIP routing protocol can be modified by sending RIP packets with new routing information. This in order to reroute the packets to a router that the attacker control.

These techniques are more (or difficulty) usable: the attack is carried out without knowing the packets coming from the target server.


Blind Spoofing used against services such as rlogin or rsh. Indeed, their authentication mechanism based solely on the source IP address of the client device. This relatively well known attack involves several steps:

• determining the IP address of the trusted machine eg using showmount-e shows where exported file systems or rpcinfo which provides additional information;
  
• decommissioning of the trusted host using a SYN Flooding, for instance (on Denial of Service later in this article). This is necessary so that the machine can not respond to packets sent by the target server. Otherwise it would send TCP RST packets which would break the connection establishment;
  
• predicting TCP sequence numbers: each TCP packet is associated with an initial sequence number. The TCP / IP operating system generates a linear, time-dependent, pseudo-random or random depending on the system. The attacker only can attack systems generating predictable sequence numbers (linear generation or time-dependent);
  
• attack is to open a TCP connection to the desired port (eg rsh). For better understanding, we will recall the opening mechanism of TCP. It involves three phases:

1. the initiator sends a packet containing the TCP SYN flag and a sequence number x, is sent to the target machine;
   
2. answers with a packet whose TCP flag SYN and ACK (with an acknowledgment number of x 1) are activated. Its sequence number is y;
   
3. the initiator sends a packet containing the TCP ACK flag (with an acknowledgment number of y +1) to the target machine.

[EDRIC]

During the attack, the attacker does not receive the SYN-ACK sent by the target. For the connection to establish, he predicts the y sequence number to send a packet with the correct number of ACK (y +1). The connection is then established through authentication by IP address. The attacker can send a command to use rsh to obtain rights, such as echo + +>> /. Rhosts. For this, he forges a packet with the TCP PSH flag (Push): The received data is immediately transmitted to the upper layer, here the rsh service that it treat them. It is then possible to connect to the machine through a service such as rlogin or rsh without IP Spoofing.

[Caden]

There are several types of IP Spoofing. The first is called Blind Spoofing is an attack on a blind. "Packets being forged with a spoofed IP address, packets will answers to this address. It will be impossible for the attacker to retrieve the packets. He will be forced to "guess". However, there is another technique the Blind Spoofing. It involves using the IP Source Routing option that allows to impose a list of IP addresses that routers must borrow the IP packet. Just as forward the route reply packet to a router it controls to retrieve it. However, most routers today do not consider that IP option and throw all IP packets using it.

[Fanchon]

IP spoofing is used when two hosts are trusted relationship with their IP addresses, that is to say that the only authentication done at the server consists in checking the client IP address. IP spoofing has often held against services rlogin and rsh as their authentication mechanism is based on IP address. The principle is simple: once a customer has an established connection to the server with a user authenfication based on IP address, the attacker will try to impersonate the client to the server. For this, it will prevent the client to communicate with the server and respond to his place. IP-Spoofing is an attack on a limited number of machines.