
Security: IP Spoofing
Attackers can manipulate an innocent host into attacking a victim
Friday, August 17, 2007

IP works with small portions of data called datagrams, each of which carries a small header used for address information. This header contains two addresses: the destination's IP address and the source's IP address.

The destination's IP address determines where the datagram should go. The source's IP address tells the destination where the datagram originated. There is a problem in the handling of the source's IP address. One of the merits of the IP protocol is that it is connectionless, so routers make routing decisions based on the destination address without any influence from the source address. In processing a packet or message, information about the source essentially remains unused until the item reaches its destination. For this reason, attackers can forge a packet's source address by setting it to that of another computer, or even a nonexistent computer, and the packet will still reach its destination. Thus, one way of concealing identity on the Internet is to simply forge source addresses.

IP Spoofing Techniques

Simple Forging
Forging or spoofing an address is a one-way communication which is as simple as putting any desired address in the source address field.

Using a Reflector Host
Attackers can use IP address forging to manipulate an innocent host into attacking a victim. The attacker host sends a packet designed to elicit a response to a reflector host. If the attacker spoofs the victim's address as the packet's source, then the reflector will innocently direct its response toward the victim. At the reflector, initiating packets appear to come from the victim while the attacker is seemingly uninvolved.

Laundering Attack Packets
Attackers use stolen or phantom accounts to launder packets before they reach a victim. When laundering takes place, the laundering host actually receives and processes the attacking host's packets, transmitting other packets toward the victim as shown in the figure below. This process changes the source address to that of the laundering host, and can also give the laundered packets different content and/or timing from that of the attacker's original packets. In these ways, attackers can use laundering hosts to disguise their identity.

Detection of IP Spoofing Attacks
One can monitor packets using network-monitoring software such as netlog. To do this, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find such a packet, the network is currently under attack.

Prevention of IP Spoofing
The best method of preventing the IP spoofing problem is to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network.
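The detection rule and the input filter described above can be expressed as one check on packets arriving at the external interface. The following Python sketch is an added example, not code from the original article; the internal prefix 192.0.2.0/24, the function names and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumption: the site's internal address space (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_ipv4_addresses(packet: bytes):
    """Return (source, destination) from a raw IPv4 header or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst)


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def check_external_packet(packet: bytes) -> str:
    """Classify a packet seen on the external interface."""
    try:
        src, dst = parse_ipv4_addresses(packet)
    except ValueError:
        return "drop-malformed"
    if is_internal(src):
        # Input filter: an internal source cannot legitimately arrive from outside.
        # Detection rule: internal source AND internal destination raises an alert.
        return "alert-and-drop" if is_internal(dst) else "drop"
    return "accept"


def sample_header(src: str, dst: str) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at 0, not validated)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


if __name__ == "__main__":
    for s, d in [("192.0.2.10", "192.0.2.20"), ("203.0.113.7", "192.0.2.20")]:
        print(s, "->", d, check_external_packet(sample_header(s, d)))
```
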
