Monday, November 5, 2012

IP Address Spoofing And Its Defenses

Internet Protocol Address (IP Address) plays a very significant role in our day-to-day lives. Whether it is Cyber Security or Cyber Forensics, IP Address has a crucial role to play. IP Address is also the Starting Point for any Cyber Crime Investigation. So it is of utmost importance that an IP Address must be correctly ascertained.

Similarly, the Crackers and Cyber Criminals are interested in hiding their “Digital Footprints” through various means. IP Spoofing, use of Proxies, utilising Botnets for nefarious activities, exploiting Unsecured Wireless Access Points and Connections, etc. are some of the methods that are used by Cyber Criminals.

IP Address is also the starting point to determine the “Authorship Attribution” that is a must before an accused is “Convicted” by a Court of Law. For instance, if a single Computer or Internet connection is used by multiple users, it is absolutely essential to ascertain who in fact used the Computer/Connection for the “Offending Act”.

Similarly, it is absolutely essential to ensure that the owner of a Wireless Connection is actually the person who committed the Cyber Crime or Cyber Contravention. In the majority of cases, such an Unsecured Wireless Connection is misused by others and the IP Address of the owner is reflected for that activity.

Thus, Authorship Attribution is an important aspect of “Determining the Culpability” of an Offender where the means to commit the Offence are common and accessible to many people simultaneously. Data Mining and Profiling of the accused to “Attribute Culpability” to him/her alone is an emerging area of Cyber Crime Investigation.

IP Spoofing is one of the methods used by Cyber Criminals to deny “Authorship Attribution” to them. A Cyber Crime Investigator would first ascertain the IP Address and then, after analysing the E-Mail Headers/Logs, she would come to a conclusion that the IP Address reflected in the communication is a Forged or Spoofed one. Ascertaining the true and correct IP Address is required to proceed further in such a case.

IP Address Spoofing requires the creation of IP packets with a forged source IP Address, with the purpose of concealing the real identity of the sender or impersonating another System. The most common Protocol suite for data exchange over the Internet is TCP/IP. The header of each IP Packet contains, among other things, the numerical source and destination address of the Packet. The source address is normally the address that the packet was sent from. By forging the header so that it contains a different address, an attacker can make it appear that the packet was sent by a different Computer.

However, there is a “Limitation” to such a use. To establish a Connection, TCP uses a “Three Way Handshake”, and IP Spoofing by its very nature fails to satisfy this handshake: the reply to a forged source address is delivered to that address, not to the attacker, so the attacker never sees what is needed to complete the connection. So the purposes of IP Spoofing are limited in nature. For instance, IP Spoofing can be used for Denial of Service (DoS) attacks, as the attacker is least bothered about receiving a “Response”. IP Spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP Addresses. IP Spoofing can also be used for Session Hijacking or Host Impersonation.

There are some services that are vulnerable to IP Spoofing. These include RPC (Remote Procedure Call) services, any service that uses IP Address based authentication, the X Window System, the R services suite (rlogin, rsh, etc.), and so on.

IP Spoofing can take many forms. In Non-Blind Spoofing the attacker is on the same subnet as the victim and this enables him to perform session hijacking. Using this technique, an attacker could effectively bypass any authentication measures that have taken place to build a connection.

In Blind Spoofing several packets are sent to the target machine in order to sample sequence numbers. Computers in the past used basic techniques for generating sequence numbers. It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most Operating Systems (OSs) implement random sequence number generation, making it difficult to predict them accurately.

In Man in the Middle Attack (MITM) the attacker intercepts a legitimate communication between two Computers. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “Spoofing” the identity of the original sender, who is presumably trusted by the recipient.

There is a “General Consensus” that IP Spoofing does not allow gaining Anonymous Internet Access; the belief that it does is a common misconception among those unfamiliar with the practice. Any sort of Spoofing beyond simple floods is relatively advanced and used in very specific instances such as evasion and connection hijacking.

However, some believe that if a Website is not using syncookies and is using predictable initial sequence numbers, it is possible to create a live TCP connection without actually revealing the original IP Address. This may be possible as the attacker may be least interested in getting back the “Responses”. I would deal with this issue separately and in greater detail subsequently.

IP Spoofing can be prevented and defended against through methods like Packet Filtering, Websites using syncookies and unpredictable initial sequence numbers, use of multiple authentication protocols so that they do not exclusively rely on the IP Address for authentication, use of Encryption, etc.
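The “Packet Filtering” defence above is usually implemented at the network border as ingress and egress filtering: a packet is dropped when its source address could not legitimately have arrived on the interface it came in on. The following Python model is an added example and is not code from the original post. The site prefix, the list of unroutable (“bogon”) source ranges and the sample packets are all constructed for illustration, using the documentation address ranges rather than real hosts.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network layout for this example: the router's "inside" interface
# faces the site prefix below, and its "outside" interface faces the Internet.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source addresses that have no business arriving from the Internet:
# "this network", private, loopback, link-local and multicast space.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


@dataclass
class Packet:
    iface: str  # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str


def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def filter_packet(pkt):
    """Apply anti-spoofing rules; return ("accept" | "drop", reason)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src == dst:
        return "drop", "source equals destination"
    if pkt.iface == "outside":
        # Ingress filtering: nobody outside may claim one of our own addresses,
        # and an unroutable source is forged by definition.
        if _in_any(src, SITE_PREFIXES):
            return "drop", "our own prefix as source on the outside interface"
        if _in_any(src, BOGON_PREFIXES):
            return "drop", "unroutable (bogon) source address"
        return "accept", ""
    if pkt.iface == "inside":
        # Egress filtering: hosts on the site may only send as themselves,
        # so the site cannot be the origin of spoofed packets.
        if not _in_any(src, SITE_PREFIXES):
            return "drop", "source outside our prefix leaving the site"
        return "accept", ""
    return "drop", "unknown interface"


# Constructed sample traffic; RFC 5737 documentation prefixes stand in for real hosts.
SAMPLE_PACKETS = [
    Packet("outside", "198.51.100.20", "203.0.113.10"),  # ordinary inbound packet
    Packet("outside", "203.0.113.50", "203.0.113.10"),   # forged: claims to be internal
    Packet("outside", "10.1.2.3", "203.0.113.10"),       # forged: private source from the Internet
    Packet("outside", "203.0.113.10", "203.0.113.10"),   # forged: source equals destination
    Packet("inside", "203.0.113.50", "198.51.100.20"),   # ordinary outbound packet
    Packet("inside", "192.0.2.99", "198.51.100.20"),     # forged: internal host using a foreign source
]


def run_filter(packets=SAMPLE_PACKETS):
    """Return one (interface, source, verdict, reason) tuple per packet."""
    return [(p.iface, p.src, *filter_packet(p)) for p in packets]


if __name__ == "__main__":
    for verdict in run_filter():
        print(verdict)
```

The two directions matter equally: ingress filtering protects the site from forged packets coming in, while egress filtering stops the site's own hosts from becoming the source of spoofed traffic against others, which is what makes the “reflected” IP Address of an innocent owner (described earlier in this post) so much harder to produce.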

Some upper layer protocols provide their own defense against IP Spoofing attacks. For example, TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection. Since the attacker normally cannot see any reply packets, the sequence number must be guessed in order to hijack the connection. The poor implementation in many older operating systems and network devices, however, means that TCP sequence numbers can be predicted.
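The syncookies mentioned as a defence above, and the sequence number argument in this paragraph, come together in one mechanism: a server that answers a SYN with an initial sequence number that is a keyed hash of the connection's addresses, ports and a coarse time slot. It stores nothing until the final ACK arrives, and only a client that actually received the SYN-ACK can echo that number back. The Python model below is an added example and not code from the original post; the secret key, the MSS table, the time-slot handling and all addresses are constructed for illustration and simplify what a real TCP stack does.

```python
import hashlib
import hmac

# MSS values the cookie can encode in its two MSS bits (constructed table).
MSS_TABLE = [536, 1220, 1440, 1460]


class SynCookieServer:
    """Model of a listener that answers SYNs with SYN cookies.

    The server stores nothing when a SYN arrives. Its initial sequence
    number is a keyed hash of the connection's addresses and ports plus a
    coarse time slot, so it cannot be predicted without the secret but can
    be re-derived and checked when the final ACK comes back.
    """

    def __init__(self, secret, ip, port):
        self.secret = secret          # constructed secret key
        self.ip, self.port = ip, port
        self.clock = 0                # coarse time slot, advanced by tick()
        self.established = {}         # (client_ip, client_port) -> negotiated MSS

    def tick(self):
        self.clock += 1

    def _hash(self, client_ip, client_port, slot):
        msg = f"{client_ip}:{client_port}:{self.ip}:{self.port}:{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")      # 24-bit keyed hash

    def make_cookie(self, client_ip, client_port, mss):
        idx = 0
        for i, m in enumerate(MSS_TABLE):
            if m <= mss:
                idx = i
        # Layout: 6 bits time slot | 2 bits MSS index | 24 bits keyed hash
        return ((self.clock & 0x3F) << 26) | (idx << 24) | self._hash(client_ip, client_port, self.clock)

    def recv_syn(self, client_ip, client_port, mss):
        """Return the sequence number for the SYN-ACK; no state is allocated."""
        return self.make_cookie(client_ip, client_port, mss)

    def recv_ack(self, client_ip, client_port, ack):
        """Re-derive the cookie from the ACK; record the connection if it checks out."""
        cookie = (ack - 1) & 0xFFFFFFFF
        slot_bits = cookie >> 26
        for slot in (self.clock, self.clock - 1):      # current and previous slot are valid
            if slot < 0:
                continue
            if (slot & 0x3F) == slot_bits and (cookie & 0xFFFFFF) == self._hash(client_ip, client_port, slot):
                self.established[(client_ip, client_port)] = MSS_TABLE[(cookie >> 24) & 0x3]
                return True
        return False


def simulate():
    server = SynCookieServer(b"constructed-secret-key", "203.0.113.10", 80)

    # A flood of SYNs with forged sources: every SYN-ACK goes to the forged
    # address, which never answers, and the server has allocated nothing.
    for i in range(1000):
        server.recv_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, 1460)
    state_after_flood = len(server.established)

    # A legitimate client sees the SYN-ACK and acknowledges cookie + 1.
    isn = server.recv_syn("192.0.2.7", 40000, 1460)
    legit_ok = server.recv_ack("192.0.2.7", 40000, (isn + 1) & 0xFFFFFFFF)

    # Anyone forging 192.0.2.7 never sees that SYN-ACK and can only guess.
    forged_ok = server.recv_ack("192.0.2.7", 40001, 0x12345678)

    # A reply from the previous time slot is still accepted ...
    isn2 = server.recv_syn("192.0.2.8", 40002, 1440)
    server.tick()
    previous_slot_ok = server.recv_ack("192.0.2.8", 40002, (isn2 + 1) & 0xFFFFFFFF)

    # ... but an older one is not.
    isn3 = server.recv_syn("192.0.2.9", 40003, 1220)
    server.tick()
    server.tick()
    stale_ok = server.recv_ack("192.0.2.9", 40003, (isn3 + 1) & 0xFFFFFFFF)

    return {
        "state_after_flood": state_after_flood,
        "legit_ok": legit_ok,
        "forged_ok": forged_ok,
        "previous_slot_ok": previous_slot_ok,
        "stale_ok": stale_ok,
        "mss": dict(server.established),
    }


if __name__ == "__main__":
    print(simulate())
```

Two properties carry the defence. The server's sequence number is unpredictable because it is a keyed hash rather than a counter, which is exactly what the “poor implementations” in older systems lacked; and the server keeps no half-open state, so a flood of spoofed SYNs costs it nothing but the SYN-ACKs it sends to addresses that never reply.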

There is an urgent need for more in-depth research in the field of IP Spoofing, and I would try to cover this field in greater detail in my subsequent posts.