IP Spoofing
A IP Spoofing Attack involves forging one's source address. It is the act of using one machine to impersonate another. Most of the applications and tools in UNIX rely on the source IP address authentication. Many developers have used the host based access controls to secure their networks. Source IP address is a unique identifier but not a reliable one. It can easily be spoofed.
The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. Client and server can now send service-specific data.
TCP uses sequence numbers. When a virtual circuit establishes between two hosts , then TCP assigns each packet a number as an identifying index. Both hosts use this number for error checking and reporting.
The sequence number is used to acknowledge receipt of data. At the beginning of a TCP connection, the client sends a TCP packet with an initial sequence number, but no acknowledgment. If there is a server application running at the other end of the connection, the server sends back a TCP packet with its own initial sequence number, and an acknowledgment; the initial number from the client's packet plus one. When the client system receives this packet, it must send back its own acknowledgment; the server's initial sequence number plus one.
An attacker has two problems. The attacker must forge the source address. Ansd the attacker must maintain a sequence number with the target. The second task is the most complicated task because when target sets the initial sequence number, the attacker must response with the correct response. Once the attacker correctly guesses the sequence number, he can then synchronize with the target and establish a valid session.
Configuration and services that are vulnerable to IP spoofing :
-RPC (Remote Procedure Call services)
-Any service that uses IP address authentication
-The X Window system
-The R services suite (rlogin, rsh, etc.)
Measures to prevent IP Spoofing Attacks:
Avoid using the source address authentication. Implement cryptographic authentication
systemwide.
Configuring your network to reject packets from the Net that claim to originate from a local address. This is most commonly done with a router.
If you allow outside connections from trusted hosts, enable encryption sessions at the router.
Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic. http://www.monkey.org/~dugsong/dsniff/
The following shell script tries to prevent this kind of attack:
#!/bin/bash
INT_IF="eth1" # connected to internet
SERVER_IP="202.54.10.20" # server IP
LAN_RANGE="192.168.1.0/24" # your LAN IP range
# Add your IP range/IPs here,
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
IPT="/sbin/iptables" # path to iptables
# default action, can be DROP or REJECT
ACTION="DROP"
# Drop packet that claiming from our own server
$IPT -A INPUT -i $INT_IF -s $SERVER_IP -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $SERVER_IP -j $ACTION
# Drop packet that claiming from our own internal LAN
$IPT -A INPUT -i $INT_IF -s $LAN_RANGE -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $LAN_RANGE -j $ACTION
for ip in $SPOOF_IPS
do
$IPT -A INPUT -i $INT_IF -s $ip -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $ip -j $ACTION
done
Save and close the file. Call above script from your own iptables script. Add following line to your /etc/sysctl.conf
net.ipv4.conf.all.rp_filter = 1
This entry enables source address verification which is inbuilt into Linux kernel itself.
The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. Client and server can now send service-specific data.
TCP uses sequence numbers. When a virtual circuit establishes between two hosts , then TCP assigns each packet a number as an identifying index. Both hosts use this number for error checking and reporting.
The sequence number is used to acknowledge receipt of data. At the beginning of a TCP connection, the client sends a TCP packet with an initial sequence number, but no acknowledgment. If there is a server application running at the other end of the connection, the server sends back a TCP packet with its own initial sequence number, and an acknowledgment; the initial number from the client's packet plus one. When the client system receives this packet, it must send back its own acknowledgment; the server's initial sequence number plus one.
An attacker has two problems. The attacker must forge the source address. Ansd the attacker must maintain a sequence number with the target. The second task is the most complicated task because when target sets the initial sequence number, the attacker must response with the correct response. Once the attacker correctly guesses the sequence number, he can then synchronize with the target and establish a valid session.
Configuration and services that are vulnerable to IP spoofing :
-RPC (Remote Procedure Call services)
-Any service that uses IP address authentication
-The X Window system
-The R services suite (rlogin, rsh, etc.)
Measures to prevent IP Spoofing Attacks:
Avoid using the source address authentication. Implement cryptographic authentication
systemwide.
Configuring your network to reject packets from the Net that claim to originate from a local address. This is most commonly done with a router.
If you allow outside connections from trusted hosts, enable encryption sessions at the router.
Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic. http://www.monkey.org/~dugsong/dsniff/
The following shell script tries to prevent this kind of attack:
#!/bin/bash
INT_IF="eth1" # connected to internet
SERVER_IP="202.54.10.20" # server IP
LAN_RANGE="192.168.1.0/24" # your LAN IP range
# Add your IP range/IPs here,
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
IPT="/sbin/iptables" # path to iptables
# default action, can be DROP or REJECT
ACTION="DROP"
# Drop packet that claiming from our own server
$IPT -A INPUT -i $INT_IF -s $SERVER_IP -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $SERVER_IP -j $ACTION
# Drop packet that claiming from our own internal LAN
$IPT -A INPUT -i $INT_IF -s $LAN_RANGE -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $LAN_RANGE -j $ACTION
for ip in $SPOOF_IPS
do
$IPT -A INPUT -i $INT_IF -s $ip -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $ip -j $ACTION
done
Save and close the file. Call above script from your own iptables script. Add following line to your /etc/sysctl.conf
net.ipv4.conf.all.rp_filter = 1
This entry enables source address verification which is inbuilt into Linux kernel itself.
Posting Komentar