IP Spoofing - Revision history

Luongp at 03:57, 13 April 2009

2009-04-13T03:57:34Z

← Older revision		Revision as of 03:57, 13 April 2009
Line 22:		Line 22:

	[[Image:sessionhijacking.jpg]]		[[Image:sessionhijacking.jpg]]
		+
		+	==See Also==
		+	*[[Man in the Middle Attack]]
		+	*[[Phishing]]
		+	*[[Social Engineering]]
		+	*[[Kevin Mitnick]]
		+
		+	==External Links==
		+	* [http://www.tcpipguide.com/free/t_IPDatagramGeneralFormat.htm TCP/IP Guide]
		+	* [http://doc.bughunter.net/network-security/ip-spoofing.html IP-spoofing Demystified (Trust-Relationship Exploitation)]
		+	* [http://portblocking.csail.mit.edu/mantid.php State of IP Spoofing]
		+	* [http://www.linuxsecurity.com/content/view/120225/171/ Linux Security Introduction: IP Spoofing]
		+	* [http://www.apricot.net/apricot2007/presentation/conference/security_stream/anti-ip-spoofing.pdf Anti-IP-Spoofing]

	==References==		==References==
Line 29:		Line 42:
	#[http://www.securityfocus.com/infocus/1674 IP Spoofing: An Introduction]		#[http://www.securityfocus.com/infocus/1674 IP Spoofing: An Introduction]
	#[http://www.giac.org/certified_professionals/practicals/gsec/0201.php Introduction to IP Spoofing]		#[http://www.giac.org/certified_professionals/practicals/gsec/0201.php Introduction to IP Spoofing]
-	--[[User:Luongp\|Luongp]] 23:25, 12 April 2009 (EDT)	+	--[[User:Luongp\|Luongp]] 23:57, 12 April 2009 (EDT)

Luongp at 03:25, 13 April 2009

2009-04-13T03:25:19Z

← Older revision		Revision as of 03:25, 13 April 2009
Line 7:		Line 7:
	Information is transferred over the internet in the form of Internet Protocol(IP) Datagrams also known as Packets. IP Datagrams consists of the IP header and the data being transferred shown in Figure 1. It is the IP header that contains the IP Header contains the source IP address and IP destination address.		Information is transferred over the internet in the form of Internet Protocol(IP) Datagrams also known as Packets. IP Datagrams consists of the IP header and the data being transferred shown in Figure 1. It is the IP header that contains the IP Header contains the source IP address and IP destination address.

-	Normally IP Packets are created automatically behind the scenes for the user; however, a user can override this function by inserting a custom IP Header and informing the operating system that a header is not needed. This process creates spoofed IP datagrams that may be used to impersonate another source IP address or hide the true source IP address. These custom packets can created by using raw sockets in UNIX-like systems or packet drivers such as ''WinPcap'' for Windows<sup>[http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_ip-spoofing.html [1]]</sup>.	+	Normally IP Packets are created automatically behind the scenes for the user; however, a user can override this function by inserting a custom IP Header and informing the operating system that a header is not needed. This process creates spoofed IP datagrams that may be used to impersonate another source IP address or hide the true source IP address. These custom packets can created by using raw sockets in UNIX-like systems or packet drivers such as ''WinPcap'' for Windows.<sup>[http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_ip-spoofing.html [1]]</sup>
	<div style="clear:both;"></div>		<div style="clear:both;"></div>
	==Blind/Nonblind Spoofing==		==Blind/Nonblind Spoofing==
Line 16:		Line 16:

	==Denial of Service Using IP Spoofing==		==Denial of Service Using IP Spoofing==
-	TCP connections are setup using ''three-way handshake'' that involve the '''SYN''' and '''ACK''' flags in the TCP header. Connection that have been initiated but not completed are called half-open connections. The state of half-open connections are stored and take up part of a finite-sized data structure<sup>[http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_ip-spoofing.html [1]]</sup>. If a spoofed '''SYN''' packet is sent to initiate a ''three-way handshake'' to a victim, the victim sends a '''SYN-ACK''' packet and waits for the final '''ACK''' to complete the handshake. If the spoofed address does not belong to the attacker, then the connection is left half-open and waiting indefinitely or for a period of time. Having too many half-open connections will flood the finite-size data structure and prevent and new connections from forming.<sup>[http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_ip-spoofing.html [1]]</sup> This causes the victim to deny service to any legitimate connections.	+	TCP connections are setup using ''three-way handshake'' that involve the '''SYN''' and '''ACK''' flags in the TCP header. Connection that have been initiated but not completed are called half-open connections. The state of half-open connections are stored and take up part of a finite-sized data structure.<sup>[http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_ip-spoofing.html [1]]</sup> If a spoofed '''SYN''' packet is sent to initiate a ''three-way handshake'' to a victim, the victim sends a '''SYN-ACK''' packet and waits for the final '''ACK''' to complete the handshake. If the spoofed address does not belong to the attacker, then the connection is left half-open and waiting indefinitely or for a period of time. Having too many half-open connections will flood the finite-size data structure and prevent and new connections from forming.<sup>[http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_ip-spoofing.html [1]]</sup> This causes the victim to deny service to any legitimate connections.

	==Session Hijacking==		==Session Hijacking==
Line 29:		Line 29:
	#[http://www.securityfocus.com/infocus/1674 IP Spoofing: An Introduction]		#[http://www.securityfocus.com/infocus/1674 IP Spoofing: An Introduction]
	#[http://www.giac.org/certified_professionals/practicals/gsec/0201.php Introduction to IP Spoofing]		#[http://www.giac.org/certified_professionals/practicals/gsec/0201.php Introduction to IP Spoofing]
-	--[[User:Luongp\|Luongp]] 23:23, 12 April 2009 (EDT)	+	--[[User:Luongp\|Luongp]] 23:25, 12 April 2009 (EDT)

Luongp at 03:23, 13 April 2009

2009-04-13T03:23:39Z

← Older revision		Revision as of 03:23, 13 April 2009
Line 29:		Line 29:
	#[http://www.securityfocus.com/infocus/1674 IP Spoofing: An Introduction]		#[http://www.securityfocus.com/infocus/1674 IP Spoofing: An Introduction]
	#[http://www.giac.org/certified_professionals/practicals/gsec/0201.php Introduction to IP Spoofing]		#[http://www.giac.org/certified_professionals/practicals/gsec/0201.php Introduction to IP Spoofing]
		+	--[[User:Luongp\|Luongp]] 23:23, 12 April 2009 (EDT)

Luongp at 03:23, 13 April 2009

2009-04-13T03:23:07Z

← Older revision		Revision as of 03:23, 13 April 2009
Line 10:		Line 10:
	<div style="clear:both;"></div>		<div style="clear:both;"></div>
	==Blind/Nonblind Spoofing==		==Blind/Nonblind Spoofing==
-	Spoof attacks are generally considered blind attacks because the attacker will not recieve replies directly from the victim. The victim usually only replies back to the source address of the recieved packets and does not know the true source address of spoofed packets. If the attacker is on the same '''subnet''' of the host being impersonated, then the attacker can "sniff" the reply and intercept the packet. Scenarios where the attacker inspects the responses from the victim are called "nonblind spoofing" and in other cases it is called "blind spoofing" where the responses are not intercepted<sup>[http://www.securityfocus.com/infocus/1674 [4]]</sup>.	+	Spoof attacks are generally considered blind attacks because the attacker will not recieve replies directly from the victim. The victim usually only replies back to the source address of the recieved packets and does not know the true source address of spoofed packets. If the attacker is on the same '''subnet''' of the host being impersonated, then the attacker can "sniff" the reply and intercept the packet. Scenarios where the attacker inspects the responses from the victim are called "nonblind spoofing" and in other cases it is called "blind spoofing" where the responses are not intercepted.<sup>[http://www.securityfocus.com/infocus/1674 [4]]</sup>

	==Sequence Number Prediction==		==Sequence Number Prediction==