A Comprehensive Analysis of Spoofing

This article gives an in-depth explanation of Internet Protocol (IP) and email address spoofing. What are the steps for IP spoofing? Why might an attacker want to spoof an IP or email address?

2. IP Spoofing

IP spoofing is used to gain unauthorized access to a computer. The attacker forwards packets to a computer with a source address indicating that the packet is coming from a trusted port or system. Attackers must go through some complicated steps to accomplish the task. They must:

  • Obtain a target.
  • Obtain an IP address of a trusted machine.
  • Disable communication of the trusted machine (e.g. SYN flooding).
  • Sample a communication between the target and trusted hosts.
  • Guess the sequence numbers of the trusted machine.
  • Modify the packet headers so that it appears that the packets are coming from the trusted host.
  • Attempt connection to an address-authenticated service or port.
  • If successful, the attacker will plant some kind of backdoor access for future reference.

System A impersonates system B by sending B's address instead of its own. The reason for doing this is that systems tend to function within groups of other "trusted" systems. This trust is implemented in a one-to-one fashion; system A trusts system B. IP spoofing occurs in the following manner: if system A trusts system B and system C spoofs system B, then system C can gain otherwise denied access to system A. This is all made possible by IP address authentication and, if the packets are coming from external sources, by poorly configured routers.

One of the major drawbacks of IP spoofing is that C never "sees" the responses from A. This is a completely blind attack: much experience and knowledge of what to expect from the target's responses is needed to carry it out successfully. Some of the most common ways to avoid this type of attack are to disable source-routed packets and to block all external incoming packets with the same source address as a local host.
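
The two filtering rules above, written as a border-filter check over raw IPv4 headers. This is an added example, not code from the original article; the local network 192.0.2.0/24, the function names, and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct
# Assumption for this example: the local network behind the border filter.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LSRR, SSRR = 131, 137  # IPv4 option types: loose / strict source routing

def bad_options(options: bytes) -> bool:
    """True if the IPv4 options carry a source route or are malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            return False
        if kind == 1:                      # No-Operation (single byte)
            i += 1
            continue
        if kind in (LSRR, SSRR):
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            return True                    # malformed length: fail closed
        i += options[i + 1]
    return False

def ingress_verdict(packet: bytes, from_external: bool) -> str:
    """Apply the two anti-spoofing rules to a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "drop: bad header length"
    if bad_options(packet[20:ihl]):
        return "drop: source-routed or malformed options"
    src = ipaddress.ip_address(packet[12:16])
    if from_external and any(src in net for net in LOCAL_NETS):
        return "drop: external packet with local source address"
    return "accept"

def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed sample header (checksum left at 0), for the demo only."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    return struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                       20 + len(options), 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options

if __name__ == "__main__":
    lsrr = bytes([LSRR, 7, 4]) + ipaddress.ip_address("203.0.113.1").packed
    print(ingress_verdict(build_header("192.0.2.10", "192.0.2.20"), True))
    print(ingress_verdict(build_header("198.51.100.7", "192.0.2.20", lsrr), True))
```

The same header claiming a local source is accepted when it arrives on the internal side, which is why the check is tied to the arrival interface rather than to the address alone.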