Write-up to IP Spoofing


Idea behind IP spoofing

Spoofing means manipulation or concealment; in IP spoofing it refers to pretending to have another IP address, i.e. sending packets with a forged source address. This can be done on the internet but also within an intranet. If IP-based authentication is used, it can be bypassed in this way.

The tool on your own PC sends packets with different source addresses to see whether they can successfully leave your own network and reach the servers of the tool vendor (egress spoofing). For example, it tests with source addresses inside your own network that are not assigned to your own host, as well as with source addresses that do not belong to your own network at all. If the host is within an independently routed /24 prefix, it also tests addresses in the adjacent /23, /22 etc. It also tests with source addresses that are reserved for private networks. In the other direction, the vendor's servers send various spoofed packets to see whether they can successfully penetrate your network and reach the client (ingress spoofing), unless the tool is used behind a NAT. Furthermore, they test with source addresses from the target network itself and, as with the egress tests, with source addresses reserved for private networks. (from 3.1 What information does the tool collect about my network?)

Questions

Is this a realistic attack over the Internet using TCP/IP?

Yes. You could, for example, flood a system with SYN packets: you start TCP connections to an arbitrary system, but forge the sender IP address to be the IP address of the victim and leave the connections open. This is a kind of Denial of Service (DoS). However, there are several ways to mitigate such attacks:

  • The network infrastructure knows who has which IP address and whether a sender IP really belongs to its own network. This way outbound packets with foreign source addresses can be filtered (e.g. by the ISP).
  • The network infrastructure knows who has which IP address and can thus determine that a sender IP from its own network should not be arriving from outside. This way inbound packets can be filtered (e.g. by the ISP).
  • TCP has sequence numbers, and according to the specification these must not be guessable. Thus a firewall can already determine whether the connection exists at all and drop packets that do not belong to it.

How realistic the attack is can be determined with the tool linked in the exercise. In the Country Stats it can be seen that it is still a problem: in Germany there are 30 /24 IPv4 blocks that can be spoofed. On the website, under 4.1 - Is spoofing still really a significant attack vector? Don’t ISPs deploy uRPF to prevent it?, they point out that it is still a relevant attack: 67% of the world’s ASes do not block inbound packets that carry an IP sender address from their own network.
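To make the mitigation list above concrete, here is an added example (my own code, not the Spoofer tool's) of a prefix-level source-address filter like the one an ISP or border router applies, plus a classifier that labels test sources the way section 3.1 groups them (own host, internal but unassigned, adjacent /23 or /22, external, private). The prefix 203.0.113.0/24 and the host 203.0.113.10 are constructed documentation values.

```python
from ipaddress import ip_address, ip_network

# Constructed values (documentation ranges), not a real deployment:
# the /24 our border router announces, and the address of our own host in it.
OUR_PREFIX = ip_network("203.0.113.0/24")
OUR_HOST = ip_address("203.0.113.10")
# Source ranges that are never valid on the Internet-facing link in either direction.
BOGON_PREFIXES = [ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # private (RFC 1918)
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")]     # loopback, "this" net, link-local


def is_bogon(src):
    return any(src in p for p in BOGON_PREFIXES)


def filter_verdict(direction, src_ip):
    """Pass or drop a packet at the border based only on its source address.

    'egress'  = leaving our network: the source must belong to our prefix.
    'ingress' = entering our network: the source must NOT belong to our prefix.
    """
    src = ip_address(src_ip)
    if is_bogon(src):
        return "drop"
    inside = src in OUR_PREFIX
    if direction == "egress":
        return "pass" if inside else "drop"
    if direction == "ingress":
        return "drop" if inside else "pass"
    raise ValueError(f"unknown direction: {direction}")


def classify_probe_source(src_ip):
    """Label a test source address the way the write-up groups the tool's probes."""
    src = ip_address(src_ip)
    if is_bogon(src):
        return "private"
    if src == OUR_HOST:
        return "own-host"
    if src in OUR_PREFIX:
        return "internal-unassigned"
    for bits in (23, 22):  # neighbouring space of an independently routed /24
        if src in OUR_PREFIX.supernet(new_prefix=bits):
            return f"adjacent-/{bits}"
    return "external"


def run_probes(probes):
    """probes: iterable of (direction, src_ip); returns (source class, verdict) per probe."""
    return [(classify_probe_source(s), filter_verdict(d, s)) for d, s in probes]
```

Note that an internal-unassigned source still passes the egress filter: a prefix-level check (the first two bullets, uRPF) cannot tell which host inside the prefix owns an address, which is why the tool tests that case separately.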

Is this a realistic attack over the internet with UDP/IP - explain

Yes, because the DNS system, for example, works over UDP, so a DNS amplification attack is possible. An amplification attack takes advantage of the fact that a small packet from the attacker triggers a large amount of traffic or effort directed at the victim. In the specific case of DNS amplification, a short query to an open DNS server triggers a long response, which is sent to the victim because the request carried the victim's address as a spoofed sender IP.

What protocol is the spoofer tool trying to spoof?

In Wireshark, DNS, TCP and UDP traffic can be seen.

Find your own results at caida.org

Depending on whether you agreed to share them, you can find your results on caida.org.

September 21, 2021