Sidebar: IP spoofing
A frequently exploited trick for breaking into a system
is called IP
spoofing. It is based on the fact that a system with
an IP address of
1.x.y.z pretends to be a system with the address 2.a.b.c.
In this case,
the first address denotes an untrusted host, whereas
the second address
denotes a trusted host (very often the local host address
127.0.0.1).
Because the IP layer normally adds these IP addresses
to a data packet,
a spoofer has to circumvent the IP layer and talk directly
to the raw
network device. The spoofer builds an IP packet by hand
and puts it on
the wire. This may sound more complicated than it really
is.
Faking a UDP packet is relatively simple. The header
of a UDP packet is
very simple due to its connectionless nature. So, you
can fill in any IP
address you like and pretend to be somebody else. There
is one problem
however. If a server needs to send a reply, it will
send it to the
"real" 2.a.b.c instead of to the machine faking
it. So, IP spoofing is
normally used to deposit another exploit on the target
machine.
Faking a TCP connection is much harder, but not impossible.
The
difficulty lies in the fact that a TCP connection is
established, both
the server and the client generate a sequence number
from which they
will start counting the packets transmitted. This sequence
number is
generated at random (or at least it should be), and
should be hard to
predict. However, some implementations of the TCP/IP
protocol make it
rather easy to predict this sequence number. Once the
spoofer has
managed to predict the sequence number, he or she can
send packets to
the target machine just as if the connection were established.
This is
also often used to deposit another exploit on the target
machine. Figure
2 shows what happens when a client and a server make
a TCP connection.
You can see the sequence numbers that are exchanged
between server and
client. Each time one of the parties acknowledges a
message, it
increments the sequence number by 1.
The TCP protocol uses a handshake between the two parties.
Thus,
whenever the spoofer sends a packet to the server, the
server will send
an acknowledgement back to the "real" client.
This real client does not
know what to do with this ack, and sends a message back
to the server.
So, the spoofer may try to flood the real client with
dummy packets at
such a rate that its buffers will overflow, and the
ack from the server
will be lost.
Under some circumstances, a spoofing attack can be detected.
If the
machine has two network interfaces, one for a trusted
network and one
for an untrusted network, a spoofing attack can be detected
as follows.
For each connection request arriving on the machine,
the receiving
application must check the sender address. If this address
does not
match with the interface on which it was received (e.g.,
a message from
a trusted host on the untrusted interface), the connection
request
should be refused, and the event should be logged. If
needed, the
administrator can be warned that such an event has occurred.
|