Cover V05, I11
Article
Figure 1
Figure 2
Listing 1
Listing 2
Listing 3
Sidebar 1

nov96.tar


Sidebar: IP spoofing

A frequently exploited trick for breaking into a system is called IP spoofing. It is based on the fact that a system with an IP address of 1.x.y.z pretends to be a system with the address 2.a.b.c. In this case, the first address denotes an untrusted host, whereas the second address denotes a trusted host (very often the local host address 127.0.0.1). Because the IP layer normally adds these IP addresses to a data packet, a spoofer has to circumvent the IP layer and talk directly to the raw network device. The spoofer builds an IP packet by hand and puts it on the wire. This may sound more complicated than it really is.

Faking a UDP packet is relatively simple. The header of a UDP packet is very simple due to its connectionless nature. So, you can fill in any IP address you like and pretend to be somebody else. There is one problem however. If a server needs to send a reply, it will send it to the "real" 2.a.b.c instead of to the machine faking it. So, IP spoofing is normally used to deposit another exploit on the target machine.

Faking a TCP connection is much harder, but not impossible. The difficulty lies in the fact that a TCP connection is established, both the server and the client generate a sequence number from which they will start counting the packets transmitted. This sequence number is generated at random (or at least it should be), and should be hard to predict. However, some implementations of the TCP/IP protocol make it rather easy to predict this sequence number. Once the spoofer has managed to predict the sequence number, he or she can send packets to the target machine just as if the connection were established. This is also often used to deposit another exploit on the target machine. Figure 2 shows what happens when a client and a server make a TCP connection. You can see the sequence numbers that are exchanged between server and client. Each time one of the parties acknowledges a message, it increments the sequence number by 1.

The TCP protocol uses a handshake between the two parties. Thus, whenever the spoofer sends a packet to the server, the server will send an acknowledgement back to the "real" client. This real client does not know what to do with this ack, and sends a message back to the server. So, the spoofer may try to flood the real client with dummy packets at such a rate that its buffers will overflow, and the ack from the server will be lost.

Under some circumstances, a spoofing attack can be detected. If the machine has two network interfaces, one for a trusted network and one for an untrusted network, a spoofing attack can be detected as follows. For each connection request arriving on the machine, the receiving application must check the sender address. If this address does not match with the interface on which it was received (e.g., a message from a trusted host on the untrusted interface), the connection request should be refused, and the event should be logged. If needed, the administrator can be warned that such an event has occurred.