IP spoofing is one of the most common attack techniques. Nowadays in computer systems and networking, a hacker uses a variety of skills and tools not only for the security and defense of computer networks but also to attack servers and harm users in various ways. IP spoofing works a bit differently from other types of spoofing attack. This article presents the various types of IP spoofing and then discusses the mitigation measures available.
Defining IP Spoofing in detail
IP spoofing is also known as IP address forgery or host file hijack. IP spoofing is the creation of Internet Protocol packets with a false source IP address for the purpose of impersonating another computer system. Here, spoofing generally means fooling, and a packet is the unit of data that carries information such as the source address and the destination address. So IP spoofing can be defined as the process of replacing the source IP address in IP packets with a fake address to hide the real identity of the sender. Normally the source address is the address of the computer the packet was sent from; by changing it, an attacker can make the packet appear to have been sent by a different computer system.
How does IP Spoofing work?
Before looking at how IP address forgery works, we should understand how internet communication works.
Working of Internet Communication
On the internet, data is transferred in the form of packets: the client sends web requests as data packets to the server, and each packet carries the IP address of the computer it is coming from. Usually the client begins by sending a SYN (synchronization) packet. In response to the client's request, the server replies with a SYN/ACK packet. Finally, the client sends an ACK (acknowledgment) packet to the server. At this point the connection is established between the client and the server and communication between them takes place (as shown in the figure below).
Working of IP Address Forgery
In the case of IP address forgery, communication takes place a bit differently. As mentioned above, the server only starts communicating after receiving the ACK. As soon as the SYN/ACK is sent by the server, the attacker sends an ACK to the server carrying the same source and destination IP addresses as the legitimate client. The server then trusts the attacker as the same user who sent the original request, and the connection is built on that false trust.
Even though the server also receives an ACK from the user, the communication continues between the server and the attacker, and the server ends up communicating with the attacker instead of the user. The attacker does this by changing his own source address to the source address of the user. For instance, suppose the user has source address 18.104.22.168 and the destination address is 22.214.171.124, that of the server. Meanwhile, the attacker changes his/her own source address 126.96.36.199 to 188.8.131.52. Before the user sends the ACK, the attacker sends an ACK to the server with source address 184.108.40.206, hiding the original source address; the server trusts the attacker as the legitimate user and starts communicating with it, as shown in the figure below.
Types of IP Spoofing
There are mainly four types of host file hijack. They are non-blind spoofing, blind spoofing, man-in-the-middle attack and DoS attack.
Non-blind spoofing attacks work on networks where the attacker and the victim are on the same subnet. In this situation the attacker can sniff the network packets to learn the sequence numbers and the credentials being sent in them. One of the biggest threats from this kind of spoofing is session hijacking: corrupting the data stream of an established connection with a valid user, then re-establishing the connection from the attacking machine using the correct sequence numbers and credentials.
In blind spoofing, the sequence and acknowledgment numbers cannot be sniffed, so it is a bit more difficult than non-blind spoofing. The attacker sends several packets to the target machine in an attempt to work out the correct sequence and acknowledgment numbers; after sending many packets there is some chance of obtaining the right values. This attack has a lower chance of success.
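To make the handshake and the blind-spoofing point concrete, here is an added Python model (not code from the article) of the server side of the three-way handshake: the server picks a random 32-bit initial sequence number (ISN) for its SYN/ACK and only completes the connection when the final ACK acknowledges ISN + 1, so a spoofer who never sees the SYN/ACK has to guess that number. The server class, addresses and traffic below are constructed for illustration and are not a real TCP stack.

```python
import secrets
from dataclasses import dataclass, field

# Simplified model of a TCP server's three-way handshake state (constructed
# for illustration; it is not a real TCP stack and omits flags and options).

@dataclass
class HandshakeServer:
    pending: dict = field(default_factory=dict)   # (src_ip, src_port) -> ISN sent
    established: set = field(default_factory=set)

    def on_syn(self, src_ip: str, src_port: int) -> int:
        """SYN received: choose a random 32-bit ISN and answer SYN/ACK with it."""
        isn = secrets.randbelow(2 ** 32)
        self.pending[(src_ip, src_port)] = isn
        return isn   # the SYN/ACK carrying this ISN is routed to src_ip, not the sender

    def on_ack(self, src_ip: str, src_port: int, ack_num: int) -> bool:
        """Final ACK received: accept only if it acknowledges our ISN + 1."""
        key = (src_ip, src_port)
        isn = self.pending.get(key)
        if isn is None:
            return False                      # no SYN/ACK outstanding for this peer
        if ack_num != (isn + 1) % 2 ** 32:
            return False                      # wrong acknowledgment number: ignored
        del self.pending[key]
        self.established.add(key)
        return True

def blind_guess_attempts(isn_bits: int = 32) -> int:
    """Average number of guesses a blind spoofer needs when the ISN is random:
    half of the ISN space. With 32 random bits that is 2**31."""
    return 2 ** (isn_bits - 1)

def demo() -> tuple:
    """Legitimate client at 192.0.2.10 (documentation address); a blind spoofer
    elsewhere forges that address but never sees the SYN/ACK."""
    srv = HandshakeServer()
    client = ("192.0.2.10", 40000)
    isn = srv.on_syn(*client)                                  # SYN/ACK goes to client
    spoofed_ok = srv.on_ack(*client, (isn + 12345) % 2 ** 32)  # guessed number, rejected
    real_ok = srv.on_ack(*client, (isn + 1) % 2 ** 32)         # real client, accepted
    return spoofed_ok, real_ok

if __name__ == "__main__":
    print(demo())   # (False, True)
```

A non-blind spoofer on the same subnet can sniff the SYN/ACK and read the ISN, so this check only helps when the attacker cannot see the server's reply.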
In a man-in-the-middle attack, an attacker intercepts a legitimate communication between the server and the user and then controls the flow of data. He can alter the information being exchanged between server and user without the knowledge of either the original sender or the recipient.
The denial-of-service (DoS) attack is one of the most difficult attacks to defend against. Here the attacker tries to consume the bandwidth and resources of a server: the attacker simply wishes to flood the victim's machine with as many packets as possible in a short amount of time in order to make it inaccessible to valid users. The attacker uses random source IP addresses on the packets sent to the machine to make tracing and stopping the DoS as difficult as possible.
Mitigation Measures for IP Spoofing
The solution to this problem involves many measures, such as filtering, access control lists, configuring routers and switches, avoiding trust relationships, using spoofing detection software, using cryptographic network protocols, and more.
A very common defense against IP address forgery is filtering. Filtering is a form of packet filtering, usually implemented on a network edge device, that examines incoming IP packets and looks at their source headers. If the source header does not match the packet's origin, or otherwise looks suspicious, the packet is rejected so that only packets with legitimate source headers are allowed through. Filtering outgoing packets in the same way prevents someone within the network from launching an outbound attack using IP address forgery.
Furthermore, you can configure your routers and switches, if they support such configuration, to reject packets originating from outside your local network that claim to originate from within. Also enable encrypted sessions on your router so that trusted hosts outside your network can communicate securely with your local hosts.
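As an added example (not from the article), here is a Python model of the inbound/outbound anti-spoofing filter just described: on the Internet-facing interface it drops packets whose source claims to be one of our own addresses, and on the LAN interface it drops packets whose source is not one of ours. The internal prefixes, bogon list and sample traffic are all constructed for illustration.

```python
import ipaddress

# Constructed model of an edge-router anti-spoofing filter; prefixes and
# sample traffic are illustrative (RFC 5737 documentation ranges).
INTERNAL_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "198.51.100.0/24")]
# Private/reserved sources that should never arrive from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def _in_any(addr, prefixes) -> bool:
    return any(addr in net for net in prefixes)

def filter_packet(iface: str, src: str) -> str:
    """Return 'accept' or a drop reason for source `src` arriving on `iface`
    ('outside' = Internet-facing, 'inside' = local LAN)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop: unparsable source"
    if iface == "outside":
        if _in_any(addr, INTERNAL_PREFIXES):
            return "drop: external packet claims internal source"  # inbound rule
        if _in_any(addr, BOGON_PREFIXES):
            return "drop: bogon source"
        return "accept"
    if iface == "inside":
        if not _in_any(addr, INTERNAL_PREFIXES):
            return "drop: internal host forging foreign source"    # outbound rule
        return "accept"
    return "drop: unknown interface"

def audit(lines) -> dict:
    """Run the filter over 'iface src dst' records and count each verdict."""
    counts: dict = {}
    for line in lines:
        iface, src, _dst = line.split()
        verdict = filter_packet(iface, src)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

SAMPLE_TRAFFIC = [                          # constructed records
    "outside 203.0.113.7 192.0.2.10",       # ordinary inbound packet
    "outside 192.0.2.10 192.0.2.20",        # inbound but claims our own address
    "outside 10.1.1.1 192.0.2.10",          # inbound from a private (bogon) source
    "inside 192.0.2.10 203.0.113.7",        # ordinary outbound packet
    "inside 203.0.113.99 203.0.113.7",      # LAN host forging a foreign source
]

if __name__ == "__main__":
    print(audit(SAMPLE_TRAFFIC))
```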