Internet protocol address spoofing

From Free net encyclopedia

In computer networking, the term internet protocol address spoofing is the creation of IP packets with a forged (spoofed) source IP address. Since "IP address" is sometimes just referred to as an IP, IP spoofing is another name for this term.

Contents 1 How spoofing is done 2 How to stop spoofing 2.1 Upper layers 3 Data compression 4 Satellite internet access 5 Other definitions 6 See also 7 External links

How spoofing is done

The header of every IP packet contains its source address. This is normally the address that the packet was sent from. By forging the header, so it contains a different address, an attacker can make it appear that the packet was sent by a different machine. This can be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses.

This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time and cannot usually be done using a Windows box. IP spoofing involves modifying the packet header, which lists, among other things, the source IP, destination IP, a checksum value, and most importantly, the order value in which it was sent. As when a box sends packets into the Internet, packets sent may, and probably will arrive out of order, and must be put back together using the order sent value. IP spoofing involves solving the algorithm that is used to select the order sent values, and to modify them correctly. This poses a major problem because if one evaluates the algorithm in the wrong fashion, the IP spoof will be unsuccessful.

This type of attack is most effective where trust relationships exist between machines. For example, it is common on some corporate networks to have internal systems trust each other, so that a user can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authenticating.

How to stop spoofing

Packet filtering is one defence against IP spoofing attacks. The gateway to a network should perform ingress filtering; blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker spoofing the address of an internal machine. Ideally outgoing packets should also be filtered, dropping packets from inside the network with a source address that is not inside (egress filtering); this prevents an attacker within the network performing filtering from launching IP spoofing attacks against external machines.

Upper layers

Some upper layer protocols provide their own defence against IP spoofing. For example, Transmission Control Protocol (TCP) uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection. The poor implementation of TCP sequence numbers in many older operating systems and network devices, however, means that spoofing is often still possible.

The attacker is limited by the fact that any reply packets that the destination may send are sent to the spoofed source address. However, an attacker can utilize this property of IP spoofing in techniques such as smurf attacks and SYN floods.

Data compression

Protocol spoofing is also used as a data compression technique, and was used as early as 1985 when the Hayes Smartmodem incorporated spoofing of portions of the UUCP protocol to improve throughput. In this context, protocol headers and trailers are trimmed down or removed entirely, and then reconstructed at the far end.

Satellite internet access

Today, protocol spoofing is particularly important for satellite internet access. Satellite internet access has a relatively long latency when packets must travel between the ground and a satellite in geosynchronous orbit, and many network protocols do not handle this latency very well. Therefore, satellite broadband providers may spoof the protocol so that each end of a packet flow gets acknowledgements with a short latency. Some satellite internet providers now also offer special VPN software that incorporates protocol spoofing, because VPN applications are particularly prone to problems with latency.

Other definitions

The term spoofing is also sometimes used to refer to header forgery, the insertion of false or misleading information in email or netnews headers. Falsified headers are used to mislead the recipient, or network applications, as to the origin of a message. This is a common technique of spammers and sporgers, who wish to conceal the origin of their messages to avoid being tracked down. Less fraudulently, some netnews users place obviously false email addresses in their headers to avoid spam or other unwanted responses.

See also

• Router (includes a list of manufacturers)
• Network address translation
• Spoofed URL

External links

• IP Spoofing: An Introductionde:IP-Spoofing

fr:IP spoofing it:IP spoofing nl:Internet Protocol Spoofing pl:IP spoofing pt:IP spoofing