Spoofing Techniques
-- Naiden M Markachev
Most of us have already heard a lot about spoofing methods used by crackers to
compromise systems and my intention in this paper is not to advertise the issue further
but to explain how these techniques are performed and to give some advises how to protect
yourself against them. As the majority of our readers are computer science students and
taking into consideration the fact that subject like spoofing is not included in the
universities educational programs I decided to jump on the question and write an article
on it. The reader is assumed to have a little more than a user level knowledge of UNIX as
well as some understanding of TCP, IP and ARP protocols. Regarding the latter the reader
might want to have a look at my
article from the February issue of "Hello, World!" on TCP/IP structure and
implementation (ARP is explained
there as well). Although this paper is focused on the IP spoofing, other similar
techniques are briefly discussed too (DNS spoofing and ARP spoofing) and some guidelines
on how they can be prevented are given.
IP Spoofing
Despite the fact that many people consider IP spoofing as THE ATTACK this is not
actually the case. Spoofing is only a step in the whole process, while the attack indeed
is trust relationship exploitation between hosts. On UNIX machines the
"/etc/hosts.equiv" file contains a list of hosts local machine trusts. If a
host's name is present in this file and a user has accounts on both, the local machine and
the trusted host, this user being logged on the trusted host can use r* services of the
local machine without supplying a password. R* commands permit a user to start a job,
execute a shell command or do a remote login on the trusting machine. A user can also set
up trust relationship between hosts by creating .rhosts
file in her home directory, for instance typing:
echo server_name user_name > ~/.rhosts
will get the job done.
In normal TCP connection, IP provides no mechanisms for accountability and reliability;
these methods are performed by higher level protocols. TCP being connection oriented
protocol - connection oriented means that hosts exchange some information before the
connection is established - is one of those higher level protocols that guarantee a
reliable connection. Reliability is guaranteed in a number of ways - data acknowledgement,
data sequencing and checksum field present in the header of each datagram, but in our case
we are concerned only with acknowledgement and sequencing. The way TCP implements this is
by assigning numbers to all datagrams sent and once these datagrams are received by the
destination host packets acknowledging them are sent back to the source host. The fields
of the sequence number and acknowledge number in the TCP header are 32 bits wide which
means that the maximum value each of them can take is (2^32 - 1) or 4,294,967,295(in
decimal). The sequence number field in the TCP header contains the number of the first
byte of data in the TCP segment and the acknowledge number field holds the value of the
next expected sequence number. The acknowledge number also confirms all data
received up to this moment so that other machine knows when data is properly delivered and
when lost. These numbers are not arbitrarily assigned though - when a machine is booted
the initial sequence number (ISN) is set to 1 and since then its value is incremented by
128,000 per second. The value of ISN is also incremented by 64,000 each time a connect()
function call is executed. Assuming no connect() call is issued the 32 bit wide field of
the sequence number in the TCP header tells us that overflow will occur every 9 hours and
19 minutes. TCP is implemented in this way because if two machines exchange data and one
of them crashes and after some time attempts to reestablish the connection the first
machine needs to distinguish between signals belonging to the old dropped connection and
signals attempting to establish a new connection. It's important for one to understand the
procedure of ISN generation because it is highly cohesive with the sequence/acknowledge
number prediction when a cracker is forging TCP/IP packets and pretending her machine to
be the one the victim trusts.
The Attack
In this kind of attack there are in general 8 steps:
- A target machine is chosen
- Trust relationship is discovered
- The Round-Trip-Time (RTT) is measured
- The trusted host is disabled
- Info about the TCP sequence number generator is gathered
- Sequence/Acknowledge numbers are predicted
- The trusted host IP address is spoofed and target machine is fooled
- Data to target machine is transferred
but most of them don't need to be in the listed order.
After the target is chosen a trust relationship has to be determined. (for the attack
to be possible the target machine must trust some other machine). This relationship can be
discovered by running "showmount -e target from
the UNIX shell which shows target export list and rpcinfo -p
target which prints a list of registered RPC programs on target host. The attacker can
also get some useful information weather someone is logged on the target machine and
trusted host by using the finger service. When the trusted host is discovered it must be
disabled so that it would not respond to requests initiated from the victim machine. There
are many ways how this can be done but one possible solutions is by SYN flooding. In SYN
flooding the attacker sends the trusted host a great amount of TCP packets with SYN flag
turned ON (the destination port being the port the cracker wants disabled - in our case
port 513 - rlogin) forging the packets so that they have the IP address of a nonexistent
or unreachable host (the reason behind this is that the cracker doesn't want the trusted
machine to send SYN/ACK packets to a host that exists because the latter would respond
with RST packets and spoil the attack). Trusted machine responds with SYN/ACK datagrams to
the nonexistent host and waits for acknowledgement. During this period of time all
requests to the flooded port are ignored. They are ignored, because in TCP implementations
a limit(known as backlog)
exist for the number of connections allowed to a particular port. Backlog size depends on
the different operating systems TCP implementation (in BSD it has a value of 5 while in
Linux its value is 6). Next thing the attacker has to do is to fool the target machine
into thinking that her machine is the trusted host. This is done by sequence/acknowledge
number prediction and IP spoofing, the first being actually the hardest part because the
cracker doesn't get any feedback from the victim. The sequence number can be guessed by
estimating the average time it takes for a packet to reach the target machine. This is
done by numerous connections to some of the target ports during which the response time is
recorded. After the round-trip time is known and the cracker is familiar with target TCP
sequence number generator she can proceed with the attack. This has to be done fast
because if a TCP connection between the target machine and some other machine is initiated
during this gap of seconds the cracker would be unable to predict the exact sequence
numbers, and the attack would fail. Forging her IP address to be the one of the trusted
host the cracker sends a request to port 513 of the target machine(three way handshake is
initiated with the first TCP segment having SYN flag turned ON). "Victim"
responds with TCP datagram (SYN/ACK) to the trusted host which is unreachable at this
moment (if reachable the trusted host would consider this an error and would answer with
RST). Then the attacker sends the target a TCP ACK packet containing the predicted
sequence number and spoofed IP address and if the round-trip-time was correctly estimated,
and victim did not initiate other TCP connection during this time the trusted relationship
is exploited and the cracker can send data to "target". Usually the data sent is
something like:
echo + + >> ~/.rhosts
This add-on to the ".rhosts" file allows rlogin from any machine; a back-door
for the cracker if she wants to have an access to the machine in the future. In the end
the cracker sends RST packets to the trusted host(this time masking her machine's IP
address to be the one of the same nonexistent/unreachable host from whom the trusted host
still expects ACK segments).
How IP Spoofing Can Be Prevented
One way to prevent IP spoofing is to disable all r* commands, delete all
".rhosts" files and empty "/etc/hosts.equiv" file. Doing so the
machine no longer relies on address based authentication. This will also force users to
choose other(more secure) methods of accessing remote machines (telnet, ssh). The use of
terminal session protocol implementation (telnet, rlogin) that inserts extra terminal
protocol data, or even better, the use of encryption-based terminal protocol can also help
preventing IP spoofing. Spoofing attack can also be suppressed by configuring routers in
such a way that they filter the incoming packets and reject the ones that claim to be from
a machine internal to the network. This cannot help when someone is using a local machine
to launch the attack though. Another way to secure your network is by using IPv6 or IPsec instead
of IPv4 . "RFC 1825: Security
Architecture of the Internet Protocol" specifies two new characteristics of IPv6
- authentication header and encapsulation security payload.
The first prevents IP address faking while the second introduces encryption for IP packet
and TCP header.
Other existing methods of spoofing are DNS and ARP spoofing. I will not explain them in
detail here but I would like to give the reader an idea why they are possible and what
protection mechanisms exist against them. A weak part of a system in which machines
communicate using ARP is that authentication is based on hardware address only. To
establish a connection with another machine a host must have the machine hardware address.
If the host doesn't have an entry of the hardware address of that machine in its ARP cache
it sends a broadcast message (containing the IP address of the machine) to all hosts in
the subnetwork. The message is captured by the network interfaces and interrupt request to
the operating systems is issued. The only host that answers the request is the one with
the corresponding IP number.A cracker can exploit this hardware address authentication by
disabling a trusted host and spoofing its hardware address. Doing this the trusting
machine is deceived that the cracker's machine is the trusted host. One can prevent ARP
spoofing attacks by either stopping the usage of ARP for obtaining the hardware address of
a trusted host or by keeping a permanent entry of the hardware address of the trusted host
in the ARP caches of the trusting machines. Another way of doing this is by using an ARP
Server which responds to ARP requests on behalf of another host regarding the permanent
entries in its ARP cache. The main disadvantage using ARP server is that if it is
compromised the cracker will have control over the trusting host(s).
In other environments trust is based entirely on Domain Name Service. In order to
acquire the IP number of a machine a host sends request holding the machine's name to a
DNS server and the server responds with the corresponding IP. Weak part in the system is
when a nameserver is compromised by a cracker and the cracker modifies server's records so
that a name of a trusted host corresponds to cracker's machine IP address. Fortunately
there are methods of detecting DNS spoofing and one of them is by performing reverse
lookup - with key being the IP address instead the name of the host. Because lookup and
reverse lookup tables are kept in separate files the intruder might have acted clumsy and
changed the records only in one of them. But because of the nature of the DNS system these
files may not be on the same server at all. In order to deceive the reverse lookup
cross-checking the cracker has to take control over the DNS server holding the other files
which is possible but not very likely to happen. A lot of problems also arise because old
DNS software is used. The simplest step a system administrator can take to prevent DNS
spoofing is to upgrade to the most recent version.
|
