Originally Published: Saturday, 10 June 2000 Author: Kapil Sharma
Published to: enchance_articles_security/Advanced Security Articles Page: 1/1 - [Printable]

An Overview of TCP and IP Spoofing

TCP and IP spoofing attacks can be very dangerous! In this article, Kapil Sharma introduces TCP and IP spoofing and lists measures to prevent your network from these attacks.

   Page 1 of 1  

The opinions expressed by contributors to Linux.com are their own. Linux.com bears no responsibility for its contributors' opinions.

A spoofing attack involves forging one's source IP address. It is the act of using one machine to impersonate another. Most of the applications and tools in Unix systems, including Linux, rely on source IP address authentication, and many developers have used host-based access controls to secure their networks. The source IP address is a unique identifier, but it is not a reliable one. It can easily be spoofed.

To understand the spoofing process, I will begin by explaining the TCP and IP authentication process. Then I will discuss how an attacker can spoof your network.

TCP uses sequence numbers. When a virtual circuit establishes between two hosts, TCP assigns each packet a number as an identifying index. Both hosts use this number for error-checking and reporting.

Rik Farrow, in his article "Sequence Number Attacks," explains the sequence number system as follows:

The sequence number is used to acknowledge receipt of data. At the beginning of a TCP connection, the client sends a TCP packet with an initial sequence number, but no acknowledgement (there can't be one yet). If there is a server application running at the other end of the connection, the server sends back a TCP packet with its own initial sequence number, and an acknowledgement: the initial sequence number from the client's packet plus one. When the client system receives this packet, it must send back its own acknowledgement: the server's initial sequence number plus one."
Thus an attacker is faced with two challenges:
  1. He must forge the source address.
  2. He must maintain a sequence number with the target.
The second task is the most complicated one, because when target sets the initial sequence number, the attacker must respond with the correct response. Once the attacker correctly guesses the sequence number, he can synchronize with the target and establish a valid session.

Services Vulnerable to IP Spoofing

Configuration and services that are vulnerable to IP spoofing attacks include:

  • RPC (Remote Procedure Call services)
  • The X Window system
  • The R services suite
  • Any service that uses IP address authentication
TCP and IP Spoofing Tools
  1. Mendax for Linux: Mendax is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.
  2. spoofit.h: spoofit.h is a well-commented library for including IP spoofing functionality into applications.
  3. ipspoof: ipspoof is a TCP and IP spoofing utility.
  4. hunt: hunt is a sniffer which also offers many spoofing functions.
Measures to Prevent IP Spoofing Attacks

So how does a system administrator prevent IP spoofing attacks. Some good measures are:

  • Avoid using source address authentication. Implement cryptographic authentication system-wide.
  • Configure your network to reject packets from the Internet which claim to originate from a local address. This is most commonly done with a router.
  • If you allow outside connections from trusted hosts, enable encryption sessions at the router.

Spoofing attacks are very dangerous and difficult to detect. As they become increasingly popular, the only way to prevent these attacks are to implement security measures such as encrypted authentication to secure your network.

Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux systems for more than 2 years. He has a web site, http://www.linux4biz.net, if you are interested in learning more about him.

   Page 1 of 1