|[Home] [Credit Search] [Category Browser] [Staff Roll Call]||The LINUX.COM Article Archive|
|Originally Published: Saturday, 10 June 2000||Author: Kapil Sharma|
|Published to: enchance_articles_security/Advanced Security Articles||Page: 1/1 - [Std View]|
An Overview of TCP and IP Spoofing
TCP and IP spoofing attacks can be very dangerous! In this article, Kapil Sharma introduces TCP and IP spoofing and lists measures to prevent your network from these attacks.
A spoofing attack involves forging one's source IP address. It is the act of using one machine to impersonate another. Most of the applications and tools in Unix systems, including Linux, rely on source IP address authentication, and many developers have used host-based access controls to secure their networks. The source IP address is a unique identifier, but it is not a reliable one. It can easily be spoofed.
To understand the spoofing process, I will begin by explaining the TCP and IP authentication process. Then I will discuss how an attacker can spoof your network.
TCP uses sequence numbers. When a virtual circuit establishes between two hosts, TCP assigns each packet a number as an identifying index. Both hosts use this number for error-checking and reporting.
Rik Farrow, in his article "Sequence Number Attacks," explains the sequence number system as follows:
The sequence number is used to acknowledge receipt of data. At the beginning of a TCP connection, the client sends a TCP packet with an initial sequence number, but no acknowledgement (there can't be one yet). If there is a server application running at the other end of the connection, the server sends back a TCP packet with its own initial sequence number, and an acknowledgement: the initial sequence number from the client's packet plus one. When the client system receives this packet, it must send back its own acknowledgement: the server's initial sequence number plus one."Thus an attacker is faced with two challenges:
Services Vulnerable to IP Spoofing
Configuration and services that are vulnerable to IP spoofing attacks include:
So how does a system administrator prevent IP spoofing attacks. Some good measures are:
Spoofing attacks are very dangerous and difficult to detect. As they become increasingly popular, the only way to prevent these attacks are to implement security measures such as encrypted authentication to secure your network.
Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux systems for more than 2 years. He has a web site, http://www.linux4biz.net, if you are interested in learning more about him.