The Internet Protocol address (IP address) plays a very significant role in our day-to-day lives. Whether it is cyber security or cyber forensics, the IP address has a crucial role to play. It is also the starting point for any cyber crime investigation, so it is of utmost importance that an IP address is correctly ascertained.
Equally, crackers and cyber criminals are interested in hiding their “digital footprints” through various means. IP spoofing, the use of proxies, utilising a botnet for nefarious activities, and exploiting unsecured wireless access points and connections are some of the methods used by cyber criminals.
The IP address is also the starting point for determining “authorship attribution”, which is a must before an accused is “convicted” by a court of law. For instance, if a single computer or Internet connection is used by multiple users, it is absolutely essential to ascertain who in fact used the computer or connection for the “offending act”.
Similarly, it is absolutely essential to ensure that the owner of a wireless connection is actually the person who committed the cyber crime or cyber contravention. In the majority of cases such an unsecured wireless connection is misused by others, and it is the IP address of the owner that is reflected in that activity.
Thus, authorship attribution is an important aspect of “determining the culpability” of an offender where the means to commit the offence are common and accessible to many people simultaneously. Data mining and profiling of the accused in order to “attribute culpability” to him or her alone is an emerging area of cyber crime investigation.
IP spoofing is one of the methods used by cyber criminals to deny “authorship attribution”. A cyber crime investigator would first ascertain the IP address and then, after analysing the e-mail headers and logs, may conclude that the IP address reflected in the communication is a forged or spoofed one. Ascertaining the true and correct IP address is then required in order to proceed further in such a case.
IP address spoofing requires the creation of IP packets with a forged source IP address, with the purpose of concealing the real identity of the sender or impersonating another system. The most common protocol suite for data exchange over the Internet is TCP/IP. The header of each IP packet contains, among other things, the numerical source and destination addresses of the packet. The source address is normally the address that the packet was sent from. By forging the header so that it contains a different address, an attacker can make it appear that the packet was sent by a different computer.
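
The header fields just described can be seen directly in the bytes. The following Python is an added example, not code from the original post: it decodes the source and destination addresses from a constructed IPv4 header, verifies the RFC 791 header checksum, and then applies the kind of source-address plausibility check an edge router performs on a customer-facing link (the idea standardised as BCP 38 ingress filtering), which is the usual first line of defence against forged source addresses. The header bytes, prefixes and addresses are constructed for the example.

```python
import ipaddress
import struct

# Constructed sample: a 20-byte IPv4 header (no options) with the checksum
# field still zero; the real checksum is filled in by with_checksum() below.
HEADER_NO_CKSUM = bytes([
    0x45, 0x00, 0x00, 0x3c,  # version 4, IHL 5 words, DSCP/ECN, total length 60
    0x1c, 0x46, 0x40, 0x00,  # identification, flags (DF) / fragment offset
    0x40, 0x06, 0x00, 0x00,  # TTL 64, protocol 6 (TCP), checksum placeholder
    0xc0, 0xa8, 0x01, 0x0a,  # source address 192.168.1.10
    0x0a, 0x00, 0x00, 0x05,  # destination address 10.0.0.5
])


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum
    of all 16-bit words. Over a header that already carries a correct
    checksum this returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    """Return the header with bytes 10-11 set to the correct checksum."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed part of an IPv4 header into named fields."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (vhl, _tos, total_len, _ident, _flags_frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = vhl >> 4, (vhl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
    }


def ingress_filter(header: dict, customer_prefixes) -> tuple:
    """Source-address plausibility check of the kind an edge router applies
    on a customer-facing interface (BCP 38 ingress filtering): a packet
    entering from a customer link may only carry a source address from that
    customer's prefixes. Returns (forward?, reason)."""
    prefixes = [ipaddress.ip_network(p) for p in customer_prefixes]
    src = header["src"]
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return (False, "bogon source address %s" % src)
    if not any(src in prefix for prefix in prefixes):
        return (False, "source %s is not in the customer's prefixes" % src)
    return (True, "source address consistent with ingress interface")


SAMPLE_PACKET = with_checksum(HEADER_NO_CKSUM)

if __name__ == "__main__":
    hdr = parse_ipv4_header(SAMPLE_PACKET)
    print(hdr)
    # Arriving on the link assigned 192.168.1.0/24: plausible, forwarded.
    print(ingress_filter(hdr, ["192.168.1.0/24"]))
    # Arriving on a link assigned 10.7.0.0/16: forged or misrouted, dropped.
    print(ingress_filter(hdr, ["10.7.0.0/16"]))
```

The filter is deliberately simple: it knows nothing about the sender's intent, only that a source address which cannot legitimately originate on this interface is not to be forwarded. Applied at the network edge, this is what stops forged-source packets from ever reaching the wider Internet.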
However, there is a “limitation” to such use. To establish a connection, TCP uses a “three-way handshake”, and IP spoofing by its very nature fails to satisfy this handshake, because the reply to the forged packet is sent to the forged address rather than to the attacker. So the purposes of IP spoofing are limited in nature. For instance, IP spoofing can be used for denial of service (DoS) attacks, as the attacker is least bothered about receiving a “response”. IP spoofing can also be a method of attack used by network intruders to defeat network security measures such as authentication based on IP addresses, and it can be used for session hijacking or host impersonation.
Some services are vulnerable to IP spoofing. These include RPC (Remote Procedure Call) services, any service that uses IP address authentication, the X Window System, and the R services suite (rlogin, rsh, etc.).
IP spoofing can take many forms. In non-blind spoofing the attacker is on the same subnet as the victim, which lets him observe the traffic and so perform session hijacking. Using this technique, an attacker could effectively bypass any authentication measures that have taken place to build a connection.
In blind spoofing several packets are sent to the target machine in order to sample its sequence numbers. Computers in the past used basic techniques for generating sequence numbers, and it was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most operating systems (OSs) implement random sequence number generation, making the numbers difficult to predict accurately.
In a man-in-the-middle (MITM) attack the attacker intercepts a legitimate communication between two computers. The malicious host then controls the flow of communication and can remove or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.
There is a “general consensus” that IP spoofing does not allow gaining anonymous Internet access, a common misconception among those unfamiliar with the practice. Any sort of spoofing beyond simple floods is relatively advanced and is used in very specific instances such as evasion and connection hijacking.
However, some believe that if a website is not using SYN cookies and is using predictable initial sequence numbers, it is possible to create a live TCP connection without actually revealing the original IP address. This may be possible as the attacker may be least interested in getting back the “responses”. I would deal with this issue separately and in greater detail subsequently.
IP spoofing can be prevented and defended against through methods like packet filtering, websites using SYN cookies and unpredictable initial sequence numbers, the use of multiple authentication protocols so that they do not rely exclusively on the IP address for authentication, the use of encryption, etc.
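
SYN cookies, named as a defence in the two preceding paragraphs, work by making the server's initial sequence number a keyed function of the connection's 4-tuple and a coarse time counter. The server then keeps no state for half-open connections, so a flood of SYNs from forged addresses exhausts nothing, and it accepts a final ACK only if the acknowledgment number decodes to a valid cookie, which a party that never saw the SYN-ACK cannot produce. The following Python is an added example, not the original post's code or any operating system's implementation; it follows the classic layout (5 bits of counter, 3 bits of MSS index, 24 bits of keyed hash) with a constructed secret, MSS table, addresses and clock.

```python
import hashlib
import hmac
import ipaddress
import struct
import time

# Constructed values: a real server draws the secret at boot and keeps it in
# memory only. MSS_TABLE maps the 3-bit field of the cookie to an MSS value.
SERVER_SECRET = b"constructed-per-boot-secret"
MSS_TABLE = (536, 1024, 1220, 1440, 1460, 4312, 8960, 9000)
COUNTER_PERIOD = 64   # seconds per step of the time counter


def _hash24(saddr, sport, daddr, dport, counter):
    """24-bit keyed hash binding a cookie to this 4-tuple and counter value."""
    msg = struct.pack("!4sH4sHQ",
                      ipaddress.ip_address(saddr).packed, sport,
                      ipaddress.ip_address(daddr).packed, dport, counter)
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_mss, counter):
    """Encode the 32-bit cookie used as the server ISN: 5 bits of counter,
    3 bits of MSS index, 24 bits of keyed hash. Nothing about the SYN is stored."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    return (((counter & 0x1F) << 27) | (mss_idx << 24)
            | _hash24(saddr, sport, daddr, dport, counter))


def check_syn_cookie(cookie, saddr, sport, daddr, dport, counter_now):
    """Validate a cookie echoed back (as ack - 1) in the final ACK. Only the
    current or the previous counter value is accepted, so stale cookies expire.
    Returns the MSS to use, or None if the cookie is not valid for this 4-tuple."""
    top = (cookie >> 27) & 0x1F
    for candidate in (counter_now, counter_now - 1):
        if (candidate & 0x1F) == top:
            if (cookie & 0xFFFFFF) == _hash24(saddr, sport, daddr, dport, candidate):
                return MSS_TABLE[(cookie >> 24) & 0x7]
            return None
    return None


class StatelessListener:
    """Server side of the handshake with no half-open table at all. A SYN costs
    only one hash, and an ACK is accepted only if its acknowledgment number
    decodes to a valid cookie for its own 4-tuple."""

    def __init__(self, local_addr, local_port, clock=time.time):
        self.addr, self.port, self.clock = local_addr, local_port, clock
        self.established = {}   # (client addr, client port) -> negotiated MSS

    def _counter(self):
        return int(self.clock()) // COUNTER_PERIOD

    def on_syn(self, saddr, sport, client_mss):
        # The cookie goes out as the ISN in the SYN-ACK, addressed to saddr.
        return make_syn_cookie(saddr, sport, self.addr, self.port, client_mss, self._counter())

    def on_ack(self, saddr, sport, ack_number):
        mss = check_syn_cookie((ack_number - 1) & 0xFFFFFFFF, saddr, sport,
                               self.addr, self.port, self._counter())
        if mss is None:
            return False
        self.established[(saddr, sport)] = mss
        return True


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges, fixed clock.
    srv = StatelessListener("203.0.113.5", 443, clock=lambda: 1_000_000)
    cookie = srv.on_syn("198.51.100.7", 40000, 1460)
    print("genuine client completes:", srv.on_ack("198.51.100.7", 40000, (cookie + 1) & 0xFFFFFFFF))
    print("same ack from another port:", srv.on_ack("198.51.100.7", 40001, (cookie + 1) & 0xFFFFFFFF))
    print("half-open state held:", len([k for k in srv.__dict__ if k == "half_open"]))
```

The point to notice is what the listener does not have: there is no table of pending connections to fill up, so the memory-exhaustion form of a SYN flood from forged sources loses its effect, while the keyed hash keeps the "guess the sequence number" route closed.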
Some upper-layer protocols provide their own defence against IP spoofing attacks. For example, TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection. Since the attacker normally cannot see any reply packets, the sequence number must be guessed in order to hijack the connection. The poor implementations in many older operating systems and network devices, however, mean that TCP sequence numbers can be predicted.
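
The handshake limitation, the blind-spoofing passage and the paragraph above all rest on one mechanism: the connection is accepted only when the final ACK acknowledges exactly the server's ISN + 1, and the server's reply carrying that ISN goes to whatever source address the SYN named. The following Python is an added example, not code from the original post: a toy in-memory listener implementing that rule, two ISN generators (a fixed-increment one with constructed values standing in for the "basic techniques" of older systems, and a random one), and a check of whether a party who never sees the SYN-ACK could still produce the right ACK from one earlier sample. No packets are sent; addresses are from the RFC 5737 documentation ranges.

```python
import secrets


class ToyListener:
    """Toy model of the server side of the TCP three-way handshake. It issues
    an initial sequence number (ISN) for every SYN and accepts the connection
    only when the final ACK acknowledges exactly ISN + 1, which is what turns
    the handshake into a proof that the peer received the SYN-ACK."""

    def __init__(self, isn_generator):
        self.next_isn = isn_generator
        self.half_open = {}        # (client addr, client port) -> our ISN
        self.established = set()

    def on_syn(self, client_addr, client_port):
        isn = self.next_isn()
        self.half_open[(client_addr, client_port)] = isn
        # The SYN-ACK is routed to client_addr. If that address was forged,
        # the forger never sees it and so never learns isn.
        return ("SYN-ACK", client_addr, isn)

    def on_ack(self, client_addr, client_port, ack_number):
        isn = self.half_open.get((client_addr, client_port))
        if isn is None or ack_number != (isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[(client_addr, client_port)]
        self.established.add((client_addr, client_port))
        return True


def fixed_increment_isn(start=1000, step=64000):
    """ISN generator of the kind the text attributes to older stacks: each new
    connection gets the previous ISN plus a constant (values constructed)."""
    state = {"last": start}

    def gen():
        state["last"] = (state["last"] + step) & 0xFFFFFFFF
        return state["last"]
    return gen


def random_isn():
    """What current stacks achieve in effect: an ISN an off-path party cannot predict."""
    return lambda: secrets.randbits(32)


def off_path_isn_guess_succeeds(isn_generator, step_guess=64000):
    """Assess an ISN generator the way the blind-spoofing passage describes:
    sample one ISN through a legitimate connection, then see whether the ISN
    issued to the next SYN (whose SYN-ACK the off-path party never receives,
    because the source address was forged) can be derived from that sample.
    Returns True when the listener would accept the forged handshake."""
    listener = ToyListener(isn_generator)
    own_addr, forged_src = "198.51.100.7", "192.0.2.10"
    _, _, sampled = listener.on_syn(own_addr, 40000)
    assert listener.on_ack(own_addr, 40000, (sampled + 1) & 0xFFFFFFFF)
    _, reply_goes_to, _ = listener.on_syn(forged_src, 40001)
    assert reply_goes_to == forged_src   # the real ISN leaves toward the forged address
    guess = (sampled + step_guess + 1) & 0xFFFFFFFF
    return listener.on_ack(forged_src, 40001, guess)


if __name__ == "__main__":
    print("fixed-increment ISN, forged handshake accepted:",
          off_path_isn_guess_succeeds(fixed_increment_isn()))
    print("random ISN, forged handshake accepted:",
          off_path_isn_guess_succeeds(random_isn()))
```

With the fixed-increment generator the check returns True, which is exactly the defect the paragraph describes; with the random generator it returns False except with probability 2^-32, which is why unpredictable ISNs are listed among the defences. The listener's validation rule is the same in both runs; only the quality of the ISN changes.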
There is an urgent need for more in-depth research in the field of IP spoofing, and I would try to cover this field in great detail in my subsequent posts.