Criminals have long employed the tactic of masking their true identity, from disguises to aliases to caller-id blocking. It should come as no surprise then, that criminals who conduct their nefarious activities on networks and computers should employ such techniques. IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine. In this article, we will examine the concepts of IP spoofing: why it is possible, how it works, what it is used for and how to defend against it.

History

The concept of IP spoofing, was initially discussed in academic circles in the 1980's. While known about for sometime, it was primarily theoretical until Robert Morris, whose son wrote the first Internet Worm, discovered a security weakness in the TCP protocol known as sequence prediction. Stephen Bellovin discussed the problem in-depth in Security Problems in the TCP/IP Protocol Suite, a paper that addressed design problems with the TCP/IP protocol suite. Another infamous attack, Kevin Mitnick's Christmas Day crack of Tsutomu Shimomura's machine, employed the IP spoofing and TCP sequence prediction techniques. While the popularity of such cracks has decreased due to the demise of the services they exploited, spoofing can still be used and needs to be addressed by all security administrators.

Technical Discussion

To completely understand how these attacks can take place, one must examine the structure of the TCP/IP protocol suite. A basic understanding of these headers and network exchanges is crucial to the process.

Internet Protocol – IP

Internet protocol (IP) is a network protocol operating at layer 3 (network) of the OSI model. It is a connectionless model, meaning there is no information regarding transaction state, which is used to route packets on a network. Additionally, there is no method in place to ensure that a packet is properly delivered to the destination.

Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the header) contain various information about the packet. The next 8 bytes (the next 2 rows), however, contains the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses – specifically the “source address” field. It's important to note that each datagram is sent independent of all others due to the stateless nature of IP. Keep this fact in mind as we examine TCP in the next section.

Transmission Control Protocol – TCP

IP can be thought of as a routing wrapper for layer 4 (transport), which contains the Transmission Control Protocol (TCP). Unlike IP, TCP uses a connection-oriented design. This means that the participants in a TCP session must first build a connection - via the 3-way handshake (SYN-SYN/ACK-ACK) - then update one another on progress - via sequences and acknowledgements. This “conversation”, ensures data reliability, since the sender receives an OK from the recipient after each packet exchange.

As you can see above, a TCP header is very different from an IP header. We are concerned with the first 12 bytes of the TCP packet, which contain port and sequencing information. Much like an IP datagram, TCP packets can be manipulated using software. The source and destination ports normally depend on the network application in use (for example, HTTP via port 80). What's important for our understanding of spoofing are the sequence and acknowledgement numbers. The data contained in these fields ensures packet delivery by determining whether or not a packet needs to be resent. The sequence number is the number of the first byte in the current packet, which is relevant to the data stream. The acknowledgement number, in turn, contains the value of the next expected sequence number in the stream. This relationship confirms, on both ends, that the proper packets were received. It’s quite different than IP, since transaction state is closely monitored.

Consequences of the TCP/IP Design

Now that we have an overview of the TCP/IP formats, let's examine the consequences. Obviously, it's very easy to mask a source address by manipulating an IP header. This technique is used for obvious reasons and is employed in several of the attacks discussed below. Another consequence, specific to TCP, is sequence number prediction, which can lead to session hijacking or host impersonating. This method builds on IP spoofing, since a session, albeit a false one, is built. We will examine the ramifications of this in the attacks discussed below.

Spoofing Attacks

There are a few variations on the types of attacks that successfully employ IP spoofing. Although some are relatively dated, others are very pertinent to current security concerns.

Non-Blind Spoofing

This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance would be session hijacking. This is accomplished by corrupting the datastream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using this technique, an attacker could effectively bypass any authentication measures taken place to build the connection.

Blind Spoofing

This is a more sophisticated attack, because the sequence and acknowledgement numbers are unreachable. In order to circumvent this, several packets are sent to the target machine in order to sample sequence numbers. While not the case today, machines in the past used basic techniques for generating sequence numbers. It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most OSs implement random sequence number generation, making it difficult to predict them accurately. If, however, the sequence number was compromised, data could be sent to the target. Several years ago, many machines used host-based authentication services (i.e. Rlogin). A properly crafted attack could add the requisite data to a system (i.e. a new user account), blindly, enabling full access for the attacker who was impersonating a trusted host.

Man In the Middle Attack

Both types of spoofing are forms of a common security violation known as a man in the middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by “spoofing” the identity of the original sender, who is presumably trusted by the recipient.

Denial of Service Attack

IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against – denial of service attacks, or DoS. Since crackers are concerned only with consuming bandwidth and resources, they need not worry about properly completing handshakes and transactions. Rather, they wish to flood the victim with as many packets as possible in a short amount of time. In order to prolong the effectiveness of the attack, they spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic, it is very challenging to quickly block traffic.

Misconceptions of IP Spoofing

While some of the attacks described above are a bit outdated, such as session hijacking for host-based authentication services, IP spoofing is still prevalent in network scanning and probes, as well as denial of service floods. However, the technique does not allow for anonymous Internet access, which is a common misconception for those unfamiliar with the practice. Any sort of spoofing beyond simple floods is relatively advanced and used in very specific instances such as evasion and connection hijacking.

Defending Against Spoofing

There are a few precautions that can be taken to limit IP spoofing risks on your network, such as:

Filtering at the Router - Implementing ingress and egress filtering on your border routers is a great place to start your spoofing defense. You will need to implement an ACL (access control list) that blocks private IP addresses on your downstream interface. Additionally, this interface should not accept addresses with your internal range as the source, as this is a common spoofing technique used to circumvent firewalls. On the upstream interface, you should restrict source addresses outside of your valid range, which will prevent someone on your network from sending spoofed traffic to the Internet.

Encryption and Authentication - Implementing encryption and authentication will also reduce spoofing threats. Both of these features are included in Ipv6, which will eliminate current spoofing threats. Additionally, you should eliminate all host-based authentication measures, which are sometimes common for machines on the same subnet. Ensure that the proper authentication measures are in place and carried out over a secure (encrypted) channel.

Conclusion

IP Spoofing is a problem without an easy solution, since it’s inherent to the design of the TCP/IP suite. Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.

INTRODUCTION OF IP SPOOFING



(ī-pē spoof´ing) (n.) A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.

INTRODUCTION AND IMPORTANCE OF IP SECURITY

In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture" (RFC 1636). The report stated the general consensus that the Internet needs more and better security, and it identified key areas for security mechanisms. Among these were the need to secure the network infrastructure from unauthorized monitoring and control of network traffic and the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms.

These concerns are fully justified. As confirmation, the 1998 annual report from the Computer Emergency Response Team (CERT) lists over 1,300 reported security incidents affecting nearly 20,000 sites. The most serious types of attacks included IP spoofing, in which intruders create packets with false IP addresses and exploit applications that use authentication based on IP address; and various forms of eavesdropping and packet sniffing, in which attackers read transmitted information, including logon information and database contents.

In response to these issues, the IAB included authentication and encryption as necessary security features in the next-generation IP, which has been issued as IPv6. Fortunately, these security capabilities were designed to be usable both with the current IP (IPv4) and IPv6, meaning that vendors can begin offering these features now, and many vendors do now have some IP Security Protocol (IPSec) capability in their products.

Applications of IPSec

The Internet community has developed application-specific security mechanisms in numerous application areas, including electronic mail (Privacy Enhanced Mail, Pretty Good Privacy [PGP]), network management (Simple Network Management Protocol Version 3 [SNMPv3]), Web access (Secure HTTP, Secure Sockets Layer [SSL]), and others. However, users have some security concerns that cut across protocol layers. For example, an enterprise can run a secure, private TCP/IP network by disallowing links to untrusted sites, encrypting packets that leave the premises, and authenticating packets that enter the premises. By implementing security at the IP level, an organization can ensure secure networking not only for applications that have security mech-anisms but also for the many security-ignorant applications.

IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include:

    * Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead.
    * Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet Service Provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters.
    * Establishment of extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism.
    * Enhancement of electronic commerce security: Most efforts to date to secure electronic commerce on the Internet have relied upon securing Web traffic with SSL since that is commonly found in Web browsers and is easy to set up and run. There are new proposals that may utilize IPSec for electronic commerce.

The principal feature of IPSec that enables it to support these varied applications is that it can encrypt or authenticate all traffic at the IP level. Thus, all distributed applications, including remote logon, client/server, e-mail, file transfer, Web access, and so on, can be secured. Figure 1 shows a typical scenario of IPSec usage. An organization maintains LANs at dispersed locations. Traffic on each LAN does not need any special protection, but the devices on the LAN can be protected from the untrusted network with firewalls. Since we live in a distributed and mobile world, the people who need to access the services on each of the LANs may be at sites across the Internet. These people can use IPSec protocols to protect their access. These protocols can operate in networking devices, such as a router or firewall that connects each LAN to the outside world, or they may operate directly on the workstation or server. In the diagram, the user workstation can establish an IPSec tunnel with the network devices to protect all the subsequent sessions. After this tunnel is established, the workstation can have many different sessions with the devices behind these IPSec gateways. The packets going across the Internet will be protected by IPSec but will be delivered onto each LAN as a normal IP packet.
Benefits of IPSec

The benefits of IPSec include:

    * When IPSec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing.
    * IPSec is below the transport layer (TCP, UDP), so is transparent to applications. There is no need to change software on a user or server system when IPSec is implemented in the firewall or router. Even if IPSec is implemented in end systems, upper layer software, including applications, is not affected.
    * IPSec can be transparent to end users. There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization.
    * IPSec can provide security for individual users if needed. This feature is useful for offsite workers and also for setting up a secure virtual subnetwork within an organization for sensitive applications.

Is IPSec the Right Choice?

There are already numerous products that implement IPSec, but it is not necessarily the security solution of choice for a network administrator. Christian Huitema, who at the time of the development of the initial IP-Sec documents was the head of the IAB, reports that the debates over how to provide Internet-based security were among the most heated that he ever observed. One issue concerns whether security is being provided at the right protocol layer. To provide security at the IP level, it is necessary for IPSec to be a part of the network code deployed on all participating platforms, including Windows NT, UNIX, and Macintosh systems. Unless a desired feature is available on all the deployed platforms, a given application may not be able to use that feature.

On the other hand, if the application, such as a Web browser/server combination, incorporates the function, the developer can guarantee that the features are available on all platforms for which the application is available. A related point is that many Internet applications are now being released with embedded security features. For example, Netscape and Internet Explorer support SSL, which protects Web traffic. Also, many vendors are planning to support Secure Electronic Transaction (SET), which protects credit-card transactions over the Internet. How-ever, for a virtual private network, a network-level facility is needed, and this is what IPSec provides.

The Scope of IPSec

IPSec provides three main facilities: an authentication-only function, referred to as Authentication Header (AH), a combined authentication/ encryption function called Encapsulating Security Payload (ESP), and a key exchange function. For virtual private networks, both authentication and encryption are generally desired, because it is important both to (1) assure that unauthorized users do not penetrate the virtual private network and (2) assure that eavesdroppers on the Internet cannot read messages sent over the virtual private network. Because both features are generally desirable, most implementations are likely to use ESP rather than AH. The key exchange function allows for manual exchange of keys as well as an automated scheme.

The IPSec specification is quite complex and covers numerous documents. The most important of these, issued in November 1998, are RFCs 2401, 2402, 2406, and 2408.

Security Associations

A key concept that appears in both the authentication and confidentiality mechanisms for IP is the Security Association (SA). An association is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it. If a peer relationship is needed, for two-way secure exchange, then two security associations are required. Security services are afforded to an SA for the use of AH or ESP, but not both. A security association is uniquely identified by three parameters:

    * Security Parameters Index (SPI): The SPI assigns a bit string to this SA that has local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.
    * IP destination address : Currently, only unicast addresses are allowed; this is the address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router.
    * Security protocol identifier : This indicates whether the association is an AH or ESP security association.

This article is about technical vulnerabilities.Aa request of my blog reader(sumit sinha).

A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others, undisclosed to the software developer, or for which no security fix is available. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.

The term derives from the age of the exploit. When a developer becomes aware of a security hole, there is a race to close it before attackers discover it or the vulnerability becomes public. A "zero day" attack occurs on or before the first or "zeroth" day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software

Protection

Zero-day protection is the ability to provide protection against zero-day exploits. Zero-day attacks can also remain undetected after they are launched.
Many techniques exist to limit the effectiveness of zero-day memory corruption vulnerabilities, such as buffer overflows. These protection mechanisms exist in contemporary operating systems such as Apple's Mac OS X, Microsoft Windows Vista [1], Sun Microsystems Solaris, Linux, Unix, and Unix-like environments; Microsoft Windows XP Service Pack 2 includes limited protection against generic memory corruption vulnerabilities. Desktop and server protection software also exists to mitigate zero day buffer overflow vulnerabilities.
"Multiple layers" provides service-agnostic protection and is the first line of defense should an exploit in any one layer be discovered. An example of this for a particular service is implementing access control lists in the service itself, restricting network access to it via local server firewalling (i.e. iptables), and then protecting the entire network with a hardware firewall. All 3 layers provide redundant protection in case a compromise in any one of them is discovered.
The use of port knocking or Single Packet Authorization daemons may provide effective protection against zero-day exploits in network services. However these techniques are not suitable for environments with a large number of users.
Whitelisting technology effectively protects against zero day threats. Whitelisting will only allow known good applications to access a system and so any new or unknown exploits are not allowed access. Although whitelisting is effective against zero-day attack, unless it is combined with other methods of protection such as HIPS or a blacklist of virus definitions it can sometimes be quite restrictive to the user.
Engineers and vendors such as Gama-Sec in Israel and DataClone Labs in Reno, Nevada are attempting to provide support with the Zeroday Project, which purports to provide information on upcoming attacks and provide support to vulnerable systems.
Another method to avoid zero day attacks is to wait for a reasonable period of time before upgrading to a new major version. Exploits which are discovered in new software are often addressed in a timely manner by the software developer and fixed by later minor updates. Minor updates to older software that contain security fixes should obviously always be installed to maximize security. While this method avoids "zero day" vulnerabilities that are discovered by the zeroth day of the software release cycle, security holes can be discovered at any time. If they are announced to the public before the software vendor, exploits can made on the "zeroth day" of the vulnerability window...THANK YOU SUMIT SINHA

FIND IP ADDRESS OF SENDERS

Find IP Address in GMail

1. Log into your Gmail account and open the mail.

2. To display the headers,
Click on More options corresponding to that thread. You should get a bunch of links.
Click on Show original

3. You should get headers like this:
Gmail headers : Varun
Look for Received: from followed by a few hostnames and an IP address between squarebrackets. That is be the IP address of the sender!

4. Track the IP address of the sender

When you receive an email, you receive more than just the message. The email comes withheaders that carry important information that can tell where the email was sent from andpossibly who sent it. For that, you would need to find the IP address of the sender. Thetutorial below can help you find the IP address of the sender. Note that this will not workif the sender uses anonymous proxy servers.

Finding IP address in Yahoo! Mail :-

                 1. Log into your Yahoo! mail with your username and password.

                 2. Click on Inbox or whichever folder you have stored your mail.

                 3. Open the mail.
                 4. If you do not see the headers above the mail message, your headers are not displayed. Todisplay the headers,Click on  Options on the top-right corner In the Mail Options page, click on General Preferences  Scroll down to Messages where  you have the Headers option Make sure that Show all headers on incoming messages is selected  Click on the Save  button Go back to the mails and open that mail.

5. You should see similar headers like this:Yahoo! headers : nameLook for Received: from followed by the IP address between square brackets [ ]. Here, it is 202.65.138.109.That isbe the IP address of the sender!


6. Track the IP address of the sender

Some rule/tricks for Security at Cyber Cafes

AS we know every good thing comes with some bad thing,same case with internet it helped to make life easy but as well as it helped some criminal to do crime by using internet
Computer and communications costs and casual use of Internet makes the growth of Cyber cafes in India and become are very popular.Due to increased Cyber attacks, the Cyber Cafe Users should follow some rules to become safe Internet user:-
---------------------------><------------------------------------------<>-----------------------------------
Rule1: Never pass or tell the Cyber Cafe Owner or anyone else in Cyber Cafe about your email and password to check your mail. This may sound little bit odd but the surveys saying that small kids or many old aged persons have no idea about the risks of information theft. Username and passwords always be entered by their owners and at most you may request for guidelines to reach login page.

Rule 2: Most of the job seekers practices by bringing USB drive for uploading resumes and the same USB drives may transfer the viruses of Cyber cafe machines to home computer or any third party computer. Always you have to scan with latest updated Antivirus Software.  Some Cyber cafes may not allow any external devices like USB drives, CDROMs so that the users may download their resume in to Cyber Cafe Computer for editing. But they may forget to delete the same which might be exposed the personal privacy to other users. So please delete personal documents after r work at Internet Centre.   

Rule 3: When surfing the Internet, Users always should take about the browser security to avoid risks of exposing personal information such as disabling the option “Remember my ID on this computer”. User ID or Username also should be secured along with password to avoid trail passwords by next user.

Rule 4: Always use virtual key boards for financial transactions to avoid key loggers. A keylogger is basically spyware and logs or records your keystrokes so that your username and password are made available to Cyber cafe owner or any Attacker. These records may types into directly into Hacker’s machine or collected afterwards through a file transfer. Some of Cyber Cafes may use Hardware key loggers so that you check that there is an intermediate device between your keyboard and CPU.

Rule 5: Avoid face-to-face meetings with online friends, because people in real life can be very different from how they are online. But in case if you feel it is required, you should bring it to the notice of your parents. Let your parents join you or let meeting be arranged in public place.

Rule 6: Restrict chatting for limited requirements and necessary things with known persons. Never entertain uncomfortable messages and inform the concern authorities like family members or Cyber crime investigation members. Also never download any files through Instant Message software from known or unknown persons.

Rule 7: Publish limited information in Social Networking sites to avoid risks towards your family and take care about usernames and passwords of social networking sites. If you think that your social networking account details have been compromised or stolen, report your suspicions to the site's support team immediately. Change your password frequently, and avoid clicking links that purport to send you back to the social network site. Instead, type the site's address directly into your browser (or follow a bookmark you've previously saved) to get back to your account. Do not post anything which harm to your family credibility.
Most of the Social Networking web sites enabling users to set privacy controls for who has the ability to view the information. So try to use such facilities and also never post photographs and any other sensitive information to unknown persons in Social network site.

Rule 8: Cyber Cafe computers are public computers and shared computers. Your data or communication may be exposed to all users at the same time. So be aware that sensitive information like personal details like credit card information, passwords etc. should be posted through secured web sites

Rule 9: Whenever you go to Cyber Cafe, you ensure that it has most up to date Anti Virus and Anti spam software. These may help to stop some of the key loggers, Trojans and other malware.

Rule 10: Finally, Always make sure to logout properly when you leave Cyber cafe