IP

Monday, November 15, 2010

I.P. Address Spoofing

IP Address Spoofing is a process that involves creating IP packets with a falsified source address for the purpose of hiding the true identity of the sender of an email or file. While IP address spoofing does have some legitimate purposes, it is more commonly employed as a means of harvesting personal information, which makes it possible to use accounts and financial information without the owner's permission. In general, spoofing is regarded as unethical.

IP address spoofing

"IP address spoofing" is a technique that consists of replacing the source IP address of an IP packet with another machine's IP address.
This technique lets an attacker send packets anonymously. It is not a matter of changing the machine's own IP address, but of impersonating another IP address when packets are sent.
Some people tend to confuse the use of a proxy (which makes it possible to hide the IP address) with IP spoofing. Yet proxies merely relay packets, so even if the address appears to be hidden, an attacker can easily be traced thanks to the proxy's log file.

Spoofing attack

The IP address spoofing technique can enable an attacker to send packets onto a network without their being intercepted by the packet-filtering system (firewall).
Firewall systems are usually based on filtering rules indicating which IP addresses are authorized to communicate with the network's internal machines.
Using spoofing to break through a firewall
A packet spoofed with an internal machine's IP address will appear to come from the internal network and will be forwarded to the target machine, whereas a packet carrying an external IP address will be automatically rejected by the firewall.
However, the TCP protocol (the protocol that primarily guarantees reliable transfer of data over the Internet) relies on authentication and trust relationships between a network's machines: to accept a packet, the recipient must acknowledge receipt to the sender, and the sender must in turn acknowledge receipt of that acknowledgement.

TCP header modification

On the internet, information circulates thanks to the IP protocol, which ensures data encapsulation in structures called packets (or more precisely IP datagrams). Here is the structure of a datagram:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| Header|Type of service|          Total length         |
|       | length|               |                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Identification         |Flags|     Fragment offset     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to live  |   Protocol    |        Header checksum        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source IP address                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination IP address                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             Data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Spoofing an IP address comes down to modifying the source field to simulate a datagram coming from another IP address. Yet on the internet, packets are generally sent via the TCP protocol, which guarantees so-called "reliable" transmission.
Before accepting a packet, a machine must first acknowledge receipt of the packet from the sending machine, and wait for the latter to confirm receipt of the acknowledgement.
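As an added example (not part of the original article), the Python below parses the datagram header laid out above, verifies the header checksum, and applies the ingress-filtering rule a firewall can use against the spoofing described under "Spoofing attack": a datagram that arrives on the external interface with an internal source address is dropped. The internal range 192.168.1.0/24 and the sample addresses are constructed for this example.

```python
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed internal range
IPV4_FMT = "!BBHHHBBH4s4s"                               # the 20-byte fixed header

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; a valid header sums to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int = 0) -> bytes:
    """Constructed sample datagram header: no options, TTL 64, protocol 6 (TCP)."""
    fields = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, 0x1234, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fields of the datagram structure shown above and verify its checksum."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "ttl": ttl, "protocol": proto, "total_length": total_len,
        "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
    }

def ingress_filter(raw: bytes, arrived_on_external: bool) -> str:
    """Anti-spoofing rule: a datagram arriving from outside must not carry an inside source."""
    hdr = parse_ipv4_header(raw)
    if not hdr["checksum_ok"]:
        return "DROP: bad header checksum"
    if arrived_on_external and ipaddress.ip_address(hdr["src"]) in INTERNAL_NET:
        return "DROP: spoofed internal source %s on external interface" % hdr["src"]
    return "ACCEPT"

if __name__ == "__main__":
    forged = build_ipv4_header("192.168.1.10", "192.168.1.1")   # claims an inside source
    print(ingress_filter(forged, arrived_on_external=True))
```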

Trust relationships

The TCP protocol is one of the main protocols of the TCP/IP model's transport layer. It makes it possible, at the application level, to manage data coming from (or going to) the lower layer of the model (that is, the IP protocol).
The TCP protocol makes it possible to reliably transfer data, although it uses the IP protocol (which does not check datagram delivery) thanks to an acknowledgement (ACK) system enabling both the client and the server to make sure data have been received on both sides.
IP datagrams encapsulate TCP packets (called segments), which are structured as follows:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source port          |       Destination port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgement number                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| offset|  Reserved |R|C|S|S|Y|I|             Window            |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |        Urgent pointer         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             Data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
When sending a segment, a sequence number is associated with it, and an exchange of segments containing special fields (called flags) makes it possible to synchronize the client and the server.
This dialogue (called a three-way handshake) makes it possible to initiate the communication; it is broken down into three phases, as its name suggests:
  • Firstly, the sending machine (the client) sends a segment whose SYN flag is at 1 (to show it is a synchronization segment), with a sequence number N, which is called the client's initial sequence number.
  • Secondly, the receiving machine (server) receives the client's initial segment, then sends it an acknowledgement, that is, a segment whose ACK flag is non null (acknowledgment) and whose SYN is at 1 (since it is still a synchronization). This segment contains a sequence number that is equal to the client's initial sequence number. The most important field in this segment is the acknowledgement field (ACK), which contains the client's initial sequence number, incremented by 1.
  • Then the client sends the server an acknowledgement, that is, a segment whose ACK flag is non null and whose SYN flag is at zero (it is no longer a synchronization segment). Its sequence number is incremented and the acknowledgement number represents the server's initial sequence number incremented by 1.
The spoofed machine will respond with a TCP packet whose RST (reset) flag is non null, which will end the connection.

Destroying the spoofed machine

When carrying out an IP address spoofing attack, the attacker receives no information in return, since the target machine's responses go to another machine on the network (this is called a blind attack).
The spoofed machine responds to the ACK with an RST
In addition, the "spoofed" machine thwarts any connection attempt by the attacker, since it systematically sends an RST to the target machine. The attacker's work therefore involves disabling the spoofed machine by making it unreachable for the duration of the attack.
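The handshake described under "Trust relationships" and the RST behaviour described just above are modelled in the added Python below (example code written for this page, not from the original article); the endpoints, segment dictionaries and sequence numbers are all constructed here.

```python
import random

class TcpEndpoint:
    """Constructed model of one TCP endpoint, tracking only the handshake state."""
    def __init__(self, name, isn=None):
        self.name, self.state, self.peer_isn = name, "CLOSED", None
        self.isn = random.getrandbits(32) if isn is None else isn   # initial sequence number

    def send_syn(self):
        self.state = "SYN_SENT"
        return {"flags": {"SYN"}, "seq": self.isn}

    def receive(self, seg):
        """Apply one incoming segment and return the reply segment, or None."""
        flags = seg["flags"]
        if "RST" in flags:                                    # peer refused: tear down
            self.state = "CLOSED"
            return None
        if flags == {"SYN"}:                                  # step 1, seen by the server
            self.state, self.peer_isn = "SYN_RECEIVED", seg["seq"]
            return {"flags": {"SYN", "ACK"}, "seq": self.isn, "ack": seg["seq"] + 1}
        if flags == {"SYN", "ACK"}:                           # step 2, seen by the client
            if self.state != "SYN_SENT" or seg["ack"] != self.isn + 1:
                # No SYN was sent from here (or the ACK is wrong): reply with RST. This
                # is what the spoofed machine does when the target's SYN-ACK reaches it.
                return {"flags": {"RST"}, "seq": seg["ack"]}
            self.state, self.peer_isn = "ESTABLISHED", seg["seq"]
            return {"flags": {"ACK"}, "seq": self.isn + 1, "ack": seg["seq"] + 1}
        if flags == {"ACK"} and self.state == "SYN_RECEIVED":  # step 3, seen by the server
            if seg["ack"] == self.isn + 1 and seg["seq"] == self.peer_isn + 1:
                self.state = "ESTABLISHED"
                return None
            return {"flags": {"RST"}, "seq": seg["ack"]}      # the numbers were wrong
        return None

def handshake(client, server):
    """Normal three-way handshake; returns both endpoints' final states."""
    syn_ack = server.receive(client.send_syn())
    server.receive(client.receive(syn_ack))
    return client.state, server.state

def spoofed_syn_outcome(forged_syn, server, spoofed_host):
    """Blind attempt: the SYN carries the spoofed host's address, so the server's
    SYN-ACK goes there; having sent no SYN, that host answers RST and the server
    drops the half-open connection (the behaviour the text describes)."""
    syn_ack = server.receive(forged_syn)
    reply = spoofed_host.receive(syn_ack)
    server.receive(reply)
    return reply["flags"], server.state
```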

Predicting sequence numbers

When the spoofed machine has been disabled, the target machine waits for a packet containing the acknowledgement and the right sequence number. The attacker's work involves "guessing" the sequence number to send back to the server in order to establish the trust relationship.
To do so, attackers generally use source routing, that is, they use the option field in the IP header to specify a particular return route for the packet. By sniffing on that route, the attacker is able to read the content of the return packets...
Search for sequence numbers
Knowing the last sequence number sent, the attacker gathers statistics on how it is incremented and sends acknowledgements until the right sequence number is obtained.

Steps:
All computers connected to the Internet are identified to the websites they access by a unique number known as an IP address. This allows a website to identify the computer connecting to it, but access can also be denied by blocking that particular IP address, or the block of IP addresses into which it falls. The IP address of a computer on a dial-up connection changes at every log-on, so an attempt to block an IP address on dial-up is frequently circumvented by logging off the dial-up ISP and logging back on again. The situation for broadband users is slightly different, but usually requires a similar approach. The DHCP server of a broadband ISP will usually issue a new IP address every 24 hours, so an IP block placed on the Internet connection may remain in force for up to 24 hours. It is sometimes possible to force the ISP to issue a new IP address by rebooting the broadband or cable modem, but this is not always the case, and it varies from ISP to ISP.

IP spoofing allows people to log onto a website with a different IP address if they find an IP block has been placed on their connection, by using a proxy server. There are three types of proxy servers: Transparent, Anonymous and High Anonymity (High Anonymity proxies are also known as Elite proxies). Transparent proxies provide little anonymity, as they forward two IP addresses to the website being accessed. These are X_FORWARDED_FOR and REMOTE_ADDR.

X_FORWARDED_FOR carries the true IP address of the computer being used to access a website, and REMOTE_ADDR is the IP address of the proxy server being used. As the true IP address is therefore included in the HTTP request headers, transparent proxies should not be used if detection is to be avoided. Anonymous and High Anonymity proxies do not relay the X_FORWARDED_FOR data (the true IP address), and it is these which are used in order to avoid detection. Data sent from the local computer to a website contains the original IP address in the data packets, but IP blocks are rendered useless by using an anonymous or high-anonymity proxy server, which effectively strips out the header information containing the original IP address and replaces it with a new IP address issued by the proxy server. There are numerous proxy servers in dozens of countries, and these can be used to conceal the original IP address by manual configuration, or by using software which does this automatically. There are numerous free proxy servers available, and a quick GOOGLE search will produce a list of useful proxies. Once the IP address of a suitable proxy server and its operating port have been obtained, it is a simple matter to configure a browser to connect to a website via the proxy. Most proxies use port 80, but some operate on port 8080, and others on port 3128, so the correct port must be used.


For Internet Explorer, the following steps are taken.

1. Internet Explorer is opened up and TOOLS is clicked. INTERNET OPTIONS is then clicked.
2. The CONNECTIONS tab is then clicked, followed by LAN SETTINGS.
3. The box marked USE A PROXY SERVER FOR YOUR LAN is then ticked and the address and port number of the proxy server are inserted in the relevant boxes.
4. OK is clicked on the LAN tab, followed by APPLY and OK on the INTERNET OPTIONS tab.


For the Firefox browser, the following steps apply.

1. TOOLS is clicked, then OPTIONS, then CONNECTION SETTINGS.
2. The MANUAL PROXY CONFIGURATION box is then ticked, and the address of the proxy server and its port are inserted in the HTTP PROXY boxes.
3. OK is clicked to close this tab, followed by OK to close the previous tab.

It is possible to check whether a proxy is Transparent, Anonymous, or High Anonymity at http://tools.rosinstrument.com/cgi-bin/isanon.pl by checking whether X_FORWARDED_FOR is displayed. If it is, the proxy should not be used unless the person accessing a website is prepared for their true IP address to be forwarded to that website.
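Seen from the website's side, the same headers can be used to classify what a proxy reveals and to decide whether X-Forwarded-For may be believed at all. The Python below is an added example, not from the original page; the trusted proxy range, the sample addresses, and the use of the Via header to separate anonymous from high-anonymity proxies are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Proxies the site operator runs or trusts (constructed range for this example).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def classify_proxy(headers):
    """Label a proxy by what its forwarded request reveals, using the header names the
    text describes. Transparent: the true address appears in X-Forwarded-For.
    Anonymous: that address is hidden but the proxy still advertises itself (Via or
    Proxy-Connection; an assumption of this example). High anonymity: neither."""
    h = _lower(headers)
    if "x-forwarded-for" in h:
        return "transparent"
    if "via" in h or "proxy-connection" in h:
        return "anonymous"
    return "high-anonymity"

def client_ip(remote_addr, headers):
    """Server side: believe X-Forwarded-For only when REMOTE_ADDR is a proxy we trust.
    From anyone else the header is just client-supplied text, and REMOTE_ADDR (the
    address the TCP connection actually came from) is the only reliable value."""
    h = _lower(headers)
    xff = h.get("x-forwarded-for")
    if xff and any(ip_address(remote_addr) in net for net in TRUSTED_PROXIES):
        # Each proxy appends the address it saw; the last entry is the one our
        # trusted proxy vouches for.
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ip_address(candidate))
        except ValueError:
            pass   # malformed header: fall back to the socket address
    return remote_addr

if __name__ == "__main__":
    # Constructed request as seen behind a transparent proxy at 10.1.2.3.
    req = {"X-Forwarded-For": "203.0.113.9", "Via": "1.1 proxy"}
    print(classify_proxy(req), client_ip("10.1.2.3", req))
```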

Proxies can be changed at any time, and the experienced user who has an up to date list of fast proxy servers can alter their IP address quickly enough to even avoid disconnection while logged on to many websites.

Special software which will perform the above steps automatically can also be used, including OMNIQUAD TOTAL SECURITY, which can be downloaded from http://www.omniquad.com (only the ANONYMOUS SURFING module is required). The software is cheap, and allows users to try it out first. Installation is simple, and the software can be configured to automatically change the true IP address at regular intervals. The system automatically updates itself to maintain an up-to-date list of fast proxy servers. It should be noted that some proxy servers (mostly Middle Eastern and American) do not permit connection to Gay sites; if a connection has been blocked, users need only change to another proxy. There are numerous anonymous proxies available throughout the world, and only a small percentage will refuse the connection. Remember, however, that using automatic software configuration usually gives little or no control over whether the connection will be through a Transparent, Anonymous or High Anonymity proxy. Users may therefore wish to spend some time learning where to find anonymous proxies, and configure them manually instead.

After performing the above steps, it is possible to disguise the original IP address, and avoid the possibility of an IP block being placed on an Internet connection.

Disclaimer.

The above information is a collation of technical data freely available on the Internet, and I am not responsible for any potential misuse.