IP Spoofing and TCP Sequence Number Attacks
Would-be intruders often use IP spoofing and TCP sequence number attacks to gain unauthorized access to network/system assets and resources. Here is how to stop them.
While spoofing attacks can have multiple objectives, the vast majority are directed toward the attacker(s) successfully gaining access to network/system assets, resources and services to which they are not legitimately entitled.
Impersonation - More often than not this takes the form of the attacker impersonating a duly authenticated network/system entity that has the privileges and access rights the attacker needs to launch additional processes (including scripts and malware) intended to deliver whatever the attacker is after.
Subversion From Within - One major issue here is that the attacker is not solely an “outsider”. Subversion from within has long been high up on the list of those risk/threat sources most likely to create maximum damage. In most cases involving an “insider”, the “insider” is partnered with an “outsider”. In these cases the “insider’s” role is generally to provide the “outsider” with information which the “outsider” can use to implement the attack(s).
Network/System Entities - One common theme with spoofing attacks is that they are not solely directed against subverting and assuming the identity of legitimate authenticated humans. Both network/system devices and network/system software also face a direct threat from some spoofing attacks. One reason for this is that most computers and computer systems have a considerable number of accounts which are used to run system tasks and perform system/network functions.
Non-Human Accounts – Some of the non-human accounts to be found with Windows include: NETWORK SERVICE, SYSTEM and LOCAL SERVICE. Most of these accounts also have greater privileges and rights associated with them than “normal” user accounts, which is why they are such popular targets for attack.
Internet Protocol (IP) Spoofing Attacks
IP spoofing involves packet modification at the TCP level. This modified packet is then used to attack Internet-connected systems that provide various TCP/IP services. Unlike a Smurf attack, where spoofing is used in conjunction with ICMP flooding to create a Denial of Service (DoS) attack, IP spoofing is used to convince a system that it is communicating with a known authenticated entity, thereby allowing an intruder to gain access to the network and its resources.
IP Spoofing Process - IP spoofing attacks generally proceed as follows:
- First of all the attacker identifies and discovers the IP addresses of various devices on the target network. For “outsider” only attacks this is most often done using “packet sniffing” utilities such as Wireshark and Snort etc. to capture all traffic passed across the network.
- The next step involves the attacker using the packet sniffing utility to learn the IP address(es), host name(s) and MAC address(es) of a trusted host(s). If you don’t fully encrypt all network traffic by default, then you are an easy victim for this type of attack.
- Now the attacker(s) uses this information to modify the source IP address field of the packets that they wish to send, so that it contains the IP address of the known trusted network host.
- The attacker is now ready to send these packets with the spoofed source IP address(es) to the target host. The target may or may not accept the packet and act upon it.
Internet Protocol (IP) Spoofing Attacks Countermeasures
Encryption - Using strong encryption for all traffic placed onto transmission media, regardless of the type of media and its location, is the best way to counteract this type of attack. Faced with a whole bunch of encrypted packets, most attackers will simply move on to easier targets, and there are millions of them.
Vengeance and Espionage - If, however, the attacker’s motivation is vengeance for some perceived wrong or simply industrial espionage, then the attacker is most likely prepared to spend considerable time and resources in their efforts. Your job just got a whole lot harder.
Smurf Attacks – Spoofing and Flooding
Smurf attacks employ a combination of IP address spoofing and ICMP flooding to saturate a target network with traffic to such an extent that all normal traffic is effectively “drowned out”, thereby causing a Denial of Service (DoS) attack. Smurf attacks consist of three separate elements: the source site, the bounce site and the target site. The source site is the site from which the attacker sends the spoofed ICMP Ping packets to the bounce site.
In a Smurf attack standard ICMP Ping packets are modified so that the intended target’s IP address is placed into the source IP address field. The ICMP Ping packet also has its destination IP address spoofed to contain the bounce site’s broadcast IP address.
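The two packet patterns described so far (a trusted internal source address arriving from outside, and an ICMP echo request addressed to a broadcast address) can be checked for at a network boundary. The following is an added example, not code from the original article; the address ranges, interface names and function names are assumptions made for illustration, and the sample packets are constructed.

```python
import ipaddress
import struct

# Constructed topology (documentation address ranges), not from the article.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
BROADCASTS = {INTERNAL_NET.broadcast_address,
              ipaddress.ip_address("255.255.255.255")}
ICMP, ECHO_REQUEST = 1, 8

def build_packet(src, dst, proto, payload=b""):
    """Build a constructed IPv4 packet for the checks (checksum left as 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload), or None if not a sane IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return (ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20]),
            pkt[9], pkt[ihl:])

def classify(iface, pkt):
    """Classify a packet seen on the 'external' or 'internal' interface."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return "malformed"
    src, dst, proto, payload = parsed
    # Smurf bounce pattern: ICMP echo request addressed to a broadcast address.
    if proto == ICMP and payload[:1] == bytes([ECHO_REQUEST]) and dst in BROADCASTS:
        return "smurf-bounce"
    # A trusted internal address cannot legitimately arrive from outside.
    if iface == "external" and src in INTERNAL_NET:
        return "spoofed-internal-source"
    return "ok"

if __name__ == "__main__":
    echo = bytes([ECHO_REQUEST, 0]) + b"\x00" * 6
    samples = [("external", build_packet("198.51.100.7", "192.0.2.255", ICMP, echo)),
               ("external", build_packet("192.0.2.10", "192.0.2.20", 6)),
               ("internal", build_packet("192.0.2.10", "192.0.2.20", 6))]
    for iface, pkt in samples:
        print(iface, classify(iface, pkt))
```

Packets in either flagged class would normally be dropped and logged at the border rather than forwarded.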
TCP Sequence Number Attacks
TCP sequence number attacks exploit the communications session established between the target and the trusted host that initiated the session. The intruder tricks the target into believing it is connected to a trusted host and then hijacks the session by predicting the target’s choice of an initial TCP sequence number. This session is then often used to launch various attacks on other hosts.
TCP Sequence Number Attacks Countermeasures
Encrypting all communications is very effective in countering TCP Sequence Number Attacks. The stronger your encryption keys, the more effective a strategy this becomes. As a result, VPN technologies and protocols configured to encrypt all traffic by default are other mechanisms that dramatically reduce your exposure and susceptibility to TCP Sequence Number attacks.
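The attack depends on the initial sequence number being predictable, so a host-side defence that complements encryption is to make it unpredictable per connection. The following added example (not from the original article) goes beyond the countermeasures listed above: it contrasts a fixed-step counter with the RFC 6528 construction ISN = M + F(4-tuple, secret), using HMAC-SHA256 as F. The class names, step size, addresses and secret are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

STEP = 64000  # constructed fixed increment used by the weak generator

class CounterISN:
    """Weak: one global counter bumped by a fixed step per connection."""
    def __init__(self, start=1000):
        self.value = start

    def next_isn(self, *_four_tuple, clock=0):
        self.value = (self.value + STEP) % 2**32
        return self.value

class KeyedISN:
    """RFC 6528 shape: ISN = M + F(4-tuple, secret); F here is HMAC-SHA256."""
    def __init__(self, secret):
        self.secret = secret  # a real stack draws this at random at boot

    def next_isn(self, lip, lport, rip, rport, clock=0):
        msg = (ipaddress.ip_address(lip).packed + struct.pack("!H", lport) +
               ipaddress.ip_address(rip).packed + struct.pack("!H", rport))
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (clock + int.from_bytes(digest[:4], "big")) % 2**32  # clock is M

def guess_next(observed):
    """An observer's guess: last ISN plus the last delta it saw."""
    return (2 * observed[-1] - observed[-2]) % 2**32

def predictable(gen):
    """Do ISNs issued to one peer reveal the ISN issued to a trusted host?"""
    server = ("192.0.2.1", 22)                      # constructed addresses
    observer, trusted = "198.51.100.7", "192.0.2.10"
    seen = [gen.next_isn(*server, observer, 40000 + i, clock=i) for i in range(2)]
    actual = gen.next_isn(*server, trusted, 1023, clock=2)
    return guess_next(seen) == actual

if __name__ == "__main__":
    print("counter predictable:", predictable(CounterISN()))
    print("keyed predictable:  ", predictable(KeyedISN(b"constructed-demo-secret")))
```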
Good article. It is very informative, and congrats on having it be one of the top articles in the technology category! I added you as a friend.