Packet spoofing or IP spoofing is the act of faking the source of a packet. A security attack like this impedes the network security. Packet spoofing breaks the three qualities that a secure system has; confidentiality, integrity and availability. Confidentiality is keeping information access to authorised parties. Integrity ensures that a system can only be modified by authorised parties and in authorised ways. Availability is ensuring that access to a network is not prevented, authorised parties should are able to access the system at appropriate times. All attacks mentioned breach at least one of these qualities of a secure system. (Pfleeger, 2003) When a file such as a photo is sent over a network, both a home or internet network, the photo is split into small pieces and information of how to handle the files are encapsulated called protocols. The header of the packet amongst other things contains the order value or algorithm in which the packets where sent. Packets will probably arrive out of order and must the packets must be placed back together using the order sent value.
Packet spoofing is possible because of the vulnerabilities in the network protocols. A few examples of network spoofing are masquerade, a smurf and SYN flood which are denial of service attacks, and attacking confidentiality, session hijacking.
Internet Protocol (IP)
Internet protocol is a network protocol from the OSI model, on layer 3. IP has no information, contained in the header of the network packet, regarding its transactions state and whether the packet has properly reached its destination. This vulnerability enables the source and destination IP address to be altered. By forging the source and destination IP address so it contains a different address an attacker can make it appear that a packet was sent by a different machine.
Transmission Control Protocol (TCP)
TCP uses a connected design to send data; and participants build a 3-way handshake.
The TCP header is different to the IP header but can still be manipulated using software. The TCP packet header contains amongst other things the sequence and acknowledgement numbers. The data contained in these ensures packet delivery by determining whether or not a failed packet needs to be resent. This is done by the sequence number which is the number of the first byte in the current packet whereas the acknowledgement number contains the value of the next expected sequence number. This confirms for both the client and server that the proper packets were received.
Connection is established by a client who must find an open port on the server. This is done by sending a SYN (synchronise) this is a synchronisation of sequence numbers on two connecting computers. In response the server replies with a SYN-ACK and the client then sends back an ACK back to the server. This ensures there is acknowledgement of the connection.
Integrity attacks; Masquerade
Masquerade
In a masquerade a host pretends to be another. A common masquerade attacks are having alterations of domain names and websites. For example bank.org and bank.com could be two different and separate websites. Bank.org could be a legitimate bank, but bank.com could be a carbon copy of the original bank.org website and could be used to collect sensitive data and information. By using different links and passing the connection to the original site whilst collecting the victims’ data. Through this technique an attacker could have multiple avenues such as access to computer systems by obtain login names and passwords, alter change, steal money and therefore breach the integrity of the network. (Pfleeger, 2003)
Availability Denial of service attacks; Smurf attack and SYN flood
TCP ensures delivery of packets through a 3 way handshake, availability of a network can not be ensured and there are different types of Denial of service attacks. All of these attacks send a large amount of messages to the system which causes it to not function. And in both Smurf and a SYN flood the original source of the flood can not be traced as the attacker will spoof the messages making them appear from another machine.
Smurf
The smurf attack uses spoofed broadcast ping message to flood at target system. A large amount of Internet control message protocol (ICMP) or traffic ‘ping’ to IP broadcast addresses are sent. Some devices actually multiply the traffic and will send an ICMP echo request replying to the original ping message. “Smurfable” networks have greatly reduced nowadays due to network management although users using old technologies are still capable of being “smurfed’. (Smurf Attack, Wikipedia 2006)
SYN flood
Similar to a smurf attack a SYN flood is when an attacker sends a large amount of SYN requests to a target system. As discussed a TCP connection uses a three-way handshake by sending a succession of acknowledgments and acceptance messages. Sending a large amount of SYN messages the server will not receive its needed ACK acknowledgement message needed to continue the connection. The SYN message floods the network and hence makes it unavailable. (SYN Flooding, Wikipedia 2006)
Confidentiality; Session Hijacking
Session Hijacking
Session Hijacking refers to the exploitation of a valid session key to gain unauthorised access to information or service in a network. Although session keys are normally randomised and encrypted to prevent session hijacking a third party ( the attacker) will intercept traffic between two systems. The attacker then has access to the system, monitoring information and collecting data. A similar attack called man-in-middle attack is when the hijacking usually starts at the start of the session between the two systems. The attack uses the public key and decrypts the data and then encrypts it back to it original form to pass on to the receiver. (Pfleeger, 2003)
Reference
Pfleeger. C. P & Pfleeger, S.L. (2003) Security in Computing 3rd Ed, Upper Saddle River, New Jersey, Prentice Hall Professional Technical
Tanase, M. (2003) IP Spoofing: An Introduction retrieved October 15, 2006 from http://www.securityfocus.com/infocus/1674
No author, (2006) SYN flood Retrieved October 15 2006 from http://en.wikipedia.org/wiki/SYN_flood
No author, (2006) Smurf Attack Retrieved October 15 2006 from http://en.wikipedia.org/wiki/Smurf_attack
No author, (2006) Transmission Control Protocol: Connection establishment Retrieved October 15 2006 from http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment