What is spoofing?
Spoofing is the act of fooling a target by presenting false data that appears credible, especially about its source. Before a spoof can succeed, the spoofer first determines the IP address of a trusted host. Once this is known, the attacker changes the packet headers to make the transmission appear to come from the trusted source, effectively spoofing the target. What sorts of attacks, though, can be launched with IP spoofing?
Types of IP Spoofing
Blind spoofing: although predicting the correct sequence numbers of transmitted packets is difficult, a cracker can still inject data into a packet stream without ever authenticating. To carry it out, the cracker first sends requests to the network and then analyzes the transmission sequence in the replies before attempting the spoof.
Non-blind spoofing, by contrast, involves a cracker who resides inside the network and is therefore able to observe the sequence cycle of packet transmission. With this knowledge an attacker can hijack sessions and bypass the authentication mechanisms in place; further, the attacker can sniff and inject packets at will.
The denial-of-service attack involves sending multiple hosts a constant stream of packets in what is referred to as a large-scale attack. Every stream ends up carrying spoofed source addresses, which makes it very difficult to track down the source of the packet storm.
The man-in-the-middle variant usually involves an eavesdropping mechanism: a malicious machine intercepts packets, alters them and forwards them to the intended destination. This is where the spoofing element enters the equation, since both the originating and the receiving machines are unaware that the communication has been compromised.
How to Prevent IP Spoofing
IP spoofing is especially critical because it can allow unauthorized users to gain root access to the targeted system, effectively bypassing one-time passwords and letting the intruder use login connections from any user residing on the system.
Use Access Control Lists (ACL)
Since private networks use the address ranges defined in RFC 1918, identifying the IP addresses of an internal network is not a complex undertaking. After listing the IP addresses of all authenticated hosts on the internal network, any other IP address coming into the network should be denied access. Any host that reaches the internal network from outside should have an outside IP address, since there is no valid reason for it to carry an address within the internal range.
Network traffic can also be controlled with IPSec filtering rules that specify which protocols, ports and IP addresses are allowed or denied. The Microsoft Management Console (MMC) is used to implement the policy and assign it to individual host computers. IPSec policy is flexible enough to allow different filter rules, such as controlling which sites and applications can access hosts. For data privacy, integrity and authenticity, the IPSec protocol is preferred.
Routers can also be configured to reject any packets that purport to originate from within the network but arrive from the outside. Alternatively, encrypted sessions can be enabled on the router so that only trusted hosts outside the network can communicate securely with local hosts.
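The border-router rule described above, as an added example written for this article rather than taken from any router vendor: a small Python filter that applies the ingress check (drop packets arriving on the outside interface whose source claims an internal or RFC 1918 address) and the matching egress check (drop packets leaving the LAN whose source is not one of our own prefixes). The internal prefix 10.20.0.0/16 and the sample packet headers are constructed for illustration.

```python
import ipaddress

# Constructed example: the internal prefix this border router protects (assumption).
INTERNAL_PREFIXES = [ipaddress.ip_network("10.20.0.0/16")]

# RFC 1918 private ranges plus loopback: a packet entering from the Internet
# must never carry one of these as its source address.
PRIVATE_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def filter_packet(src: str, iface: str) -> str:
    """Classify one packet header as 'permit' or 'deny:<reason>'.

    iface is 'outside' for packets entering from the Internet and 'inside'
    for packets leaving the LAN. Ingress: an outside packet with an internal
    or private source is spoofed. Egress: an inside packet whose source is
    not ours would make this network the spoofer, so it is dropped too.
    """
    source = ipaddress.ip_address(src)
    if iface == "outside":
        if _in_any(source, INTERNAL_PREFIXES):
            return "deny:spoofed-internal-source"
        if _in_any(source, PRIVATE_PREFIXES):
            return "deny:private-source-from-outside"
        return "permit"
    if iface == "inside":
        if not _in_any(source, INTERNAL_PREFIXES):
            return "deny:egress-source-not-ours"
        return "permit"
    return "deny:unknown-interface"


# Constructed sample headers: (source address, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("203.0.113.9", "outside"),   # ordinary Internet host
    ("10.20.5.7", "outside"),     # claims to be one of ours, but came from outside
    ("192.168.1.5", "outside"),   # RFC 1918 source from the Internet
    ("10.20.3.3", "inside"),      # legitimate outbound packet
    ("198.51.100.4", "inside"),   # LAN host forging a foreign source
]


def audit(packets=SAMPLE_PACKETS):
    """Return (src, iface, verdict) for every packet; denies are the spoof attempts."""
    return [(src, iface, filter_packet(src, iface)) for src, iface in packets]
```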
In most cases, IP spoofing can be detected and stopped by implementing the already existing security measures that come with router hardware and current operating systems.