On Tue, 27 Nov 2001, Dee Harrod wrote:

> How does spoofing work?

First, you need to understand how the two IP transport layer protocols, TCP and UDP, operate. I'll defer to Stevens' excellent book TCP/IP Illustrated, Vol. 1. Everyone involved in TCP/IP networking and programming should own this book. This explanation will be a high level overview. Refer to Stevens for any lower level detail.

UDP is trivial to spoof because it is connectionless. You simply craft a packet with any source address you like and send it out. Depending on what filters your crafted packet encounters along the way, it may or may not get to its destination.

TCP spoofing is a bit more difficult since there has to be a connection established before TCP communication between hosts can begin. A TCP connection is initiated with what's known as a "three-way handshake," where the initiating host sends a TCP packet with the SYN bit set. The remote host responds with a TCP packet with the SYN/ACK bits set and then the initiating host returns a TCP packet with the ACK bit set. After this handshake, the TCP connection is established and data is transferred. During this connection phase, sequence numbers are exchanged with the SYN, SYN/ACK and ACK packets, and continue to be exchanged during the rest of the TCP connection, which act as sort of an authentication mechanism. See Stevens for an explanation of the specifics of sequence numbers and how they are exchanged.

For this example there are three hosts:

1) Attack host - The wily hacker.
2) Spoofed host - The host packets will appear to be spoofed from.
3) Victim host - The victim host receiving the spoofed packets.
4) Bogus host - A host with a valid IP address but doesn't exist.

First, we need to determine how the TCP sequence numbers are generated on the victim host. This is done by sending thousands of connection attempts, and examining the Initial Sequence Numbers (ISNs) looking for a pattern. If we find one then we can effectively spoof the connection, guessing what the victim host would return as far as data and sequence numbers. If we do not get this information, then it would be hard, if not impossible, to spoof a TCP connection to the victim.

As a side note, TCP spoofing now is not as easy as it once was. Most hosts use pseudo random numbers for their TCP ISNs, making it hard to spoof. I believe it was Tim Newsham who discovered a flaw in most current stacks' pseudo random ISN generation recently, but I never got a chance to discover exactly what he found.

The next part of TCP spoofing is forging the SYN portion of the handshake quickly and in enough volume to disable a host. This is known as SYN Flooding. Attack host basically crafts and sends as many SYN packets as possible from bogus host to the Spoofed host in hopes of clogging its connection queues up. This keeps the Spoofed host from terminating your spoofed connection, because if the spoofed host saw the return traffic from victim host, it would simply send a TCP RST because there was no connection established between it and the victim. We must keep that from happening in order to be successful. SYN flood applications have been popular since 1996 and are easily found.

Once the spoofed host is effectively clogged, we then use what we know about the victim's ISN generation to attempt to talk to it from the spoofed host. Using custom software, we initiate the TCP three-way handshake and guess what the data returned would be. If we are successful, then we will effectively spoof the Spoofed Host, allowing us to do what we want with the victim host. A cracker would most likely try and abuse some trust relationship between Spoofed Host and Victim Host to get him interactive access to the victim machine, since this spoofed connection only allows for one way communication.

> If I change the source address of my outbound packet,
> how do I get the response? How does it get back to me?

For the most part, you wouldn't see any return traffic. Spoofing is a blind attack, meaning that you only know what you're sending out and are guessing what you'd be getting back in order to establish the connection. It's possible that you could place a packet capturing host somewhere along the return path to the Spoofed Host and relay it back to the attack host. That would give you two-way spoofed communication, and even do away with the need to guess the ISNs, provided you could still keep the Spoofed Host from responding. But if you have a box along the path to the Spoofed Host it would be possible to keep any return traffic from the Spoofed host.

Hopefully this was lucid. I haven't had caffeine yet, and I'll be quite content to blame any errors of spelling or logic on that.

-- 
Joseph W. Shaw II
Network Security Specialist/CCNA
Unemployed. Will hack for food in the Houston area.
God Bless. Apparently I'm overqualified yet undereducated to be employed.
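As an added example (not part of Joseph Shaw's reply or of any tool he mentions), here is a small Python detector that replays a constructed, abridged tcpdump-style capture through a minimal three-way-handshake tracker and flags the symptoms a defender would see on the wire in the scenario above: a pile-up of half-open handshakes against a host (the SYN flood against the Spoofed host), SYN/ACKs arriving for connections the purported initiator never opened (backscatter of the spoofed SYN), and SYN/ACKs the purported initiator answers with a RST (the Spoofed host refusing a connection it never made). The line format, the documentation-range addresses (192.0.2.20 as the Spoofed host, 192.0.2.30 as the Victim host, 203.0.113.x as Bogus hosts), the ports and the threshold are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed, abridged tcpdump-style lines (not a real capture). Sequence and
# window fields are omitted; only the flag letters matter to the tracker:
# [S] = SYN, [S.] = SYN/ACK, [.] = ACK, [R] / [R.] = RST.
CAPTURE = """\
10:00:00.000000 IP 203.0.113.5.1025 > 192.0.2.20.513: Flags [S], length 0
10:00:00.000100 IP 192.0.2.20.513 > 203.0.113.5.1025: Flags [S.], length 0
10:00:00.001000 IP 203.0.113.6.1025 > 192.0.2.20.513: Flags [S], length 0
10:00:00.001100 IP 192.0.2.20.513 > 203.0.113.6.1025: Flags [S.], length 0
10:00:00.002000 IP 203.0.113.7.1025 > 192.0.2.20.513: Flags [S], length 0
10:00:00.002100 IP 192.0.2.20.513 > 203.0.113.7.1025: Flags [S.], length 0
10:00:00.003000 IP 203.0.113.8.1025 > 192.0.2.20.513: Flags [S], length 0
10:00:00.500000 IP 192.0.2.20.1023 > 192.0.2.30.513: Flags [S], length 0
10:00:00.500100 IP 192.0.2.30.513 > 192.0.2.20.1023: Flags [S.], length 0
10:00:00.500200 IP 192.0.2.20.1023 > 192.0.2.30.513: Flags [R], length 0
10:00:00.600100 IP 192.0.2.30.513 > 192.0.2.20.1024: Flags [S.], length 0
10:00:00.600200 IP 192.0.2.20.1024 > 192.0.2.30.513: Flags [R], length 0
10:00:01.000000 IP 198.51.100.7.40000 > 192.0.2.30.22: Flags [S], length 0
10:00:01.000100 IP 192.0.2.30.22 > 198.51.100.7.40000: Flags [S.], length 0
10:00:01.000200 IP 198.51.100.7.40000 > 192.0.2.30.22: Flags [.], length 0
"""

# Assumed line shape: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]..."
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def analyze(capture, threshold=3):
    """Replay a capture through a minimal handshake tracker.

    Returns three defender-visible signals:
      syn_floods         - (server, port) with >= threshold half-open handshakes
      unsolicited_synack - SYN/ACKs for which no SYN was seen (spoof backscatter)
      reset_after_synack - handshakes the supposed initiator answered with RST,
                           i.e. a host refusing a connection it never opened
    """
    state = {}           # (client, cport, server, sport) -> handshake step
    unsolicited = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        sport, dport, flags = int(m["sport"]), int(m["dport"]), m["flags"]
        if flags == "S":                      # client -> server SYN
            state[(src, sport, dst, dport)] = "SYN"
        elif flags == "S.":                   # server -> client SYN/ACK
            key = (dst, dport, src, sport)    # index by the client side
            if state.get(key) is None:        # nobody here sent that SYN
                unsolicited.append(key)
            state[key] = "SYNACK"
        elif flags in (".", "R", "R."):       # client -> server ACK or RST
            key = (src, sport, dst, dport)
            if state.get(key) == "SYNACK":    # only the handshake's third step
                state[key] = "ESTABLISHED" if flags == "." else "RESET"

    # A handshake stuck at SYN or SYN/ACK ties up a backlog slot on the server.
    half_open = Counter()
    for (_, _, server, sport), step in state.items():
        if step in ("SYN", "SYNACK"):
            half_open[(server, sport)] += 1

    return {
        "syn_floods": {k: n for k, n in half_open.items() if n >= threshold},
        "unsolicited_synack": unsolicited,
        "reset_after_synack": [k for k, s in state.items() if s == "RESET"],
    }


if __name__ == "__main__":
    for name, hits in analyze(CAPTURE).items():
        print(f"{name}: {hits}")
```

On the sample, 192.0.2.20 port 513 shows four half-open handshakes from bogus addresses that never complete, 192.0.2.20 resets two SYN/ACKs from 192.0.2.30 for connections it never opened, and one of those SYN/ACKs has no SYN at all in the capture; the ordinary SSH handshake from 198.51.100.7 completes and raises nothing. The threshold here is tiny so the sample stays short; a real sensor would count half-open handshakes per time window and compare against the host's normal backlog usage.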