Published by Enhelion, 2019-11-21 09:20:58

Module_4


MODULE 4



Masking Your Identity



IP ADDRESSING

An Internet Protocol address (IP address) is a numerical label assigned to each device
connected to a computer network that uses the Internet Protocol for communication. An IP
address has two main functions: host or network interface identification and
location addressing.

Internet Protocol version 4 (IPv4) defines an IP address as a 32-bit number. Due to the growth
of the Internet and the depletion of available IPv4 addresses, a new version of IP (IPv6), using
128 bits for the IP address was developed in 1995 and standardized in December 1998. In July
2017, a final definition of the protocol was published. IPv6 deployment has been going on since
the mid-2000s.

IP addresses are usually written and displayed in human-readable notations, such
as 172.16.254.1 in IPv4, and 2001:db8:0:1234:0:567:8:1 in IPv6. The size of the routing prefix of
the address is designated in CIDR notation by suffixing the address with the number of
significant bits, e.g., 192.168.1.15/24, which is equivalent to the historically used subnet
mask 255.255.255.0.

The IP address space is managed globally by the Internet Assigned Numbers Authority (IANA),
and by five regional Internet registries (RIRs) responsible in their designated territories for
assignment to end users and local Internet registries, such as Internet service providers. IPv4
addresses have been distributed by IANA to the RIRs in blocks of approximately 16.8 million
addresses each. Each ISP or private network administrator assigns an IP address to each device
connected to its network. Depending on its software and practices, such assignments may be
on a static or dynamic basis.

Function

An IP address serves two principal functions. It identifies the host, or more specifically its
network interface, and it provides the location of the host in the network. Thus, it has the
capability of establishing a path to that host. Its role has been characterized as follows: "A name
indicates what we seek. An address indicates where it is. A route indicates how to get
there." The header of each IP packet contains the IP address of the sending host as well as that
of the destination host.

IPv4 addresses

Decomposition of an IPv4 address from dot-decimal notation to its binary value.



An IPv4 address has a size of 32 bits, which limits the address space to 4294967296 (2^32)
addresses. Out of this, some addresses are reserved for special purposes such as private
networks (~18 million addresses) and multicast addressing (~270 million addresses).

IPv4 addresses are usually represented in dot-decimal notation, consisting of four decimal
numbers, each ranging from 0 to 255, separated by dots, e.g., 172.16.254.1. Each part represents
a group of 8 bits (an octet) of the address. In some cases of technical writing, IPv4 addresses
may be presented in various hexadecimal, octal, or binary representations.
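
The decomposition and CIDR arithmetic described above, worked through in Python as an added example (not part of the original module). The function names are illustrative; the parser is deliberately strict and accepts only canonical dot-decimal, so hexadecimal or octal spellings are rejected rather than guessed at.

```python
# Added example: IPv4 dot-decimal decomposition and CIDR arithmetic.
# Reserved blocks used to check the "~18 million" and "~270 million" figures.
RESERVED = {
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "multicast": ["224.0.0.0/4"],
}


def parse_ipv4(text):
    """Strictly parse canonical dot-decimal notation into a 32-bit integer."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for part in parts:
        # ASCII digits only, no leading zeros: "016" is read as octal by some
        # parsers, so an ambiguous spelling is refused instead of interpreted.
        if not (part.isascii() and part.isdigit()) or (len(part) > 1 and part[0] == "0"):
            raise ValueError(f"non-canonical octet {part!r} in {text!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"octet out of range: {part!r}")
        value = (value << 8) | octet
    return value


def to_dotted(value):
    """32-bit integer back to dot-decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    """32-bit integer as four groups of 8 bits (one group per octet)."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def prefix_to_mask(prefix_len):
    """Number of significant bits (the /N suffix) to a subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def parse_cidr(text):
    """'address/prefix' to (address, mask, network address) as integers."""
    addr_text, _, prefix_text = text.partition("/")
    address = parse_ipv4(addr_text)
    mask = prefix_to_mask(int(prefix_text))
    return address, mask, address & mask


def same_network(addr_text, cidr_text):
    """True if the address shares the routing prefix of the CIDR block."""
    _, mask, network = parse_cidr(cidr_text)
    return parse_ipv4(addr_text) & mask == network


def reserved_size(kind):
    """Total number of addresses in the reserved blocks of one kind."""
    return sum(2 ** (32 - int(block.split("/")[1])) for block in RESERVED[kind])


if __name__ == "__main__":
    print(to_binary(parse_ipv4("172.16.254.1")))
    _, mask, network = parse_cidr("192.168.1.15/24")
    print(to_dotted(mask), to_dotted(network))
    print(reserved_size("private"), reserved_size("multicast"))
```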



IPv6 addresses

Decomposition of an IPv6 address from hexadecimal representation to its binary value.

All modern desktop and enterprise server operating systems include native support for the IPv6
protocol. However, it is not yet widely deployed in other devices such as residential networking
routers, voice over IP (VoIP) and multimedia equipment, and some networking hardware.

Assignment of IP addresses

IP addresses are assigned to a host either persistently by configuration of the host hardware or
software, or dynamically as they join the network. Persistent configuration is also known as
using a static IP address. In contrast, when a computer's IP address is assigned each time it
restarts, this is known as using a dynamic IP address.

Using Dynamic Host Configuration Protocol (DHCP), dynamic IP addresses are assigned by
the network. DHCP is the most frequently used technology for assigning addresses. It circumvents
the administrative burden of assigning specific static addresses to each device on a network. It
also allows devices to share the limited address space on a network if only some of them are
online at a particular time. Usually, dynamic IP configuration is enabled by default in modern
desktop operating systems.

The address assigned with DHCP is associated with a lease and usually has an expiration period.
If the lease is not renewed by the host before expiry, the address may be assigned to another
device. Some DHCP implementations attempt to reassign the same IP address to a host (based
on its MAC address) each time it joins the network. A network administrator may configure
DHCP by allocating specific IP addresses based on MAC address.

DHCP is not the only technology used to assign IP addresses dynamically. Bootstrap Protocol is
a similar protocol and predecessor to DHCP. Dialup and some broadband networks use dynamic
address features of the Point-to-Point Protocol.

Computers and equipment used for the network infrastructure, such as routers and mail
servers, are typically configured with static addressing. In the absence or failure of static or
dynamic address configurations, using stateless address autoconfiguration, an operating system
may assign a link-local address to a host.

VPN NETWORKING

Overview of VPN connectivity

A virtual private network (VPN) extends a private network across a public network. It enables
users to send and receive data across shared or public networks as if their computing devices
were directly connected to the private network. Applications running on a computing device
across a VPN may benefit from the functionality, security, and management of the private
network. Encryption is a common, though not inherent, part of a VPN connection.

Types of VPN

VPNs can be broadly categorized as follows:

1. A firewall-based VPN is one that is equipped with both firewall and VPN capabilities. It
makes use of the security mechanisms in firewalls to restrict access to an internal
network. Its features include address translation, real-time alarms, user authentication,
and extensive logging.

2. Since there is no processor overhead, a hardware-based VPN offers high network
throughput, better performance and more reliability. However, it is also more
expensive.

3. A software-based VPN provides the most flexibility in how traffic is managed. This type
is suitable when VPN endpoints are not controlled by the same party, and where
different firewalls and routers are used. It can enhance performance with hardware
encryption accelerators.

4. An SSL VPN allows users to connect to VPN devices using a web browser. The SSL
(Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to
encrypt traffic between the SSL VPN device and the web browser. An advantage of using
SSL VPNs is ease of use: because all standard web browsers support the SSL protocol,
users do not need to do any software installation or configuration.



Security by VPN

Security is the basic function of a VPN and the reason VPNs were originally created.
Corporations connect their computers and servers located in different parts of the world using
VPNs for security purposes. Apart from corporations, there are commercial companies that
create special VPNs and sell membership plans to those who want to join their VPNs. That
means that ordinary users can buy a membership in such networks. For example, you may need
it in the following cases:

You do not want anyone to have access to the data you submit to the internet.
You do not want your Internet Service Provider (ISP) to know and log your internet
activity.
You do not want various government agencies to track you and your actions on the
internet.
You do not want various sites that you visit, and programs installed on your computer,
to collect and send marketing information about you and about what you are doing on
the internet

Protection

Protection is the very essence of the VPN. When you are connected using a VPN, your computer
or device becomes invisible to the rest of the internet. Bots, viruses, trojans and hackers which
inhabit the internet simply cannot attack you, because you do not “exist” for them. If you are
not using a VPN, you are especially vulnerable when you connect to the Internet via an open
Wi-Fi network in the airport, coffee shop or any other public place. As an open Wi-Fi network is
unencrypted and unsecured, attackers may gain access to everything stored on your computer
without any serious effort. They can even intercept your session with your online banking site
and transfer your money to their accounts. However, none of this is possible if you are
connected to a VPN because, for your attackers, both you and your connection do not exist.

Anonymity

Whenever you are connected to the Internet, you are assigned an IP address, a numerical
combination that is essentially similar to a regular street address. With an IP address, you can
be tracked down as easily as with a regular street address. Many people do not like that level of
access, so they use a VPN, which replaces their real IP addresses with the IP address of the
gateway, which can be in a different country.

Some websites, such as Hulu Plus, Netflix, Amazon Prime, Vudu, CBS, Spotify, Pandora, and
many others, check your IP address. For instance, they prevent you from accessing their
services if you aren't in the country they operate in. Therefore, many people use various VPNs
based in the United States so that the above-mentioned services do not see their real IP address
but instead see the one in the U.S. (that belongs to the VPN) and unblock their access.

How Does a VPN Work?









IP SPOOFING




The action of making something look like something that it is not in order to gain unauthorized
access to private information is known as spoofing. The idea of spoofing originated with the
discovery of a security hole in the TCP protocol in the 1980s. Today spoofing exists in various
forms, namely IP, URL and email spoofing. Most email users have received an email asking them
to update their profile information for their account at either PayPal or other financial
institutions. Some of these users might know that these emails are acts of phishing and thus
they avoid or delete emails like these. Others may not be aware of this practice and so they
navigate to a spoofed website by clicking on a link provided in the spoofed email. A spoofed
website is designed to look exactly like the original website (sometimes even the URL, title bar,
and status bar mimic the original website; this is referred to as a spoofed URL). A spoofed email
appears to be sent from a legitimate source whereas in fact it was sent from someone else.
Phishing and spoofing are closely related.

The following are possible attacks that can be launched with the help of IP spoofing:

Man in the Middle

This attack occurs when hackers interested in some information intercept data packets sent
from one host to the next. Hackers perform a man-in-the-middle attack by accessing information
sent from one end and then altering it before releasing the information to the intended recipient.
That means the recipient will receive altered information that is totally different from what was sent.

A man-in-the-middle attack is mostly performed by individuals or organizations that are
interested in knowing the information shared between the sender and the recipient.

Blinding

This form of attack occurs when a hacker sends an altered sequence of data packets to the target
while not sure how data transmission within a network takes place.

It is a blind type of spoofing because the hacker is unsure about the sequence used in data
transmission within a network; they are interested in altering the data sent over it.

While hiding their identity, the hacker takes advantage of the fact that they have accessed
the data and injects wrong information into the packets of data without identifying or
publicizing their identity. The recipient will receive altered data and believe that it is data sent
from the genuine sender, without knowing that the data contains false information injected by a
hacker.

Non-blinding

In this form of attack, the hacker resides in the same network as the target, making it easy for
them to notice or access transmissions. This, as a result, makes it easy for the hacker to identify
or understand the data sequence. After getting access to the data sequence, the hacker can
disguise themselves and end up hijacking processes that have been established.





Denial-of-service attack

IP spoofing is used in DDoS attacks to hide the identity of the exact machines from where
the requests are coming. This makes the DDoS attack more powerful because it will be difficult
to identify the senders and block them.

Services vulnerable to IP spoofing

Configuration and services that are vulnerable to IP spoofing:

1. RPC (Remote procedure call services)
2. Any service that uses IP address authentication
3. The X Window System
4. The R services suite (rlogin, rsh, etc.)

Types of Spoofing

Cybercriminals employ a variety of methods and techniques to carry out spoofing attacks and
steal their victims’ sensitive information. Some of the most common types of spoofing are:

1. Email Spoofing

Email spoofing is the most prevalent form of online spoofing. Similar to phishing,
spoofers send out emails to multiple addresses and use official logos and header images
to falsely introduce themselves as representatives of banks, companies, and law
enforcement agencies. The emails they send include links to malicious or otherwise
fraudulent websites and attachments infected with malicious software.

Some spoofers may also use social engineering techniques to trick the victim into
disclosing information voluntarily. They will often create fake banking or digital wallet
websites and link to them in their emails. When an unsuspecting victim clicks on that
link, they will be taken to the fake site where they will have to log in with their
information, only to have that info sent to the spoofer behind the fake email.

2. DNS Spoofing

Each computer and each website on the internet are assigned their own unique IP
address. For websites, this address is different from the standard “www” internet
address that you use to access them. When you type in a web address into your browser
and hit enter, the Domain Name System (DNS) quickly finds the IP address that matches
the domain name you entered and redirects you to it. Hackers have found ways to
corrupt this system and redirect your traffic to malicious websites. This is called DNS
spoofing.

Also known as DNS cache poisoning, this method is used by cybercriminals to introduce
corrupt DNS data on the user’s end, thus preventing them from accessing the websites
that they want to access. Instead, no matter what web address they type in, the user
will be redirected to the IP addresses defined by the hacker, which most often hosts
malicious software or fake forms that harvest the victim’s personal data.

3. IP Spoofing

As the name suggests, IP spoofing refers to the use of a fake IP address by the sender to
either disguise their real identity or to carry out cyber-attacks. The sender assumes an
existing IP address that doesn’t belong to them in order to send out IP packets to
networks they otherwise wouldn’t have access to. Since they’re coming from a trusted
address, the security system on the recipient’s end will see the incoming packets as part
of the normal activity and won’t be able to detect the threat until it’s too late.

Not all instances of IP spoofing are malicious. The virtual private network (VPN)
technology is based on IP spoofing, but its main purpose is to protect the users’ identity,
allow them to access content that is otherwise blocked due to internet censorship, and
prevent cyber-attacks while on a public Wi-Fi connection. Although some countries like
China and Turkey have outlawed the use of VPN, it is legal in most countries of the
world as long as it’s not used to engage in cybercriminal activities.

4. DDoS Spoofing

DDoS spoofing is a subtype of IP spoofing used by hackers to carry out Distributed
denial-of-service (DDoS) attacks against computers, networks, and websites. Attackers
use various techniques to scan the internet for computers with known vulnerabilities
and use these flaws to install malicious software. This allows them to create botnets,
armies of “robot” computers, all remotely controlled by the hacker.

Whenever they want, the hacker can activate all the computers in their botnet and use
their combined resources to generate high levels of traffic to target websites and
servers in order to disable them. Each of these computers has their own unique IP
address. Considering that botnets can comprise a million or more computers with as
many unique IPs, tracing the hacker’s actual IP address may prove impossible.

TYPES OF SPOOFING ATTACK

IP address spoofing is one of the most frequently used spoofing attack methods. In this type of
attack, an attacker sends IP packets from a false address in order to disguise itself.
Denial-of-service attacks often use IP spoofing to overload networks and devices with packets that
appear to be from legitimate source IP addresses.

There are two ways that IP spoofing attacks can be used to overload targets with traffic. One
method is by simply flooding a target with packets from multiple spoofed addresses. This works
by directly sending a victim more data than it can handle. The other method is to spoof the
target’s IP address and send packets from that address to many different recipients on the
network. When another machine receives a packet, it will automatically transmit a packet to
the sender in response. Since the spoofed packets appear to be sent from the target’s IP
address, all responses to the spoofed packets will be sent to and thus flood the target’s IP
address.

IP spoofing attacks can also be used to bypass IP address-based authentication. This process
can be very difficult and is primarily used when trust relationships are in place between machines
on a network and internal systems. Trust relationships use IP addresses rather than user
logins to verify identities of machines when attempting to access systems. This allows malicious
parties to use spoofing attacks to impersonate machines with access permissions and bypass
trust-based network security measures.

ARP Spoofing Attacks

ARP, short for Address Resolution Protocol, is used to resolve IP addresses to MAC (Media
Access Control) addresses for transmitting data. In an ARP spoofing attack, a malicious party
sends spoofed ARP messages across a local area network in order to link the attacker’s MAC
address with the IP address of a legitimate member of the network. This type of spoofing attack
results in data, intended for the host’s IP address, getting sent to the attacker instead.
Malicious parties commonly use ARP spoofing to steal information, modify data-in-transit or
stop traffic on a LAN. ARP spoofing attacks can also be used to aid other types of attacks,
including session hijacking, denial-of-service and man-in-the-middle attacks. ARP spoofing only
works on local area networks that use the Address Resolution Protocol.
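
How a defender can spot the forged binding described above, as an added Python example (not part of the original module): it decodes Ethernet/IPv4 ARP payloads and reports when an IP address is suddenly claimed by a different MAC address. The class name, the pinned-address option and the sample packets are assumptions made for illustration; all traffic is constructed inline.

```python
# Added example: passive detection of conflicting ARP sender bindings.
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(ARP_FMT)   # 28 bytes for Ethernet/IPv4


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(payload):
    """Decode an ARP payload (Ethernet header already removed)."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return oper, mac_to_str(sha), socket.inet_ntoa(spa)


class ArpMonitor:
    """Tracks IP-to-MAC bindings taken from the sender fields of ARP traffic."""

    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})   # known-good bindings, e.g. the gateway
        self.learned = {}                  # first binding seen for every other IP

    def observe(self, payload):
        """Return an alert tuple if the sender binding conflicts, else None."""
        _oper, mac, ip = parse_arp(payload)
        if ip == "0.0.0.0":                # address probe, carries no binding
            return None
        known = self.pinned.get(ip) or self.learned.get(ip)
        if known is None:
            self.learned[ip] = mac
            return None
        if known != mac:
            # The first-seen binding is kept so repeated forgeries keep alerting.
            # A DHCP address handed to a new device triggers this too, so alerts
            # on non-pinned addresses need review rather than automatic blocking.
            kind = "pinned-mismatch" if ip in self.pinned else "binding-changed"
            return (kind, ip, known, mac)
        return None


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Pack a sample payload for the offline data below (constructed data)."""
    to_raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       to_raw(sender_mac), socket.inet_aton(sender_ip),
                       to_raw(target_mac), socket.inet_aton(target_ip))


# Constructed sample: gateway .1, workstation .50, then a second MAC claiming .1
GATEWAY, HOST, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:50", "02:00:00:00:00:66"
SAMPLE = [
    build_arp(2, GATEWAY, "192.168.1.1", HOST, "192.168.1.50"),
    build_arp(1, HOST, "192.168.1.50", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(2, OTHER, "192.168.1.1", HOST, "192.168.1.50"),
]


def scan(payloads, pinned=None):
    """Run the monitor over a sequence of payloads and collect the alerts."""
    monitor = ArpMonitor(pinned)
    return [alert for alert in map(monitor.observe, payloads) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```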

DNS Server Spoofing Attacks

The Domain Name System (DNS) is a system that associates domain names with IP addresses.
Devices that connect to the internet or other private networks rely on the DNS for resolving
URLs, email addresses and other human-readable domain names into their corresponding IP
addresses. In a DNS server spoofing attack, a malicious party modifies the DNS server in order
to reroute a specific domain name to a different IP address. In many cases, the new IP address
will be for a server that is actually controlled by the attacker and contains files infected with
malware. These attacks are often used to spread computer worms and viruses.

TOR BROWSER

Tor is free and open-source software for enabling anonymous communication. The Tor Browser
is a web browser that anonymizes your web traffic using the Tor network, making it easy to
protect your identity online.

If you're investigating a competitor, researching an opposing litigant in a legal dispute, or just
do not want your ISP or the government to know what websites you visit, then the Tor Browser
might be the right solution.

Browsing the web over Tor is slower than the clearnet, and some major web services block Tor
users. Tor Browser is also illegal in authoritarian regimes that want to prevent citizens from
reading, publishing, and communicating anonymously.

How to use the Tor Browser

For most people, using Tor Browser is as simple as downloading it and running it, the same way
you'd download Chrome or Firefox.

Tor Browser gives you access to .onion web sites that are only available within the Tor network.
For instance, try to access The New York Times at https://www.nytimes3xbfgragh.onion/ and
Facebook at https://www.facebookcorewwwi.onion using a regular web browser. You can only
reach these sites over Tor. This makes it possible to read the news anonymously, a desirable
feature in a country where you don't want the government knowing which news sites you’re
visiting.

However, many prominent web services block access to Tor, often without useful error
messages. If a site you normally visit suddenly returns 404 when visiting over Tor, the service is
likely blocking Tor traffic and being needlessly opaque about it. Sites that do not block Tor
might push you to click through a ton of captchas. It's not the end of the world, but it is
annoying.

How Tor Browser works

Tor Browser routes all your web traffic through the Tor network, making it anonymous. As the
images below illustrate, Tor consists of a three-layer proxy, like layers of an onion (hence Tor's
onion logo). Tor Browser connects at random to one of the publicly listed entry nodes, bounces
that traffic through a randomly selected middle relay, and finally spits out your traffic through
the third and final exit node.


As a result, a website may be shown in a foreign language. These services look at your IP
address and guess your approximate country and language. However, when using Tor, you will
often appear to be in a physical location halfway around the world.

If you live in a place that blocks Tor or need to access a web service that blocks Tor, you can
also configure Tor Browser to use bridges. Unlike Tor's entry and exit nodes, bridge IP addresses
are not publicly listed, making it difficult for web services, or governments, to blacklist those IP
addresses.

The Tor network routes TCP traffic of all kinds but is optimized for web browsing. Tor does not
support UDP, so don't try to torrent free software ISOs, as it won't work.

TOR BROWSER

A Tor user's SOCKS-aware applications can be configured to direct their network traffic through
a Tor instance's SOCKS interface, which is listening on TCP port 9150 at localhost. Tor
periodically creates virtual circuits through the Tor network through which it can multiplex and
onion-route that traffic to its destination. Once inside a Tor network, the traffic is sent from
router to router along the circuit, ultimately reaching an exit node at which point
the cleartext packet is available and is forwarded on to its original destination. Viewed from the
destination, the traffic appears to originate at the Tor exit node.
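
What a SOCKS-aware application sends to that interface, as an added Python example (not part of the original module and not Tor's own code). It builds and parses SOCKS5 messages and passes the destination as a hostname, so name resolution happens inside the proxy instead of through the local resolver; the function names and the sample reply bytes are assumptions made for illustration.

```python
# Added example: the SOCKS5 exchange a client performs with a local SOCKS proxy.
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9150)   # SOCKS interface address given in the text above

REPLIES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
           3: "network unreachable", 4: "host unreachable",
           5: "connection refused", 6: "TTL expired",
           7: "command not supported", 8: "address type not supported"}


def build_greeting():
    """Client hello: VER=5, one method offered, 0x00 = no authentication."""
    return b"\x05\x01\x00"


def build_connect(host, port):
    """CONNECT request with ATYP=0x03 (domain name): the proxy does the lookup."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_reply(data):
    """Decode VER, REP, RSV, ATYP, BND.ADDR, BND.PORT into (code, text, port)."""
    if len(data) < 5 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:
        addr_len = 4                 # IPv4
    elif atyp == 4:
        addr_len = 16                # IPv6
    elif atyp == 3:
        addr_len = 1 + data[4]       # length byte plus name
    else:
        raise ValueError(f"unknown address type {atyp}")
    end = 4 + addr_len + 2
    if len(data) < end:
        raise ValueError("truncated reply")
    (bound_port,) = struct.unpack("!H", data[end - 2:end])
    return rep, REPLIES.get(rep, "unknown"), bound_port


def recv_exact(sock, count):
    buf = b""
    while len(buf) < count:
        chunk = sock.recv(count - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def connect_via_socks(host, port, proxy=TOR_SOCKS):
    """Open a proxied TCP stream. Needs a running proxy; not called here."""
    sock = socket.create_connection(proxy, timeout=30)
    try:
        sock.sendall(build_greeting())
        if recv_exact(sock, 2) != b"\x05\x00":
            raise ConnectionError("proxy refused the no-authentication method")
        sock.sendall(build_connect(host, port))
        head = recv_exact(sock, 5)   # fixed header plus first address byte
        remaining = {1: 3, 4: 15, 3: head[4]}.get(head[3])
        if remaining is None:
            raise ConnectionError("unknown address type in reply")
        rep, text, _ = parse_reply(head + recv_exact(sock, remaining + 2))
        if rep != 0:
            raise ConnectionError(f"SOCKS5 connect failed: {text}")
        return sock
    except Exception:
        sock.close()
        raise


# Constructed replies for offline checking: success, then "connection refused".
SAMPLE_OK = b"\x05\x00\x00\x01" + bytes(6)
SAMPLE_REFUSED = b"\x05\x05\x00\x01" + bytes(6)
```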

PROXY SERVER

A proxy server is an intermediary server between the client and the internet. Proxy servers offer
basic functionalities such as:

Firewall and network data filtering
Network connection sharing
Data caching

Monitoring and Filtering

Proxy servers allow us to do several kinds of filtering, such as:

Content Filtering
Filtering encrypted data
Bypass filters
Logging and eavesdropping

Proxy servers allow you to hide your IP address, making your network identity anonymous.

Purpose of Proxy Servers

Following are the reasons to use proxy servers:

Monitoring and Filtering
Improving performance
Translation
Accessing services anonymously
Security

How proxy servers work

When a proxy server receives a request for an Internet resource, it looks in its local cache of
previously retrieved pages. If it finds the page, it returns it to the user without needing to forward
the request to the Internet. If the page is not in the cache, the proxy server, acting as a client on
behalf of the user, uses one of its own IP addresses to request the page from the server out on
the Internet. When the page is returned, the proxy server relates it to the original request and
forwards it on to the user.

Proxy servers are used for both legal and illegal purposes. In the enterprise, a proxy server is
used to facilitate administrative control, security and caching services, as well as other purposes.
For personal computing, proxy servers are used to enable user privacy and anonymous surfing.
Proxy servers can also be used to monitor traffic and undermine user privacy.

To the user, the proxy server is invisible. All Internet requests and returned responses appear to
be directly with the addressed Internet server. In reality, the proxy is not actually invisible. Its IP
address has to be specified as a configuration option to the browser or other protocol program.

Users can configure web browsers or access web proxies online to constantly use a proxy
server. Browser settings include automatically detected and manual options for HTTP, FTP, SSL,
and SOCKS proxies. Proxy servers may be shared and serve many users or be dedicated and just
serve one user per server.
