Published by Enhelion, 2020-01-09 08:35:13

Module_4

MODULE 4
IP Spoofing


Internet Protocol Addressing (IP)
An IP address is an address used to uniquely identify a device on an IP network. The
address is made up of 32 binary bits that can be divided into a network portion and a host
portion with the help of a subnet mask. The 32 binary bits are broken into four octets (1 octet =
8 bits). Each octet is converted to decimal and separated by a period (dot). This is why an IP
address is said to be expressed in dotted decimal format, such as 172.16.81.100. The value in
each octet ranges from 0 to 255 in decimal, or 00000000 to 11111111 in binary.
Most networks today, including all computers on the internet, use TCP/IP as the standard for
communicating on the network. The unique identifier in the TCP/IP protocol is the IP address.
The two kinds of IP addresses are IPv4 and IPv6.


IPv4 vs IPv6

IPv4 uses 32 binary bits to create a single unique address on the network. An IPv4 address is
expressed by four numbers separated by dots. Each number is the decimal (base-10)
representation for an eight-digit binary (base-2) number, also called an octet.

IPv6 uses 128 binary bits to create a single unique address on the network. An IPv6 address is
expressed by eight groups of hexadecimal (base-16) numbers separated by colons. Often
groups of numbers that contain all zeros are omitted to save space, leaving a colon separator to
mark the gap.

The IPv6 address space is much larger than the IPv4 space because each of its eight groups is a
16-bit hexadecimal quantity, giving 128 bits in total instead of 32. Most devices still use IPv4.
However, with the advent of IoT devices and the growing demand for IP addresses, more and
more devices are adopting IPv6.

Static vs Dynamic

An IP address can be dynamic or static.

A static address is one that is configured by editing the computer's network settings. This type
of address is rare, and it can create network issues if used without a good understanding of
TCP/IP.
Dynamic addresses are the most common. They are assigned by a service running on the
network, namely the Dynamic Host Configuration Protocol (DHCP). DHCP typically runs on
network hardware such as routers or on dedicated DHCP servers. Dynamic IP addresses are
issued using a leasing system, which means that the IP address is only active for a limited time.
Once the lease expires, the computer automatically requests a new lease.


IP Classes

Typically, the IPv4 space allows addresses from 0.0.0.0 to 255.255.255.255.
However, some numbers in that range are reserved for specific purposes on TCP/IP networks.
These reservations are recognized by the Internet Assigned Numbers Authority (IANA), the
authority on TCP/IP addressing. The following are four specific reservations:

0.0.0.0 - This represents the default network, which is the abstract concept of just being
connected to a TCP/IP network.
255.255.255.255 - This address is reserved for network broadcasts, or messages that
should go to all computers on the network.
127.0.0.1 - This is called the loopback address, which is the computer's way of
identifying itself, regardless of whether it has an assigned IP address.
169.254.0.1 to 169.254.255.254 - This is the Automatic Private IP Addressing (APIPA)
range of addresses, assigned automatically when a computer is unsuccessful in getting an
address from a DHCP server.

The other IP address reservations are for subnet classes. A smaller network of computers
connected to a larger network through a router is known as a subnet. It can have its own
address system so computers on the same subnet can communicate quickly without sending
data across the larger network. A router on a TCP/IP network, including the Internet, is
configured to recognize one or more subnets and route network traffic appropriately. The
following are the IP addresses reserved for subnets:

10.0.0.0 to 10.255.255.255 - This falls within the Class A address range
of 1.0.0.0 to 127.0.0.0, in which the first bit is 0.
172.16.0.0 to 172.31.255.255 - This falls within the Class B address range
of 128.0.0.0 to 191.255.0.0, in which the first two bits are 10.
192.168.0.0 to 192.168.255.255 - This falls within the Class C range
of 192.0.0.0 through 223.255.255.0, in which the first three bits are 110.
224.0.0.0 to 239.255.255.255 - Multicast (formerly called Class D), in which the first four
bits are 1110.
240.0.0.0 to 254.255.255.254 - Reserved for future/experimental use (formerly called
Class E).

The first three (within Classes A, B and C) are those most used in creating subnets. The IANA has
defined specific uses for multicast addresses within Internet Engineering Task Force (IETF)
document RFC 5771. However, it hasn’t assigned a purpose or future plan for Class E addresses
as it reserved the block in its 1989 document RFC 1112. Before IPv6, the Internet was filled with
debates about whether the IANA should release Class E for general use.

Subnets

When you type ifconfig in a UNIX terminal (or ipconfig at the Windows command prompt), you
get a detailed display of your IP address information. The values below are taken from such a
display:

IP address: 192.168.1.69
Subnet mask: 255.255.255.0
Twenty-four bits (three octets) reserved for network identity
Eight bits (one octet) reserved for nodes
Subnet identity based on subnet mask (first address): 192.168.1.0
Reserved broadcast address for the subnet (last address): 192.168.1.255
Example addresses on the same network: 192.168.1.1, 192.168.1.103
Example addresses not on the same network: 192.168.2.1, 192.168.2.103

IP addresses on a subnet have two parts: network and node. The network part identifies the
subnet itself. The node, also known as the host, is a single piece of computer equipment
connected to the network and requiring a unique address. By using a subnet mask, each
computer knows how to separate the two parts of the IP address. A subnet mask looks like an
IP address, but it is just a filter used to determine which part of an IP address identifies the
network and which part identifies the node.

In the above example, the subnet mask is 255.255.255.0, indicating that one byte (the last
octet) is dedicated to the host part. A mask of 255.255.0.0 leaves two bytes for hosts, and
255.0.0.0 leaves three.
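As an added illustration that is not part of the original module, the Python below performs the octet, class and subnet-mask arithmetic described above by hand on the module's own example addresses; it also rejects malformed addresses and non-contiguous masks, which the prose does not cover.

```python
def parse_ipv4(dotted: str) -> int:
    """Convert dotted-decimal text to a 32-bit integer, rejecting octets outside 0-255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value

def to_dotted(value: int) -> str:
    """Inverse of parse_ipv4: split a 32-bit integer back into four decimal octets."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(dotted: str) -> str:
    """Show the four octets as 8-bit groups, the form in which the class bit patterns are stated."""
    value = parse_ipv4(dotted)
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def address_class(dotted: str) -> str:
    """Classify by the leading bits of the first octet (historical classes A to E)."""
    first = parse_ipv4(dotted) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D (multicast)"
    return "E (reserved)"

def subnet_info(ip: str, mask: str) -> dict:
    """Split an address into network and host parts with a subnet mask."""
    ip_int, mask_int = parse_ipv4(ip), parse_ipv4(mask)
    prefix_len = bin(mask_int).count("1")
    # A valid mask is a run of ones followed by a run of zeros; anything else is rejected.
    if mask_int != (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    network = ip_int & mask_int
    broadcast = network | (~mask_int & 0xFFFFFFFF)
    return {"network": to_dotted(network), "broadcast": to_dotted(broadcast),
            "network_bits": prefix_len, "host_bits": 32 - prefix_len}

def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts share a subnet when masking both addresses yields the same network."""
    mask_int = parse_ipv4(mask)
    return parse_ipv4(a) & mask_int == parse_ipv4(b) & mask_int
```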

Spoofing

Spoofing is the act of making something look like something that it is not, in order to gain
unauthorized access to a user's private information. The idea of spoofing originated in the
1980s with the discovery of a security hole in the TCP protocol. Today spoofing exists in
various forms, usually IP, URL and email spoofing. Most users have received an email
asking them to update the profile information for their account at PayPal or another financial
institution. Some of these users know that such emails are acts of phishing and therefore
ignore or delete them. Others may not be aware of these practices. By clicking on a link
provided in the spoofed email, they navigate to a spoofed website. A spoofed website is
designed to look exactly like the original website, sometimes even mimicking the URL, title bar
and status bar of the original. This is referred to as a spoofed URL. A spoofed email appears to
be sent from a legitimate source whereas in fact it was sent by someone else. Phishing and
spoofing are closely related.



Let's take a look at possible attacks that can be launched with the help of IP spoofing:

Man in the Middle

Just as the name suggests, this attack occurs when hackers interested in some information
intercept data packets sent from one host to the next. Hackers perform the man in the middle
attack by reading the information sent from one end and altering it before releasing it to the
intended recipient. That means the recipient receives information that is different from what
was sent. Man in the middle attacks are mostly performed by individuals or organizations that
are interested in knowing the information shared between the sender and the recipient.

Blinding

This attack occurs when a cracker or hacker sends an altered sequence of data packets to their
target without being sure how data transmission within the network takes place.

It is called blind spoofing because the hacker cannot observe the sequence numbers used in data
transmission on the network whose traffic they want to alter.

While hiding their identity, the hacker then takes advantage of the access they have gained and
injects false information into the data packets. The recipient receives the altered data and
believes it was sent by the genuine sender, without knowing that it contains false information
injected by the hacker.

Non-blinding

In this type of attack, the hacker resides on the same network as the target, making it easy for
them to observe or access transmissions. As a result, the hacker can easily learn the sequence
numbers in use. After obtaining them, the hacker can disguise themselves and end up hijacking
sessions that have already been established.

Denial-of-service attack

When a DDoS attack is launched, IP spoofing is used to hide the identity of the machines
from which the requests are actually coming. This makes the DDoS attack more powerful because
it is difficult to identify the senders and block them.

IP Address Spoofing

IP address spoofing is one of the most frequently used spoofing attack methods. In this type of
attack, an attacker sends IP packets with a false or spoofed source address to disguise itself.
Denial-of-service attacks often use IP spoofing to overload networks and devices with packets
that appear to come from legitimate source IP addresses.

There are two ways that IP spoofing attacks can be used to overload targets with traffic. One
method is to simply flood a selected target with packets from multiple spoofed addresses by
directly sending a victim more data than the system can handle. The other method is to spoof
the target’s IP address and send packets from that address to many different recipients on the
network. When another machine receives a packet, it will automatically transmit a packet to
the sender in response. Since the spoofed packets appear to be sent from the target’s IP
address, all responses to the spoofed packets will be sent to flood the target’s IP address.

IP spoofing attacks can also be used to bypass IP address-based authentication. This process
can be very difficult and is primarily used when trust relationships are in place between
machines on a network and internal systems. Rather than user logins, trust relationships use IP
addresses to verify machines’ identities when attempting to access systems. This allows
malicious parties to use spoofing attacks to impersonate machines with access permissions and
bypass trust-based network security measures.

ARP Spoofing Attacks

ARP is short for Address Resolution Protocol. This protocol is used to resolve IP addresses to
MAC (Media Access Control) addresses for transmitting data. In an ARP spoofing attack, a
malicious party sends spoofed ARP messages across a local area network to link the attacker's
MAC address with the IP address of a legitimate member of the network. This type of spoofing
attack results in data being sent to the attacker instead of to the intended host's IP address.
ARP spoofing is commonly used to steal information, modify data in transit or stop traffic on a
LAN. It can also be used to facilitate other types of attacks, including DoS, session hijacking
and man-in-the-middle attacks. ARP spoofing only works on local area networks that use the
Address Resolution Protocol.

DNS Server Spoofing Attacks

The Domain Name System (DNS) is a system that associates domain names with IP addresses.
Devices that connect to the internet or other private networks depend on the DNS for resolving
URLs, email addresses and other human-readable domain names into their corresponding IP
addresses. In a DNS server spoofing attack, an attacker modifies the DNS server in order to
reroute a specific domain name to a different IP address. In many cases, the new IP address will
be for a server that is controlled by the attacker and contains files infected with malware. DNS
server spoofing attacks are mostly used to spread computer worms and viruses.

VPN (Virtual Private Network)

A virtual private network (VPN) is software that creates a safe and encrypted connection
over a less secure network, such as the public internet. A VPN works by using the shared public
infrastructure while maintaining privacy through tunneling protocols and security procedures.
By encrypting data at the sending end and decrypting it at the receiving end, the protocols send
the data through a "tunnel" that cannot be "entered" by data that is not properly encrypted. An
additional level of security involves encrypting not only the data, but also the originating and
receiving network addresses.

Types of VPN

VPNs can be broadly categorized as follows:

1. A firewall-based VPN is one that is equipped with both firewall and VPN capabilities. It
makes use of the security mechanisms in firewalls to restrict access to an internal
network. Its features include address translation, user authentication, real time alarms
and extensive logging.

2. A hardware-based VPN offers high network throughput, better performance and more
reliability since there is no processor overhead, but it is also more expensive.

3. A software-based VPN provides the most flexibility in how traffic is managed. This type
is suitable when VPN endpoints are not controlled by the same party, and where
different firewalls and routers are used. It can be used with hardware encryption
accelerators to enhance performance.

4. An SSL VPN allows users to connect to VPN devices using a web browser. The SSL
(Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to
encrypt traffic between the web browser and the SSL VPN device. An advantage of using
SSL VPNs is ease of use. As all standard web browsers support the SSL protocol, users do
not need to do any software installation or configuration.

How does it work?



TOR Browser

Tor is an Internet networking protocol designed to anonymize the data relayed across it. Tor's
software makes it difficult, if not impossible, for any snoops to see your mail, search history,
social media posts or other online activity. They also will not be able to identify which country
you are in by analyzing your IP address, which can be very useful for journalists, activists,
businesspeople and more.

Tor browser is similar to a normal web browser in many ways. It is as easy to use as Google
Chrome or Microsoft Edge. The difference is that Tor browser connects you to the internet
through the Tor network.

Tor is free, open-source software that helps you stay anonymous online. “Tor” is short for The
Onion Router. It refers to the way that Tor protects your data by wrapping it in multiple layers
of encryption like an onion.

How Tor Works

Tor is built on the 'onion routing' method, in which the user's data is first encrypted
and then transferred through different relays in the Tor network. This creates multi-
layered encryption (layers like an onion), thus keeping the identity of the user safe.

One encryption layer is decrypted at each successive Tor relay, and the remaining data is
forwarded to the next relay (relays are chosen at random) until it reaches its destination
server. To the destination server, the last Tor node (the exit relay) appears as the origin of
the data. It is thus hard for any surveillance system sitting in between to trace the identity
of the user or the server.

Other than providing anonymity to standalone users, Tor can also provide anonymity to
websites and servers in the form of Tor Hidden Services. P2P applications like BitTorrent
can also be configured to use the Tor network to download torrent files.
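The layering just described, as an added Python illustration that is not part of the original module: the client wraps a message once per relay, and each relay strips exactly one layer, learning only the next hop. The cipher is a toy XOR keystream, and the relay names, keys and destination are constructed for the demo; real Tor negotiates a separate key with each relay and uses a proper cipher.

```python
import hashlib

HOP = 16  # fixed-width next-hop field inside every layer (constructed format for this demo)

# Constructed circuit: (relay name, key shared between the client and that relay).
PATH = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256-derived keystream. NOT secure; it only makes
    the layering visible. XOR is its own inverse, so one function encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(path, destination: str, payload: bytes) -> bytes:
    """Client side: wrap innermost-first, so the exit relay's layer goes on before the guard's."""
    onion = payload
    next_hop = destination
    for name, key in reversed(path):
        assert len(next_hop) <= HOP, "hop name longer than the fixed field"
        onion = keystream_xor(key, next_hop.encode().ljust(HOP, b"\0") + onion)
        next_hop = name  # the relay before this one must be told to forward here
    return onion


def relay_peel(key: bytes, onion: bytes):
    """One relay strips one layer and learns only the next hop plus an opaque blob."""
    clear = keystream_xor(key, onion)
    return clear[:HOP].rstrip(b"\0").decode(), clear[HOP:]


def route(path, destination: str, payload: bytes):
    """Simulate the circuit. Returns the bytes the destination receives and, per relay,
    (relay name, next hop it learned, whether it could read the plaintext)."""
    onion = build_onion(path, destination, payload)
    observed = []
    for name, key in path:
        next_hop, onion = relay_peel(key, onion)
        observed.append((name, next_hop, payload in onion))
    return onion, observed


if __name__ == "__main__":
    delivered, observed = route(PATH, "example.org", b"GET / HTTP/1.1")
    for relay, next_hop, saw_plaintext in observed:
        print(f"{relay:6} forwards to {next_hop:12} sees plaintext: {saw_plaintext}")
    print("destination received:", delivered)
```

Note that the exit relay is the one hop that does see the plaintext, which is why traffic leaving Tor still needs end-to-end protection such as TLS.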



Spoofing Attack Prevention

There are many tools and practices that organizations can use to reduce the threat of
spoofing attacks. A few common measures that organizations can take to prevent spoofing
attacks include:

Packet filtering: Packet filters inspect packets as they are transmitted across a network.
Packet filters are useful in preventing IP address spoofing attacks because they can filter out
and block packets with conflicting source address information, i.e. packets from outside
the network that carry source addresses from inside the network, and vice versa.
Avoid trust relationships: Organizations should develop protocols that rely on trust
relationships as little as possible. As trust relationships only use IP addresses for
authentication, it is significantly easier for attackers to run spoofing attacks when trust
relationships are in place.
Use spoofing detection software: There are many programs available that help
organizations detect spoofing attacks, particularly ARP spoofing. These programs work
by inspecting and certifying data before it is transmitted and blocking data that seems to
be spoofed.
Use cryptographic network protocols: Transport Layer Security (TLS), Secure Shell (SSH),
HTTP Secure (HTTPS) and other secure communications protocols bolster spoofing
attack prevention efforts by encrypting data before it is sent and authenticating data
when it is received.
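The first and third measures above, as an added Python illustration not taken from the original module: an ingress/egress check for a border router with an 'inside' and an 'outside' interface, and a detector that walks ARP replies and flags an IP whose MAC changes or a MAC that starts answering for several IPs. The internal network, interface names and ARP sample are constructed for the demo.

```python
import ipaddress
from collections import defaultdict

# Constructed: the subnet from the module's subnet example sits behind the 'inside' interface.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")


def filter_verdict(interface: str, src_ip: str) -> str:
    """Packet-filter rule: a source address must be consistent with the interface it arrived on."""
    inside_source = ipaddress.ip_address(src_ip) in INTERNAL_NET
    if interface == "outside" and inside_source:
        return "drop: external packet claims an internal source"
    if interface == "inside" and not inside_source:
        return "drop: internal host sending with a foreign source"
    return "accept"


def detect_arp_spoofing(replies):
    """Walk ARP replies (time, ip, mac) in order and return alerts for suspicious bindings.
    A MAC that legitimately owns several IPs (routers, virtual hosts) should be allow-listed."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for when, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{when} {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{when} {mac} now answers for {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed ARP replies: the gateway's IP is suddenly answered by another host's MAC.
SAMPLE_ARP = [
    ("10:00:01", "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ("10:00:02", "192.168.1.69", "bb:bb:bb:bb:bb:69"),
    ("10:00:03", "192.168.1.1", "bb:bb:bb:bb:bb:69"),
]

if __name__ == "__main__":
    checks = [("outside", "192.168.1.50"), ("inside", "198.51.100.7"), ("inside", "192.168.1.69")]
    for iface, src in checks:
        print(iface, src, "->", filter_verdict(iface, src))
    for alert in detect_arp_spoofing(SAMPLE_ARP):
        print("ALERT", alert)
```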

IP Spoofing Evolution
• IP Spoofing is still possible today but has evolved in the face of growing security.
• New issue of Phrack includes a method of using IP Spoofing to perform remote scans
and determine TCP sequence numbers
• This allows a session Hijack Attack even if the Attacker is blind.



References:

What is an IP Address?
https://www.scribd.com/document/234829224/What-is-an-IP-Address
Basics of IP Addresses in Computer Networking – Sayed Sadat Nazrul
https://medium.com/@sadatnazrul/basics-of-ip-addresses-in-computer-networking-f1a4661ea85c
VPN Security – Government of HKSAR
https://www.slideshare.net/ericfedwa/a-depth-detail-about-vpn-security
Spoofing Attack: IP, DNS & ARP – Neil DuPaul
https://www.veracode.com/security/spoofing-attack
TOR vs NSA – Monis
https://medium.com/@monismagic/tor-vs-nsa-1d1cace21a38
How to Spoof the IP Address? – PLK Digital
https://www.plkdigital.com/ethical-hacking/spoof-ip-address

