IT Baseline Protection Manual T 5.48 IP Spoofing

T 5.48 IP Spoofing

IP spoofing is a method of infiltration in which falsified IP addresses are used to present a false identity to the IT system being attacked.

Within many protocols of the TCP/IP family, the IT systems communicating with each other are authenticated only by their IP address, which is easily falsified. If an attacker also exploits the fact that the sequence numbers computers use for synchronisation when establishing a TCP/IP connection are easy to guess, it is possible to send packets with any sender address at all. In this way, suitably configured services such as rlogin can be misused. The attacker may, however, have to take into account that he will not receive the answer packets from the computer that is being misused.

Other services threatened by IP spoofing are rsh, rexec, X-Windows, RPC-based services such as NFS, and TCP-Wrapper, which is otherwise a very worthwhile service for setting up access monitoring for TCP/IP networked systems. Unfortunately, the addresses used at layer 2 of the OSI model, such as Ethernet or hardware addresses, are also easy to falsify and therefore provide no reliable basis for authentication.

In LANs in which the Address Resolution Protocol (ARP) is used, considerably more effective spoofing attacks are possible. ARP is used to find the 48-bit hardware or Ethernet address belonging to a 32-bit IP address. If a corresponding entry is not found in an internal table in the computer, an ARP broadcast packet is transmitted with the unknown IP number. The computer with this IP number then transmits an ARP answer packet back with its hardware address. As ARP answer packets are not protected against manipulation, it is usually sufficient to gain control over one of the computers in the LAN in order to compromise the entire network.
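
Because ARP answers carry no authentication, a monitoring host can only look for inconsistencies in them. The following sketch is an added example, not part of the manual: it parses raw ARP payloads and flags answers that no request preceded and IP addresses whose hardware address changes. The function names, alert labels and sample packets are assumptions made for illustration.

```python
import struct
import socket

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4 (28 bytes)
REQUEST, REPLY = 1, 2

def parse_arp(payload: bytes):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def audit(payloads):
    """Flag answers nobody asked for and IP addresses that move to a new MAC."""
    bindings, pending, alerts = {}, set(), []
    for raw in payloads:
        parsed = parse_arp(raw)
        if parsed is None:
            continue
        op, mac, ip, target_ip = parsed
        if op == REQUEST:
            pending.add(target_ip)           # someone asked "who has target_ip?"
        elif op == REPLY:
            if ip not in pending:
                alerts.append(("unsolicited-reply", ip, mac))
            pending.discard(ip)
        known = bindings.get(ip)             # sender fields teach a binding either way
        if known and known != mac:
            alerts.append(("binding-changed", ip, f"{known} -> {mac}"))
        bindings[ip] = mac
    return alerts

# Helper and traffic below are constructed sample data
# (documentation IP range, made-up locally administered MACs).
def _arp(op, sha, spa, tha, tpa):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, bytes.fromhex(sha),
                       socket.inet_aton(spa), bytes.fromhex(tha), socket.inet_aton(tpa))

SAMPLE = [
    _arp(REQUEST, "020000000001", "192.0.2.10", "000000000000", "192.0.2.1"),
    _arp(REPLY,   "020000000fe0", "192.0.2.1",  "020000000001", "192.0.2.10"),
    _arp(REPLY,   "020000000bad", "192.0.2.1",  "020000000001", "192.0.2.10"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

A changed binding is not proof of an attack, since a replaced network card or a failover produces the same pattern, so alerts of this kind need to be compared against known changes in the LAN.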


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik