Guide to IP Spoofing Protection

A 1989 article titled "Security Problems in the TCP/IP Protocol Suite" by S. M. Bellovin explored IP Spoofing attacks. Bellovin described how Robert Morris, creator of the now infamous Internet Worm, figured out how Transmission Control Protocol (TCP) created sequence numbers, which is how he forged a packet sequence. This IP spoofing attack included the victim’s destination address and the ability to obtain root access to his targeted system without a User ID or password. In this article, we will discuss what IP spoofing is, its various types, how to detect or prevent attacks, and review some newer forms of IP spoofing that are being discussed in modern cybersecurity trends.

How Can IP Spoofing Lead to Network Security Issues?

IP spoofing is a technique used to gain unauthorized access to computers. The attacker sends messages to a computer with a forged IP address indicating that the message comes from a trusted host. There are a few variations on the attacks in network security that use IP spoofing:

Non-Blind Spoofing

When a cybercriminal and their target are on the same subnet looking at the same sequence and acknowledgment of packets, it is known as a non-blind spoofing attack. This type of spoofing threat focuses on session hijacking or taking over the victim’s server due to a lack of security in their network. An attacker could bypass any authentication measures needed in order to breach the target’s web session, which can be accomplished by corrupting the DataStream of an established connection and then re-establishing it based on correct sequences and acknowledgment numbers with the attacking computer.

Blind Spoofing

In a blind spoofing attack, a cybercriminal will send several packets of incorrect sequence and acknowledgment numbers in order to take advantage of cybersecurity vulnerabilities by getting the target to reveal the correct code. Blind spoofing allows attacks to access unreachable servers by tricking users into providing the information needed to hack into a system. Today, most OSs implement random sequence number generation, which can make it difficult to predict orders accurately to cause cloud security breaches. However, if the sequence number is compromised, data can be sent to a target to ensure a spoofing attack.

Man in the Middle Attack

Also known as connection hijacking, a Man in the Middle attack takes place when a malicious party intercepts a legitimate communication between two hosts in order to gain control over the flow of communication between them to eliminate or alter the information sent by one of the original participants without their knowledge. As a result of a lack of security, an attacker can fool a target into disclosing confidential information by spoofing the identity of the original sender or receiver. Connection hijacking exploits TCP communication by formulating a "desynchronized state," which is when the sequence number in a received packet is not the same as the expected one. Depending on the actual value of the received sequence number, the TCP layer may either discard or buffer the packet and when two hosts are desynchronized enough, they will scrap packets from each other. An attacker can then inject forged packets with the correct sequence numbers and modify or add messages to the communication, which requires the attacker to use the same communication path as the two hosts.

Denial of Service Attack

A Denial of Service attack (DoS) is when an attacker makes a specific server incapable of being utilized. In these attacks, cybercriminals are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time, thus making cloud security frameworks too overwhelmed to combat any breach. To effectively conduct the DoS, attackers spoof source IP addresses to make tracing and stopping the DoS as tricky as possible for data and network security services. When multiple compromised hosts participate in the attack, a lot of spoofed traffic occurs, which can be challenging to block quickly.

An IP Spoofing Misconception

A common misconception regarding IP Spoofing would be how it can be used to hide your IP address while surfing the Internet, chatting online, sending emails, and more. This is generally not true, as forging the source IP address causes message responses to be misdirected. As a result, you cannot create a standard network connection. However, IP spoofing can be used in the integral parts of various networks that do not need responses to operate.

How Can I Detect IP Spoofing Network Security Threats?

There are multiple ways to pick up on IP spoofing attacks and network security issues:

• We can improve security posture by overseeing IP spoofing packets with network-monitoring software. Then, we can tell if a packet has an external interface with both the source and destination IP addresses in the local domain.
• We can compare the process accounting logs between systems on your internal networks. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access.

How Can I Prevent IP Spoofing Cloud Security Breaches?

Here are some standard practices in cybersecurity trends that you can use to prevent IP spoofing from happening in your network and ensure ultimate security for your company:

• Avoid using source address authentication and instead implement a lightweight cryptography cybersecurity authentication system-wide.
• Configure your network to reject packets from subnets that claim to originate from a local address but appear as though they could be a network security threat.
• Implement ingress and egress filtering on the border routers and implement an Access Control List (ACL) that blocks private IP addresses on your downstream interface.
• If you allow outside connections from trusted hosts, enable encryption sessions at the router to prevent further exploits in cybersecurity methods your company uses.

IP Fragmentation Attacks

An IP Fragmentation is when large packets are split up into pieces that can more easily be sent to another network. This could result from interface hardware limitations or exceeding Maximum Transmission Unit (MTU) size requirements. While fragmented, the parts of the packet will carry the same identification field value, and the fragments will be labeled with an offset to indicate the position of the fragment in the context of the pre-split-up packet. Intermediate routers are not expected to re-assemble the fragments; instead, the final destination will reassemble all the parts of an IP packet and pass it to higher protocol layers like TCP or User Datagram Protocol (UDP).

In an IP Fragment Attack, cybercriminals create artificially fragmented packets in order to circumvent firewalls that do not perform packet reassembly but instead only consider the properties of each individual fragment. Then, these systems let the fragments through to their final destination. 

One such attack involving fragments is known as the tiny fragment attack, where IP packets are split up into even smaller packets, which can be processed under MTU and sent through to a targeted network. Two TCP fragments are created; the first fragment is small and contains only part of the TCP header, while the second fragment includes the remainder of the TCP header and the port number. Another type of malicious fragmentation revolves around fragments that have illegal fragment offsets. These fragments have value given to the index position of a reassembled packet. Another fragment contains the offset value, which is typically less than the length of the data in the first packet. For example, if the first fragment was 24 bytes long, the second fragment may claim to have an offset of 20. Upon reassembly, the data in the second fragment overwrites the last four bytes of the data from the first fragment. If the unfragmented packet were a TCP packet, the first fragment would contain the TCP header overwriting the destination port number.

In the IP layer implementations of nearly all OS, there are bugs in the reassembly code. As a result, an attacker can create and send a pair of carefully crafted but malformed IP packets, which can cause a server to panic and crash during the reassembly process. The receiving host attempts to reassemble such a packet but calculates a negative length for the second fragment. This value is then passed to a function, such as memcpy, which should perform a copy from/to a memory that takes the negative number as an enormous unsigned (positive) number, providing a mixup that will lead to a server crash.

One more attack involves sending fragments that, if reassembled, would be an abnormally large packet that exceeds the MTU length for an IP packet. The attacker hopes the receiving host server crashes while attempting to reassemble the packet. The Ping of Death used this attack to create an ICMP echo request packet, which was more significant than the maximum packet size, 65,535 bytes.

Understanding these types of IP spoofing attacks is vital when IP packets are constantly being exchanged. Such knowledge is helpful in protecting the data and network security of your company.

ICMP Smurfing

An automated program, Smurf, attacks a network by exploiting IP broadcast addressing. Smurf and similar programs cause the flooded part of a network to become "inoperable." Network nodes and their administrators exchange information about the state of the network using Internet Control Message Protocol (ICMP).

A Smurf program builds a network packet with a spoofed victim source address. The packet contains an ICMP ping message intended for an IP broadcast address or all IP addresses in a given network. When a routing device delivers traffic to the networks, it performs a program that causes most hosts to respond using an ICMP echo reply.  The echo responses to the ping message are sent back to the victim address, and enough pings and resultant echoes can flood a network, making it unusable for real traffic and causing attacks on network security.

Fraggle is an attack similar to Smurf. It rewrites Smurf programming and uses UDP echo packets in the same fashion as the ICMP echo packets. The intermediary (broadcast) devices and the spoofed victim are both hurt by this attack, as cybercriminals rely on the ability to source spoofed packets to the "amplifiers" in order to generate the traffic, which causes a Denial of Service attack.

In order to stop ICMP Smurfing, all networks should perform filtering at the access layer, where the customers connect to a server, or at the edge of the network, where there are connections to upstream providers. This will defeat the possibility of source address spoofed packets entering from downstream or leaving from upstream networks. To prevent an ICMP Smurfing attack, you can disable IP broadcast addressing at each network router if it is hardly used.

Final Thoughts on Protecting Against IP Spoofing

IP spoofing is a growing form of attack in network security that should not be dealt with lightly. As we have addressed, there are various ways in which these network security threats can manifest, causing harm to a network or server, which could take a long time to recover. Be sure to watch for attacks like these when working on all platforms, and use the practices mentioned in this article to combat any cybersecurity vulnerabilities that might put your company at risk.