February 24, 2001

Honeynet Challenge Submission

I recently worked on a Forensic Challenge and learnt a lot during the investigation. I hope the copy of the document I posted HERE can be of some help to you too.

Update: The results can be found here. I was a little disappointed that I didn't make it to the top three, but the experience itself was worth the effort.

February 20, 2001

Spoofing IP Addresses

TCP/IP is a protocol suite with a long history of stabilization. The protocol, which has come a long way since it first began, is said to be almost perfect for the Internet. However, there are a few flaws in it which have been recognised as security hazards. IPv4's successor, IPv6, addresses these issues effectively, but IPv6 has a long way to go before it is implemented around the world. This article gives an insight into an IP loophole which allows "spoofing".

The Internet uses TCP/IP for all its communication. IP is a connectionless protocol, and TCP runs on top of it to provide reliable, connection-oriented service. Protocols like telnet, ftp, pop and smtp are all connection oriented, while others like talk, icp, icq and dns use IP datagrams only. To start a TCP connection, which is supposed to be much more secure and reliable, the server and client go through what is known as the "three-way handshake".

If you look at how a simple telephone conversation is initiated, dialing the number could be taken as the first part of the handshake, the "hello" from the receiver could be the second part, and finally the person who dialed says "hello". The telephone conversation after this proceeds as normal, as both now know who is at the other end of the line.

Any TCP socket can be identified by two numbers: the port number and the IP address. To build a TCP connection, four numbers are required, two each from the client and the server. What is interesting to note here is that TCP does support multiple connections between client and server which have the same set of four numbers. This interesting feat is achieved with the help of simple sequence numbers which act as session identifiers. Every packet generated by a TCP server contains this sequence number, which has to be acknowledged by the receiver by sending the same number back after adding 1 to it. The probability of two connections having the same pair of sequence numbers and the same set of socket identifiers (both client and server generate sequence numbers for all outgoing packets) is very remote, close to impossible.

A spoofer, in short, has to have the socket identifiers right and must have the right sequence numbers to acknowledge.
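To make the four socket numbers and the two sequence numbers concrete, here is a toy model of the three-way handshake. It is an added example written for this post, not code from the original article: the server keys each half-open connection on the four socket numbers, remembers both initial sequence numbers, and completes the handshake only when the final ACK carries exactly the values it negotiated. The addresses, ports and function names are constructed for the example.

```python
import random

# Added example (not from the original article): a toy model of the TCP
# three-way handshake. The server keys each pending connection on the four
# socket numbers (client IP/port, server IP/port) and remembers both initial
# sequence numbers; it completes the handshake only when the final ACK carries
# exactly the values it expects. Addresses and ports are constructed.

MASK = 0xFFFFFFFF          # sequence numbers are 32-bit and wrap

def random_isn():
    # Modern stacks choose the initial sequence number unpredictably.
    return random.getrandbits(32)

def segment(src, dst, flags, seq, ack=0):
    # A minimal TCP segment header: who, to whom, which flags, seq and ack.
    return {"src": src, "dst": dst, "flags": frozenset(flags), "seq": seq, "ack": ack}

class Server:
    def __init__(self, addr):
        self.addr = addr
        self.pending = {}        # (client_addr, server_addr) -> (server_isn, client_isn)
        self.established = set()

    def on_syn(self, syn):
        # Step 2 of the handshake: remember the client's ISN, pick our own,
        # and acknowledge the client's ISN + 1.
        server_isn = random_isn()
        key = (syn["src"], self.addr)
        self.pending[key] = (server_isn, syn["seq"])
        return segment(self.addr, syn["src"], {"SYN", "ACK"},
                       seq=server_isn, ack=(syn["seq"] + 1) & MASK)

    def on_ack(self, ack):
        # Step 3: the four socket numbers must match a half-open connection,
        # and both sequence numbers must be the ones negotiated in steps 1-2.
        key = (ack["src"], self.addr)
        if key not in self.pending:
            return "rejected: no half-open connection for these socket numbers"
        server_isn, client_isn = self.pending[key]
        if ack["seq"] != (client_isn + 1) & MASK:
            return "rejected: wrong client sequence number"
        if ack["ack"] != (server_isn + 1) & MASK:
            return "rejected: wrong acknowledgement of server ISN"
        del self.pending[key]
        self.established.add(key)
        return "established"

def client_handshake(client_addr, server):
    # A legitimate client performs all three steps and returns the server's verdict.
    client_isn = random_isn()
    syn = segment(client_addr, server.addr, {"SYN"}, seq=client_isn)
    synack = server.on_syn(syn)
    if synack["ack"] != (client_isn + 1) & MASK:
        return "client aborted: server did not acknowledge our ISN"
    ack = segment(client_addr, server.addr, {"ACK"},
                  seq=(client_isn + 1) & MASK, ack=(synack["seq"] + 1) & MASK)
    return server.on_ack(ack)

def ack_without_server_isn(client_addr, server):
    # Same four socket numbers, but the final ACK carries a value that is not
    # the server's ISN + 1, which is all a party who never saw the SYN-ACK
    # could offer. The model rejects it, which is the whole point of the
    # sequence numbers.
    client_isn = random_isn()
    synack = server.on_syn(segment(client_addr, server.addr, {"SYN"}, seq=client_isn))
    wrong_ack = (synack["seq"] + 2) & MASK
    bad = segment(client_addr, server.addr, {"ACK"},
                  seq=(client_isn + 1) & MASK, ack=wrong_ack)
    return server.on_ack(bad)

if __name__ == "__main__":
    srv = Server(("10.0.0.1", 23))
    print(client_handshake(("10.0.0.5", 40000), srv))        # established
    print(ack_without_server_isn(("10.0.0.6", 40001), srv))  # rejected: wrong acknowledgement of server ISN
```

The model deliberately leaves out windows, retransmission and data; what it keeps is the check that matters for this article: a segment with the correct four socket numbers is still refused when either sequence number is off by even one.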

Any machine on the same LAN segment which can hear the entire conversation between the two machines can easily obtain all the parameters required to spoof a client. But crackers don't usually crack their own computers, unless we are talking about crackers who have already gained access to the site (which, more or less, is the conventional method of stealing things). What crackers could do is compromise an insecure client and then attack the target server by listening to the conversation.

Let's go back to our telephone example and imagine what happens when a cross connection occurs. Let's say the client wants to offer 20 lakhs for a house and the proprietor is asking 25 lakhs for the same house. If a third person now comes in between and says "25 is fine", the client will hear this and immediately inform the proprietor that it was not him and that the message should be ignored. Now look at this scenario again, where the client is attending another call and has put the proprietor on hold. If the spoofer comes on the line and says "25 is fine", the proprietor would have no reason to disbelieve it, unless the voice patterns don't match, and would close the deal.

On a LAN, too, the spoofer would have to do something to either keep the client occupied or disengage it totally by crashing it completely. There are many ways by which hackers have achieved this. The best known so far is the SYN-flood mechanism, which I won't be explaining here. Once the client is occupied, the spoofer can take over the session and do whatever it wants. If the client is not busy, it would immediately generate a packet informing the server that a problem has been detected and the connection should be terminated.

A spoofer who just wants to terminate a client-server TCP connection only needs to issue a "FIN" packet with the right server or client sequence numbers. This is a very important tool, and it is used by network administrators as an effective bandwidth-controlling tool.

Spoofing is easy when we are talking about the same LAN segment. When we look at the Internet, which is composed of thousands of small networks, we have to think bigger. A LAN with a network address of 234.94.10.0 will never allow any packets with that network address to leave its routers. So if a cracker wishes to attack an address like 234.94.10.0, he has to deal with the fact that the server's response would never be visible to him, since the address he is spoofing is not in a LAN segment he can sniff.

This brings him to another problem: obtaining the sequence numbers the server sends its packets with, without receiving the server's reply packets or packet acknowledgements. There is an interesting article by Robert Morris, who was one of the first to discover the weakness in the BSD UNIX TCP/IP software. BSD Unix maintains a global initial sequence number which is incremented by 128 every second and by another 64 after each connection. Knowing this is a valuable tool in the hands of a cracker, who can effectively guess the next sequence number after a series of trials and errors. Over the years this information has been used by many crackers, who have now built tools designed to predict the increase in the sequence numbers so that a connection can be established without listening to the server.
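The counter scheme above is easy to see in code. Below is an added example, not from the original article or from BSD itself: a generator that behaves the way the article describes (a global counter, +128 per second, +64 per connection) next to a keyed-hash generator of the kind modern stacks use, where the initial sequence number also depends on a per-boot secret and the connection's four socket numbers. The audit helper opens one connection of its own, reads the ISN, and measures how far a straight-line extrapolation lands from the ISN handed to the next connection; zero means one observation is enough to know the next value. Time is passed in explicitly so the run is reproducible. The class names, the 4-microsecond clock term and the addresses are assumptions of this example.

```python
import hashlib
import os

# Added example, not from the original article. Two initial-sequence-number
# generators side by side: the old BSD-style global counter the article
# describes, and a keyed-hash scheme in the spirit of RFC 6528. Class names,
# the clock rate and all addresses are assumptions of this example.

MASK = 0xFFFFFFFF
TICKS_PER_SECOND = 250_000      # one increment per 4 microseconds, the classic TCP clock rate

class BsdStyleIsn:
    """Global counter: +128 per elapsed second, +64 per connection (as the article describes)."""
    def __init__(self, start=0):
        self.counter = start
        self.last_time = 0

    def next_isn(self, now_seconds, four_tuple):
        # The four-tuple is ignored: the counter is global, which is the weakness.
        self.counter = (self.counter + 128 * (now_seconds - self.last_time)) & MASK
        self.last_time = now_seconds
        isn = self.counter
        self.counter = (self.counter + 64) & MASK   # per-connection bump
        return isn

class KeyedHashIsn:
    """ISN = H(secret, four socket numbers) + clock. Each connection gets its own offset."""
    def __init__(self, secret=None):
        self.secret = os.urandom(16) if secret is None else secret

    def next_isn(self, now_seconds, four_tuple):
        digest = hashlib.sha256(self.secret + repr(four_tuple).encode()).digest()
        offset = int.from_bytes(digest[:4], "big")
        return (offset + now_seconds * TICKS_PER_SECOND) & MASK

def extrapolation_error(gen, t0, t1):
    """Audit helper: open one connection of our own at t0 and read its ISN, then
    compare a straight-line extrapolation (+64 per connection, +128 per second)
    with the ISN the generator hands to a different connection at t1.
    Returns 0 when the generator is fully predictable from that one observation."""
    own = ("192.0.2.10", 40000, "192.0.2.1", 23)      # constructed addresses
    other = ("192.0.2.20", 40001, "192.0.2.1", 23)
    observed = gen.next_isn(t0, own)
    predicted = (observed + 64 + 128 * (t1 - t0)) & MASK
    actual = gen.next_isn(t1, other)
    return (actual - predicted) & MASK

if __name__ == "__main__":
    print("BSD-style generator, error:", extrapolation_error(BsdStyleIsn(), 10, 12))    # 0
    print("keyed-hash generator, error:", extrapolation_error(KeyedHashIsn(), 10, 12))  # large, differs per secret
```

The defensive takeaway is the second class: once the ISN depends on a secret and on the socket numbers, an ISN observed on one connection says nothing useful about another, so the rhosts-style trust described later in this post can no longer be completed blind.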

This flaw in the TCP protocol, of not being able to effectively authenticate users based on just the IP address, doesn't mean much to the cracker unless there is a way to get into the target machine with root privileges using the IP address alone (without username and password authentication). Most Unix implementations have remote access tools called the "r tools" (rlogin, rcp, rsh etc.) which allow access from any machine listed in the "rhosts" file. In small networks this is a neat way of authenticating users, avoiding re-entering the username and password every time a process needs to be initiated. Most spoofing tools use this mechanism to gain access.

Apart from removing all rhosts entries (which can stop this), the more accepted way of stopping this kind of attack is to program the routers to reject any packets coming from the Internet which have a source address belonging to the local LAN. Almost all firewalls today reject the SYN-floods which initiate this kind of attack. All good networks, especially ISPs, should consider implementing network security monitoring tools which can detect such attacks on the network round the clock.
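The router rule recommended above, as a small filter over constructed packet records (an added example written for this post, not the article's own code or any router vendor's). Packets arriving on the Internet-facing interface that claim a source address inside the local network are dropped and logged; the mirror-image check on the inside interface stops local hosts from sending packets with outside source addresses, which keeps your own network from being used to spoof someone else. The interface names, the /24 prefix on the article's 234.94.10.0 example and the sample packets are all constructed.

```python
import ipaddress

# Added example, not from the original article: an ingress/egress filter for
# the spoofing case the article describes. LOCAL_NET uses the article's
# example network with an assumed /24 prefix; interface names and packets are
# constructed for the example.

LOCAL_NET = ipaddress.ip_network("234.94.10.0/24")
EXTERNAL_IF = "eth0"     # faces the Internet
INTERNAL_IF = "eth1"     # faces the LAN

def filter_packet(pkt):
    """Verdict for one packet record {"iface", "src", "dst"}: 'accept' or 'drop:<reason>'."""
    src = ipaddress.ip_address(pkt["src"])
    if pkt["iface"] == EXTERNAL_IF and src in LOCAL_NET:
        # Ingress rule: nobody outside should be able to speak with our own addresses.
        return "drop:external packet claims an internal source address (ingress spoof)"
    if pkt["iface"] == INTERNAL_IF and src not in LOCAL_NET:
        # Egress rule: our hosts only send with our addresses.
        return "drop:internal host sending a non-local source address (egress spoof)"
    return "accept"

def apply_filter(packets):
    """Run the filter over a list of packets; return (accepted packets, drop log lines)."""
    accepted, log = [], []
    for pkt in packets:
        verdict = filter_packet(pkt)
        if verdict == "accept":
            accepted.append(pkt)
        else:
            log.append(f"{pkt['iface']} {pkt['src']} -> {pkt['dst']}: {verdict[len('drop:'):]}")
    return accepted, log

# Constructed sample traffic: two legitimate packets and two spoofed ones.
SAMPLE_PACKETS = [
    {"iface": "eth0", "src": "198.51.100.7", "dst": "234.94.10.25"},  # normal inbound
    {"iface": "eth0", "src": "234.94.10.3", "dst": "234.94.10.25"},   # claims to be local, arrives from outside
    {"iface": "eth1", "src": "234.94.10.25", "dst": "198.51.100.7"},  # normal outbound
    {"iface": "eth1", "src": "203.0.113.9", "dst": "198.51.100.7"},   # local host using a foreign source address
]

if __name__ == "__main__":
    accepted, log = apply_filter(SAMPLE_PACKETS)
    print(f"{len(accepted)} accepted, {len(log)} dropped")
    for line in log:
        print(line)
```

On a Linux router the ingress half of this is one rule, for example `iptables -A INPUT -i eth0 -s 234.94.10.0/24 -j DROP` (with a matching FORWARD rule), and the drop log is exactly what the round-the-clock monitoring mentioned above should be watching: a steady trickle of "internal source from outside" hits is the signature of someone trying this attack against you.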