::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 7 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Behind IP Spoofing:
 Cronus

 IP Spoofing is the art of hiding a connection behind packets
that seem to come from some arbitrary source.  Fooling a server 
into thinking your connection is coming from a spoofed source. 
This is the means by which a trust-related attack would take 
place. By appearing to come from somewhere else you would be 
able to circumvent any form of source authentication such as 
the legendary 'r' commands.
 I have taken the liberty of assuming that the reader has a
partial knowledge of TCP and IP protocols. But if you don't
there are references to some essential reading at the end.
 The one serious drawback to IP spoofing trust-related exploits
is that the initial attack is blind. Since you are impersonating
another server, you will be unable to accept any response from
the server under attack.

 Establishing a Connection

 The TCP protocol is technically defined as a protocol developed 
to allow co-operating computers to share resources across a 
network. In other words, share a connection to transfer data.
 TCP is the most widely used connection-oriented transport
protocol in the TCP/IP suite. This basically means that the two
hosts involved must both first establish a connection through
the form of 3-way handshake. All the 3-way handshake does is
set up the routines to transfer data. Sequence numbers of both
the hosts are exchanged so that a connection can be created. 
This 3-way handshake makes TCP harder to spoof then simple IP
packets.
 The connection handshake is as followed;

       X       ---SYN--->      Y
       X      <--SYN/ACK--     Y
       X       ---ACK--->      Y

 To begin with host X sends an IP packet with the SYN flag to 
Y. This tells host Y that a connection is about to be set up.
The sequence number that X sends will now be set as the ISN
(initial sequence number) for future communication. Host Y next
will reply with its own ISN with the SYN flag on and an ACK flag.
The ACK flag acknowledges X's first packet with its ISN plus one.
X then ACK's the other hosts ISN and communication can take place.

 The Sequence Number

 TCP is marketed as the reliable internet protocol. It accounts 
for all packets, resends lost packets and rearranges out of order 
data. The sequence number is used so that the other host can 
acknowledge receipt of the packet. The receiving end uses the
sequence number to ensure proper ordering of the data and to
eliminate duplicate data bytes.
 Sequence numbers are simply 32-bit variables. They range from 0
to 4,294,967,295.  Each packet sent across a TCP connection is
sequenced. TCP uses the concept of window advertisement for flow
control. The sliding window tells the other end of the connection
how much data can be buffered, the window size is 16-bits so a
receiving host can advertise up to a maximum of 65535 bytes. This
process can be thought of as a means to ensure that neither host 
begins to transmit above the acceptable level of the other host.
 In order to spoof a connection, you must understand how sequence
numbers are chosen and how they change throughout the connection.
The sequence number when a host is first booted is set to 1. The
initial sequence number is incremented by 128,000 every second.
This causes the 32-bit ISN variable to wrap every 9.32 hours is 
no connections occur. But whenever a connection attempt is issued
the ISN jumps by 64,000.
 This process is there to eliminate the possible problem that 
data from an old connection could arrive and damage the current 
connection. This is why random sequence numbers are not used. 
There would be no way to guarantee that arriving data would have 
a different sequence number as stray data that finally freed 
itself from a routing loop somewhere.

 Other Flags

 TCP header flags include RST (reset), PSH (push) and FIN (finish).
The RST flag causes the connection to be immediately torn down. 
The RST flag is basically an in-built error message for when one
host breaks the already established rules of connection. The PSH
flag tells the receiver to send all the queued data as soon as
possible. The FIN flag is the means whereby a host naturally 
closes a connections.

 Syn Flooding

 Once the trusted host is found, it must be disabled. Since the
attack intends to impersonate it, it is necessary to make sure that
the host cannot receive any extra network traffic. If it gets the
TCP packets from the target host, it would send a packet to close
the connection thinking it was an error.
 The best way to deny packets access to a server is to lock it up
with some form of Denial of Service attack. This is quite a complex
operation and requires much research. 
 We have seen above how TCP connections are created and these steps
to creating a connection can be used to the disadvantage of the 
trusted host. A Syn flood is a flood of specially crafter packets
with the Syn flag marked from a random source. The trusted host
picks up the packet and thinks that a connection is about to be
made and sets up the appropriate service. 
 By flooding the trusted server with random Syn packets it is 
possible to fill up the Process table and leave no more room for
new incoming packets. As the connections time out while the trusted
server waits for confirmation of the connection, it is necessary 
to fill the gap that is left. The attacker can send multiple Syn
packets every few seconds to the trusted host and keep it occupied.
 For more information this complex subject see the notes at the 
end of the file.

 The Attack

 To use IP spoofing as an attack you must first choose a target 
and work out a trust-relationship that exists on that server. The
sequence numbers are calculated. The trusted server is put into 
a continual Denial of Service attack and then impersonated. The
attacker then simply issues a command to give him/her a way back
in.
 Here is a step by step outline of the attack;

 X(forged as Z)    ---SYN--->      Y
       Z          <--SYN/ACK--     Y
 X(forged as Z)    ---ACK--->      Y
 X(forged as Z)    ---PSH--->      Y

 The first packet from the attacker has the source IP address 
spoofed as Z which is the trusted host. Y responds with an Ack
of the first packet to Z, but since the trusted host Z is in
the middle of a storm of Syn packets it does not receive the 
Ack packet. 
 The attacker must pause for a moment so that the target host
Y actually has time to send the Ack packet. Then X sends its
own Ack packet with the presumed sequence number plus one since
it is the second Ack. If the calculated sequence number is 
correct then by the last stage the target host believes it is
connected to the trusted host Z and data can be sent.
 Since the attack is blind, the general idea once the trust has
been exploited is to insert a backdoor into the system. The 
most simplest could be 'cat + + >> ~/.rhosts`.  This is a good
idea because it is quick, allows for simple re-entry, and is not
interactive.  Remember the attacker cannot see any traffic coming
from the target, so any responses are sent off into oblivion.

 Summary

 IP spoofing is not difficult because IP is easily forged. This
attack works because many network connections rely on source
authentication. The presumption is that source authentication is
that it is easy and safe. But it is most definitely not the latter.
The most difficult part of this attack is the sequence number 
calculation. This takes timing, skill and guesswork.

 Resources

Request For Comments:          793, 1825, 1948
IP-spoofing Demystified - Trust-Relationship Exploitation
 by daemon9 / route / infinity
 http://www.phrack.com
SYN Floods The cause and Cure
 by NeonSurge
 http://www.rhino9.org
Introduction to the Internet Protocols
 by The Computer Science Facilities Group
 http://homepages.iol.ie/~cronus/ip/info70.txt