Spoofing, Fragmentation, and Smurfing

Prabhaker Mateti

Abstract:  This lecture explains a few of the past exploits at the "IP level." These include spoofing, smurfing, and tunneling.

This article is part of Internet Security Lectures

Table of Contents

  1. Educational Objectives
  2. IP Spoofing
    1. Some Uses of IP Address Forgery
    2. IP Spoofing in a Blind Attack
    3. IP Spoofing in a non-Blind Attack
    4. Route Spoofing
  3. Detection of IP spoofing
  4. Prevention of IP Spoofing
  5. IP Fragment Attacks
  6. ICMP Smurfing
  7. Lab Experiment
  8. Acknowledgements
  9. References

Educational Objectives

  1. Understand the IP at a detailed level.
  2. Understand spoofing as a basic technique on which attacks can be built.
  3. Understand the reasons for certain IP filtering rules we will use later.

Spoofing

On the Internet, "to spoof" can mean one or more of the following:

  1. To deceive for the purpose of gaining access to someone else's resources (for example, to fake an Internet address).
  2. To simulate a communications protocol by a program that is interjected into a normal sequence of processes for the purpose of adding some useful function.
  3. To playfully satirize a Web site.

IP Spoofing

Be aware that in the exploits literature, there are a number of articles with the words "IP spoofing" in their titles, but which deal with TCP.

It is worth recalling that the Internet Protocol (IP) defines a datagram that can be routed through the Internet, and it provides a means for fragmenting datagrams into packets and reassembling packets into the original datagrams.  The IP Datagram is laid out as follows.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   \                                                               \
   \                                                               \
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             data              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IP spoofing replaces the IP address of (usually) the sender or (in rare cases) the destination with a different address.  Because the IP layer of the OS normally adds these IP addresses to a data packet, a spoofer has to circumvent the IP layer and talk directly to the raw network device.  IP spoofing is normally used to deposit another exploit on the target machine. 

Any services that authenticate based on the IP addresses or host names are vulnerable.  These include RPC,  NFS, r-commands (rlogin, rsh, rcp, etc.), anything wrapped by the TCP daemon wrappers, X windows, and other applications that use source IP addresses for authentication.

The attacker A takes over the identity of a trusted host T in order to subvert the security of the target host U. The trusted host T is either discovered to be down (temporarily, say for a few seconds) or is disabled using a variety of methods.  In the so-called blind attack, A is unable to see the replies, if any, that U sends to T.  In the non-blind attack, all conversation between U and T is seen by A.  Depending on how carefully the intervening routers are configured, A need not reside on the same subnet as T.

Note that simply reassigning the IP address of T to the host A using ifconfig will not be good enough.  Other hosts, as well as T, will discover (through ARP, e.g.) that there are two machines with the same IP address.

Some Uses of IP Address Forgery

[using Dunnigan and Nofi's classification scheme]

  1. Concealment: IP address forgery is commonly used to conceal the identity of an attacker, especially when denial of services is the goal of the attack.
  2. Camouflage: IP address forgery is used to make one site appear to be another as a way to convince the victim, for example, that an attack is from a University, when in fact it is from a competitor.
  3. False and Planted Information: IP address forgery can be used to create the impression that a particular site is acting maliciously in order to create friction or lead a defender to falsely accuse an innocent third party.
  4. Reuses: IP address forgery can be used to support another activity designed to gain the confidence of the defender. For example, a salesperson for information security products could create IP address forgeries in order to convince a client of the need for their services.
  5. Displays: IP address forgery has been used in order to lead defenders to believe that many sites are participating in an attack when in fact only a small number of individuals are responsible.
  6. Demonstrations: IP address forgery has been used to demonstrate a potential for untraceable attacks as a way to convince defenders not to try to catch attackers.
  7. Feints: IP address forgery can be used to try to fool an enemy into believing that an attack is coming from outside or from a particular direction, when the real attack is very different. This is a way to misdirect the enemy into spending limited resources in the wrong way.
  8. Lies: IP address forgery has been used to create a more convincing lie that somebody known to the defender is communicating with them about a particular matter.
  9. Insight: IP address forgery can be used to gain insight into how an opponent reacts and as a sort of probe to determine what sorts of responses are likely to arise.

Another way to view this issue is in terms of the net effect on information in information systems.

  1. Corruption of Information: IP addresses are often used as the basis for Internet control decisions. For example, DNS updates are often designated as coming only from specific servers. With IP address forgery, the entire DNS system could be corrupted, causing services to be rerouted through enemy servers.
  2. Denial of Services: The Internet is a fragile network that depends on the proper behavior and good will of the participants for its proper operation. Without wide-ranging changes to the way the Internet works, denial of services is almost impossible to prevent. For example, the same DNS attack could be used to cause widespread denial of services, or perhaps even to create loops in the packet delivery mechanisms of the Internet backbone.
  3. Leakage of Information: Forged IP addresses can be used to cause a host to take orders for the delivery of information to enemy sites by forging authorization as if it were from a legitimate authorizing site.
  4. Misplaced Liability: Forged IP addresses could be used, as described above under False and Planted Information, to cause defenders to assert claims against innocent bystanders and to lay blame at the wrong feet.

IP Spoofing in a Blind Attack

The attacker A notices an ongoing connection between a host U and a trusted host T.  A sends packets to U with source IP address equal to that of T.  As far as  U knows, it is carrying on a conversation with  T.  The intervening routers route the response packets of U to T.   But T's TCP layer will discard them because the packets are "replies" to packets it never sent.  The reply datagrams U sends back (destined for T) may never reach A, and hence the name of this attack. So the attacker must  know what was sent, and predict what response the server will send.

IP Spoofing in a non-Blind Attack

Non-blind spoofing is related to session hijacking, and will be described in the lecture on TCP Exploits.

Route Spoofing

There are three main mechanisms by which an attacker can spoof routing information.

  1. An attacker sends an ICMP redirect packet with the source address set to that of the regular router. The packet also names the "new" router to use. The recipient of such a packet is expected to change its routing table, replacing the old router with the new one.
  2. RIP-based attacks work by broadcasting illegitimate routing information to passive RIP hosts and routers via UDP port 520. In both of the above cases, the redirection can be made to any host chosen by the attacker.
  3. Source routing allows the sending host to choose a route that a packet must travel to get to its destination.  Traffic coming back to that host will take the reverse route.  The attacker designs a route so that the packets go through his site. 

Detection of IP spoofing

A datagram on an external interface that has both its source and destination IP addresses in the local domain is an indication of IP spoofing.  Another way to detect IP spoofing is to compare the process accounting logs between systems. If the IP spoofing attack has succeeded, there should be a log entry on the victim machine showing a remote access, and on the apparent source machine, there will be no corresponding entry for initiating that remote access.

Prevention of IP Spoofing

All routers must employ proper IP filtering rules.  They should only route packets whose source addresses could legitimately arrive on the interface the packet came in on.  Most routers now have an option to reject packets with spoofed IP source addresses: the source address of a packet is checked against the routing table to ensure that the return path to that source is through the interface on which the packet was received. We will be discussing IP filtering techniques and tools in a later lecture.
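The detection rule and the reverse-path check above can be written out in code.  The following Python program is added here as an illustration and is not part of the original lecture: it decodes the IP header drawn earlier and applies the reverse-path test to a datagram together with the interface it arrived on.  The routing table and the addresses (192.0.2.0/24 as the local domain, 198.51.100.7 as an outside host) are constructed for the example.

```python
import struct
import ipaddress

# Constructed routing table for this example: prefix -> interface it is reached through.
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): "eth_inside",   # the local domain
    ipaddress.ip_network("0.0.0.0/0"): "eth_outside",     # everything else
}

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement 16-bit sum."""
    total = sum(struct.unpack_from("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes = b"", proto: int = 1) -> bytes:
    """Assemble a 20-byte header (IHL=5, no options) with a correct checksum."""
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
              ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields drawn in the lecture's datagram diagram."""
    ver_ihl, _tos, tlen, ident, flags_off, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_length": tlen, "id": ident,
            "flags": flags_off >> 13, "frag_offset": (flags_off & 0x1FFF) * 8,
            "ttl": ttl, "proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0}   # valid header sums to zero

def route_interface(addr) -> str:
    # Longest-prefix match: the interface we would use to send to addr.
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

def spoof_verdict(pkt: bytes, arrived_on: str) -> str:
    """Reverse-path check: a source is acceptable on an interface only if our route back
    to it leaves through that same interface; a local source seen outside fails it."""
    if len(pkt) < 20:
        return "malformed"
    h = parse_ipv4(pkt)
    if h["version"] != 4 or h["ihl"] < 20 or not h["checksum_ok"]:
        return "malformed"
    if route_interface(h["src"]) != arrived_on:
        return "spoofed: %s is not reachable via %s" % (h["src"], arrived_on)
    return "ok"
```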

IP Fragment Attacks

When a datagram is too large to be sent as a single IP packet, because of interface hardware limitations for example, it can be split up by an intermediate router unless the Don't Fragment flag prohibits this. IP fragmentation occurs when a router receives a packet larger than the MTU (Maximum Transmission Unit) of the next network segment.  All such fragments carry the same Identification field value, and the Fragment Offset gives the position of the current fragment within the original, unsplit packet.  Intermediate routers are not expected to reassemble the fragments.  The final destination reassembles all the fragments of an IP packet and passes it to the higher protocol layers (such as TCP or UDP).

Attackers create artificially fragmented packets in order to circumvent firewalls that do not perform packet reassembly.  Such firewalls consider only the properties of each individual fragment, and let the fragments through to the final destination.

One such attack involving fragments is known as the tiny fragment attack. A TCP segment is split into two fragments. The first fragment is so small that it does not even include the full TCP header, in particular the destination port number. The second fragment contains the remainder of the TCP header, including the port number.

In the IP layer implementations of nearly all operating systems, the reassembly code has bugs and/or carelessly coded algorithms.  An attacker can create and send a pair of carefully crafted but malformed IP packets, using illegal fragment offsets, which in the process of reassembly cause a server to (i) panic and crash, or (ii) reassemble the datagram in a surprising way.

  1. E.g., if the first fragment was 24 bytes long, the second fragment may claim an offset of 20. Upon reassembly, the data in the second fragment overwrites the last four bytes of the data from the first fragment. If the unfragmented packet was TCP, the first fragment would have been the TCP header, and the second fragment overwrote the destination port number.

  2. In reassembling a malformed pair, the receiving host calculates the length of the second fragment, and because of the clever crafting this value can turn out to be negative. The value is passed to a function (such as memcpy()) that copies memory from one place to another and interprets the negative number as an enormous unsigned (positive) length.

  3. Fragments can be so crafted that when reassembled the result will be an abnormally large packet, larger than the maximum permissible length for an IP packet. The attacker hopes that the receiving host will crash while attempting to reassemble the packet. The Ping of Death used this attack. It creates an ICMP echo request packet which is larger than the maximum packet size of 65,535 bytes.
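The following Python reassembler is added here as an illustration and is not part of the original lecture.  It shows what a careful IP layer must check before copying fragment data into place: it refuses the overlapping fragments of items 1 and 2 instead of computing a negative length, a tiny first fragment that cannot hold the TCP header, and a Ping of Death whose reassembled size would exceed 65,535 bytes.  Fragments are given as (offset field, more-fragments flag, data), with the offset in units of 8 bytes as on the wire; the fragment sets used to exercise it are constructed.

```python
MAX_DATAGRAM = 65535     # largest Total Length an IP datagram may have
MIN_TCP_HEADER = 20      # a first fragment shorter than this cannot carry the TCP ports

class FragmentError(ValueError):
    """A fragment set that a careful reassembler must refuse."""

def reassemble(fragments, proto_tcp=True):
    """Reassemble (offset_field, more_fragments, data) tuples that share one
    Identification value.  offset_field is the 13-bit header field, in units of
    8 bytes, as on the wire.  Every fragment of the datagram is assumed present."""
    frags = sorted(fragments, key=lambda f: f[0])
    buf = bytearray()
    expected_end = 0                     # byte position where the next fragment must begin
    for i, (units, more, data) in enumerate(frags):
        start = units * 8
        # Overlap (items 1 and 2): the fragment begins inside data already received, so
        # "bytes still needed" would go negative; an unsigned memcpy length would then
        # be enormous.  Refuse rather than overwrite what is already in the buffer.
        if start < expected_end:
            raise FragmentError("overlap: offset %d < current end %d" % (start, expected_end))
        if start > expected_end:
            raise FragmentError("gap: fragment missing before offset %d" % start)
        if more and len(data) % 8:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        # Tiny fragment attack: first piece of a TCP segment too short to hold the ports.
        if i == 0 and more and proto_tcp and len(data) < MIN_TCP_HEADER:
            raise FragmentError("tiny first fragment: %d bytes hide the TCP header" % len(data))
        # Ping of Death (item 3): reassembled size beyond what Total Length can express.
        if start + len(data) > MAX_DATAGRAM:
            raise FragmentError("oversize: datagram would be %d bytes" % (start + len(data)))
        if not more and i != len(frags) - 1:
            raise FragmentError("data claimed after the final fragment")
        buf += data
        expected_end = start + len(data)
    if not frags or frags[-1][1]:
        raise FragmentError("final fragment (MF=0) never arrived")
    return bytes(buf)

def verdict(fragments, proto_tcp=True) -> str:
    """Wrap reassemble() so a monitor can log a one-line reason per fragment set."""
    try:
        reassemble(fragments, proto_tcp)
        return "ok"
    except FragmentError as err:
        return str(err)
```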

ICMP Smurfing

"Smurf" is the name of an automated program that attacks a network by exploiting IP broadcast addressing. Smurf and similar programs can cause the attacked part of a network to become "inoperable."  ICMP is used by network nodes and their administrators to exchange information about the state of the network.  A smurf program builds a network packet with a spoofed victim source address. The packet contains an ICMP ping message addressed to an IP broadcast address, meaning all IP addresses in a given network.  If the routing device delivering traffic to that broadcast address performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will each reply with an ICMP echo reply. The echo responses to the ping message are sent back to the victim address. Enough pings and resultant echoes can flood the network, making it unusable for real traffic.

A related attack called "fraggle", a simple rewrite of smurf, uses UDP echo packets in the same fashion as the ICMP echo packets.  Both the intermediary (broadcast) devices and the spoofed victim are hurt by this attack. The attackers rely on the ability to send source-spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service.  In order to stop this, all networks should perform filtering either at the edge of the network where customers connect (access layer) or at the edge of the network with connections to the upstream providers, so that packets with spoofed source addresses can neither enter from downstream networks nor leave for upstream networks.

One way to defeat smurfing is to disable IP broadcast addressing at each network router since it is seldom used. The CERT Coordination Center's Advisory on "smurf" IP Denial-of-Service Attacks provides further suggestions.
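The following Python sketch is added here and is not part of the original lecture.  It shows how a site can recognise both roles in a smurf from a log of ICMP records given as (source, destination, ICMP type): echo requests aimed at the broadcast address of one of its own networks mark the site as a potential amplifier, and a host receiving many more echo replies than the requests it sent marks that host as the victim.  The network list, the 10:1 threshold and the log records are constructed for the example.

```python
import ipaddress
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8       # ICMP type values (RFC 792)

# Constructed: the networks this site routes for, used to spot directed broadcasts.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/25")]

def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of one of our networks, i.e. the
    address a smurf request uses to make every host on the segment answer."""
    addr = ipaddress.ip_address(dst)
    return any(addr == n.broadcast_address for n in LOCAL_NETS)

def classify_icmp(records, ratio: int = 10):
    """records: iterable of (src, dst, icmp_type) tuples, e.g. from a flow log.
    Returns amplifier-side and victim-side findings for the smurf pattern."""
    req_to_broadcast = Counter()     # claimed source -> echo requests to our broadcasts
    requests_by_src = Counter()      # echo requests seen from each host
    replies_to_dst = Counter()       # echo replies seen towards each host
    for src, dst, icmp_type in records:
        if icmp_type == ECHO_REQUEST:
            requests_by_src[src] += 1
            if is_directed_broadcast(dst):
                req_to_broadcast[src] += 1
        elif icmp_type == ECHO_REPLY:
            replies_to_dst[dst] += 1
    findings = []
    # Amplifier side: the spoofed source in these requests is the real victim;
    # the fix is to stop forwarding directed broadcasts, as the lecture says.
    for claimed_src, n in sorted(req_to_broadcast.items()):
        findings.append("amplifier: %d echo request(s) to our broadcast address "
                        "claim source %s" % (n, claimed_src))
    # Victim side: far more replies arrive than the host ever asked for.
    for host, n in sorted(replies_to_dst.items()):
        sent = requests_by_src[host]
        if n > ratio * max(sent, 1):
            findings.append("victim: %s received %d echo replies but sent %d "
                            "request(s)" % (host, n, sent))
    return findings
```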


Lab Experiment

None.


Acknowledgements


References


  1. Brecht Claerhout, A short overview of IP spoofing: Parts I and II, 1996. The papers are found in many web archives, but do not seem to be published in any formal way. ipspoof.tgz is a collection of files from these papers. Recommended Reading.
  2. Craig A. Huegen, The Latest in Denial of Service Attacks: "Smurfing": Description and Information to Minimize Effects, Feb 2000, http://www.quadrunner.com/~chuegen/smurf.txt. Recommended Reading.
04/24/08 04:25:20 PM
Copyright © 2008 pmateti@wright.edu