IN THIS CHAPTER
In this chapter you’ll learn about spoofing attacks—how they are performed, and how you can prevent them.
The secret to creativity is knowing how to hide your sources. | ||
| --Albert Einstein | ||
Spoofing can be summed up in a single sentence: It’s a sophisticated technique of authenticating one machine to another by forging packets from a trusted source address.
From that definition, you can safely conclude that spoofing is a complicated process. However, by this chapter’s end, you’ll have a clear understanding of spoofing and how to prevent it.
There are two recurring themes in Internet security:
Trust
Authentication
Trust is the relationship between machines that are authorized to connect to one another. Authentication is the process those machines use to identify each other.
Trust and authentication generally have an inverse relationship. Thus, if a high level of trust exists between machines, stringent authentication is not required to make a connection. On the other hand, if little or no trust exists between machines, more rigorous authentication is required.
If you think about it, humans exercise similar rules. For example, if your best friend came to your front door, you’d let him right in. Why not? You trust him. However, if a total stranger came knocking, you would demand that he identify himself.
Although you might not realize it, you are constantly being authenticated. For example, you might have to provide a username and password to use any of the following services:
Your Internet connection
FTP sites
Telnet services and shell accounts
Web sites
Applications
In fact, today most subscription-based Web sites require a username and password. You’re subjected to high levels of authentication every day. Do you know what that means? The Internet simply doesn’t trust you!
Authenticating humans, therefore, involves a password scheme. Some models employ a simple username/password scheme, whereas others can be more complex, such as challenge-response systems based on one-time passwords. The end result is the same, though—the user either has the correct password or she does not.
Machines can be authenticated in other ways, depending on their trust relationship. For example, a machine can be authenticated by its host name or an IP source address. Using RHOSTS entries is a common procedure in the Unix world for setting this up.
The RHOSTS system can be used to establish a relationship of trust between machines. It’s described in the Solaris Manual Page:
The
/etc/hosts.equivand.rhostsfiles provide the “remote authentication” database for rlogin(1), rsh(1), rcp(1), and rcmd(3N). The files specify remote hosts and users that are considered “trusted.” Trusted users are allowed to access the local system without supplying a password.
NOTE
hosts.equiv files are essentially .rhosts configuration files for the entire system. These are set by root and apply hostwide. In contrast, .rhosts files are user-based and apply only to particular users and directories. (This is why users should be restricted from making their own .rhosts files. These open smaller holes all over the system.)
A sample .rhosts file might look like this:
node1.sams.hacker.net hickory node2.sams.hacker.net dickory
This file specifies that the user hickory on node1 and user dickory on node2 are now trusted. These users can access the local machine through the r services without being subjected to password authentication. No other users from these nodes are trusted, however.
To complete the process (and create a two-way trust relationship), all four of the machines must also maintain rhost entries.
NOTE
The r services consist of the following applications:
rlogin—. Remote login. This works in a very similar fashion to Telnet, and offers a remote login session.rsh—. Remote shell. This enables users to run shell commands on the remote box.rcp—. Remote file copy. This enables users to copy files from local to remote machines, and vice versa.rcmd—. Remote command. This enables privileged users to execute commands on remote hosts.
All four r services use the /etc/hosts.equiv or .rhosts allow/deny schemes for trust purposes. No trust exists if these files are empty or don’t exist, and therefore a spoofing attack (of this variety) cannot occur.
The authentication that occurs at connection time, then, is based solely on the IP source address. This is known to be a flawed model, as Steve M. Bellovin explains in his paper “Security Problems in the TCP/IP Protocol Suite”:
If available, the easiest mechanism to abuse is IP source routing. Assume that the target host uses the reverse of the source route provided in a TCP open request for return traffic. Such behavior is utterly reasonable; if the originator of the connection wishes to specify a particular path for some reason—say, because the automatic route is dead—replies may not reach the originator if a different path is followed.
The attacker can then pick any IP source address desired, including that of a trusted machine on the target’s local network. Any facilities available to such machines become available to the attacker.
TIP
“Security Problems in the TCP/IP Protocol Suite” by Steve M. Bellovin can be found on the Web at http://www.deter.com/unix/papers/tcpip_problems_bellovin.pdf.
The following points have been established for now:
Trust and authentication have an inverse relationship; more trust results in less stringent authentication.
Initial authentication is based on the source address in trust relationships.
IP source address authentication is unreliable because IP addresses (and most fields of an IP header) can be forged.
A trust relationship of some kind must exist for a spoofing attack to work.
From this, you can surmise one of the reasons why IP spoofing has achieved cult status in the cracker community. Most cracking attacks have historically relied on password schemes; crackers would steal the /etc/passwd file and crack it. They would do their dirty work after obtaining the root password (and at least one user login/password). In spoofing, however, neither a username nor a password is passed during the attack. The security breach occurs at a very discrete level.
Another reason IP spoofing has gained much notoriety is that it can be used as a key element in other forms of attack. One example of this is known as “session hijacking,” which is described in the next section.
The mere fact that source address authentication is flawed does not in itself make IP spoofing possible. Here’s why: The connection process requires more than just the right IP address. It requires a complete, sustained dialog between machines.
You can more easily understand the process in steps:
IP is responsible for packet transport. Packet transport performed by IP is unreliable, meaning that there is no absolute guarantee that packets will arrive unscathed and intact. (For example, packets can be lost, corrupted, and so forth.) The main point is this: IP merely routes the packets from Point A to Point B. Therefore, the first step of initiating a connection is for the packets to arrive intact to the proper host.
After the packets arrive, TCP takes over. TCP is more reliable, and has facilities to check that packets are intact and are being transported properly. Each one is subjected to verification. For example, TCP first acknowledges receipt of a packet and then sends a message verifying that it was received and processed correctly.
TCP’s process of packet error checking is done sequentially. If five packets are sent, Packets 1, 2, 3, 4, and 5 are dealt with in the order they were received. Each packet is assigned a number as an identifying index. Both hosts use this number for error checking and reporting.
In his article “Sequence Number Attacks,” Rik Farrow explains the sequence number process used in the attack on Tsutomu Shimomura’s computer by Kevin Mitnick:
The sequence number is used to acknowledge receipt of data. At the beginning of a TCP connection, the client sends a TCP packet with an initial sequence number, but no acknowledgment (there can’t be one yet). If there is a server application running at the other end of the connection, the server sends back a TCP packet with its own initial sequence number, and an acknowledgment: the initial sequence number from the client’s packet plus one. When the client system receives this packet, it must send back its own acknowledgment: the server’s initial sequence number plus one. Thus, it takes three packets to establish a TCP connection….
TIP
Find “Sequence Number Attacks” by Rik Farrow online at http://www.nwc.com/unixworld/security/001.txt.html.
The attacker’s problem is thus twofold: First, he must forge the source address, and second, he must maintain a sequence dialog with the target. It is this second task that makes the attack complex. Here’s why: The sequence dialog is not arbitrary. The target sets the initial sequence number, and the attacker must counter with the correct response.
This further complicates the attack: The attacker must guess the correct sequence response because he never actually receives packets from the target. In his article “A Weakness in the 4.2BSD UNIX TCP/IP Software,” Robert Morris explains:
4.2BSD maintains a global initial sequence number, which is incremented by 128 each second and by 64 after each connection is started; each new connection starts off with this number. When a SYN packet with a forged source is sent from a host, the destination host will send the reply to the presumed source host, not the forging host. The forging host must discover or guess what the sequence number in that lost packet was, in order to acknowledge it and put the destination TCP port in the ESTABLISHED state.
TIP
Find Morris’s article online at http://www.pdos.lcs.mit.edu/~rtm/papers/117-abstract.html.
That might sound confusing, so let me illustrate the concept more clearly. Assume the following:
The cracker knows that the hosts
207.171.0.111and199.171.190.9have a trust relationship.He intends to penetrate
207.171.0.111.To do so, he must impersonate
199.171.190.9.To impersonate
199.171.190.9, he forges that address.
The problem is that all responses from 207.171.0.111 are actually routed to 199.171.190.9 (and not the cracker’s machine). Because of this, the cracker cannot see the packet traffic. He is driving blind. It is because of this inability to see the responses that this method of spoofing is known as blind spoofing. Non-blind spoofing occurs when the responses can be seen because the traffic occurs along a network segment that the attacker can watch.
The blind spoofing situation presents an even more serious obstacle. What if 199.171.190.9 responds to packets from the target while the cracker is conducting his attack? This blows the entire operation by throwing off the expected sequence numbers. Therefore, the cracker must perform one last additional step prior to actually conducting the attack: He must either attempt the spoof when 199.171.190.9 is not running or put 199.171.190.9 to sleep.
NOTE
Killing 199.171.190.9 is simple. To do so, the cracker exposes 199.171.190.9 to a syn-flood attack. This floods the connection queues of 199.171.190.9, temporarily rendering that machine unable to process incoming connection requests. This works because of the way connection requests are processed. Each time a connection request is received, the target attempts to complete the three-way handshake. Eventually, the target times out on that request and attempts to process the next one. All connection requests are handled in the order they’re received. Thus, if the target is flooded with hundreds of such requests, considerable time will pass before the flooded host can again process connection requests.
At this point, let’s recap everything presented until now.
These are the essential steps that must be taken in a spoofing attack:
The cracker must identify his targets.
He must anesthetize the host he intends to impersonate.
He must forge the address of the host he’s impersonating.
He must connect to the target, masquerading as the anesthetized host.
He must accurately guess the correct sequence number requested by the target.
The first four steps are easy. The difficult part is guessing the correct sequence number. To do so, the cracker must execute a trial run:
He contacts the intended target requesting connection.
The target responds with a flurry of sequence numbers.
The cracker logs these sequence numbers and cuts the connection.
The cracker next examines the logs of sequence numbers received from the target. In his analysis, he seeks to identify a pattern. He knows, for example, that these sequence numbers are incremented uniformly by an algorithm designed specially for this purpose. His job is to determine that algorithm, or at least determine the numeric values by which the numbers are incremented. When he knows this, he can reliably predict what sequence numbers are required for authentication.
He is now ready to perform the spoofing attack. In all, spoofing is an extraordinary technique. However, what’s even more extraordinary is this: Since 1985, the security community has known that spoofing was possible.
When the connection and authentication procedures are complete, the cracker must create a more suitable hole through which to compromise the system. (He should not be forced to spoof each time he wants to connect.) He therefore fashions a custom hole. The easiest method is to rewrite the .rhosts file so that the now-compromised system accepts connections from any source without requiring additional authentication.
Having done this, the cracker shuts down the connection and reconnects. He can now log in without a password and has control of the system.
IP spoofing can only be implemented against certain machines running certain services. Many flavors of Unix are viable targets. (This shouldn’t give you the impression that non-Unix systems are invulnerable to spoofing attacks. There’s more on that later in this chapter.)
The following are some of the configurations and services are known to be vulnerable:
Any device running Sun RPC
Any network service that uses IP address authentication
The X Window System from MIT
The r services
To put that in perspective, consider this: Most network services use IP-based authentication, and although RPC, X Window System, and the r services have problems inherent to Unix-based operating systems, other operating systems are not immune.
Windows NT and even Windows 2000, for example, are vulnerable to sequence number attacks. Sessions can be hijacked via TCP sequence number guessing. At its heart, the problem is a spoofing issue. It affects a multitude of network services, not just RPC. In fact, it even affects NetBIOS and SMB connections. Exploit code for the attack can be found at http://www.engarde.com/software/seqnumsrc.c.
TIP
Sun RPC refers to Sun Microsystems’ standard of Remote Procedure Calls, which enable users to issue system calls that work transparently over networks. The RFC that addresses RPC, titled “RPC: Remote Procedure Call Protocol Specification,” can be found at http://www.netsys.com/rfc/rfc1057.txt.
Spoofing attacks used to be rare. However, they became far more common after January 1995. Consider this Defense Data Network advisory from July 1995:
ASSIST has received information about numerous recent IP spoofing attacks directed against Internet sites internationally. A large number of the systems targeted in the IP spoofing attacks are name servers, routers, and other network operation systems, and the attacks have been largely successful.
TIP
To view the DDN bulletin online, visit http://csrc.ncsl.nist.gov/secalert/ddn/1995/sec-9532.txt.
Prior to 1995, spoofing was a very grass-roots attack. Anyone trying to spoof had to have a very strong background in TCP/IP, sockets, and network programming in general. This is no longer true.
After it was demonstrated that spoofing actually worked (it was previously a theoretical notion), spoofing code immediately began surfacing. Today, prefabbed spoofing utilities are widely available. The following sections present some useful spoofing utilities.
Language: C
Build Platform: FreeBSD
Target Platform: Unix
Requirements: C compiler, IP header files, FreeBSD
URL: http://www.insecure.org/sploits/ttcp.spoofing.problem.html
Language: C
Build Platform: Linux
Target Platform: Linux
Requirements: C compiler, Linux
Language: C
Build Platform: Unix
Target Platform: Unix
Requirements: C compiler, IP Header Files, Unix
Language: C
Build Platform: Unix
Target Platform: Unix
Requirements: C compiler, IP Header Files, Unix
URL: http://staff.washington.edu/dittrich/talks/qsm-sec/P50-06.txt
Language: C
Build Platform: Linux
Target Platform: Unix
Requirements: C compiler, IP header files, Linux
URL: http://packetstorm.decepticons.org/Exploit_Code_Archive/rbone.tar.gz
Language: C
Build Platform: Linux
Target Platform: Unix
Requirements: C compiler, IP header files, Linux 1.3 or later
Language: C
Build Platform: Linux
Target Platform: Unix
Requirements: C compiler, IP header files, Linux
URL: http://packetstormsecurity.nl/Exploit_Code_Archive/synk4.c
NOTE
There’s also a UDP spoofing utility available. To try it, download it from http://www.deter.com/unix/software/arnudp.c.
Configuring your network to reject packets from the Net that claim to originate from a local address can thwart IP spoofing attacks. This is done at the router level. Conversely, it is also generally a good policy to reject packets originating from inside your network that claim to come from a host on the inside.
NOTE
Although routers are a solution to the general spoofing problem, they too operate by examining the source address. Thus, they can only protect against incoming packets that purport to originate from within your internal network. If your network (for some inexplicable reason) trusts foreign hosts, routers will not protect against a spoofing attack that purports to originate from those hosts.
There are several products that incorporate anti-spoofing technology into their general design. Here are a couple:
NetVision Synchronicity for Windows NT. The Synchronicity product line incorporates concurrent management of NDS and NT objects and systems. Anti-spoofing support is built in. Check it out at http://www.netvision.com/products/synchronicity.html.
Cisco PIX Firewall. PIX is Cisco’s premier Internet security product. This is a full-fledged firewall with built-in anti-spoofing capabilities. http://www.cisco.com/warp/public/cc/pd/fw/sqfw500
Certain products can also test your network for vulnerability to IP spoofing. (Check Chapter 11, “Vulnerability Assessment Tools,” for scanners that perform this diagnostic.)
CAUTION
If you’re running a firewall, it does not automatically protect you from spoofing attacks. If you allow internal addresses access through the outside portion of the firewall, you’re still vulnerable. Moreover, if your firewall runs proxies, and those proxies perform their authentication based on the IP source address, you have a problem. (Essentially, this type of authentication is no different from any other form of IP-based authentication.)
Closely monitoring your network is another preventative measure. Try identifying packets that purport to originate within your network, but attempt to gain entrance at the firewall or first network interface that they encounter on your wire. The following paragraph is excerpted from Defense Information System Network Security Bulletin #95-32. This bulletin can be found online at http://csrc.ncsl.nist.gov/secalert/ddn/1995/sec-9532.txt.
There are several classes of packets that you could watch for. The most basic is any TCP packet where the network portion (Class A, B, or C or a prefix and length as specified by the Classless Inter-Domain Routing (CIDR) specification) of the source and destination addresses are the same but neither are from your local network. These packets would not normally go outside the source network unless there is a routing problem worthy of additional investigation, or the packets actually originated outside your network. The latter can occur with mobile IP testing, but an attacker spoofing the source address is a more likely cause.
As a closing note, if you can afford the resource overhead, you can also detect spoofing through logging procedures (even in real-time). Running a comparison on connections between trusted hosts is a good start. For example, assume that trusted hosts A and B have a live session. Both will show processes indicating that the session is underway. If one of them doesn’t indicate activity, a spoofing attack is afoot.
IP spoofing is only one form of spoofing. Other spoofing techniques exist, including ARP, DNS, and Web spoofing. Let’s examine each.
ARP spoofing is a technique that alters the ARP cache. Here’s how it works: The ARP cache contains hardware-to-IP mapping information. The key is to keep your hardware address, but to assume the IP address of a trusted host. This information is simultaneously sent to the target and the cache. From that point on, packets from the target are routed to your hardware address. (The target now “believes” that your machine is the trusted host.)
There are severe limitations to this type of attack. One is that the ruse might fail when crossing intelligent hubs and some routers. Therefore, ARP cache spoofing is reliable only under certain conditions, and even then it might be restricted to the local network segment. Moreover, cache entries expire pretty quickly. Thus, you still have to backtrack periodically and update the cache entries while implementing the attack.
Can ARP spoofing be defeated? Absolutely. There are several things that you can do. One is to write your address mappings in stone. This can, however, be an irritating prospect. Paul Buis explains in his paper “Names and Addresses”:
Many operating systems do however have provisions for making entries in the ARP cache “static” so they do not time out every few minutes. I recommend using this feature to prevent ARP spoofing, but it requires updating the cache manually every time a hardware address changes.
TIP
Get Paul Buis’s paper from http://www.cs.bsu.edu/homepages/peb/cs637/nameadd/.
Another choice is to use ARPWATCH. ARPWATCH is a utility that watches changes in your IP/Ethernet mappings. If changes are detected, you are alerted via email. (Also, the information will be logged, which helps track down the offender.) Get ARPWATCH at ftp://ftp.ee.lbl.gov/arpwatch.tar.gz.
In DNS spoofing, the cracker compromises the DNS server and explicitly alters the hostname-IP address tables. These changes are written into the translation table databases on the DNS server. Thus, when a client requests a lookup, she is given a bogus address; this address is the IP address of a machine that is completely under the cracker’s control.
DNS spoofing has now been automated, at least on some platforms. A utility called Jizz, written by Nimrood (and based on code written by Johannes Erdfelt), does this. To try it out, download it from http://packetstormsecurity.org/Exploit_Code_Archive/jizz.c.
DNS spoofing is fairly easy to detect, however. If you suspect one of the DNS servers, poll the other authoritative DNS servers on the network. Unless the originally-affected server has been compromised for some time, evidence will immediately surface that it has been spoofed. Other authoritative servers will report results that vary from those given by the cracked DNS server.
Polling might not be sufficient if the originally-spoofed server has been compromised for some time. Bogus address-host name tables might have been passed to other DNS servers on the network. If you are noticing abnormalities in name resolution, you might want to employ a script utility called DOC (domain obscenity control). As articulated in the utility’s documentation:
DOC (domain obscenity control) is a program which diagnoses misbehaving domains by sending queries off to the appropriate domain name servers and performing a series of analyses on the output of these queries.
TIP
DOC is available online at ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/doc/doc.2.0.tar.Z.
Other techniques that defeat DNS spoofing attacks include the use of reverse DNS schemes. Under these schemes, sometimes referred to as tests of your forwards, the service attempts to reconcile the forward lookup with the reverse. This technique might have limited value. In all likelihood, the cracker has altered both the forward and reverse tables. For more information on configuring your DNS server, see the following sites:
Quite a few sites on the Internet these days require a paid membership to access their content. Often, when you pay for membership at one site, you also get access to other paid content as well. There are several ways this can be implemented. It is easy, however, to implement a setup that is easy to spoof.
Our examples feature a paid membership site called Music By Gus (http://members.musicbygus.com/). All the members of Gus’s site also get free access to the site Music by Alice (http://members.musicbyalice.com/). It should be stressed that you can easily find examples of each of the following setups on the Internet, as they’re all common.
Alice and Gus first agree that Gus will publish a user ID and password to Alice’s site in his membership area. This user ID/password combination is the same for all of Gus’s users. Needless to say, over time this password leaks out to nonmembers on the Internet.
Alice learns about this, so she and Gus decide to change the password every day. This greatly improves the situation. However, what they don’t know is that there are dozens of underground hacker sites and IRC channels on the Internet that find and publish passwords in a matter of minutes.
Alice decides that this approach is not going to work. She talks to some Web experts and comes up with a more advanced system.
When you connect to a Web page, your browser reports what site you were on when you clicked the link to go to the current page. This piece of information is known as a referral, and Alice decides to make use of it. If the Referrer field tells her Web site that the user came from Gus’s membership site (for example, http://members.musicbygus.com/partners.html), she’ll allow them into her Web site without asking for a user ID and password. This is a trust relationship, and in many ways similar to the RHOSTS approach we discussed earlier.
Remember all the steps we had to go through to spoof IP packets? By comparison, spoofing the referral is a piece of cake. For one thing, the source code for Mozilla is open source. It wouldn’t be hard for a programmer to build a Mozilla that lies about the Referral field. Also, Windows offers APIs that allow you to take control of Internet Explorer (IE).
However, it doesn’t even require this much trouble: Hacker tools, most of which are based on the IE APIs, are available that are so easy to use that computer novices can referral spoof to their heart’s content. Novices can also find files containing spoofs of thousands of Web sites, which can be loaded into these tools. The most famous of these tools is ZSpoof, which is available at http://www.securityadvise.de/deny/hosted/wm/.
Alice learned that the referral setup didn’t work either. The Web experts next recommend that Gus and Alice agree on some session-specific URLs that time out. Basically, Gus’s site will generate URLs that look like http://members.musicbyalice.com/ab38383afe39393/music.html. The string of characters in the middle is the session key. This session key is based on an algorithm, and times out after a while.
In the end, the problem ends up being the same as the temporary passwords we discussed earlier. Hackers will quickly post these URLs up on sites and via IRC.
Now Alice fires her Web experts. She hires some new ones who tell her the problem all along was that she was using trust relationships, and trust relationships by their nature allow spoofing attacks. They recommend that she must authenticate Gus’s users. This means one of two setups.
The first is that Gus sends all new accounts to Alice, and she creates the user accounts as well. Users must now log in twice: first to Gus’s site, and then again to access Alice’s site if they come through the link.
The other option is that Alice and Gus share a common authentication realm so that users only need to log in once. However, this couples their Web sites closer together, and could make severing the partnership difficult.
Spoofing is popular, and when done from the outside, leaves relatively little evidence. At a minimum, you should block apparent local requests that originate outside your network, and as always, you should employ logging utilities. Finally, I recommend keeping up with the latest advisories—particularly from your router vendor. New spoofing attacks tend to emerge every few months or so.