What is IP Spoofing?
IP spoofing is a technique attackers use to gain unauthorized access to devices. It is also sometimes done simply to mask the origin of a Denial of Service (DoS) attack, since the attacker needs to hide the real IP address from which the attack originates.
In this scenario the attacker makes packets appear to come from a source the victim knows, while actually sending them from a different IP address unknown to the destination. The goal is to gain unauthorized access by spoofing an IP address that the victim system treats as a trusted host.
First, the intruder needs an IP address that the target network considers a trusted source. After obtaining such an address, the IP packet headers are modified so that the packets appear to come from that known host.
Unlike many other attacks, network security experts knew of IP spoofing at a theoretical level before it was ever used in a real attack. Even though the concept was known, it remained largely theoretical until Robert Morris found a practical security weakness in the TCP protocol, known as sequence prediction.
What happens nowadays?
Nowadays IP spoofing attacks are less frequent because the security features in today's networks are more thorough, making IP spoofing less useful. Network security administrators should still address IP spoofing protection, however.
How to secure from IP spoofing?
- Do not reveal any information about internal IP addresses; this helps keep internal network addresses from being spoofed.
- Use network monitoring software to check incoming packets for signs of IP spoofing.
Vulnerabilities and Risks Associated with IP Spoofing
The worst case in IP spoofing is that some firewalls do not examine packets that appear to come from an internal IP address.
Moreover, routing packets through filtering routers is possible if the network routers are not configured to filter incoming packets whose source address is in the local domain.
More vulnerable cases are:
- Routers that do not filter packets whose source address is in the local domain.
- Proxy firewalls that use the source IP address for authentication.
- Routers that have multiple interfaces to the internal network.
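The monitoring advice and the router-filtering cases above come down to one check: a packet arriving on the Internet-facing interface should never carry a source address from the local (private or loopback) ranges. The following script is an added example, not code from the original article; it runs that check over constructed firewall log lines in the netfilter LOG format (IN=, SRC=, DST=). The external interface name eth0 and the log lines themselves are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original article): flag packets that arrived on the
# Internet-facing interface yet claim an internal (private or loopback) source address.
# EXT_IF is an assumption; set it to the real external interface on your gateway.
EXT_IF=eth0

# is_internal_src ADDR -> exit 0 if ADDR is in 10/8, 172.16/12, 192.168/16 or 127/8
is_internal_src() {
    case $1 in
        10.*|192.168.*|127.*) return 0 ;;
        172.*)
            second=${1#172.}; second=${second%%.*}
            [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] ;;
        *) return 1 ;;
    esac
}

# flag_spoofed_sources < LOG -> prints every line whose IN= is the external interface
# and whose SRC= is an internal address; exit 0 if anything was flagged, 1 otherwise.
flag_spoofed_sources() {
    found=1
    while IFS= read -r line; do
        iface=''; src=''
        for field in $line; do
            case $field in
                IN=*)  iface=${field#IN=} ;;
                SRC=*) src=${field#SRC=} ;;
            esac
        done
        [ "$iface" = "$EXT_IF" ] || continue
        if is_internal_src "$src"; then
            echo "SPOOF? $line"
            found=0
        fi
    done
    return $found
}

# Constructed sample log: two packets on eth0 with internal sources (lines 2 and 4)
# should be flagged; the eth1 packet and the 172.40.x.x packet should not.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan  1 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=443
Jan  1 10:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=198.51.100.2 PROTO=TCP DPT=22
Jan  1 10:00:03 gw kernel: IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=UDP DPT=53
Jan  1 10:00:04 gw kernel: IN=eth0 OUT= SRC=172.20.1.9 DST=198.51.100.2 PROTO=TCP DPT=80
Jan  1 10:00:05 gw kernel: IN=eth0 OUT= SRC=172.40.1.9 DST=198.51.100.2 PROTO=TCP DPT=80
EOF

flag_spoofed_sources < "$SAMPLE_LOG" || echo "no packets with internal sources on $EXT_IF"
```

On a real gateway the same logic belongs in the ingress filter itself (drop packets with local-domain sources on the external interface) rather than only in a log review; the script is the monitoring counterpart that tells you whether such packets are reaching the host at all.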
Enhancing TCP/IP Security in Linux
In Linux, kernel hardening through /etc/sysctl.conf can be used to improve TCP/IP stack security and performance.
The IPv4 rp_filter (reverse path filtering) setting is a method the Linux kernel uses to help prevent attacks that rely on spoofed IP addresses. Reverse path filtering is a kernel feature that, when enabled, ensures that packets with non-routable source addresses are dropped.
This can be enabled in Linux servers as follows:
- Open /etc/sysctl.conf in an editor.
- By default, the following lines are commented out:
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
- Uncomment those lines to enable reverse path filtering.
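Uncommenting the lines is easy to get wrong (a stray leading `#`, or only one of the two keys changed), so it is worth auditing the file afterwards. The script below is an added example, not from the original article: it reads the effective value of each rp_filter key from a sysctl.conf-style file, warns when either is not set to 1, and reads the live kernel values from /proc when they are available. The two sample files are constructed here; a real audit would point at /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example (not from the original article): audit the two rp_filter keys the
# article tells you to uncomment, on a sysctl.conf-style file and on the live kernel.

# rp_filter_value FILE KEY -> prints the effective (last uncommented) value of KEY,
# or "unset" if KEY is absent or only appears in commented-out lines.
rp_filter_value() {
    file=$1
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    val=$(grep -E "^[[:space:]]*${key_re}[[:space:]]*=" "$file" \
          | tail -n 1 | sed 's/.*=[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# audit_rp_filter FILE -> exit 0 if both keys are uncommented and set to 1, 1 otherwise
audit_rp_filter() {
    file=$1; rc=0
    for key in net.ipv4.conf.default.rp_filter net.ipv4.conf.all.rp_filter; do
        v=$(rp_filter_value "$file" "$key")
        if [ "$v" = "1" ]; then
            echo "ok      $key=$v"
        else
            echo "WARNING $key is $v (expected 1)"
            rc=1
        fi
    done
    return $rc
}

# live_rp_filter -> prints the kernel's current all/default values, or n/a when
# /proc/sys is not readable (containers, non-Linux hosts).
live_rp_filter() {
    for scope in all default; do
        f=/proc/sys/net/ipv4/conf/$scope/rp_filter
        if [ -r "$f" ]; then echo "$scope=$(cat "$f")"; else echo "$scope=n/a"; fi
    done
}

# Constructed sample: the shipped state described in the article, both lines commented out.
SAMPLE_BEFORE=$(mktemp)
cat > "$SAMPLE_BEFORE" <<'EOF'
# Reverse path filtering, commented out by default
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
EOF

# Constructed sample: after uncommenting, as the article instructs.
SAMPLE_AFTER=$(mktemp)
cat > "$SAMPLE_AFTER" <<'EOF'
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
EOF

echo "--- before uncommenting"; audit_rp_filter "$SAMPLE_BEFORE" || true
echo "--- after uncommenting";  audit_rp_filter "$SAMPLE_AFTER"  || true
echo "--- live kernel values";  live_rp_filter
# On a real host, apply the edited file and confirm with:
#   sudo sysctl -p /etc/sysctl.conf
#   sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter
```

One caveat when reading the live values: rp_filter=1 is strict mode, which drops a packet unless the route back to its source goes out the interface it arrived on. On a host with asymmetric routing (multiple uplinks, policy routing) that can drop legitimate traffic; the kernel also offers loose mode (value 2), which only requires that the source be reachable via some interface, and is the safer choice there.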
1 Comment
Great content. I am waiting for your next article.