IP Spoofing – is it feasible?

January 17, 2012 § Leave a comment

IP spoofing is the attack used by hackers to steal a user’s IP address. IP spoofing involves spoofing a Transmission Control Protocol (TCP) connection, since IP Addresses are passed within TCP packets. When two hosts want to establish a TCP session, they must synchronize their connection using a TCP mechanism called “3 way handshake”. This mechanism is composed of three phases:

  1. The first packet, with flag SYN, is sent by the client to the server.
  2. The server responds with a SYN-ACK packet.
  3. Finally, the client sends an ACK packet to conclude the 3 way handshake.

From the output of this TCP connection, it’s possible to see a couple of long numbers, the sequence number and the acknowledgment number. These values have a size of 32bit, and are randomly generated by modern operating systems every time a new connection is started. During the session, these numbers are incremented by the number of bytes transmitted. So, for example, if the client sends to the server 6 bytes of data, the acknowledge number (example – 1779314099) is calculated from the sequence number of the client, plus the number of bytes received (1779314093 + 6). On the other side, if now the client wants to send more data, it must use 1779314099 as a sequence number (the number that now the server expects).

IP Spoofing, in the past, was a suitable technique to impersonate a different IP address and defeat security systems (such as firewalls). With the randomization of session numbers, an attacker trying to conduct a remote IP Spoofing must predict the 32bit acknowledge number sent by the server in the middle of the 3 way handshake (the SYN-ACK packet). Assuming that the size of a minimal TCP ACK packet (to conclude the handshake) is 54 bytes, and that the number is (on average) predicted correctly after 2^34/2=2147483648 attempts, the total amount of data the attacker must send is 54*2147483648, which would be 108 Gigabytes of data.

This is clearly not feasible, considering that the server considers invalid the 3 way handshake after a short timeout. The only possible way, at present, to conduct an IP spoofing attack, is to have access to the sequence numbers sent by the legitimate client.

Article By: Emanuele Acri.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

What’s this?

You are currently reading IP Spoofing – is it feasible? at Naik Vinay.


%d bloggers like this: