                INTERNET HOLES - ELIMINATING IP ADDRESS FORGERY
                                       
  COPYRIGHT (C), 1996, MANAGEMENT ANALYTICS - ALL RIGHTS RESERVED
  
   
     _________________________________________________________________
   
Series Introduction

   
   
   The Internet is now the world's most popular network and it is full of
   potential vulnerabilities. In this series of articles, we explore the
   vulnerabilities of the Internet and what you can do to mitigate them.
   
An Introduction to IP Address Forgery

   
   
   The Internet Protocol (IP) (RFC791) implements two basic functions:
   addressing and fragmentation. It defines a datagram, carrying a source
   and a destination address, that can be routed through the Internet,
   and it provides a means for fragmenting datagrams into smaller pieces
   and reassembling those pieces into the original datagrams. Nothing in
   the protocol verifies that the source address is the address of the
   host that actually sent the datagram. To quote from RFC791:
       The internet protocol is specifically limited in scope to provide the
       functions necessary to deliver a package of bits (an internet
       datagram) from a source to a destination over an interconnected
       system of networks. There are no mechanisms to augment end-to-end
       data reliability, flow control, sequencing, or other services
       commonly found in host-to-host protocols. The internet protocol
       can capitalize on the services of its supporting networks to
       provide various types and qualities of service.
       
   
   
   Here's a description of an IP datagram, also from RFC791:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   \                                                               \
   \                                                               \
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             data              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                     Description of an IP Datagram

   
   
   Note that the 4th row of the description carries the Source Address
   of the datagram. In the simplest form of IP address forgery, the
   forger only needs to create a packet containing a false Source Address
   and hand it to the output device used to send information to the rest
   of the Internet, for example through a raw socket that lets a program
   supply its own IP header. For the non-expert forger, there is a tool
   called iptest, part of the free and publicly available ipfilter
   security package, that forges packets automatically for the purpose of
   testing the configuration of routers and other IP security setups.
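To make the header layout above concrete, here is an added example (not code from the article, and not part of ipfilter or iptest) that builds a 20-byte IPv4 header from the RFC791 fields, computes and verifies the header checksum, parses a header back into its fields, and then rewrites the source address of an existing packet. The addresses and the payload are constructed sample values; the point it demonstrates is that the only integrity check in the header, the checksum, is trivially recomputed by whoever writes the packet, so a forged source address parses as perfectly valid.

```python
"""IPv4 header (RFC 791 layout): build, parse, checksum, and rewrite the source.
Added example; not from the original article. Addresses and payload are constructed."""
import ipaddress
import struct

HEADER_FMT = "!BBHHHBBH4s4s"   # the ten fixed fields of the 20-byte header, network byte order


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: 16-bit one's-complement sum, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Return a 20-byte IPv4 header (no options) with a correct checksum.
    `src` is whatever the caller chooses: nothing in the header ties it to the sender."""
    ihl = 5
    header = struct.pack(HEADER_FMT,
                         (4 << 4) | ihl,             # version 4, IHL 5 words
                         0,                          # type of service
                         ihl * 4 + payload_len,      # total length
                         ident,
                         0,                          # flags + fragment offset
                         ttl, proto,
                         0,                          # checksum placeholder
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]


def header_checksum_ok(pkt: bytes) -> bool:
    """A header whose checksum field is correct sums to zero under the same algorithm."""
    ihl = (pkt[0] & 0x0F) * 4
    return len(pkt) >= ihl >= 20 and ip_checksum(pkt[:ihl]) == 0


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed fields; reject malformed headers and bad checksums."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack(HEADER_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    if not header_checksum_ok(pkt):
        raise ValueError("bad header checksum")
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def forge_source(pkt: bytes, new_src: str) -> bytes:
    """Rewrite the source address of an existing packet and fix up the checksum.
    The checksum guards against corruption in transit, not against a sender who
    simply recomputes it, so the forged packet parses as perfectly valid."""
    ihl = (pkt[0] & 0x0F) * 4
    header = bytearray(pkt[:ihl])
    header[12:16] = ipaddress.IPv4Address(new_src).packed
    header[10:12] = b"\x00\x00"
    struct.pack_into("!H", header, 10, ip_checksum(bytes(header)))
    return bytes(header) + pkt[ihl:]


if __name__ == "__main__":
    # Constructed sample: 8 zero bytes of payload, documentation addresses (RFC 5737).
    pkt = build_ipv4_header("192.0.2.10", "198.51.100.20", 8) + bytes(8)
    print(parse_ipv4_header(pkt)["src"])                                  # 192.0.2.10
    forged = forge_source(pkt, "203.0.113.7")
    print(parse_ipv4_header(forged)["src"], header_checksum_ok(forged))   # 203.0.113.7 True
```

The parser rejects a header whose checksum does not match, which is what a receiving stack does, but that check only catches packets damaged in transit: `forge_source` flips the source to an address the sender does not own and the result is accepted exactly like the original. Writing such a packet onto the wire is the raw-socket step the paragraph above describes; it is deliberately left out here.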
   
   The infrastructure of the Internet consists primarily of a set of
   gateway computers and packet routers. These systems have multiple
   hardware interfaces. They maintain routing tables that tell them which
   output interface to send a packet out on, and that decision is made
   from the destination IP address in the packet. The source address is
   not consulted at all, and the interface the packet arrived on plays no
   part in the decision. When a forged packet arrives at an
   infrastructure element, that element will therefore faithfully route
   the packet toward the destination address, exactly as it would a
   legitimate packet.
   
How Can IP Address Forgery Be Used

   
   
   At its root, IP address forgery is a method of deception, and thus it
   can be used in much the same way as other forms of deception
   [Dunnigan95]. More specifically, using Dunnigan and Nofi's
   classification scheme, here are some quick ideas about how IP address
   forgery might be used:
     * Concealment: IP address forgery is commonly used to conceal the
       identity of an attacker, especially when denial of services is the
       goal of the attack.
     * Camouflage: IP address forgery is used to make one site appear to
       be another as a way to convince the victim, for example, that an
       attack is from a University, when in fact it is from a competitor.
     * False and Planted Information: IP address forgery can be used to
       create the impression that a particular site is acting maliciously
       in order to create friction or lead a defender to falsely accuse
       an innocent third party.
     * Ruses: IP address forgery can be used to support another activity
       designed to gain the confidence of the defender. For example, a
       salesperson for information security products could create IP
       address forgeries in order to convince a client of the need for
       their services.
     * Displays: IP address forgery has been used in order to lead
       defenders to believe that many sites are participating in an
       attack when in fact only a small number of individuals are
       responsible.
     * Demonstrations: IP address forgery has been used to demonstrate a
       potential for untraceable attacks as a way to convince defenders
       not to try to catch attackers.
     * Feints: IP address forgery can be used to try to fool an enemy
       into believing that an attack is coming from outside or from a
       particular direction, when the real attack is very different. This
       is a way to misdirect the enemy into spending limited resources in
       the wrong way.
     * Lies: IP address forgery has been used to create a more convincing
       lie that somebody known to the defender is communicating with them
       about a particular matter.
     * Insight: IP address forgery can be used to gain insight into how
       an opponent reacts and as a sort of probe to determine what sorts
       of responses are likely to arise.
       
   
   
   Another way to view this issue is in terms of the net effect on
   information in information systems. Here is another way of viewing
   this issue with an example from each category.
     * Corruption of Information: IP addresses are often used as the
       basis for Internet control decisions. For example, DNS servers
       are often configured to accept updates or zone transfers only
       from specific other servers, identified by nothing more than their
       IP address. With IP address forgery, such a server can be fed
       false records, which spread as other servers cache them, causing
       services to be rerouted through enemy servers.
     * Denial of Services: The Internet is basically a fragile network
       that depends on the proper behavior and good will of the
       participants for its proper operation. Without wide-ranging
       changes to the way the Internet works, denial of services is
       almost impossible to prevent. For example, the same DNS attack
       could be used to cause widespread denial of services, or perhaps
       even to create loops in the packet delivery mechanisms of the
       Internet backbone.
     * Leakage of Information: Forged IP addresses can be used to make a
       host deliver information to enemy sites, by forging the
       authorization for that delivery as if it came from a legitimate
       authorizing site.
     * Misplaced Liability: Forged IP addresses could be used, as
       described above under False and Planted Information, to cause
       defenders to assert claims against innocent bystanders and to lay
       blame at the wrong feet.
       
   
   
   These are only some of the examples of what forged IP addresses can
   do. Without a lot of effort, many other examples can be created.
   
What Can We Do About It?

   
   
   As individuals, there is little we can do to eliminate all IP address
   forgery, but as a community, we can be very effective. Here's how.
   Instead of having all infrastructure elements route all packets, each
   infrastructure element could, and should, enforce a simple rule: only
   route packets whose source address could legitimately have arrived on
   the interface the packet came in on.
   
   This may sound complicated, but it really isn't. In fact, the
   technology to do this is already in place. Virtually every router and
   gateway in existence today allows for the filtering of packets based
   on their input interface and IP source and destination address. The
   routing table a router uses to pick an output interface for a
   destination address already records which interface each address
   range lies behind; the same table, consulted for the source address
   instead, tells the router whether that source could legitimately have
   arrived on the input interface.
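The following added example (not code from the article, and not any vendor's router configuration) simulates both behaviours described on this page: the destination-only forwarding of the earlier "infrastructure" paragraph, under which a forged packet is routed like any other, and the rule just stated, under which a router consults its own routing table for the source address and refuses packets whose source lies behind a different interface than the one they arrived on. Interface names, prefixes and the sample packets are constructed. The rule was later written down as network ingress filtering (RFC 2827, BCP 38), and the table-driven source check is what router vendors now call reverse-path filtering.

```python
"""Destination-only forwarding versus source (ingress) filtering, as a simulation.
Added example; not from the original article. Interface names, prefixes and the
sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")   # never legitimately seen on the wire


@dataclass
class Packet:
    src: str
    dst: str


class Router:
    """A router with named interfaces; `routes` maps a prefix to the interface it lies behind."""

    def __init__(self, routes: Dict[str, str]):
        self.routes = {ipaddress.IPv4Network(p): iface for p, iface in routes.items()}

    def lookup(self, addr: str) -> Optional[str]:
        """Longest-prefix match of one address against the routing table."""
        a = ipaddress.IPv4Address(addr)
        best = None
        for net, iface in self.routes.items():
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward_classic(self, pkt: Packet, in_iface: str) -> Optional[str]:
        """Classic forwarding: the decision depends on the destination alone.
        The source address and the arriving interface are never examined."""
        return self.lookup(pkt.dst)

    def forward_filtered(self, pkt: Packet, in_iface: str) -> Optional[str]:
        """The rule from the text: route a packet only if its source address could
        legitimately have arrived on `in_iface`. Returns None when the packet is dropped."""
        if ipaddress.IPv4Address(pkt.src) in LOOPBACK:
            return None                         # known-bad source, drop regardless of interface
        if self.lookup(pkt.src) != in_iface:
            return None                         # source lies behind some other interface: forged
        return self.lookup(pkt.dst)


def demo() -> Dict[str, Optional[str]]:
    """Run constructed traffic through both policies; returns each decision by name."""
    # A border router: one customer network behind "customer", everything else via "upstream".
    r = Router({"0.0.0.0/0": "upstream", "192.0.2.0/24": "customer"})
    # Constructed packets (RFC 5737 documentation addresses):
    forged_from_customer = Packet("198.51.100.9", "203.0.113.1")   # customer host claims an outside source
    honest_from_customer = Packet("192.0.2.9", "203.0.113.1")
    forged_from_outside = Packet("192.0.2.9", "192.0.2.5")         # outsider claims a customer source
    loopback_from_outside = Packet("127.0.0.1", "192.0.2.5")
    return {
        "classic_forwards_forgery": r.forward_classic(forged_from_customer, "customer"),
        "filtered_drops_forgery": r.forward_filtered(forged_from_customer, "customer"),
        "filtered_passes_honest": r.forward_filtered(honest_from_customer, "customer"),
        "filtered_drops_outside_claiming_customer": r.forward_filtered(forged_from_outside, "upstream"),
        "filtered_drops_loopback": r.forward_filtered(loopback_from_outside, "upstream"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'drop' if decision is None else 'out ' + decision}")
```

Two limits of the check are worth seeing in the simulation. First, a customer host can still forge any address inside 192.0.2.0/24, because every address in that block legitimately arrives on the customer interface; filtering bounds forgery to the prefix behind the arriving interface rather than eliminating it, which is why the article asks for it at every infrastructure element, as close to the edge as possible. Second, the default route makes the upstream interface accept any source the table does not place elsewhere, including 127.0.0.1, so the known-bad sources the article goes on to list need an explicit rule of their own, as `LOOPBACK` does here.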
   
   The only change that has to be made is for these routers and gateways
   to enforce the network structure that is legitimately in place. Or in
   other words, the routers and gateways should refuse to route
   ridiculous packets. Here are some of the simpler examples of known bad
   packets:
     * The loopback block 127.0.0.0/8 (127.0.0.1 being the usual address)
       is ONLY used for internal delivery of packets from a host to
       itself. There is no legitimate IP datagram that should pass
       through a router or gateway with any of these as the source
       address. In fact, routing these packets is dangerous because they
       may be used to forge packets from the local...