Address Spoofing and Denial of Service

• Agenda
 MAC Modification
 Address Resolution Protocol Trickery
 IP Address Spoofing
 TCP Session Hijacking
 Domain Name Spoofing
 Email Spoofing (not in lab)
 Denial of Service

ECE 4112 - Internetwork Security 1


IP Spoofing and Denial of Service Lab Exercises

• Medium Access Control Address Spoofing
 Windows XP MAC modification
 Linux MAC modification
• IP Spoofing
 From Windows: wINJECT
 From Linux: fraggle.c
• Domain Name System Spoofing
 dsniff tool
• Denial of Service
 datapool tool
 synful
 teardrop
 udpflood
The Ethernet Frame - IEEE 802.3

• Destination and source MAC addresses are modified for spoofing.


MAC Modification/Spoofing

• Change the MAC on a host (cloning)
 Linux (ifconfig)
 Windows network settings
• Creating link layer packets (spoofing)
 libnet (API)
 Linkcat (tool – netcat for the link layer)


Modifying Windows XP Network Interface

Modifying Windows XP Network Interface (continued)

Modifying Linux Network Interface


Address Resolution Protocol (ARP)

• Method of finding a host's Ethernet address
• Broadcast message looking for the IP address
• Hosts maintain a cache to avoid frequent requests
ARP Cache Poisoning

• Man in the Middle (MiM) Attack
 Session Stealing
 Packet/Data Injection
• Beat the Switch
 Making a Switch into a Hub
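Added example (not part of the course slides): the defender's view of the poisoning described above. A monitor on the LAN records ARP replies and flags an IP whose MAC binding changes, a binding that flips back to an earlier MAC (the real host and the poisoner competing for the cache), and a MAC that claims more than one IP. The reply list is constructed sample data.

```python
from collections import defaultdict

# Constructed sample ARP replies as (time, sender IP, sender MAC), in the
# order a monitoring host would see them. .1 is the gateway; at t=2.2 the
# MAC of .5 starts answering for the gateway's IP, then the gateway answers again.
ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),
    (1.5, "10.0.0.5", "00:11:22:33:44:05"),
    (2.0, "10.0.0.1", "00:11:22:33:44:01"),
    (2.2, "10.0.0.1", "00:11:22:33:44:05"),
    (2.4, "10.0.0.5", "00:11:22:33:44:05"),
    (2.6, "10.0.0.1", "00:11:22:33:44:05"),
    (3.0, "10.0.0.1", "00:11:22:33:44:01"),
]

def detect_arp_poisoning(replies):
    """Return a list of alerts; each alert is a tuple starting with
    (time, kind, ...). Kinds mirror arpwatch's vocabulary."""
    ip_to_mac = {}                 # current binding per IP
    history = defaultdict(set)     # every MAC that has ever claimed an IP
    mac_to_ips = defaultdict(set)  # every IP a MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            kind = "flip-flop" if mac in history[ip] else "changed-mapping"
            alerts.append((ts, kind, ip, known, mac))
        history[ip].add(mac)
        ip_to_mac[ip] = mac
        ips = mac_to_ips[mac]
        if ips and ip not in ips:
            alerts.append((ts, "mac-claims-multiple-ips", mac, sorted(ips | {ip})))
        ips.add(ip)
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES):
        print(alert)
```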


Arpspoof Example


Network and Transport Layers

• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• TCP Session Hijacking


Internet Protocol (IP)

• IP provides a best-effort way to route datagrams from source to destination
• Source address, destination address: network number and host number
• IP spoofing: change or disguise the source address

IPv4 header layout (one 32-bit word per row):
 Version | IHL | Type of Service | Total length
 Identification | DF | MF | Fragment offset
 Time to live | Protocol | Header checksum
 Source address
 Destination address
 Options (0 or more words)
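Added example (not from the course slides): a parser for the header layout above that decodes every fixed field, including the DF/MF flags, and verifies the header checksum. A spoofed or otherwise edited source address leaves the checksum stale unless it is recomputed, which is the first thing a receiving stack checks. The sample header bytes are constructed.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed IPv4 header fields and verify the header checksum
    (a header whose checksum is correct sums to 0xFFFF)."""
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(raw) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    return {
        "version": version, "ihl": ihl, "tos": tos,
        "total_length": total_length, "identification": ident,
        "df": bool(flags_frag & 0x4000),               # Don't Fragment
        "mf": bool(flags_frag & 0x2000),               # More Fragments
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # in bytes
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "checksum_ok": ones_complement_sum(raw[:ihl * 4]) == 0xFFFF,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }

# Constructed sample: 20-byte header, DF set, TTL 64, protocol 6 (TCP),
# 10.0.0.1 -> 10.0.0.2, total length 60, checksum 0x0a74 (correct).
SAMPLE_HEADER = bytes.fromhex("4500003c1c464000" "40060a74" "0a000001" "0a000002")

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
    # Rewriting the source address without recomputing the checksum
    # is caught: checksum_ok becomes False.
    tampered = bytearray(SAMPLE_HEADER)
    tampered[12:16] = bytes([10, 0, 0, 9])
    print(parse_ipv4_header(bytes(tampered))["checksum_ok"])
```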
IP Spoofing

• Non-blind attacks
 Attacker and target on the same subnet
 Reply traffic can be sniffed
• Blind attacks
 Attacker and target on different subnets
 Reply traffic cannot be seen by the attacker
 Attacker must be able to predict replies


IP Spoofing

• Attacks made possible by IP spoofing include
 Denial of Service (DoS)
 Session Hijacking
 Man in the Middle
• To take over a TCP stream, sequence and acknowledgement numbers must be sniffed or predicted.
Transmission Control Protocol (TCP)

• Source and destination ports
• Sequence and acknowledgement number
• Reliability: checksum (not tamperproof)

TCP header layout (one 32-bit word per row):
 Source port | Destination port
 Sequence number
 Acknowledgement number
 TCP HL (header length) | URG | ACK | PSH | RST | SYN | FIN | Window size
 Checksum | Urgent pointer
 Options (0 or more 32-bit words)
 Data (optional)
Transmission Control Protocol (TCP)

• Packet types (flags)
 URG - Urgent
 ACK - Acknowledge
 PSH - Push
 RST - Reset
 SYN - Synchronize (a flood of SYNs can overwhelm a server)
 FIN - Finish


Transmission Control Protocol (TCP) (4)

• TCP connection initiation
 Three-way handshake

 Host 1 -> Host 2: SYN (SEQ=x)
 Host 2 -> Host 1: SYN (SEQ=y, ACK=x+1)
 Host 1 -> Host 2: (SEQ=x+1, ACK=y+1)


Session Hijacking

• Session hijacking attacks: based on sniffing and IP spoofing
 Attacker monitors packets between Alice and Bob
 Attacker injects spoofed telnet traffic with a source IP address of Alice

 Diagram: Alice and Bob talk across the network; the Attacker, on the same network, sends Bob traffic claiming "Hi, I am Alice".
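Added example (not from the course slides) covering the handshake above and the point that a hijacker needs the stream's sequence and acknowledgement numbers: a receive-side model of the TCP acceptability checks. After the three-way handshake, Bob accepts Alice's next segment, but a segment whose SEQ is outside the receive window or whose ACK refers to data Bob never sent is discarded, which is why a blind injection without sniffed numbers fails. The ISS values are constructed.

```python
MOD = 1 << 32   # sequence numbers wrap modulo 2^32

class TcpEndpoint:
    """Receive-side model of the RFC 793 acceptability checks (SEQ inside the
    receive window, ACK between SND.UNA and SND.NXT), enough to show why a
    segment injected with the wrong numbers is simply dropped."""

    def __init__(self, iss: int, rcv_wnd: int = 4096):
        self.snd_nxt = iss % MOD   # next sequence number we will send
        self.snd_una = iss % MOD   # oldest byte not yet acknowledged
        self.rcv_nxt = None        # next byte expected from the peer
        self.rcv_wnd = rcv_wnd

    def complete_handshake(self, peer_iss: int) -> None:
        # SYN (SEQ=x) / SYN (SEQ=y, ACK=x+1) / (SEQ=x+1, ACK=y+1): each SYN
        # consumes one sequence number, so both sides advance by one.
        self.rcv_nxt = (peer_iss + 1) % MOD
        self.snd_nxt = (self.snd_nxt + 1) % MOD
        self.snd_una = self.snd_nxt

    def seq_in_window(self, seq: int) -> bool:
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd

    def ack_acceptable(self, ack: int) -> bool:
        # SND.UNA <= ACK <= SND.NXT, evaluated modulo 2^32.
        return (ack - self.snd_una) % MOD <= (self.snd_nxt - self.snd_una) % MOD

    def receive(self, seq: int, ack: int, payload: bytes) -> str:
        """Return what the endpoint does with an incoming data segment."""
        if not self.seq_in_window(seq):
            return "dropped: SEQ outside receive window"
        if not self.ack_acceptable(ack):
            return "dropped: ACK outside [SND.UNA, SND.NXT]"
        if seq != self.rcv_nxt:
            return "queued: out of order"
        self.rcv_nxt = (self.rcv_nxt + len(payload)) % MOD
        self.snd_una = ack
        return "accepted"

if __name__ == "__main__":
    bob = TcpEndpoint(iss=5000)            # Bob's ISS y (constructed)
    bob.complete_handshake(peer_iss=1000)  # Alice's ISS x (constructed)
    print(bob.receive(1001, 5001, b"ls\n"))   # Alice's real segment: accepted
    print(bob.receive(42, 5001, b"ls\n"))     # blind guess at SEQ: dropped
    print(bob.receive(1004, 9999, b"ls\n"))   # ACK Bob never sent: dropped
```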
DNS Spoofing

• Causes name resolution to result in an incorrect IP address
• In our lab, the dsniff tool is used to accomplish this


DSniff

• Collection of tools for network auditing and penetration testing.
• Tools included
 arpspoof
 dnsspoof
 dsniff
 filesnarf
 macof
 mailsnarf
 msgsnarf
 tcpkill
 tcpnice
 urlsnarf
 webspy
 sshmitm
 webmitm
DSniff

• All kinds of attacks can be run, e.g.
 Password sniffing
 Message and file capture
 URL capture
 Man-in-the-middle
• Lab exercises
 DNS spoofing


Email Spoofing

• Email spoofing is effective because most people don't have time to double-check their headers all the time.
• An email's true origin can be further obfuscated by forging extra "Received:" lines.
• To force verification, email can be cryptographically signed.
Email Spoofing

• Email spoofing is a form of social engineering.
• Email spoofing is also used by spammers to make it more difficult to track them.
• A forged email can be detected by close inspection of its headers.
• SMTP (port 25) is unauthenticated, so anyone can connect and send mail.
Email Spoofing (Not in Lab Assignment)

telnet mail.xyz.gatech.edu 25
220 sark.xyz.gatech.edu ESMTP Sendmail 8.12.10/8.12.8; Mon, 1 Dec 2003 040500 (EST)
HELO abc4883.com
250 sark.xyz.gatech.edu Hello ece-237-37.abc.gatech.edu [130.207.237.37], pleased to meet you
MAIL FROM: <fake@abc4883.com>
250 2.1.0 <fake@abc4883.com>... Sender ok
RCPT TO: <gotcha@abc.gatech.edu>
250 2.1.5 <gotcha@abc.gatech.edu>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Greetings from abc4883!
.
250 2.0.0 hAUMOh6c005386 Message accepted for delivery
QUIT
221 2.0.0 sark.xyz.gatech.edu closing connection
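Added example (not from the course slides) of the "close inspection of headers" the previous slide recommends. Sendmail records the HELO name next to the connecting host's reverse DNS and IP, so the session above leaves a "Received: from abc4883.com (ece-237-37.abc.gatech.edu [130.207.237.37])" trace that a checker can compare against the From: domain. The sample headers are constructed around that transcript; the upstream relay hop, its IP and its queue id are invented.

```python
import re

# Constructed headers modelled on the transcript above. The second Received:
# line is the one sark would add; the first (mailhub, 130.207.7.21) is invented.
SAMPLE_HEADERS = """\
Received: from sark.xyz.gatech.edu (sark.xyz.gatech.edu [130.207.7.21])
\tby mailhub.abc.gatech.edu (8.12.10) with ESMTP id hAUMOhXX001234;
\tMon, 1 Dec 2003 04:05:02 -0500 (EST)
Received: from abc4883.com (ece-237-37.abc.gatech.edu [130.207.237.37])
\tby sark.xyz.gatech.edu (8.12.10/8.12.8) with SMTP id hAUMOh6c005386
\tfor <gotcha@abc.gatech.edu>; Mon, 1 Dec 2003 04:05:00 -0500 (EST)
From: fake@abc4883.com
To: gotcha@abc.gatech.edu
Subject: Greetings from abc4883!
"""

# Sendmail-style "from HELO-name (reverse-dns [ip])" clause.
RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+) \((?P<rdns>[^\s\[]+) \[(?P<ip>[\d.]+)\]\)", re.I)

def unfold(headers: str) -> list:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines

def registered_domain(name: str) -> str:
    # Last two labels only (abc4883.com, gatech.edu); production code should
    # consult the public-suffix list instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def check_headers(headers: str) -> list:
    """Flag hops whose HELO name disagrees with the connecting host's reverse
    DNS, and a From: domain the first hop did not originate from."""
    findings = []
    lines = unfold(headers)
    hops = [m for m in (RECEIVED_RE.match(line) for line in lines) if m]
    from_line = next((line for line in lines if line.lower().startswith("from:")), "")
    from_domain = registered_domain(from_line.split("@")[-1].strip(" <>"))
    for m in hops:
        if registered_domain(m["helo"]) != registered_domain(m["rdns"]):
            findings.append("HELO %s does not match reverse DNS %s [%s]"
                            % (m["helo"], m["rdns"], m["ip"]))
    if hops:
        first_hop = hops[-1]   # Received: lines are prepended; the last one is the first hop
        if registered_domain(first_hop["rdns"]) != from_domain:
            findings.append("From: domain %s was submitted via %s, not a %s host"
                            % (from_domain, first_hop["rdns"], from_domain))
    return findings
```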


Raw Sockets

• Allow the application to directly access the Network Access Layer (TCP/IP model)
• Develop new protocols or build upon existing ones
• Programming difference:
 sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
 Manually build the necessary headers
• Requires super-user access
• Not implemented the same across all platforms
libnet

• Raw sockets and link layer facilities
• Simplifies packet injection programming
 libnet_build_ipv4(packet_length, type_of_service, identification, fragment, time_to_live, protocol, checksum, source_address, destination_address, payload, payload_size, libnet, ptag)
 libnet_autobuild_ipv4(packet_length, protocol, destination_address, libnet)
• Allows for prebuilding streams of packets
• Efficient mechanism for packet injection
• Portable solution for packet injection


Denial of Service

• Denial of Service
 Easy to mount – script kiddies
 Requires few computing resources
 Most common attack – deadly results
• Comes in various forms, e.g.
 Buffer Overflow Attack
 Teardrop Attack
 SYN Flood
 Smurf Attack


Internet Control Message Protocol (ICMP)

• ICMP is used to test the Internet.
• Each ICMP message type is encapsulated in an IP packet.

 Message type             Description
 Destination unreachable  Packet could not be delivered
 Time exceeded            Time to live field hit 0
 Parameter problem        Invalid header field
 Redirect                 Teach a router about geography
 Echo request             Ask a machine if it is alive
 Echo reply               Yes, I am alive


Denial of Service

• Buffer Overflow
 Send more data than the allotted buffer space, e.g. more than 256 chars in an email "From" field.
• Teardrop
 Takes advantage of IP fragmentation.
• SYN Flood
 Flood the target with connection requests.
• Smurf
 ICMP echo requests with a spoofed source IP.
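Added example (not from the course slides) of detecting the SYN flood described above from packet summaries: it tracks each three-way handshake and reports a server that has accumulated many half-open connections (SYN seen, final ACK never arrives). A high count of distinct one-shot sources is the signature of spoofed source addresses, since the SYN/ACKs go to hosts that never asked. The packet list is constructed.

```python
from collections import defaultdict

# Constructed packet summaries as (time, src, sport, dst, dport, flags):
# one legitimate telnet handshake, then 50 SYNs from sources that never
# send the final ACK, each answered by the server with a SYN/ACK.
PACKETS = [
    (0.0, "10.0.0.5", 40001, "10.0.0.80", 23, "S"),
    (0.1, "10.0.0.80", 23, "10.0.0.5", 40001, "SA"),
    (0.2, "10.0.0.5", 40001, "10.0.0.80", 23, "A"),
]
for i in range(1, 51):
    PACKETS.append((1.0 + i / 100, "198.51.100.%d" % i, 1024 + i, "10.0.0.80", 23, "S"))
    PACKETS.append((1.0 + i / 100 + 0.001, "10.0.0.80", 23, "198.51.100.%d" % i, 1024 + i, "SA"))

def half_open_report(packets, threshold=20):
    """Track handshakes and report servers with at least `threshold`
    half-open connections still waiting for the client's final ACK."""
    pending = {}      # (client, cport, server, sport) -> time of the SYN
    completed = 0
    for ts, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)         # client-side view of the 4-tuple
        if flags == "S":
            pending[key] = ts
        elif flags == "A" and key in pending:
            del pending[key]
            completed += 1
        elif "R" in flags:
            # A reset from either side abandons the embryonic connection.
            pending.pop(key, None)
            pending.pop((dst, dport, src, sport), None)
    per_server = defaultdict(list)
    for (src, _sport, dst, dport), _ts in pending.items():
        per_server[(dst, dport)].append(src)
    alerts = []
    for (server, port), sources in per_server.items():
        if len(sources) >= threshold:
            alerts.append({"server": server, "port": port,
                           "half_open": len(sources),
                           "distinct_sources": len(set(sources))})
    return {"completed": completed,
            "half_open": sum(len(s) for s in per_server.values()),
            "alerts": alerts}

if __name__ == "__main__":
    print(half_open_report(PACKETS))
```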


Denial of Service

• Tool to be used in lab – Datapool
• Customizable script with the capability to run 106 different DoS attacks (including the ones discussed)!
• Can run attacks against multiple IPs and learns about the vulnerabilities of each.
• IP spoofing is used to disguise the source of the attack.
References (WWW)

• OSI Model: RAD Data Communications
• libnet (packetfactory.net)
• Raw Socket Programming (mixter.void.ru)
• Paketto (www.doxpara.com/paketto)
• Dsniff (naughty.monkey.org/~dugsong/dsniff)

References (Books)

• Computer Networks, Third Edition. Andrew Tanenbaum, Prentice-Hall, 1996.
• Counter Hack. Ed Skoudis, Prentice-Hall, 2002.
• TCP/IP Illustrated, Volume 1. W. Richard Stevens, Addison-Wesley, 1994.