6 Problem Page 1 1 Probem Research IP Spoofing attack Resear

6. Problem Page: 1 1. Probem Research IP Spoofing attack. Research this topic and answer the following questions: 6.1 Part 0o What type of attack is it? (Check all that apply) Active, Passive, Operating System Based, Network Based, Denial of Service, Man-in the-Middle. 6.2 Part What fields/flags of TCP/IP headers were used in the attack. What fields/lags ofTCPMP

Solution

Part a : IT is active , network based , denial of service , man in the middle attack

Explaination : IP spoofing is sometimes the starting point for more sophisticated LAN attacks like denial of service, man in the middle and session hijacking. The current methods of detection use a passive approach, monitoring the ARP traffic and looking for inconsistencies in the Ethernet to IP ad- dress mapping. The main drawback of the passive approach is the time lag between learning and detecting spoofing. This sometimes leads to the attack being discovered long after it has been orchestrated.

part2 : Source IP address and destination IP address are used in IP spoofing

Explaination : Valid source IP address, illustrates a typical interaction between a workstation with a valid source IP address requesting web pages and the web server executing the requests.When the workstation requests a page from the web server the request contains both the workstations IP address (i.e. source IP address 192.168.0.5) and the address of the web server executing the request (i.e. destination IP address 10.0.0.23). The web server returns the web page using the source IP address specified in the request as the destination IP address, 192.168.0.5 and its own IP address as the source IP address, 10.0.0.23.

Spoofed source IP address, illustrates the interaction between a workstation requesting web pages using a spoofed source IP address and the web server executing the requests. If a spoofed source IP address (i.e. 172.16.0.6) is used by the workstation, the web server executing the web page request will attempt to execute the request by sending information to the IP address of what it believes to be the originating system (i.e. the workstation at 172.16.0.6). The system at the spoofed IP address will receive unsolicited connection attempts from the web server that it will simply discard.

part 3 :

The router that connects a network to another network is known as a border router. One way to mitigate the threat of IP spoofing is by inspecting packets when they the leave and enter a network looking for invalid source IP addresses. If this type of filtering were performed on all border routers, IP address spoofing would be greatly reduced.

Egress filtering checks the source IP address of packets to ensure they come from a valid IP address range within the internal network When the router receives a packet that contains an invalid source address, the packet is simply discarded and does not leave the network boundary This type of filtering may not prevent a system from participating in a DoS attack as the spoofed IP address used could fall within the valid internal address range. It will simplify the process of tracing the packets, since the systems will have to use a source IP address within the valid IP range of the network. Ingress filtering checks the source IP address of packets that enter the network to ensure they do not come from sources that are not permitted to access the network . At a minimum, all private, reserved, and internal IP addresses should be discarded by the router and not allowed to enter the network.