Problem #2: An Attacker Can Pretend to Be From A Trusted Host
In addition to obscuring the attackers identity during a DDoS, IP address spoofing can also be used to circumvent trusted host configurations. Kevin Mitnick publicized this as a technique he used to break into a banks transaction system. To see how this can happen, well look at an example.
To set the scene A company has 2 systems to control its online automated purchasing service. System 1, lets call it Freedom, controls the stock and picking system. System 2, lets call it Spirit, controls the banking credit and debit system. Whenever an order or goods return request is placed, an application on Freedom reduces or increases the stock count as appropriate, and sends a purchase/refund request to Spirit. Spirit then connects to the bank and completes the transaction.
Because both Freedom and Spirit sit in the companys backend network, the inexperienced system administrator believes that it would be safe to configure them with a trusted host system only. In other words, he configured Spirit so that it would only ever accept connections from Freedom, because thats the only host that should ever talk to it. Both systems are, however, completely secured and up to date with patches etc.
So if the systems are secure, how can an attacker use this configuration to their advantage? The answer lies in IP spoofing. While the attacker cant actually break into either Freedom or Spirit, he can control Spirits behavior by manually creating packets with Freedoms IP address as the source. If the attacker crafts a packet containing data to make a transaction of £1million into a bank account, then sets the source IP address to Freedoms IP address, when Spirit receives this packet it will check the source IP, see that it matches Freedoms IP, process it as normal and the fake transaction will go through.
While this is a slightly wild example, the theory is valid. Because the IP stack itself does not provide any measures for verifying the source IP address, systems that do not employ other measures are vulnerable to this type of spoofing attack.
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.