
Section 5.3 Internet Layer Attacks

Subsection 5.3.1 IP Spoofing

Diagram illustrating the structure of an IP packet header, with fields humorously annotated to highlight the concept of IP spoofing.
The diagram displays the format of an IP packet header, noted as being 32 bits wide. The header is broken down into several fields across multiple rows. The first row shows fields for "Vers" (Version), "IHL" (Internet Header Length), "TOS" (Type of Service), and "Total Length." The second row contains "Identification," "Flags," and "Fragment Offset." The third row lists "Time to Live," "Protocol," and "Header Checksum." Following these standard fields, the diagram humorously labels the source address field as "Totally legitimate source address, I’m not lying I swear," and the destination address field as "Victim, err I mean Destination address," alluding to the vulnerability of IP spoofing. Below these address fields, sections for "Options (up to 40 bytes)" and finally "Data (up to 65536 bytes)" are indicated, representing the remainder of the IP packet.
Figure 5.3.1. IP Packet Header
Unfortunately, the Internet Protocol (IP) was not designed with security in mind. Nothing in the header shown in Figure 5.3.1 binds the source address to the host that actually emitted the packet: a sender can write any value into that field, and routers forward the packet on the destination address alone, so a packet with a forged source still reaches its target. The header checksum does not help, because the sender simply recomputes it after filling in the forged source address. This means an IP address can be spoofed and malicious packets sent out under it. Within IP itself there is no good solution to this problem. The one network-layer mitigation is ingress filtering at network edges (BCP 38, RFC 2827), where a provider drops packets arriving from a customer whose source address does not belong to that customer's address space; it only works where operators deploy it, and a victim cannot rely on it. The source of a packet therefore usually has to be authenticated in a higher layer, and protocols built on IP must be designed on the assumption that the IP layer is fundamentally insecure.
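To make the point concrete, the following added example (not code from the textbook) builds the 20-byte IPv4 header from Figure 5.3.1 with whatever source address the caller asks for, parses it back the way a router would, and then applies a BCP 38 style ingress check at a hypothetical provider edge. The addresses, the customer prefix and the payload length are constructed values from the RFC 5737 documentation ranges; the function names are this example's own.

```python
import ipaddress
import struct

HEADER_FMT = "!BBHHHBBH4s4s"  # the fixed 20-byte header of Figure 5.3.1, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the header's 16-bit words.
    It catches accidental corruption only; a sender recomputes it after writing
    any source address it likes, so it gives no protection against spoofing."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Assemble a 20-byte IPv4 header. Nothing in it ties `src` to the host
    that transmits the packet: it is four bytes the sender fills in."""
    ver_ihl = (4 << 4) | 5                  # version 4, IHL = 5 words = 20 bytes
    tos = 0
    total_length = 20 + payload_len
    flags_frag = 0                          # no fragmentation
    draft = struct.pack(HEADER_FMT, ver_ihl, tos, total_length, ident, flags_frag,
                        ttl, protocol, 0,   # checksum field is zero while computing
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(draft)
    return draft[:10] + struct.pack("!H", csum) + draft[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header fields the way a router or receiving host would."""
    (ver_ihl, _tos, total_length, _ident, _flags_frag, ttl, protocol,
     _csum, src, dst) = struct.unpack(HEADER_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_length": total_length,
        "ttl": ttl,
        "protocol": protocol,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        # summing a header that includes its own checksum yields 0 when intact
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }


def ingress_filter_allows(src: str, customer_prefixes) -> bool:
    """BCP 38 (RFC 2827) ingress filtering at a provider edge: forward a packet
    from a customer-facing interface only if its source address lies inside the
    prefixes assigned to that customer. This is the one network-layer check
    that catches spoofing, and it helps only where the operator deploys it."""
    addr = ipaddress.IPv4Address(src)
    return any(addr in ipaddress.IPv4Network(prefix) for prefix in customer_prefixes)


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges.
    VICTIM, TARGET, CUSTOMER_PREFIX = "192.0.2.10", "203.0.113.5", "198.51.100.0/24"
    ICMP = 1
    spoofed = build_ipv4_header(src=VICTIM, dst=TARGET, protocol=ICMP, payload_len=8)
    hdr = parse_ipv4_header(spoofed)
    print("forged header parses as src=%s dst=%s checksum_ok=%s"
          % (hdr["src"], hdr["dst"], hdr["checksum_ok"]))
    print("edge router with BCP 38 forwards it:",
          ingress_filter_allows(hdr["src"], [CUSTOMER_PREFIX]))
```

The forged header is indistinguishable from a genuine one to every router on the path; the checksum verifies, and only the edge that knows which prefixes the sending customer owns can tell that 192.0.2.10 could not have originated there.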

Example 5.3.2. Smurf Attack.

Diagram illustrating a Smurf attack, where an attacker uses a broadcast network to flood a target with ICMP echo replies by spoofing the target’s IP address.
The diagram depicts the mechanics of a Smurf attack. On the left, an "Attacker" sends an "Echo request with spoofed source IP" to a central network device, likely a router, with the spoofed source IP address being that of the "Target," who is also shown on the left, below the attacker. The network device then broadcasts this malicious echo request to an "IP broadcast network," represented on the right as a collection of multiple computer systems. Each system on this broadcast network, upon receiving the echo request, sends an ICMP echo reply. Because the original request’s source IP was spoofed to be the Target’s IP, all these numerous echo replies are directed from the broadcast network, through the central network device, and converge upon the unsuspecting "Target," overwhelming it with traffic. Multiple red arrows illustrate this flood of replies overwhelming the Target.
Figure 5.3.3. Smurf Attack
Smurf DDoS Attack (commons.wikimedia.org/wiki/File:Ataque_Smurf_DDoS.png) by Imperva Incapsula (www.imperva.com/learn/ddos/smurf-attack-ddos/?redirect=Incapsula), used under CC-BY-SA 4.0 (creativecommons.org/licenses/by-sa/4.0/deed.en).
The Smurf attack is a good example of how spoofed IP addresses can lead to major problems. It is an early reflection and amplification attack, a form of Distributed Denial of Service in which the "distributed" traffic comes from innocent hosts rather than from machines the attacker controls. The attacker creates an ICMP echo request with the victim's IP address as the source address and sends it to the broadcast address of a subnet whose router forwards directed broadcasts. Every host on that subnet that answers the echo request sends its reply to the victim, flooding it with responses. The asymmetric nature of the attack, a single packet prompting possibly hundreds of responses, made it particularly hard to deal with: the replies arrive from many legitimate, unspoofed addresses, so blocking by source is not practical, and the attacker could keep a victim pinned down with minimal bandwidth on their end. Two changes mitigated the attack. Routers no longer forward directed broadcasts by default (RFC 2644), so the request never reaches the amplifier subnet, and modern hosts ignore ICMP echo requests addressed to a broadcast address (on Linux this is the net.ipv4.icmp_echo_ignore_broadcasts sysctl, which defaults to 1).
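The following added example (not code from the textbook) shows what the attack looks like on the wire from each side and how to detect it. It runs two checks over constructed ICMP flow records: on the amplifier's network, an echo request aimed at a local subnet's broadcast address; on the victim's side, a burst of echo replies from hosts the victim never pinged, which is exactly what the reflected replies look like because the spoofed request went to the broadcast address rather than to the individual responders. The records, addresses, time window and thresholds are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type numbers

# Constructed ICMP flow records (seconds, src, dst, icmp_type); not a real capture.
# 192.0.2.10 is the victim and 198.51.100.0/24 the amplifier subnet. The attacker's
# own address never appears: its single packet carries the victim's address as source.
RECORDS = [
    (0.00, "192.0.2.10",   "198.51.100.255", ECHO_REQUEST),  # spoofed request to the subnet broadcast
    (0.01, "198.51.100.2", "192.0.2.10",     ECHO_REPLY),    # reflected replies from amplifier hosts
    (0.01, "198.51.100.3", "192.0.2.10",     ECHO_REPLY),
    (0.02, "198.51.100.4", "192.0.2.10",     ECHO_REPLY),
    (0.02, "198.51.100.5", "192.0.2.10",     ECHO_REPLY),
    (0.03, "198.51.100.6", "192.0.2.10",     ECHO_REPLY),
    (5.00, "192.0.2.10",   "192.0.2.77",     ECHO_REQUEST),  # an ordinary ping sent by the victim
    (5.02, "192.0.2.77",   "192.0.2.10",     ECHO_REPLY),    # its legitimate reply
]


def directed_broadcast_requests(records, local_subnets):
    """Amplifier-side check: echo requests addressed to the broadcast address of a
    local subnet. A router that forwards these makes its subnet usable as a Smurf
    amplifier; the fix is to drop them at the router (the RFC 2644 default)."""
    broadcasts = {str(ipaddress.IPv4Network(s).broadcast_address) for s in local_subnets}
    return [r for r in records if r[3] == ECHO_REQUEST and r[2] in broadcasts]


def unsolicited_reply_floods(records, window=1.0, min_sources=3):
    """Victim-side check: echo replies for which the destination sent no echo
    request to that particular source within `window` seconds. Every reflected
    Smurf reply is unsolicited in this sense, because the spoofed request went to
    the broadcast address, not to the hosts that answered. Returns, per destination,
    the sorted unsolicited reply sources when at least `min_sources` are involved."""
    requests = defaultdict(list)            # (src, dst) -> timestamps of echo requests
    for ts, src, dst, icmp_type in records:
        if icmp_type == ECHO_REQUEST:
            requests[(src, dst)].append(ts)
    unsolicited = defaultdict(set)
    for ts, src, dst, icmp_type in records:
        if icmp_type != ECHO_REPLY:
            continue
        matching = requests.get((dst, src), ())
        if not any(0 <= ts - req_ts <= window for req_ts in matching):
            unsolicited[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in unsolicited.items()
            if len(srcs) >= min_sources}


if __name__ == "__main__":
    for ts, src, dst, _ in directed_broadcast_requests(RECORDS, ["198.51.100.0/24"]):
        print("amplifier side: echo request to broadcast %s from %s at t=%.2f" % (dst, src, ts))
    for victim, sources in unsolicited_reply_floods(RECORDS).items():
        print("victim side: %s received unsolicited replies from %d hosts: %s"
              % (victim, len(sources), ", ".join(sources)))
```

In practice the records would come from NetFlow or a packet capture, and the reply sources returned for the victim are real, unspoofed hosts on the amplifier subnet, which is why filtering them by address does not help the victim and why the fixes had to land on the router and the responding hosts.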