
Someone recently told me that the NSA could impersonate pretty much anyone they want by using IP address spoofing on the Internet. But how would that work and to what extent is it true anyway?

Could any ISP in the world just spoof any IP address they wanted or is there some kind of protection against that?

Peter Mortensen
Forivin

4 Answers


IP Spoofing is NOT IP Hijacking which is causing confusion for anyone reading this. IP Spoofing at its minimum / bare bones explanation is also called impersonation. Let's have an ASCII look at what it does, and how it happens:

You (1.2.3.4) --> connect to your bank --> Bank (2.2.2.2)

In spoofing, I can pretend to be anyone I want, if I am on your network:

Me (1.2.3.4) to you --> I am 2.2.2.2 --> You
Me (1.2.3.4) to you --> I am Google.com --> You

This is a moot point because if you respond, I will NEVER see the response, I am not 2.2.2.2 nor Google. This is called blind spoofing. For impersonation, I want to pretend to be your bank without you knowing this, because I want to steal your money. Therefore I need to see your responses and your bank's response. Now I have to perform multiple impersonations. I have to pretend to you, that I am your bank, and I have to pretend to your bank, that I am you:

Me (1.2.3.5) --> to your ROUTING handler (be it a router or your routing table)
Me (1.2.3.5) --> I am 2.2.2.2 --> You
Me (1.2.3.5) --> I am 1.2.3.4 --> Your bank

For this to occur I MUST be in your infrastructure. Think of this as a proxy server. Using a proxy server the connection is the same:

Me (1.2.3.5) --> proxy server (1.2.3.10) --> Bank (2.2.2.2)
Bank responds --> proxy server --> Me

Traffic needs to flow to and from. In an IP Hijacking scenario, data is relayed, hence there is no spoofing (I can proxy to see everything) BGP Hijacking enables watching the wire. Someone ON the network that is performing the hijacking can then perform the spoofing.

Now in the case of an ISP/NSP/NAP, a government may take this approach:

You (1.2.3.4) --> ISP (1.2.3.1 default route) --> Bank (2.2.2.2) # Normal connection

In the above, this would be the non-tampered session that would occur. In say an NSA tapped network this is what would occur:

You (1.2.3.4) --> ISP (1.2.3.1) --> internal ISP proxy <-- NSA (1.2.4.1) --> Bank (2.2.2.2)

From your perspective, you are connecting to your ISP, then to your bank. You will never (and can never) see the proxying occurring. This is the kind of spoofing/masquerading/impersonation done with systems created by companies like Narus that used a tap at AT&T to tap main connections.

There is little to be done on a scale of eavesdropping like this, as government agencies have the capabilities of using SSL certificates, and other means to prevent you from knowing what is going on. VPN tunneling won't prevent it, as you are at the mercy of your provider, and a warrant is a warrant.

There is no need for "BGP Hijacking", BCP filtering to even enter this discussion as BCP filtering will not counter the above proxy example. BCP filtering covers spoofing, not proxying, nor hijacking. If an attacker manages to manipulate the routing table on say your operating system, BCP is a moot point.

OPSXCQ
munkeyoto
  • What about HPKP? Couldn't you pin (given that the implementing software supports this) a certificate or public key to detect/prevent this? – comfreak Apr 28 '16 at 20:48
  • @comfreak HPKP revolves around webservers (HTTP/HTTPS), and will do nothing for other servers. In say the banking concept, if some form of non HTTPS application using say JSON calls via something other than HTTPS (say port 9002 client and server interconnection applet), HPKP would do nothing. Let's suppose the bank did transactions over their own unique protocol... HPKP would be a moot point as well – munkeyoto Apr 28 '16 at 22:32
  • @munkeyoto, **1)** Why do you say "VPN tunneling won't prevent it"? **2)** Also, regarding "if I am on your network" and "in your infrastructure"... what if the attacker is the ISP itself? Is my rogue ISP considered on my network and thus able to hack all my IP packets and thus "faking" all the DNS replies I get from Google's DNS servers? **3)** In fact, I don't get it, if the ISP can hijack/spoof all IP packets then **wouldn't this mean that TLS is completely useless** since TLS runs on IP? – Pacerier Dec 28 '16 at 07:45

IP spoofing means creating IP packets with a source address which is not yours and sending those to some destination. To be able to do so, routers on the path have to allow traffic coming from an incorrect source. BCP38 describes a number of techniques (filtering, uRPF) which ISPs can use to prevent spoofed IP traffic originating from their network.

Since the source address of the packet is spoofed, return traffic will not reach the host spoofing the packets, but will instead reach the host which has the spoofed IP address. This causes protocols like TCP to break, since that requires a three-way handshake. I don't think IP spoofing is high on the NSA's list of tools, since it has very limited use for observation.

IP spoofing is mostly used in DDoS attacks: if you can figure out a way to send a small UDP request (for example a DNS query) with the IP of a DDoS target as the spoofed source address to a host which sends a large answer (for example a large DNSSEC signed DNS reply), you can easily generate large amounts of traffic towards the target.

Jordan Melo
Teun Vink
  • Very good points. I didn't think of the fact that even for a tcp request without a response, data needs to go back and forth. – Forivin Jul 25 '16 at 09:23
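The BCP38 ingress filtering the answer above refers to can be illustrated with a strict uRPF check over a constructed routing table. This is an added example, not code from the answer or from any router vendor; the interface names, prefixes and packets are constructed sample data, and the bank address 2.2.2.2 is deliberately absent from the customer-facing routes.

```python
"""Strict uRPF (RFC 3704 / BCP38) ingress check over a constructed routing table."""
import ipaddress
from dataclasses import dataclass

# Constructed routing table of an ISP edge router: which prefixes are reachable
# via which customer-facing interface. That is the "reverse path" uRPF consults.
ROUTES = {
    "cust-a": [ipaddress.ip_network("1.2.3.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("203.0.113.0/25")],
}


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str       # source address the packet claims
    dst: str


def strict_urpf_ok(pkt: Packet, routes=ROUTES) -> bool:
    """Accept only if the best route back to pkt.src leaves via pkt.ingress."""
    src = ipaddress.ip_address(pkt.src)
    # Longest-prefix match across all interfaces decides the reverse path.
    candidates = [(net.prefixlen, ifname)
                  for ifname, nets in routes.items()
                  for net in nets if src in net]
    if not candidates:
        return False                   # no route back at all: unrouted / spoofed source
    _, best_if = max(candidates)
    return best_if == pkt.ingress


def filter_packets(pkts, routes=ROUTES):
    """Split packets into (accepted, dropped); dropped entries carry a reason."""
    accepted, dropped = [], []
    for p in pkts:
        if strict_urpf_ok(p, routes):
            accepted.append(p)
        else:
            dropped.append((p, "source %s not reachable via %s" % (p.src, p.ingress)))
    return accepted, dropped


# Constructed sample traffic arriving at the edge router.
SAMPLE = [
    Packet("cust-a", "1.2.3.4", "2.2.2.2"),       # legitimate customer traffic
    Packet("cust-a", "2.2.2.2", "1.2.3.4"),       # claims to be the bank: spoofed
    Packet("cust-b", "1.2.3.4", "2.2.2.2"),       # cust-b using cust-a's address: spoofed
    Packet("cust-b", "203.0.113.9", "8.8.8.8"),   # legitimate
]
```

Strict mode as written also drops legitimate traffic on asymmetrically routed links, which is why BCP38 deployments often use the loose or feasible-path variants there.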

tldr: Yes, No (both: until IPSec)

I understand your question as

Can someone (an ISP, for example) impersonate an internet host on the IP level? If so, how and how can that be mitigated?

The right term for that is not IP Spoofing, which as Teun put out in his answer, is spoofing the origin address of packets sent to a host; they are most useless with TCP connections but can be used with UDP and are often abused for DDoS attacks.

The right term for that is Hijacking and the rest of the answer will presume you meant that.

The Answer

This depends on the target. There are different methods to impersonate another host on a TCP/IP level. Those do, however, require access to the infrastructure.

  • If a specific host is to be the victim of this, their ISP can re-route the traffic for the "spoofed" IP(s) to a machine of their choice instead, without affecting other parts of the internet.

    Thus, this attack is hardly trackable outside of the ISP's network. If ISPs cooperate with three letter agencies with a warrant, this would be the easiest way.

  • If a specific IP should be spoofed for a lot of people, the Border Gateway Protocol can be used to make other routers on the internet reroute their traffic for that IP to you - provided you have sufficient resources.

    I think the Great Firewall of China (did / does?) this for some prominent internet platforms to establish a large scale MiTM, but I cannot find any links to that at the moment.

As the TCP/IP technology (and the BGP) mostly depend on trust (and are pretty old), there is nothing in there to prevent that. However, IPSec sets out to mitigate such problems, yet isn't broadly supported at this point in time.

Additionally, TLS can be deployed on a higher level to mitigate this problem in the TCP branch of the ISO/OSI model above the IP Layer.

Tobi Nary
  • There is actually one thing which can prevent BGP hijacks: RPKI (https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure), which allows networks to digitally sign the IP prefixes belonging to them, so any announcement of the same prefix (or a more specific) from another network will result in a validation error. RPKI isn't widely implemented yet though (both signing and validating), and it has another drawback: it puts all trust into the signing authority (just like is done with DNSSEC signing of the root). – Teun Vink Apr 27 '16 at 13:31
  • BGP hijacking can be prevented with RPKI. And BGP Hijacking is not IP spoofing, as IP spoofing is NOT IP hijacking. – munkeyoto Apr 27 '16 at 13:31
  • @munkeyoto, As detailed in my answer, I presume from the wording of the question that OP does not use the right terminology and that I am instead answering the question as if OP asked for Hijacking. And I still believe this is what OP actually meant. – Tobi Nary Apr 27 '16 at 13:51
  • @SmokeDispenser I answered based on his initial statement: "Impersonate pretty much anyone they want" which is why I decided to illustrate the differences and clarify the issues. I just wanted to point out the BGP Hijacking issue via RPKI which Teun also answered. – munkeyoto Apr 27 '16 at 13:58
  • @munkeyoto teun also pointed out as to why I'm not mentioning RPKI - it's not supported; nowhere - and your comment implies I don't know the difference between hijacking and spoofing, which is pretty insulting, especially with my clarification on that I chose to interpret the question as using the wrong vocabulary. – Tobi Nary Apr 27 '16 at 14:02
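The RPKI validation error mentioned in the comments above is route origin validation as specified in RFC 6811: a validator compares each BGP announcement's prefix and origin AS against the signed ROAs. The following is an added example (not code from the answer, the comments, or any RPKI validator); the ROAs and announcements are constructed sample data using documentation prefixes and private AS numbers.

```python
"""RPKI route origin validation (RFC 6811) over constructed ROAs."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str     # prefix the holder has signed, e.g. "203.0.113.0/24"
    max_len: int    # longest prefix length the holder allows to be announced
    asn: int        # origin AS authorised to announce it


# Constructed ROAs, standing in for what a validator fetches from the RPKI repositories.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64496),
]


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement.

    A ROA *covers* the announcement when the announced prefix lies inside the
    ROA prefix. It *matches* when, in addition, the origin AS equals the ROA's
    ASN and the announced length does not exceed max_len. Any matching ROA makes
    the route valid; a covering ROA with no match makes it invalid (the case of
    a foreign origin or an over-specific announcement); no covering ROA means
    not-found, i.e. the prefix holder has not signed anything.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def apply_policy(announcements, roas=ROAS):
    """Typical router policy: drop 'invalid', keep 'valid' and 'not-found'."""
    kept, dropped = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        (dropped if state == "invalid" else kept).append((prefix, asn, state))
    return kept, dropped
```

Note that the "not-found" state is accepted by the usual policy, which is the gap the comment describes: a hijack of an unsigned prefix is not caught, and a hijack of a signed prefix is caught only by routers that actually validate.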

As others have stated, IP spoofing involves faking the source address of IP packets that you send. I noticed that the general consensus is that it is not possible to get the reply unless you are on the same network as the IP you are impersonating.

I thought that it was worth mentioning that in the case of hacking satellite connections, that same network can be a very large region.

schroeder
N00b