Sidebar: IP spoofing
A frequently exploited trick for breaking into a system is called IP spoofing. It is based on the fact that a system with an IP address of 1.x.y.z pretends to be a system with the address 2.a.b.c. In this case, the first address denotes an untrusted host, whereas the second address denotes a trusted host (very often the local host address 127.0.0.1). Because the IP layer normally adds these IP addresses to a data packet, a spoofer has to circumvent the IP layer and talk directly to the raw network device. The spoofer builds an IP packet by hand and puts it on the wire. This may sound more complicated than it really is.
Faking a UDP packet is relatively simple. The header of a UDP packet is very simple due to its connectionless nature, so you can fill in any IP address you like and pretend to be somebody else. There is one problem, however. If a server needs to send a reply, it will send it to the "real" 2.a.b.c instead of to the machine faking it. So, IP spoofing is normally used to deposit another exploit on the target machine.
Faking a TCP connection is much harder, but not impossible. The difficulty lies in the fact that when a TCP connection is established, both the server and the client generate a sequence number from which they will start counting the packets transmitted. This sequence number is generated at random (or at least it should be), and should be hard to predict. However, some implementations of the TCP/IP protocol make it rather easy to predict this sequence number. Once the spoofer has managed to predict the sequence number, he or she can send packets to the target machine just as if the connection were established. This is also often used to deposit another exploit on the target machine. Figure 2 shows what happens when a client and a server make a TCP connection.
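The weak point described above is an initial sequence number (ISN) generator whose output can be guessed. The following is an added example, not code from the original article: a small audit routine that takes the ISNs observed on successive connections to a host and judges whether they come from a constant-increment, a jittery, or a well-randomised generator. The sample ISN series and the classification threshold are constructed assumptions, not real captures.

```python
"""Audit observed TCP initial sequence numbers (ISNs) for predictability.

Added example, not from the original article. The ISN series below are
constructed by hand to mimic a constant-increment, a jittery and a random
generator; the std-dev threshold used for classification is an assumption.
"""
from statistics import pstdev

MODULUS = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def isn_deltas(isns):
    """Successive differences between the ISNs of consecutive connections, mod 2**32."""
    return [(later - earlier) % MODULUS for earlier, later in zip(isns, isns[1:])]


def classify_isn_generator(isns):
    """Classify how predictable the generator behind a captured ISN series is.

    "constant-increment": every delta is identical, so the next ISN is known.
    "low-entropy": deltas cluster tightly (assumed: std dev below 2**16), so only
                   a small window of values needs to be guessed.
    "random": deltas are spread across the 32-bit space.
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISNs to judge a generator")
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        return "constant-increment"
    if pstdev(deltas) < 2 ** 16:
        return "low-entropy"
    return "random"


# Constructed samples (not real captures): ISNs seen on eight successive connections.
WEAK_ISNS = [0x10000 * i for i in range(1, 9)]  # +65536 per connection, fully predictable
JITTERY_ISNS = [0x4000]                          # ~64000 per connection with a few units of jitter
for step in (64000, 64003, 63998, 64001, 64002, 63999, 64000):
    JITTERY_ISNS.append((JITTERY_ISNS[-1] + step) % MODULUS)
RANDOM_ISNS = [0x1A2B3C4D, 0x9F0E1D2C, 0x4455AABB, 0xDEAD0001,
               0x0BADF00D, 0x77EE11CC, 0xC0FFEE42, 0x31415926]

if __name__ == "__main__":
    for name, series in (("weak", WEAK_ISNS), ("jittery", JITTERY_ISNS), ("random", RANDOM_ISNS)):
        print(f"{name:8s}: {classify_isn_generator(series)}")
```

In practice the series would be collected from the ISNs in SYN-ACK replies of repeated connections to the host being audited.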