IP address spoofing IP fragmentation attack network ID and subnet mask, uses IP address restric- tion. Access may then be either allowed or denied for each address or block of addresses. Another example is the Apache Web server, where access to Web content can be controlled using IP addresses by configuring the .htaccess file on UNIX platforms. IP address restriction is considered a weak form of access control since attackers may be able to circum- vent such restrictions by spoofing the source addresses of IP packets. Notes A related method of controlling access is domain name restriction, which restricts access based on the Domain Name System (DNS) domain to which the host trying to obtain access belongs. See Also: access control, .htaccess, IP address spoof- ing, Rlogin, spoofing IP address spoofing The process of falsifying the source Internet Protocol (IP) address of IP packets. Overview IP address spoofing (or simply, IP spoofing) is a method used by intruders to impersonate trusted systems. By default, routers generally ignore source IP addresses when routing packets, and they use only destination IP addresses to ensure packets reach their intended desti- nation. The result is that an attacker who forges IP packets containing source addresses of trusted systems may be able to circumvent router security and initiate denial of service (DoS) attacks, redirect traffic, or hijack sessions using man-in-the-middle (MITM) attacks. IP spoofing is especially a hazard on UNIX platforms running such applications as Rsh or Rlogin that authen- ticate connections using source IP addresses stored in .rhosts files. IP address authentication is a weak form of authentication supported by many UNIX applications and should be replaced by password authentication to ensure security. The standard approach for preventing IP spoofing attacks is to configure ingress filters on routers or fire- walls in order to deny any inbound traffic whose source address is from a trusted host on your internal network. When an intrusion detection system (IDS) detects such traffic, there is a high probability that a spoofing attack is under way. Encryption of traffic between routers and external hosts is another effective way of protecting against spoofing attacks. Notes Tools used by attackers to launch spoofing attacks include Dsniff, Hunt, Ipspoof, and Spoofit. See Also: Dsniff, ingress filtering, .rhosts, spoofing IP fragmentation attack An attack that uses fragmented Internet Protocol (IP) packets. Overview The IP standard supports fragmentation to allow IP packets to traverse different types of transmission media, for example, to travel between two local area networks (LANs) over a wide area network (WAN) connection. Fragmentation can also be used to attack IP hosts, however, and by deliberately crafting fragmented IP packets, it may be possible for attackers to circum- vent firewall protection, hide traffic from intrusion detection systems (IDSs), or create denial of service (DoS) conditions to prevent legitimate users from accessing network services. Early forms of fragmentation attacks were able to cir- cumvent firewall restrictions because of the fact that firewall products didn’t apply their rules until frag- mented packets had been reassembled. As a result, fire- wall products were found to be vulnerable to DoS attack by continually sending them large numbers of forged initial fragments until the internal resources of the firewall were consumed. Tools used to initiate such attacks included Jolt2, Teardrop, and Nmap. Most fire- wall vendors have since modified their products to pro- tect against such attacks. A tool called Fragrouter can I 153 IP address spoofing IP fragmentation attack network ID and subnet mask, uses IP address restric- tion. Access may then be either allowed or denied for each address or block of addresses. Another example is the Apache Web server, where access to Web content can be controlled using IP addresses by configuring the .htaccess file on UNIX platforms. IP address restriction is considered a weak form of access control since attackers may be able to circum- vent such restrictions by spoofing the source addresses of IP packets. Notes A related method of controlling access is domain name restriction, which restricts access based on the Domain Name System (DNS) domain to which the host trying to obtain access belongs. See Also: access control, .htaccess, IP address spoof- ing, Rlogin, spoofing IP address spoofing The process of falsifying the source Internet Protocol (IP) address of IP packets. Overview IP address spoofing (or simply, IP spoofing) is a method used by intruders to impersonate trusted systems. By default, routers generally ignore source IP addresses when routing packets, and they use only destination IP addresses to ensure packets reach their intended desti- nation. The result is that an attacker who forges IP packets containing source addresses of trusted systems may be able to circumvent router security and initiate denial of service (DoS) attacks, redirect traffic, or hijack sessions using man-in-the-middle (MITM) attacks. IP spoofing is especially a hazard on UNIX platforms running such applications as Rsh or Rlogin that authen- ticate connections using source IP addresses stored in .rhosts files. IP address authentication is a weak form of authentication supported by many UNIX applications and should be replaced by password authentication to ensure security. The standard approach for preventing IP spoofing attacks is to configure ingress filters on routers or fire- walls in order to deny any inbound traffic whose source address is from a trusted host on your internal network. When an intrusion detection system (IDS) detects such traffic, there is a high probability that a spoofing attack is under way. Encryption of traffic between routers and external hosts is another effective way of protecting against spoofing attacks. Notes Tools used by attackers to launch spoofing attacks include Dsniff, Hunt, Ipspoof, and Spoofit. See Also: Dsniff, ingress filtering, .rhosts, spoofing IP fragmentation attack An attack that uses fragmented Internet Protocol (IP) packets. Overview The IP standard supports fragmentation to allow IP packets to traverse different types of transmission media, for example, to travel between two local area networks (LANs) over a wide area network (WAN) connection. Fragmentation can also be used to attack IP hosts, however, and by deliberately crafting fragmented IP packets, it may be possible for attackers to circum- vent firewall protection, hide traffic from intrusion detection systems (IDSs), or create denial of service (DoS) conditions to prevent legitimate users from accessing network services. Early forms of fragmentation attacks were able to cir- cumvent firewall restrictions because of the fact that firewall products didn’t apply their rules until frag- mented packets had been reassembled. As a result, fire- wall products were found to be vulnerable to DoS attack by continually sending them large numbers of forged initial fragments until the internal resources of the firewall were consumed. Tools used to initiate such attacks included Jolt2, Teardrop, and Nmap. Most fire- wall vendors have since modified their products to pro- tect against such attacks. A tool called Fragrouter can I 153 . address spoof- ing, Rlogin, spoofing IP address spoofing The process of falsifying the source Internet Protocol (IP) address of IP packets. Overview IP address spoofing (or simply, IP spoofing). address spoof- ing, Rlogin, spoofing IP address spoofing The process of falsifying the source Internet Protocol (IP) address of IP packets. Overview IP address spoofing (or simply, IP spoofing). high probability that a spoofing attack is under way. Encryption of traffic between routers and external hosts is another effective way of protecting against spoofing attacks. Notes Tools