Spoofing Defense Dissed By Security Experts

A defense lawyer in an ongoing federal computer sabotage trial is pushing the idea that four years ago, a hacker masqueraded as his client to surreptitiously plant the logic bomb that took down thousands of servers at UBS PaineWebber, thus framing an innocent man.

Roger Duronio, a former systems administrator at UBS, is currently on trial in a District Court in Newark, N.J., for allegedly building and distributing the logic bomb that crippled the company's ability to do business for a day in some locations, and for as long as two to three weeks in others, costing UBS a reported $3.1 million in cleanup costs alone. If convicted, Duronio faces a maximum sentence of 30 years, fines of up to $1 million and restitution for the money UBS spent on recovery.

Chris Adams, Duronio's attorney and a partner at Walder Hayden & Brogan in Roseland, N.J., has been throwing a slew of who-done-it theories at the jury, including an outside hacker, another systems administrator or even a slip-up by Cisco Systems, Inc., which was doing a penetration test of the UBS network during the March 4, 2002 incident.

But one major theme that Adams keeps returning to is the idea of someone -- whether inside UBS or outside -- using IP spoofing to pretend to log into the company's Unix-based network from Duronio's home, using the defendant's own corporate VPN connection. That's Adam's explanation for why forensics examiners and federal investigators traced remote connections to the network directly back to Duronio's own IP address, during the times when pieces of the malicious code were being planted on the system. The problem with this theory, according to several security professionals and even one long-time hacker, is that, technically, it simply can't be done.

''Spoofing the IP address is not difficult,'' says Johannes Ullrich, chief research officer at the SANS Institute. ''The problem is transferring data with a spoofed IP address. It's close to impossible to do.'' Ullrich also is the chief technology officer for the Internet Storm Center, a cooperative cyber threat monitoring and alert system.

IP spoofing (short for Internet Protocol address spoofing) is a way to fool a computer into thinking that a packet is coming from machine A when it is really coming from machine B. The header of every IP packet contains its source address - normally the address that the packet was sent from. By putting a different address into the header, a hacker can give the appearance that the packet was sent from a different machine.

IP spoofing often is used for denial-of-service attacks because the attacker simply has to overwhelm a network with a flood of pings or useless traffic. explains Ken van Wyk, a 20-year IT security veteran and principal consultant with KRvW Associates, LLC of Alexandria, Va. A session doesn't have to be established. The attacker, simply put, has to pound on the door. He doesn't actually need to be let inside.

But Duronio's defense attorney has been asking various UBS witnesses who have taken the stand so far to talk about IP spoofing and sniffing, which is the act of capturing information - generally packets - as they go over the network. ''You can read the packets and use them to pretend you're coming from another IP address, can't you?''

Adams last week asked Rafael Mendez, who was UBS' division vice president for network services at the time of the attack. Mendez responded that spoofing becomes much more difficult to do if the packets are encrypted. He also said most ISPs set up sniffing roadblocks, blocking that kind of security problem. The idea of hackers using IP spoofing is generally traced back to Kevin Mitnick, one of the world's most famous hackers and a cause celebre at one time in the hacker community. Mitnick was arrested in 1995 and was convicted of wire fraud and breaking into computer systems at major companies like Sun Microsystems, Inc. and Motorola. He used IP spoofing to try to hide his identity during at least one attack.

The difference between what Mitnick did, and what the defense in the Duronio trial is suggesting happened in this case, is that in this latest scenario, IP spoofing would have had to have been used to load actual lines of code onto the UBS servers. Mitnick just needed to get a few packets through to the receiving server - a real session wouldn't have had to have been established. That's a whole different story from starting and maintain a session long enough to load on, or modify code, says George Bakos, a self-proclaimed hacker with 20 years of experience, and a senior security expert with the Institute for Security Technology Studies at Dartmouth College in Hanover, N.H.

''When you connect to a machine, there are dozens of packets that are exchanged just to authenticate and get ready to do things,'' says Bakos, who said he broke into his first mainframe back in 1979. ''If you're modifying code, or changing 70 lines of code, it would like taking hundreds, if not thousands, of TCP segments.''

Bakos explained that when using TCP (Transmission Control Protocol), every data segment that's sent must be acknowledged by the recipient. That acknowledgement contains a number that must be used when the sending computer ships more data to the server. They are called TCP sequence numbers, and the exchange of these numbers must remain synchronized.

The problem, according to both Bakos and Ullrich, is that with IP spoofing, the acknowledgement goes back to the true owner of the IP address - not to the machine that is pretending to be at that address. Since the server would not get a response from the spoofed address, the connection would be broken.

Van Wyk said it would be like sending a postcard with someone else's address on it. If the person who receives the card, responds, she'll reply to the address written on the card and it will never get to the phony sender.

''You can do it for a few packets, but the synchronization challenge is very, very difficult,'' says Bakos. ''Once you lose synchronization, then everything else you've done is thrown away. Unfortunately, when doing TCP spoofing, you're flying blind. You never see the responses come back to you. And what you're doing is out of synch with what the server is doing Then everything that you got into the server will be tossed out if you don't maintain that synchronization.''

Ullrich says the TCP sequence numbers are chosen randomly out of 4 billion options. He says guessing it would be ''close to impossible'' or at least a one-in-4-billion chance. Back in the mid-1990s, these numbers were not picked randomly, so Mitnick had a much easier job figuring out which ones to use.

And Ullrich also notes that an IP spoofing attack would be fairly easy to spot on an enterprise system. ''If something is trying to do that on your network, it's pretty obvious. It generates a lot of traffic because these hosts are sending acknowledgements that they don't understand.'' He also said there would be a record of the attempts.

As for a hacker using a sniffing technique to get the IP address while it's in transmission, Ullrich explained that a VPN has its own encryption, along with ways to validate the IP address and the user. ''That's what you have a VPN for,'' he said. ''All the traffic is encrypted and authenticated. Unless you're NSA or somebody like that, you're not going to break that encryption.''