-3

Both UDP and TCP do not include a source address, but how is it said that UDP IP spoofing is easier than TCP? For example, the following webpage also talks about the UDP vulnerability.

"Unlike TCP, UDP does not have a mechanism for verifying a packet source, which makes it very vulnerable to source-packet spoofing and inception attacks." http://www.onlamp.com/pub/a/onlamp/2004/10/14/dnssec.html

Please help me to understand.

Jaeh

2 Answers

12

"Both UDP and TCP do not include a source address"

Your question is based on a misunderstanding. It's true that neither UDP nor TCP headers include a source address, but that's because they don't have to: the source address is already included in the header of the encapsulating transport protocol, which in this case would be the IP header.

As for why UDP spoofing is of particular note:

  • TCP sessions are initiated with a three-way handshake before payload is delivered. (SYN, ACK, SYN ACK) The device holding an IP address that another is spoofing will refuse an unexpected ACK or SYN ACK packet, preventing the session from being established. This still wastes the resources of the victim, but is not very bandwidth efficient.
  • There is no handshake required to begin transmitting a payload via UDP. Any authentication of packets must be implemented within the payload itself and is not built into the protocol. Services which commonly do not implement such checks (DNS, NTP) are therefore vulnerable to source address spoofing, since the software will assume that any incoming data with a spoofed source address is valid and reply with the requested information.
  • Since many UDP based applications can be fooled into replying to a small UDP query with a much larger UDP reply, it's more bandwidth efficient for malicious parties to leverage these in their attacks. This phenomenon is referred to as an amplification effect.
Andrew B
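
Added example, not part of the original answer: one way a UDP service can put the source check "within the payload itself", using a stateless HMAC cookie so that a large reply is only sent to an address that has proved it receives the server's packets. The wire format, names, sizes and addresses are assumptions made for this sketch, not any real protocol's layout.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)     # per-server key (constructed for this example)
LIFETIME = 30               # seconds a cookie stays valid (assumed value)
COOKIE_LEN = 16
LARGE_ANSWER = b"A" * 1200  # stand-in for a big DNS/NTP-style response

def _mac(addr, bucket):
    # Bind the cookie to the claimed source IP, port and a time bucket.
    msg = f"{addr[0]}|{addr[1]}|{bucket}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:COOKIE_LEN]

def make_cookie(addr, now):
    return _mac(addr, int(now // LIFETIME))

def cookie_ok(addr, cookie, now):
    bucket = int(now // LIFETIME)
    # Accept the current and previous bucket so cookies survive a rollover.
    return any(hmac.compare_digest(cookie, _mac(addr, b))
               for b in (bucket, bucket - 1))

def handle_datagram(addr, data, now):
    """Return the reply for one datagram, or None to drop it.

    Hypothetical wire format: 16-byte cookie field followed by the query.
    `addr` is what recvfrom() reported, i.e. the unverified IP header value.
    """
    if len(data) <= COOKIE_LEN:
        return None  # too short: any reply would be larger than the request
    cookie = data[:COOKIE_LEN]
    if cookie_ok(addr, cookie, now):
        return b"R" + LARGE_ANSWER  # source proved it receives our replies
    # Unverified source: answer with the cookie only (17 bytes <= request
    # size), so a spoofed request is never amplified toward the claimed address.
    return b"C" + make_cookie(addr, now)
```

A sender that forges `addr` never sees the cookie, because it is delivered to the real holder of that address, and the unverified reply is never larger than the request that triggered it.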
0

Assume you want to spoof a DNS request, because a DNS server will answer to both UDP and TCP.

How many packets do you have to send for a DNS request by UDP -- and how many packets do you need for the same request by TCP? Which attack is easier?

mschuett