Security


IP Security and Authentication

It is easy for an unauthorized user to spoof IP packets, that is, to make packets appear to have come from another source. This is achieved by writing applications that build complete, but invalid, IP packets and then sending them to a target computer. The packets are invalid in that the source IP address is incorrect, does not exist, or is unreachable because of router settings. The target computer attempts to set up a connection with the unreachable source but fails. In doing so, the target must allocate memory for the connection anyway, even though the connection never completes, and it waits for a while to accommodate latencies in the network. If the system receives a large number of these invalid packets, the target will eventually run out of memory and probably stop responding. This is a denial-of-service attack.

IPSec can provide strong authentication of packet data in order to help alleviate many of these common spoofing attacks.
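
The following Python sketch is an added example, not code from the original page or from any IPSec implementation. It models the authentication idea in simplified form: a keyed integrity check value covers the source address and payload, and the receiver allocates connection state only after that check passes. The packet layout, key, SPI value, and addresses are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits

def icv(key, src, dst, spi, seq, payload):
    """Integrity check value over addresses, SPI, sequence number and payload."""
    msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + struct.pack("!II", spi, seq) + payload)
    return hmac.new(key, msg, hashlib.sha256).digest()[:ICV_LEN]

def make_packet(key, src, dst, spi, seq, payload):
    return {"src": src, "dst": dst, "spi": spi, "seq": seq,
            "payload": payload, "icv": icv(key, src, dst, spi, seq, payload)}

class Receiver:
    def __init__(self, sas):
        self.sas = sas           # SPI -> shared key (simplified security association)
        self.connections = {}    # state is allocated only after authentication

    def accept(self, pkt):
        key = self.sas.get(pkt["spi"])
        if key is None:
            return False
        expected = icv(key, pkt["src"], pkt["dst"], pkt["spi"],
                       pkt["seq"], pkt["payload"])
        if not hmac.compare_digest(expected, pkt["icv"]):
            return False         # dropped before any memory is committed
        self.connections[(pkt["src"], pkt["seq"])] = pkt["payload"]
        return True

def demo():
    key = b"constructed-demo-key-0123456789ab"  # constructed sample key
    rx = Receiver({0x1001: key})
    genuine = make_packet(key, "192.0.2.10", "192.0.2.1", 0x1001, 1, b"SYN")
    # The genuine packet with its source address rewritten in transit.
    tampered = dict(genuine, src="198.51.100.7")
    # A sender claiming the peer's address without holding the key.
    impostor = make_packet(b"guess", "192.0.2.10", "192.0.2.1", 0x1001, 2, b"SYN")
    # Many packets with invalid source addresses, also without the key.
    flood = [make_packet(b"guess", f"198.51.100.{i}", "192.0.2.1", 0x1001, i, b"SYN")
             for i in range(1, 101)]
    results = [rx.accept(p) for p in [genuine, tampered, impostor] + flood]
    return results.count(True), len(rx.connections)
```

Calling `demo()` returns the number of accepted packets and the number of connection entries the receiver allocated; only the genuine packet results in allocated state.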


© 1997-1999 Microsoft Corporation. All rights reserved.