IP Spoofing question


r...@recon.org

Jun 5, 2000, 3:00:00 AM6/5/00
Am I correct that someone engaged in an IP spoof attack will not be able
to receive any response packets? If they are forging the source IP, that
same address becomes the destination IP for any responses. It's hard to
see how the intermediate routers would "know" to redirect those response
packets back to the attacker's machine.

Pointers to specific RTFM's gratefully accepted....


Sent via Deja.com http://www.deja.com/
Before you buy.

Barry Margolin

Jun 5, 2000, 3:00:00 AM6/5/00
In article <8hgoml$b9t$1...@nnrp1.deja.com>, <r...@recon.org> wrote:
>Am I correct that someone engaged in an IP spoof attack will not be able
>to receive any response packets? If they are forging the source IP, that
>same address becomes the destination IP for any responses. It's hard to
>see how the intermediate routers would "know" to redirect those response
>packets back to the attacker's machine.

Unless they have access to some of the routers along the way to the
address they're spoofing, and can reconfigure their routing, you're
correct. IP spoofing is used for attacks where you don't need to see the
responses. For instance, in a SMURF attack, you spoof the address of the
machine you want to bombard; in a SYN-Flood you spoof the addresses of
nonexistent machines; and in TCP hijacking you might send a command like
"rm -r *", whose output you don't need to see to know what it does.

--
Barry Margolin, bar...@genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

Walter Roberson

Jun 5, 2000, 3:00:00 AM6/5/00
In article <ZPR_4.12$Ai.1307@burlma1-snr2>,
Barry Margolin <bar...@genuity.net> wrote:

:In article <8hgoml$b9t$1...@nnrp1.deja.com>, <r...@recon.org> wrote:
:>Am I correct that someone engaged in an IP spoof attack will not be able
:>to receive any response packets? If they are forging the source IP, that
:>same address becomes the destination IP for any responses. It's hard to
:>see how the intermediate routers would "know" to redirect those response
:>packets back to the attacker's machine.

:Unless they have access to some of the routers along the way to the
:address they're spoofing, and can reconfigure their routing, you're
:correct. IP spoofing is used for attacks where you don't need to see the
:responses. For instance, in a SMURF attack, you spoof the address of the
:machine you want to bombard; in a SYN-Flood you spoof the addresses of
:nonexistent machines; and in TCP hijacking you might send a command like
:"rm -r *", whose output you don't need to see to know what it does.

Adding to what Barry said:

Another thing to watch out for is "IP source routing". One of the
options in a TCP packet header is to say "The destination IP address
is the one you see in the main header, but data for it should be routed
through this list of addresses in turn." Sort of like giving a letter
to your neighbour who gives it to a business partner who happens to
be travelling in Florida for vacation, who will meet there someone from
Seattle who will take the letter and drop it at your Aunt Harriet's --
only in reverse, telling the destination computer each step of the way
how to get data back to the source. This can be a problem because
one of the steps along the way in the header could be the attacking
computer -- who has just cleverly set it up so they see a copy of
the response and yet someone else gets the blame.

Most sites these days block all source-routed packets.


On the topic of TCP hijacking: to do that kind of spoofing, the
attacker has to be able to predict what the TCP packet acknowledgement
sequence number is going to be. Some systems change their sequence
numbers very slowly, so that if the attacker sent an innocuous
message under their own address, they would get back a sequence number,
and they could then just add one or two to it to get the sequence
number that the target will respond with when the attacker forges
a new message to look like it came from someone else {e.g., some
system inside the target's security perimeter, that the target trusts!}

The response to this has been to generally make sequence numbers harder
to predict. Each system has to do that individually, though (it isn't
a standard), so lots of systems still have poor sequence number
algorithms. If you are interested in this issue, I suggest you look
at the 'nmap' scanner, which has code in it to try to map out sequence
number algorithms.
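The edge-side defence that both Barry's and Walter's replies point at, as an added example that is not from this thread: an ingress filter drops packets whose source address is outside the prefix that legitimately lives behind the arriving interface (the same property that makes blind spoofing blind makes the forged source recognisable at the edge), and drops anything carrying a loose or strict source route option so the attacker cannot steer the reply. The packet builder, prefixes and addresses below are constructed for the demo; the option type codes and header layout are from RFC 791.

```python
import ipaddress
import struct

LSRR, SSRR = 0x83, 0x89   # loose / strict source route option types (RFC 791)

def parse_ipv4(packet: bytes):
    """Return (src, dst, option bytes) from a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    return (ipaddress.IPv4Address(packet[12:16]),
            ipaddress.IPv4Address(packet[16:20]), packet[20:ihl])

def source_route_options(options: bytes):
    """Walk the option list; return the type codes of any source-route options."""
    found, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:              # End of Option List
            break
        if kind == 1:              # No Operation: a single byte, no length field
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed option")
        if kind in (LSRR, SSRR):
            found.append(kind)
        i += options[i + 1]
    return found

def ingress_verdict(packet: bytes, expected_prefix: str) -> str:
    """BCP 38 style check for one interface: refuse source-routed packets, then refuse sources outside the prefix behind that interface."""
    src, _dst, opts = parse_ipv4(packet)
    if source_route_options(opts):
        return "drop: source-routed"
    if src not in ipaddress.ip_network(expected_prefix):
        return f"drop: source {src} not in {expected_prefix}"
    return "accept"

def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed test packet: minimal IPv4 header, no payload, checksum left zero."""
    options += b"\x00" * ((-len(options)) % 4)   # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options
```

A real deployment applies this on the customer-facing interface of the first router, where the legitimate prefix is known; a transit router deeper in the network cannot tell a forged source from a genuine one, which is exactly why the thread notes that only routers on the path could help the spoofer.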

Jason A. Ramsey

Jun 5, 2000, 3:00:00 AM6/5/00
And to add to what Walter said:

You can find the home page for nmap at http://www.insecure.org/nmap.

--

regards,

(o: jason :o)


---------------------//contact information//---------------------
jason a. ramsey jra...@wsgi.com
technical analyst
windstar group, inc. http://www.wsgi.com

windstar group : 2607 southeast blvd bldg a : spokane, wa 99223
voice: 509.535.8837 direct:509.444.8146 facsimile: 509.535.8934
-----------------------------------------------------------------

"Walter Roberson" <robe...@ibd.nrc.ca> wrote in message
news:8hh21c$oue$1...@canopus.cc.umanitoba.ca...
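Walter's point about slowly changing sequence numbers, and Jason's pointer to nmap's sequence-number mapping, as an added example that is not code from the thread or from nmap: sample a host's ISNs over several connections, look at the increments, and estimate how many bits an observer would have to guess. The classification thresholds are this example's own heuristic, not nmap's scoring, and the two sample generators are constructed stand-ins for a fixed-increment host and a random-ISN host.

```python
import math
import random
import statistics

SEQ_SPACE = 1 << 32   # TCP sequence numbers wrap modulo 2^32

def isn_deltas(samples):
    """Differences between consecutive ISN samples, taken modulo the sequence
    space so that a wrap past 2^32 still looks like a small increment."""
    return [(b - a) % SEQ_SPACE for a, b in zip(samples, samples[1:])]

def guessing_bits(samples):
    """Rough figure for how many bits an observer must guess: log2 of the spread
    of the increments. 0 means the next ISN follows exactly from the last one."""
    spread = statistics.pstdev(isn_deltas(samples))
    return 0.0 if spread < 1 else math.log2(spread)

def classify_isn(samples, threshold_bits=8.0):
    """Own heuristic (assumption, not nmap's index): classify the generator from samples."""
    if len(samples) < 4:
        raise ValueError("need at least four samples")
    deltas = isn_deltas(samples)
    if all(d == 0 for d in deltas):
        return "constant"
    if len(set(deltas)) == 1:
        return "fixed increment"
    return "predictable" if guessing_bits(samples) < threshold_bits else "unpredictable"

def predict_next(samples):
    """What an observer would guess for the next ISN when increments are regular:
    last sample plus the average increment. Meaningless for random ISNs."""
    return (samples[-1] + round(statistics.mean(isn_deltas(samples)))) % SEQ_SPACE

def constructed_fixed_step(start=0x12345678, step=64000, n=8):
    """Constructed host that bumps its ISN by a fixed amount per connection."""
    return [(start + i * step) % SEQ_SPACE for i in range(n)]

def constructed_random(n=16, seed=7):
    """Constructed host with random ISNs (seeded so the demo is repeatable)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]
```

Run this against your own hosts' captured ISNs: a "fixed increment" or "predictable" verdict is the condition Walter describes, where a single innocuous connection gives an outsider the number the target will answer with.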