Can You Spoof IP Packets?
nweaver writes "Spoofed IP packets are still believed to be a significant problem for the Internet. But are they? The Spoofer Project is attempting to measure the problem. Apparently, 80% of the IP addresses measured no longer support spoofing! Their methodology is simple: have users download a client which attempts to spoof packets to the monitor. Using these packets, they can determine the filter rules. So everyone, download the client and help!"
Oh yes! Everyone download this executable from known IP Spoofers and run it. It won't root your system, we promise...
Even you can help the next generation of scammers find an ISP to call home!
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Oh wait. This isn't an "Ask Slashdot"?
Nevermind...
my pet machine
1. Write a piece of software claiming to help monitor spoofed IP packets but really it does something more sinister.
2. Post a story to Slashdot with a link to the software on an MIT server and ask people to run it on their internal networks and send the data back to the author.
3. ???
4. Profit and say to yourself, "suckers"
Maybe I'm too paranoid. But this is a good example of how social engineering can be used to get you into places you shouldn't be. I guess the source code is provided. How many people will really read it?
"have users download a client which attempts to spoof packets to the monitor"
But my monitor does not have an ethernet port! Can I send packets into my DVI port?
...No.
Seriously, why would I want to participate in this?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I'm getting lots of "server terminated prematurely" and "writen error: No error" and "readline error: No error" and "Session Key: Not Found!" errors (Windows 2000, cable modem, northeast Indiana).
On my patched FC3 boxes I get an error after trying to run the Linux client. "Server terminated prematurely". Now I'm going to download and run the Windows client.
Not.
My packets have spoof all over them ! Anyone have a tissue?
This took out my wireless network on XP Home SP2 using Microsoft's wireless zero configuration tool for the software side of it. During the spoof portion of the test, all network connectivity halted and immediately reported that the wireless connection had disconnected.
Vehicle Stars used car search is my current project
But my monitor does not have an ethernet port!
Yours may not, but these do.
It's a collaboration between Slashdot and MIT to finally get adware on Linux machines.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
Getting too many connections from slashdotters...?
This sounds like it would help out the RIAA in their court battles to me....
...you can use a network packet monitor, and there are two ways to get your hands on such a device - the cheap...and the expensive way, the expensive way being the safest one (A hardware network monitor = hardware device to look and monitor what's going in/out of your ethernet connection directly connected to your "whatever" device)
or
Do the same thing by rigging a second computer, also known as a network monitor. Set up a Linux box...and monitor & control all the ports & packets being delivered to your network, and if you do your homework - you will "know" if that application you just downloaded and executed...truly is honest...and "doesn't phone home...like E.T"... he he he..
Live and learn kids.
What this world is coming to - is for you and me to decide.
Nearly 5 years ago, the great and all knowing Steve Gibson predicted that the raw sockets in Windows XP would allow packet spoofing that would bring down the internet with unstoppable DOS attacks.
So it must be true.
How many old boxes are there that still accept source routed packets, that's what I want to know (evil laugh).
"This took out my wireless network on XP Home SP2 using Microsoft's wireless zero configuration tool for the software side of it. During the spoof portion of the test, all network connectivity halted and immediately reported that the wireless connection had disconnected."
:)
Says Kwiik as he made an emergency dash to a landline to let Slashdot know before it's too late.
...every self-respecting network operator has RPF (or some other antispoof-ingressfilter) enabled at the edge. Gone are the days of spoofing, just like respecting IP packet's loose/strict source routing options and other similar exploits :)
Spoofed packets were the idea behind an anonymous P2P network I envisaged, and designed a few years ago. udpp2p.sf.net, if you're interested. Man, that was ropey code. (I didn't write any of it, by the way!)
Get your own free personal location tracker
i invented that one too
The Win version is less than useless. Doesn't work on Win98. When I tried it under XP it ran, but in a command shell and then tried to start IE. Well, IE will never get past my firewalls, and I couldn't tell much from the gibberish the stupid client printed out (the final html link it gave me was useless).
I'm an American. I love this country and the freedoms that we used to have.
I can spoof IP packets, so I guess the answer for me is a resounding "YES!". It may differ for other people though - with your line in questioning, have you thought about a job in politics?
He's talking about the tenets of the Internet architecture in his introduction... should I assume he means the electrons, or the switches?
My blog. Good stuff (when I remember to update it). Read it.
Create an SELinux policy to ensure that this software doesn't do anything weird. Give it no access to your filesystem (it shouldn't need it) and the ability to use libnet (or whatever it uses to generate the packets). Voilà, paranoia (mostly) gone.
The Right Reverend K. Reid Wightman,
80% of the IP addresses measured no longer support spoofing!
Given the move to broadband with home routers and NAT it seems obvious that spoofing capable networks are on the decline.
Are the spoofed packets' evil bits set to 1?
This opened IE. My default browser is FF, so the stupid fsking thing must be hard-coded to open IE. Why?
Unpleasantries.
Even with anti-spoofing, attackers can just use free open proxies to hide where they're coming from.
These additional demands are met:
1. a free lollipop.
2. a car ride deep in the forest
The question is not whether an IP can be spoofed (yes, it can always be spoofed from somewhere), but rather from where it can be spoofed and to where it can be spoofed. You can spoof any IP address to another box on your local ethernet segment -- there are no routers en route that can drop the packet. You probably cannot spoof an IP to someone on the other side of the world, but your ISP or your ISP's ISP can. In fact, you can spoof any IP to almost everywhere if you have a connection to one of the few core Internet routers.
The project basically is saying that home users cannot spoof IPs to their measurement server. That's well and good, but useless.
Home users no longer need to spoof IPs to hide the source of the attack (as in days past). Home users now are simply trojan/zombie boxes that are hiding the true source of the attack by using their own IP -- no spoofing required. Back when zombies were not a problem, attackers used spoofing to hide their true location; it is no longer required now that boxes can be 0wned with relative ease.
I don't see the point of this project.
...the other 20% of spoofable IP addresses are reported to be in the possession of Weird Al Yankovic, who, according to US Attorney General Alberto R. Gonzales, is capable of spoofing damn near anything.
A full-blown investigation is under way to put an end to Weird Al's wild spoofing. Rap legend Coolio has pledged his support in these investigations.
Weird Al was unavailable for comment, but his assistant did pass along his official response, which was, "Mecha lecha hi, Mecha hiny hiny ho."
More at 11.
"You will pay for your lack of vision..." - Emperor Palpatine to Ray Charles
Apparently, 80% of the IP addresses measured no longer support spoofing!
Yes, but how many of those are unique IPs?
What?
I've been checking IP addresses on all the workstations around me and every one of them has 127.0.0.1 entered. I can't believe our internet even works here!
It is easier to build strong children than to repair broken men. -Frederick Douglass
Seriously, they provide source. It's a small program, you can browse it and get the gist of what it's doing in fairly short order. You can change it any way you want, and recompile. beautiful, isn't it?
The program doesn't have a particular license attached though, I would assume that the intention is that it be licensed under the MIT license. Might want to check that before packaging it for Debian.
-Dom
So I can get my ISP pissed at me and watching what I do because attempting to spoof packets is something "hackers" do.
I like my broadband too much to participate in anything that even LOOKS bad to the security idiots watching my cable modem.
yup, did it with tor. wouldn't work on my debian unstable box, but after installing tor it worked without a hiccup. try it
Why don't we do something less invasive, like snmpwalk every address on the Internet?
True, the Win XP SP stops you from writing raw, but you can just write the ethernet frames to get around that.
Am I missing something? IP spoofing, in the classical sense, involves SYN flooding and messing with the three-way handshake and all that. What they are testing is, how many IP stacks out there can set a false source address on a UDP packet. This was one of the functionalities removed by XP SP2. I might be missing something, but I think this is a badly-titled article.
So get one here cheap! FB!!!
http://makeashorterlink.com/?A25124D0D
Otherwise, there's still the feeling, well, gee, if it's happened to me before, then it may very well happen again. The comforting come in when you can have the illusion that not that many people could actually do it to you. A comfort I don't believe in taking.
I can't, I don't allow spoofed traffic in or out. Duh.
In some environments it's still possible to send something that unencapsulates on the other end as a spoofed packet.
Spoofing packets is soooooo 20th century.
Siphoning Packets is much more obfusophisticated. =p
the only permanence in existence, is the impermanence of existence.
There's one thing I seem to be missing in all of the comments here: what's the point of this exactly?
The massive DDoS attacks generally come from botnets that do not need to bother spoofing their source IP. Also, anyone who relies on IP address alone (especially with "connectionless" protocols like IP/ICMP/UDP) for their security needs is just begging for problems because they're trusting a network that is not trustworthy. Seems to me it would be far easier to discourage the practice of trusting an untrustworthy network -- the black hats seem useful for this purpose -- than it would be to check each and every individual subnet for whether they will pass spoofed packets.
Given this, what does it matter whether I can spoof UDP/ICMP packets? What service or what architecture that is widely used today is so brain-dead that it does not require a password or strong encryption or some other form of security and/or authentication that would ensure that spoofing the IP address does not constitute a successful attack?
All of this would have been great ten years ago but today, the DDoS kiddies and spam botnets are enabled by the unwillingness to value security on the part of too many Windows users with broadband connections, combined with Microsoft's inability or unwillingness to market a secure-by-default OS. I say "market" here because I am assuming that with the resources at their disposal, Microsoft could create an extremely secure OS, if they really wanted to. Just look at what the OpenBSD team has done with far fewer resources available to them.
And yes, I see that as a responsibility of Microsoft's since their fortunes are largely built by mass-marketing a technical product to the non-technical, "I just want it to work with zero effort" crowd (and apparently this type of can't-be-bothered-to-learn-anything user wants it to be the first thing in this life ever observed to do so, other than entropy). If Windows were marketed exclusively to computer security specialists then I would not blame Microsoft if extremely insecure configurations kept happening.
So anyway, somebody please explain to me how it will matter one way or the other whether 0% of all internet users can spoof or whether 100% of them can spoof.
It is a miracle that curiosity survives formal education. - Einstein
Put all hosts behind networks that can't forward from other networks, problem solved. Hosts can't spoof hosts from other networks, because the next network up sees that the address isn't coming from the network not allowed to forward.
From TFA:
On *nix systems, you must run the spoofer as root (in order to create the raw socket) with no arguments, e.g.
# ./spoofer
On Windows, simply double-click on the spoofer executable after downloading.
Classic.
"Science is a tribute to what we can know although we are fallible" -Jacob Bronowski
-1, stupid kiddie.
I dunno about it being a Linux "litmus-test"
ps -ef vs ps aux is just a SysV vs. BSD thing.
Of course on Solaris the aux thing might make sense if you had
/usr/ucb in the front of your PATH.
But I learned on Solaris and I use ps -ef. Which is the way-we-do-things-now (TM).
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
This won't work under Windows XP SP2, apparently, so don't waste your time if that's what you have. Ummmm.... Not that I'm running XP... I'm a linux guy. Yeah... A friend told me. That's what happened...
"On Windows, simply double-click on the spoofer executable after downloading. "
Try that on a non-administrator account, then get back with us on the results.*
*If memory serves, Linspire originally used to run as root by default.
Not long after Fyodor put out the freebie chapter for how to own a continent, I looked into the process of spoofing a full TCP connection.
I felt it prudent to follow the RFC's and set said evil bit. So now I have a DoS tool with the evil bit...
If spoofing is no longer valid, then someone has a hell of a lot of explaining to do as to why this tool works so well...
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
Addresses that can be spoofed are completely dependent on each ISP's filter rules. No ISP should allow you to use an address they don't own unless you have a BGP peer relationship with them and can show that your ASN has been assigned those addresses.
Hey, the point is that you're already giving it access to your network through root access on your machine so that you can generate special packets. It's not much of a step from that to sniffing your network for packets. And the big deal is that the program is sniffing or scanning your network from INSIDE your network, behind DMZ firewalls, etc. Using SELinux or virtual machines won't necessarily protect you and I wasn't referring to a local machine exploit in my original post.
From spoofer.c
/* spawn an IE window with the results */
#ifdef _WIN32
snprintf(buf, SMALLBUF*2, "c:\\progra~1\\intern~1\\iexplore http://%s/report.php?sessionkey=%s\n",
REPORT_HOST, sessionkey);
system(buf);
winpause("Press Enter to Exit.");
#endif
Wow. It's been a while since I've seen a hard coded path to an executable compiled in a win32 program. I mean, wtf are you thinking? Ugh, and 8.3 assumptions as well. It would have been more versatile if he'd replaced "c:\\progra~1\\intern~1\\iexplore" with simply "start". That would have defaulted to the "HKEY_CLASSES_ROOT\http\shell\open\command" key value.
-Malakai
A Dragon Lives in my Garage
Well, whoever owns the 34/8 subnet, they are getting used as a source for some spoofed packets I'm seeing on my router trying to access a high-numbered port. Almost looks like a scan for a Trojan.
But then again, are they really being spoofed? Who can say for sure. I'm still keeping in mind that that has been a part of my firewall ruleset for over 6 years, and April of this year was the first month I saw them from that address/port.
Take a look at who owns that netblock.
Blockquoth the poster:
On *nix systems, you must run the spoofer as root (in order to create the raw socket) with no arguments, e.g.
# ./spoofer
Ahahahahahahah! You're kidding, right?
You are checking your backups, aren't you?
A new social engineering experiment has been set up where people are encouraged to download a program which reports back to home with the results to see how many people will idly run any program they are told to. To make it more interesting users are told they must give the program full access to their system (known as "root" in geek terms) for it to work. Results of this experiment will be out tomorrow!
anyway, who cares. in many places (eg china) p2p will soon be banned and blocked completely behind firewalls and proxies that no one can circumvent.
If you can spoof IP, you can spoof many UDP applications successfully - spoofing TCP is not impossible, but it's much much harder, because you not only have to guess sequence numbers (can be easy or hard, depending on whether your TCP stack vendor listened to Steve Bellovin's early warnings), but for both protocols you aren't going to see the response packets from the packet destination.
This means that Zombies on ISPs that allow spoofing can participate in UDP or ICMP DDOS attacks, such as smurf broadcasts or large-response DNS queries forged from the victim's IP address. (Spoof-proofing prevents these attacks.) But they can't do email spam in ways that hide their IP address, because email requires a TCP connection and multiple Layer-7 handshakes. So if they're spamming, you'll be able to see that the email came from port123.router456.cable-modem-carrier.example.net instead of the real IP addresses for Paypal or Chase Bank. (And if those financial institutions had the sense to use SPF, you'd be able to recognize those addresses and discard the spam.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
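What the post above describes, as an added example that is not part of the thread or the Spoofer project's own code: a stdlib-only builder for an IPv4/UDP datagram whose source address is whatever the sender claims, plus a decoder that shows what a filter or victim actually sees. The addresses, ports and payload are constructed from the RFC 5737 documentation ranges; `send_raw` is the one step that needs root and is the step an ingress filter defeats.

```python
"""Build an IPv4/UDP datagram with a forged source address (stdlib only).

Added example, not code from the Spoofer project. Addresses are from the
RFC 5737 documentation ranges and are constructed for illustration.
"""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum, as used by IPv4, UDP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_datagram(src_ip: str, dst_ip: str, sport: int, dport: int,
                       payload: bytes, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Return the complete packet; src_ip can be any address (that is the spoof)."""
    src = socket.inet_aton(src_ip)
    dst = socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    # UDP checksum covers a pseudo-header with the (forged) source address,
    # so a spoofed packet still arrives with a valid checksum.
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    udp_csum = checksum(pseudo + udp) or 0xFFFF  # 0 means "no checksum" in UDP
    udp = struct.pack("!HHHH", sport, dport, udp_len, udp_csum) + payload

    total_len = 20 + udp_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0,
                     ttl, socket.IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields a router filter or the victim host would look at."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, udp_len)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "proto": proto, "total_len": total_len,
        "ip_checksum_ok": checksum(packet[:ihl]) == 0,
        "udp_checksum_ok": checksum(pseudo + packet[ihl:ihl + udp_len]) == 0,
        "sport": sport, "dport": dport, "udp_len": udp_len,
        "payload": packet[ihl + 8:ihl + udp_len],
    }


def send_raw(packet: bytes, dst_ip: str) -> None:
    """Hand the finished packet to the kernel unchanged (needs root/CAP_NET_RAW).

    The reply, if any, goes to the forged source, never back to this host;
    an ISP doing ingress filtering drops the packet at the first hop because
    the source is not in the customer's assigned range.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(packet, (dst_ip, 0))


if __name__ == "__main__":
    # Constructed example: claim to be 192.0.2.7 while talking to 198.51.100.53:53
    pkt = build_udp_datagram("192.0.2.7", "198.51.100.53", 40000, 53, b"hello")
    print(parse_ipv4(pkt))
```

The decoder is the useful half for a defender: nothing in the packet itself distinguishes a forged source from a real one, which is why the check has to be made by the router that knows which addresses the customer was assigned.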
uRPF works pretty well on most Cisco router models - typically you use strict enforcement on end-user access lines and loose enforcement on connections from other ISPs. There are some problems that are harder, such as customers that are homed to multiple ISPs for reliability reasons - you can't strict-enforce on them, and you have to be careful to accept route advertisements for both halves of their connections, and deal with the issues if they change one of their ISPs, so it's harder to automate. On the other hand, most of those customers run firewalls and aren't likely to allow outbound spoofed packets. There are other people, often consumers or SOHO, doing lightweight dual-homing, e.g. they have a cable modem and a DSL line and aren't always symmetric about their routing.
Bill Stewart
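The strict-versus-loose distinction in the post above, and the "next network up sees the address isn't coming from the right place" check described earlier in the thread, as an added example that is not part of the thread or any vendor's code: a reverse-path lookup against a constructed routing table, including the dual-homed customer case where strict mode drops legitimate traffic and loose mode does not. Interface names, prefixes (RFC 5737) and the table itself are assumptions made for the example.

```python
"""Strict vs. loose unicast RPF, as a router applies it to an incoming packet.

Added example, not from the thread or any vendor. The routing table and
interface names are constructed; prefixes are from RFC 5737.
"""
import ipaddress
from typing import Iterable, List, Set, Tuple


class RoutingTable:
    """Longest-prefix-match table; one prefix may have several next-hop interfaces."""

    def __init__(self, routes: Iterable[Tuple[str, str]]):
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = [
            (ipaddress.ip_network(prefix), iface) for prefix, iface in routes]

    def reverse_lookup(self, src: str, allow_default: bool = False) -> Set[str]:
        """Interfaces through which `src` would be reached; empty if unrouted."""
        ip = ipaddress.ip_address(src)
        best_len, best = -1, set()
        for net, iface in self.routes:
            if net.prefixlen == 0 and not allow_default:
                continue  # uRPF ignores the default route unless told otherwise
            if ip in net:
                if net.prefixlen > best_len:
                    best_len, best = net.prefixlen, {iface}
                elif net.prefixlen == best_len:
                    best.add(iface)  # equal-cost paths all count as valid
        return best


def urpf_permits(table: RoutingTable, src: str, ingress: str,
                 mode: str = "strict", allow_default: bool = False) -> bool:
    """Strict: src must route back out the ingress interface. Loose: any route."""
    ifaces = table.reverse_lookup(src, allow_default)
    if not ifaces:
        return False           # unrouted source: dropped in both modes
    if mode == "loose":
        return True
    if mode != "strict":
        raise ValueError(f"unknown mode {mode!r}")
    return ingress in ifaces


# Constructed ISP edge router:
#  eth1: single-homed customer A (192.0.2.0/24)
#  eth2: dual-homed customer B, who only advertises 203.0.113.0/25 to us;
#        the other half of B's space is learned from a peer on eth9
#  eth9: upstream/peer link, also the default route
EDGE = RoutingTable([
    ("192.0.2.0/24", "eth1"),
    ("203.0.113.0/25", "eth2"),
    ("203.0.113.128/25", "eth9"),
    ("198.51.100.0/24", "eth9"),
    ("0.0.0.0/0", "eth9"),
])

if __name__ == "__main__":
    for src, ingress in [("192.0.2.5", "eth1"), ("192.0.2.5", "eth2"),
                         ("203.0.113.200", "eth2"), ("10.1.1.1", "eth1")]:
        print(src, ingress,
              "strict:", urpf_permits(EDGE, src, ingress),
              "loose:", urpf_permits(EDGE, src, ingress, "loose"))
```

The 203.0.113.200-on-eth2 case is the asymmetric-routing problem from the post: the packet is legitimate, but strict mode on eth2 drops it because the best route back to that address points at the peer, so an operator either accepts the other half of the customer's advertisements on eth2 or falls back to loose mode there.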
All your points are valid, especially about how things are measured.
My quibble here is that if my servers were on the receiving end of a DDOS attack, I would want to be able to filter out the attacking machines. So if I am being attacked by zombies that don't spoof their IP addresses, I would begin filtering IP addresses that are making too many requests. Granted, this would not lead me to the ultimate source of the attack, but might be enough to keep my servers working and defeat the attack.
If these zombies spoofed their packets, then my job is more difficult.
What would I do if zombies spoofed packets? Hmmm...Well if a substantial part of the Internet was using some kind of ingress/egress filtering, perhaps I would look at my traffic and look for areas of address space that are sending few or no packets and allow those areas to connect to my server. Areas of address space giving me heavy traffic are suspected of not filtering, areas with light traffic are considered clean. This would definitely block many legit users, but may keep me up and allow some users to connect. The beauty is that users on networks that use ingress/egress filtering are more likely to get service.
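Both halves of the post above (per-address rate filtering for the non-spoofed case, per-prefix load scoring for the spoofed case), as an added example that is not part of the thread or any project: a sliding-window counter keyed on source address, and a /24 aggregation that ranks address space by how much it is sending. The flow records are constructed and use the RFC 5737 ranges; window sizes and thresholds are assumptions chosen for the sample.

```python
"""Per-source and per-prefix request accounting for a server under DDoS.

Added example, not from the thread or any project. The records below are
constructed; addresses use the RFC 5737 documentation ranges.
"""
from collections import defaultdict
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

Record = Tuple[float, str]  # (unix time in seconds, source address)

# Constructed sample: one chatty host, one busy /24, and a few quiet sources.
SAMPLE_RECORDS: List[Record] = (
    [(t * 0.1, "192.0.2.10") for t in range(300)]                    # 300 hits in 30 s
    + [(t * 0.5, f"198.51.100.{20 + t % 40}") for t in range(240)]  # 40 hosts, 6 hits each
    + [(1.0, "203.0.113.5"), (7.0, "203.0.113.9"), (15.0, "203.0.113.77")]
)


def noisy_sources(records: Iterable[Record], window_s: float, limit: int) -> Set[str]:
    """Sources that exceed `limit` requests inside any sliding window of `window_s`.

    Non-spoofed case: zombies use their real address, so the address itself
    is a usable filter key.
    """
    by_src: Dict[str, List[float]] = defaultdict(list)
    for ts, src in records:
        by_src[src].append(ts)
    flagged: Set[str] = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:
                start += 1            # slide the window's left edge forward
            if end - start + 1 > limit:
                flagged.add(src)
                break
    return flagged


def prefix_load(records: Iterable[Record], prefixlen: int = 24) -> Dict[str, int]:
    """Request count per /prefixlen aggregate; the key for the spoofed case."""
    counts: Dict[str, int] = defaultdict(int)
    for _, src in records:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def quiet_prefixes(records: Iterable[Record], max_requests: int,
                   prefixlen: int = 24) -> Set[str]:
    """Prefixes light enough to keep admitting while everything else is shed."""
    return {p for p, n in prefix_load(records, prefixlen).items() if n <= max_requests}


if __name__ == "__main__":
    print("block:", noisy_sources(SAMPLE_RECORDS, window_s=10.0, limit=50))
    print("load:", prefix_load(SAMPLE_RECORDS))
    print("admit:", quiet_prefixes(SAMPLE_RECORDS, max_requests=10))
```

Note the asymmetry the post points out: the per-address filter only catches the chatty host, while the busy /24 slips under any per-address threshold and only shows up once traffic is aggregated by prefix.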
gcj --main=rodi.Start -g -o rodi.bin rodi/*.java rodi/chat/*.java rodi/dt/*.java rodi/dt/naive/*.java rodi/mng/*.java rodi/msg/*.java rodi/parser/*.java rodi/rm/*.java rodi/util/*.java rodi/xml/*.java
It will give you console only, no GUI version.