Slashdot Mirror


Can You Spoof IP Packets?

nweaver writes "Spoofed IP packets are still believed to be a significant problem for the Internet. But are they? The Spoofer Project is attempting to measure the problem. Apparently, 80% of the IP addresses measured no longer support spoofing! Their methodology is simple: have users download a client which attempts to spoof packets to the monitor. Using these packets, they can determine the filter rules. So everyone, download the client and help!"

13 of 211 comments

  1. Warning by Kwiik · · Score: 5, Informative

    This took out my wireless network on XP Home SP2 using Microsoft's wireless zero configuration tool for the software side of it. During the spoof portion of the test, all network connectivity halted and immediately reported that the wireless connection had disconnected.

    --
    Vehicle Stars used car search is my current project
  2. Re:Oh yes! by Anonymous Coward · · Score: 1, Informative

    It seems everyone is wonderful about pointing out the possible things this application can do wrong.

    Did anyone fail to notice - the source code is also available for download?

  3. Re:If you TRULY want to know... by Danny Rathjens · · Score: 5, Informative

    ... or just run Ethereal or tcpdump on your local machine to watch outgoing packets. Or just watch from your firewall. You are overcomplicating things. :) Or maybe you are just paranoid enough. ;)

  4. Re:Sounds dangerous by Fulkkari · · Score: 2, Informative

    You should be paranoid these days, and yes, the source code is provided. There are 1090 lines of source code including the Makefile, so I don't think it would take that much time to read it through.

    To answer the question how many people will really read it, I answer that I won't compile nor run it before I have read it.

    --
    I demand the Cone of Silence!
  5. Use SELinux (was Re:Sounds dangerous) by giminy · · Score: 3, Informative

    Create an SELinux policy to ensure that this software doesn't do anything weird. Give it no access to your filesystem (it shouldn't need it) and the ability to use libnet (or whatever it uses to generate the packets). Voilà, paranoia (mostly) gone.

    --
    The Right Reverend K. Reid Wightman,
  6. The usefulness of this measurement is questionable by saikatguha266 · · Score: 5, Informative

    The question is not can an IP be spoofed (yes, it can always be spoofed from somewhere), but rather from where can it be spoofed and to where can it be spoofed. You can spoof any IP address to another box on your local Ethernet segment -- there are no routers en route that can drop the packet. You probably cannot spoof an IP to someone on the other side of the world, but your ISP or your ISP's ISP can. In fact, you can spoof any IP to almost everywhere if you have a connection to one of the few core Internet routers.

    The project basically is saying that home users cannot spoof IPs to their measurement server. That's well and good, but useless.

    Home users no longer need to spoof IPs to hide the source of the attack (as in days past). Home users now are simply trojan/zombie boxes that are hiding the true source of the attack by using their own IP -- no spoofing required. Back when zombies were not a problem, attackers used spoofing to hide their true location; it is no longer required now that boxes can be 0wned with relative ease.

    I don't see the point of this project.

  7. UTSL by Dom2 · · Score: 2, Informative

    Use The Source, Luke

    Seriously, they provide source. It's a small program, you can browse it and get the gist of what it's doing in fairly short order. You can change it any way you want, and recompile. Beautiful, isn't it?

    The program doesn't have a particular license attached though, I would assume that the intention is that it be licensed under the MIT license. Might want to check that before packaging it for Debian.

    -Dom

  8. Re:Sounds dangerous by Surt · · Score: 2, Informative

    Source code is provided, but will anyone bother to check that the compiled result matches the binary provided?

    --
    "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  9. Re:Oh yes! by jcochran · · Score: 5, Informative

    The "tar xfz spoofer-xxx-0.4.tar.gz" command will work just fine if using GNU tar. However, the "z" option isn't available for the original tar command and frankly the portability of the pipelined version is better.

  10. Re:IE? by molarmass192 · · Score: 3, Informative

    Yep, line 429 of spoofer.c in the source code, hardcoded. He should have used the rundll url call instead.

    --

    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
  11. Re:Sounds dangerous by addaon · · Score: 4, Informative

    Use -frandom-seed.

    --

    I've had this sig for three days.
  12. Re:Sounds dangerous by autocracy · · Score: 2, Informative

    Chroot with a systrace. Looks clean to me. Wish I knew why the damn thing got a SIGPIPE and died, though.

    --
    SIG: HUP
  13. Re:Spoofing has not been a problem for years by Pheersome · · Score: 2, Informative

    disallow non-expected source IP addresses from interfaces in the first place

    This is much easier said than done. Cf.:

    http://www.lasr.cs.ucla.edu/save/save_to_infocom.pdf
    http://www.lasr.cs.ucla.edu/classes/239_1.spring03/papers/park.pdf

    --
    Better to light a candle than to curse the darkness.
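
The filtering rule quoted in the last comment, as an added example (not code from the Spoofer Project or from any commenter): a per-interface source-address filter run over constructed traffic. The interface names, prefixes and packets are assumptions and use documentation address ranges.

```python
import ipaddress

# Constructed example topology: which source prefixes are expected on each
# router interface (documentation address ranges, not real networks).
EXPECTED = {
    "cust0": ["192.0.2.0/24"],
    "cust1": ["198.51.100.0/25", "198.51.100.128/25"],
}


def build_filter(expected):
    """Turn {interface: [prefix, ...]} into parsed ip_network objects."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in expected.items()}


def permit(filt, ifname, src):
    """Return True if a packet with source `src` may enter via `ifname`."""
    nets = filt.get(ifname)
    if nets is None:
        return False  # unknown interface: fail closed
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)


def classify(filt, packets):
    """Label each (interface, source) pair as 'pass' or 'drop'."""
    return [(i, s, "pass" if permit(filt, i, s) else "drop")
            for i, s in packets]


# Constructed sample traffic.
PACKETS = [
    ("cust0", "192.0.2.17"),      # source matches the interface
    ("cust0", "203.0.113.9"),     # source not assigned behind cust0
    ("cust1", "198.51.100.200"),  # second prefix on cust1
    ("cust1", "192.0.2.17"),      # valid address, wrong interface
]

if __name__ == "__main__":
    for ifname, src, verdict in classify(build_filter(EXPECTED), PACKETS):
        print(f"{ifname:6} {src:16} {verdict}")
```

The last packet is the hard case: a filter keyed only on the arrival interface cannot tell a spoofed source from a multihomed site sending out its other link, so it drops both.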