Can You Spoof IP Packets?
nweaver writes "Spoofed IP packets are still believed to be a significant problem for the Internet. But are they? The Spoofer Project is attempting to measure the problem. Apparently, 80% of the IP addresses measured no longer support spoofing! Their methodology is simple: have users download a client which attempts to spoof packets to the monitor. Using these packets, they can determine the filter rules. So everyone, download the client and help!"
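As an added illustration of the methodology the summary describes (this is not the Spoofer project's own client or monitor code), the toy model below puts a BCP 38 style ingress filter at a customer edge, has a client emit probes whose spoofed source shares progressively fewer leading bits with its real address, and lets the monitor bracket the filter's granularity from which probes got through. The prefix, client address and probe distances are constructed sample values.

```python
import ipaddress

# Constructed sample values, not real measurement data.
CUSTOMER_PREFIX = ipaddress.ip_network("198.51.100.0/24")
CLIENT_ADDR = ipaddress.ip_address("198.51.100.77")
PROBE_PREFIX_LENGTHS = (8, 12, 16, 20, 24, 28, 32)


def ingress_filter_passes(src, allowed=CUSTOMER_PREFIX):
    """BCP 38 style check at the customer edge: forward a packet only if its
    source lies inside the prefix assigned to the interface it arrived on."""
    return ipaddress.ip_address(str(src)) in allowed


def neighbour_source(true_addr, shared_bits):
    """Spoofed source that shares exactly `shared_bits` leading bits with the
    client's real address; 32 means the unspoofed control probe."""
    if shared_bits == 32:
        return true_addr
    flipped = int(true_addr) ^ (1 << (31 - shared_bits))
    return ipaddress.ip_address(flipped)


def run_probes(true_addr=CLIENT_ADDR, lengths=PROBE_PREFIX_LENGTHS,
               forwards=ingress_filter_passes):
    """Client side: one probe per prefix distance. `forwards` stands in for
    the network path; the result maps each distance to whether the monitor
    received the probe."""
    return {n: bool(forwards(neighbour_source(true_addr, n))) for n in lengths}


def infer_filter_granularity(results):
    """Monitor side: bracket the filter boundary between the widest prefix
    distance that was blocked and the narrowest that got through.
    Returns (largest_blocked, smallest_passed); None = nothing was blocked."""
    blocked = [n for n, seen in results.items() if not seen]
    passed = [n for n, seen in results.items() if seen]
    if not passed:
        raise ValueError("control probe missing: monitor unreachable")
    return (max(blocked) if blocked else None, min(passed))


if __name__ == "__main__":
    # With the /24 edge filter, probes at distance 8..20 are dropped and
    # 24..32 pass, so the boundary lies between /20 and /24: arbitrary
    # spoofing is blocked, but spoofing a neighbour inside the /24 is not.
    print(infer_filter_granularity(run_probes()))
```

The bracket rather than a single number is the point: a network that drops arbitrary spoofed sources may still pass packets spoofed from within its own prefix, which is why a single probe cannot establish "no longer supports spoofing".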
1. Write a piece of software claiming to help monitor spoofed IP packets but really it does something more sinister.
2. Post a story to Slashdot with a link to the software on an MIT server and ask people to run it on their internal networks and send the data back to the author.
3. ???
4. Profit and say to yourself, "suckers"
Maybe I'm too paranoid. But this is a good example of how social engineering can be used to get you into places you shouldn't be. I guess the source code is provided. How many people will really read it?
...No.
Seriously, why would I want to participate in this?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
...you can use a network packet monitor, and there are two ways to get your hands on such a device - the cheap...and the expensive way, the expensive way being the safest one (A hardware network monitor = hardware device to look at and monitor what's going in/out of your ethernet connection directly connected to your "whatever" device)
or
Do the same thing by rigging a second computer, also known as a network monitor. Set up a Linux box...and monitor & control all the ports & packets being delivered to your network, and if you do your homework - you will "know" if that application you just downloaded and executed...truly is honest...and "doesn't phone home...like E.T"... he he he..
Live and learn kids.
What this world is coming to - is for you and me to decide.
Of course there is no possibility at all that another source code was used to compile the binaries, huh, Mr Knows-It-All?
...every self-respecting network operator has RPF (or some other anti-spoof ingress filter) enabled at the edge. Gone are the days of spoofing, just like respecting IP packets' loose/strict source routing options and other similar exploits :)
Get your own free personal location tracker
So it must be true.
I really hope that is sarcasm. Yes, it must be. However some of the other replies are not, which worries me slightly as people don't seem to realise Gibson is the guy behind Spin Rite. Spin Rite, people. Think of that next time you read some of his "advice".
80% of the IP addresses measured no longer support spoofing!
Given the move to broadband with home routers and NAT it seems obvious that spoofing capable networks are on the decline.
So I can get my ISP pissed at me and watching what I do because attempting to spoof packets is something "hackers" do.
I like my broadband too much to participate in anything that even LOOKS bad to the security idiots watching my cable modem.
One of the best ways to determine if someone's *ix experience is limited to Linux, or if they have experience with Solaris, AIX, etc. Also how they use ps is a dead giveaway.
Finkployd
There's one thing I seem to be missing in all of the comments here: what's the point of this exactly?
The massive DDoS attacks generally come from botnets that do not need to bother spoofing their source IP. Also, anyone who relies on IP address alone (especially with "connectionless" protocols like IP/ICMP/UDP) for their security needs is just begging for problems because they're trusting a network that is not trustworthy. Seems to me it would be far easier to discourage the practice of trusting an untrustworthy network -- the black hats seem useful for this purpose -- than it would be to check each and every individual subnet for whether they will pass spoofed packets.
Given this, what does it matter whether I can spoof UDP/ICMP packets? What service or what architecture that is widely used today is so brain-dead that it does not require a password or strong encryption or some other form of security and/or authentication that would ensure that spoofing the IP address does not constitute a successful attack?
All of this would have been great ten years ago but today, the DDoS kiddies and spam botnets are enabled by the unwillingness to value security on the part of too many Windows users with broadband connections, combined with Microsoft's inability or unwillingness to market a secure-by-default OS. I say "market" here because I am assuming that with the resources at their disposal, Microsoft could create an extremely secure OS, if they really wanted to. Just look at what the OpenBSD team has done with far fewer resources available to them.
And yes, I see that as a responsibility of Microsoft's since their fortunes are largely built by mass-marketing a technical product to the non-technical, "I just want it to work with zero effort" crowd (and apparently this type of can't-be-bothered-to-learn-anything user wants it to be the first thing in this life ever observed to do so, other than entropy). If Windows were marketed exclusively to computer security specialists then I would not blame Microsoft if extremely insecure configurations kept happening.
So anyway, somebody please explain to me how it will matter one way or the other whether 0% of all internet users can spoof or whether 100% of them can spoof.
It is a miracle that curiosity survives formal education. - Einstein
Hey, the point is that you're already giving it access to your network through root access on your machine so that you can generate special packets. It's not much of a step from that to sniffing your network for packets. And the big deal is that the program is sniffing or scanning your network from INSIDE your network, behind DMZ firewalls, etc. Using SELinux or virtual machines won't necessarily protect you, and I wasn't referring to a local machine exploit in my original post.