Slashdot Mirror


Can You Spoof IP Packets?

nweaver writes "Spoofed IP packets are still believed to be a significant problem for the Internet. But are they? The Spoofer Project is attempting to measure the problem. Apparently, 80% of the IP addresses measured no longer support spoofing! Their methodology is simple: have users download a client which attempts to spoof packets to the monitor. Using these packets, they can determine the filter rules. So everyone, download the client and help!"
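As an added illustration (not code from the Spoofer Project or from any poster in this thread), the following Python models the kind of ingress filter the client is probing for: a strict unicast-RPF check in the spirit of BCP38 that drops a packet whose claimed source address is not routed back out the interface it arrived on. The routing table, bogon list and sample packets are constructed for the example.

```python
import ipaddress
from collections import namedtuple
# Constructed forwarding table for a hypothetical edge router:
# prefix -> interface through which that prefix is reached.
ROUTES = {
    "198.51.100.0/24": "eth1",  # customer A
    "203.0.113.0/24": "eth2",   # customer B
    "0.0.0.0/0": "eth0",        # default route toward the upstream
}
# Source addresses that are never valid on the public Internet.
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Packet = namedtuple("Packet", "ingress src dst")

def best_route(addr, table=ROUTES):
    """Longest-prefix match; returns (network, interface) or None."""
    ip, best = ipaddress.ip_address(addr), None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def ingress_check(pkt, table=ROUTES):
    """Strict unicast RPF: forward only if the best route back to the claimed
    source leaves via the interface the packet arrived on (BCP38 filtering)."""
    if any(ipaddress.ip_address(pkt.src) in net for net in BOGONS):
        return "drop:bogon-source"
    route = best_route(pkt.src, table)
    if route is None:
        return "drop:no-route-to-source"
    if route[1] != pkt.ingress:
        return "drop:source-not-routed-via-ingress"
    return "forward"

def audit(packets, table=ROUTES):
    """Apply the check to a batch; returns {decision: count}."""
    counts = {}
    for pkt in packets:
        d = ingress_check(pkt, table)
        counts[d] = counts.get(d, 0) + 1
    return counts

# Constructed sample traffic arriving on customer A's port (eth1).
SAMPLE = [
    Packet("eth1", "198.51.100.7", "192.0.2.1"),  # genuine customer A source
    Packet("eth1", "203.0.113.9", "192.0.2.1"),   # claims customer B's address
    Packet("eth1", "192.0.2.44", "192.0.2.1"),    # claims an outside address
    Packet("eth1", "10.1.2.3", "192.0.2.1"),      # private (bogon) source
]
```

Running `audit(SAMPLE)` yields one forward and three drops; a network that the Spoofer client reports as "no longer supporting spoofing" is one whose edge behaves like this.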

4 of 211 comments

  1. Spoofed UDP packets by caluml · · Score: 2, Interesting

    Spoofed packets were the idea behind an anonymous P2P network I envisaged, and designed a few years ago. udpp2p.sf.net, if you're interested. Man, that was ropey code. (I didn't write any of it, by the way!)

    1. Re:Spoofed UDP packets by evilviper · · Score: 2, Interesting

      I've plugged the project a few times here on /. before, as I had a very similar myself long before udpp2p existed.

      I think it's a real shame development has stopped, as it had the potential to be as fast as any other P2P network, and completely anonymous for the sender. All without requiring extensive communities and webs of trust to decide who to allow full access to your encrypted P2P VPN.

      As to the retransmit problems listed on your site, you should really use the Gnutella model, but broadcasting ACKs in this case as well as searches. You can make the window quite large, to form a large list of packets needing resend, and compress that data so it uses up as little bandwidth as possible.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  2. Re:I think I speak for most of us when I say... by squiggleslash · · Score: 4, Interesting
    I'm having difficulty figuring it out too.

    IP spoofing isn't even a bad thing. There's a work-around that allows two hosts hidden behind NAT gateways to communicate directly with one another by having them both spoof a cooperating proxy. (It goes something like: Host A establishes a UDP link with the proxy, Host B establishes a UDP link with a proxy, Proxy then gives A enough information to allow it to spoof packets as Proxy and send them directly to B, and proxy gives B the information needed to spoof packets from Proxy to A.)

    This is useful in some P2P applications, notably VoIP.

    This is going to break if spoofing somehow gets prevented completely, and from what I can figure out, that's what the above system is treating as some kind of "hole" that needs to be fixed.

    --
    You are not alone. This is not normal. None of this is normal.
  3. Re:I think I speak for most of us when I say... by squiggleslash · · Score: 2, Interesting
    > Any trick you can do with spoofing, you can do without

    No, you can't.

    > You could argue that it's easier to run your P2P applications without a firewall since you don't have to go to all that extra trouble to set up the firewall.

    The example I gave had nothing to do with firewalls. It's about NAT. NAT's a technology that means multiple devices can share a single Internet connection. Getting multiple IPs isn't an option for most households, nor is dedicating the entire connection to one machine always practical, and gateway configuration has limits.

    Until we move to IPv6, tricks like this (and NAT to begin with) are absolutely necessary to make certain types of system viable.

    > IP spoofing isn't as dangerous, but, it definitely has its security problems. Overall people are better off without spoofing even for things that can legitimately benefit.

    IP spoofing only really allows security exploits for badly designed security systems, save for preventing a particular type of DDoS attack that's arguably better dealt with via other means. It's hard to see what we gain by preventing it, and as I showed above, there's at least one example of a technology where it's useful.

    Right now, the Internet is becoming more reliant on patchworks of hacks to get around limitations that are increasingly more problematic for end users. The only way we're going to fix that is to move to IPv6. In the meantime, we should be avoiding unnecessary breaks in network infrastructure to fix problems that, for the most part, do not really exist. We don't want to fuck up routing like we did email.

    --
    You are not alone. This is not normal. None of this is normal.