[Dshield] Spoofing Source Address Verification XP

security at admin.fulgan.com
Mon Nov 26 08:51:55 GMT 2001


MW> With win XP's arrival.. The ability to spoof the source address is
MW> apparently very easily accomplished http://grc.com/dos/xplaughter.htm.
MW> In fact I am wondering why MS did not include a GUI to make this
MW> happen...

Oh, please, when will you give up on this issue?

Gibson's web site is only a proof of how little this guy knows about
networking in general and security in particular (not counting
operating system design).

The ability to spoof IP addresses has been there all along as long as
the pirate was willing to include his own library (for the record,
winpcap is an open source device driver that will allow you both to
sniff all packets reaching the NICs and to use raw sockets, including
the spoofing option). In addition, one must add that win2k also had this
ability for quite some time.

No, hackers don't use spoofing, not because it's not available but
because it uses illegal packets that, as such, are easy to detect and
filter at the source with simple router rules, cutting the efficiency
of the attack.

The real problem is: "how to properly secure the end user" and winXP
is a step in the right direction since it (at last) implements user
security in a home product (although I personally think it's still
far too permissive by default, at least, the ability is here).

MW> Do some of the most common DSL/Cable routers with built in firewalls
MW> protect against this??

1/ Any NAT device will solve the problem. (as long as it's not the
cause of the problem).
2/ Almost all routers can be easily configured to perform egress
filtering (see http://www.sans.org/infosecFAQ/firewall/egress.htm).
3/ This is something that should be done on the first hop router. If
you're concerned enough by this problem to look for gateway
protection, you're very unlikely to be affected. Filtering on the
first hop router would allow the ISPs to immediately find dangerous
systems and shut them down.

MW> Also are there any free legit tools out there to test for this both on
MW> the ISP's side and test personal firewalls???

Writing a spoofer application is very easy to do. In its own time
Ntobjectives released a program called PacketX that allowed you to
create any packet you wanted. This tool seems now not to be available
any more. Apart from that, the router logs will show you dropped
packets and you can easily find spoofed ones (that's for the ISP).

As for the consumer, there are a variety of gateway firewalls that will
detect that (NAT devices could do so as well but they usually aren't
too strong on the logging side). Cisco PIX and ZyXEL ZyWALL firewalls
will detect such attacks of home networks. You could also build a
router using NT or Linux and use snort rules to extract suspicious
packets (or, if you're using a hub, you can use a separate PC to run
snort).

Finally, for the standalone user, a local firewall/IDS can probably
detect outgoing spoofed packets. But again, if you have a local
firewall, you're not likely to have been hacked ;)

Good luck,
Stephane
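
The egress check described in the reply above, sketched as an added example that is not part of the original message: an outbound packet passes only if its source address belongs to the inside network, and anything else is what a first hop router would drop and log. The inside prefix, the key=value log format and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Assumption: the prefix assigned to the inside network (documentation range).
INSIDE = [ipaddress.ip_network("192.0.2.0/24")]
# Sources that are never valid on the public Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

# Constructed sample lines in a hypothetical key=value router log format.
SAMPLE_LOG = """\
iface=lan0 dir=out src=192.0.2.10 dst=198.51.100.7 proto=tcp
iface=lan0 dir=out src=203.0.113.45 dst=198.51.100.7 proto=udp
iface=lan0 dir=out src=10.1.2.3 dst=198.51.100.7 proto=icmp
iface=lan0 dir=out src=192.0.2.77 dst=198.51.100.9 proto=tcp
iface=lan0 dir=out src=not-an-ip dst=198.51.100.9 proto=tcp
iface=wan0 dir=in src=203.0.113.9 dst=192.0.2.10 proto=tcp
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def egress_verdict(src, inside=INSIDE):
    """Return 'pass' if src is an inside address, otherwise a drop reason."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop:unparseable"
    if any(addr in net for net in inside):
        return "pass"
    if any(addr in net for net in BOGONS):
        return "drop:bogon-source"
    return "drop:foreign-source"

def find_spoofed(log_text):
    """Return (src, dst, verdict) for outbound packets an egress filter drops."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("dir") != "out" or "src" not in fields:
            continue  # only traffic leaving the inside network is checked
        verdict = egress_verdict(fields["src"])
        if verdict != "pass":
            hits.append((fields["src"], fields.get("dst"), verdict))
    return hits

if __name__ == "__main__":
    for hit in find_spoofed(SAMPLE_LOG):
        print(hit)
```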



