[Dshield] Spoofing Source Address Verification XP

Neil Richardson pc_freak at cats.ucsc.edu
Mon Nov 26 15:22:17 GMT 2001


At 12:51 AM 11/26/2001, you wrote:
>The ability to spoof IP addresses has been there all along as long as
>the pirate was willing to include his own library (for the record,

    Oh?  My understanding was that until now, "Winblows" did not allow you 
to construct your own TCP/IP packets, so therefore could not be used to 
spoof IP addresses.


>winpcap is an open source device driver that will allow you both to
>sniff all packet reaching the NICs

    I see the winpcap homepage, but I had always thought that a key step in 
sniffing was a hardware issue: having to set the NIC card to "promiscuous 
mode" (sp?) in order for it to pass to the OS all packets it receives (as 
opposed to just those addressed to it and dropping everything else).


>  In addition, one must add that win2k also had this
>ability for quite some time.

    One would hope that a corporate machine with win2k would have 
sufficient protection to keep it from becoming a zombie, and that the high 
price of W2K would keep it out of the hands of most script-kiddies.  (One 
would *hope*, anyway.)


>No, hackers don't use spoofing, not because it's not available but
>because it uses illegal packets and, as such, are easy to detect and
>filter at the source with simple router rules, cutting the efficiency
>of the attack.

    Yes, but how many systems have been discussed on this very list that 
_don't_ use "simple router rules"?  No internet router should carry 
192.168.0.1, but there are plenty that do.  (I like that one guy who added 
his company's assigned IP range to the list of packets to be dropped if 
they're discovered coming in from the outside world--now that's thinking!)


>1/ Any NAT device will solve the problem. (as long as it's not the
>cause of the problem).

    See previous comment.


>2/ Almost all routers can be easily configured to perform egress
>filtering (see http://www.sans.org/infosecFAQ/firewall/egress.htm).

    See previous comment.


>3/ This is something that should be done on the first hop router. If
>you're concerned enough by this problem to look for gateway
>protection, you're very unlikely to be affected. Filtering on the
>first hop router would allow the ISPs to immediately find dangerous
>systems and shut them down.

    See previous comment.


>As for the consumer, there are a variety of gateway firewalls that will
>detect that

[snip]

>Finally, for the standalone user, a local firewall/IDS can probably
>detect outgoing spoofed packets. But again, if you have a local
>firewall, you're not likely to have been hacked ;)

    You just made my point for me: Windows is hard enough to keep secure 
when you know what you're doing.  (If it weren't, we wouldn't have a 
worm-of-the-week that can take over PowerPoint.)  For the average user, who 
knows nothing, it's just a matter of time before they get trojaned and 
their machine becomes a zombie.  If my understanding is correct--that under 
previous Windows versions you couldn't construct your own IP packets--that 
means that floods could at least be traced back to zombie systems.  With 
XP, they can't be.


-Neil R.
-- 
Supreme Lord High Commander and Keeper of the Holy Potato
----------
Random thought for the day:

    Let's do it write, uh, rite, uh, oh heck, just do it!
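The two router rules this thread keeps coming back to, as an added example that is not part of the original post: ingress filtering that drops packets arriving from the outside with RFC 1918 sources or the site's own assigned range, and egress filtering that drops outbound packets whose source is not the site's own. The site prefix 203.0.113.0/24 and the sample packets are constructed (documentation ranges), and the Packet record is a stand-in for whatever a real packet filter hands you.

```python
import ipaddress
from dataclasses import dataclass

# Assumed site prefix (documentation range, not a real assignment)
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Sources that should never arrive on the external interface: RFC 1918,
# loopback, and (the "now that's thinking!" rule) our own assigned range
INBOUND_DROP = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    SITE_PREFIX,
]

@dataclass
class Packet:
    direction: str  # "in" = arriving on the external interface, "out" = leaving
    src: str
    dst: str

def filter_verdict(pkt):
    """Return ("drop", reason) or ("accept", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "in":
        for net in INBOUND_DROP:
            if src in net:
                return ("drop", f"inbound source {src} is in {net}")
        return ("accept", "inbound source is routable and not ours")
    if pkt.direction == "out":
        # Egress filtering: anything leaving must carry one of our addresses
        if src not in SITE_PREFIX:
            return ("drop", f"outbound source {src} not in {SITE_PREFIX}")
        return ("accept", "outbound source is ours")
    raise ValueError(f"unknown direction {pkt.direction!r}")

def apply_filter(packets):
    """Run the filter over a list of packets, returning (packet, verdict, reason)."""
    return [(p, *filter_verdict(p)) for p in packets]

# Constructed sample traffic
SAMPLE = [
    Packet("in", "192.168.0.1", "203.0.113.10"),    # private source from outside
    Packet("in", "203.0.113.5", "203.0.113.10"),    # our own range from outside
    Packet("in", "198.51.100.7", "203.0.113.10"),   # legitimate inbound
    Packet("out", "203.0.113.10", "198.51.100.7"),  # legitimate outbound
    Packet("out", "192.0.2.9", "198.51.100.7"),     # spoofed source leaving the site
]

if __name__ == "__main__":
    for pkt, verdict, reason in apply_filter(SAMPLE):
        print(f"{verdict:6} {pkt.direction:3} {pkt.src} -> {pkt.dst}: {reason}")
```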



