[Dshield] Spoofing Source Address Verification XP
mark.rowlands at minmail.net
Mon Nov 26 17:46:21 GMT 2001
On Monday 26 November 2001 4:22 pm, Neil Richardson wrote:
> At 12:51 AM 11/26/2001, you wrote:
> >The ability to spoof IP addresses has been there all along as long as
> >the pirate was willing to include his own library (for the record,
> Oh? My understanding was that until now, "Winblows" did not allow you
> to construct your own TCP/IP packets, so therefore could not be used to
> spoof IP addresses.
> >winpcap is an open source device driver that will allow you both to
> >sniff all packets reaching the NICs
> I see the winpcap homepage, but I had always thought that a key step in
> sniffing was a hardware issue: having to set the NIC card to "promiscuous
> mode" (sp?) in order for it to pass to the OS all packets it receives (as
> opposed to just those addressed to it and dropping everything else).
Works fine here.....
> >In addition, one must add that win2k also had this
> >ability for quite some time.
> One would hope that a corporate machine with win2k would have
> sufficient protection to keep it from becoming a zombie,
Haha...heehee.....um, having just come from a job at a high-profile
international insurance company where all users are administrators of their
local machine, the administrator password was a 4 letter word, and as to
having passwords on the SQL databases.... "what for?". Oh, and the firewall
was a Microsoft Proxy Server v.1.something.... I am not so sure of this.
> and that the high
> price of W2K would keep it out of the hands of most script-kiddies. (One
> would *hope*, anyway.)
As a reformed script-kiddy...(just kidding).... getting hold of software is
just not an issue.......and well before the shrinkwrap hits the stores.
> >No, hackers don't use spoofing, not because it's not available but
> >because it uses illegal packets which, as such, are easy to detect and
> >filter at the source with simple router rules, cutting the efficiency
> >of the attack.
Oh yes they do........some attacks actually demand it, but mostly not,
because it is quicker and easier to find some dope who has just installed
a popular commercial Linux distro on his nice shiny new DSL connection.
> Yes, but how many systems have been discussed on this very list that
> _don't_ use "simple router rules"? No internet router should carry
> 192.168.0.1, but there are plenty that do. (I like that one guy who added
> his company's assigned IP range to the list of packets to be dropped if
> they're discovered coming in from the outside world--now that's thinking!)
This is (or should be) standard practice......see the ipfilter readme at for
any... what was the question?
Oh yeah....tracking of spoofed packets.......
Well, no, it isn't easy, but here are two approaches........
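As an added illustration (not from this post or its author), here is a Python check implementing the "simple router rules" the thread describes: on the outside interface, inbound packets whose source is RFC 1918 space or the site's own assigned range, and outbound packets whose source is not the site's range, are flagged. The log format, the interface name `ext0` and the site prefix 198.51.100.0/24 are assumptions, and the log lines are constructed.

```python
import ipaddress
import re

# Assumed site range (constructed documentation prefix, not a real network).
SITE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Source ranges no Internet router should carry: RFC 1918 plus loopback.
PRIVATE_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed log format: "<iface> <in|out> src=<ip> dst=<ip>".
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<dir>in|out)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)$"
)

def classify(line, external_iface="ext0"):
    """Return a reason string if the packet's source is spoofed, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["iface"] != external_iface:
        return None  # unparsable or not on the border interface
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return "unparsable source address"
    if m["dir"] == "in":
        # Ingress: nothing from the Internet may claim private or our own space.
        if any(src in p for p in PRIVATE_PREFIXES):
            return "inbound private source"
        if any(src in p for p in SITE_PREFIXES):
            return "inbound source claims our own range"
    elif not any(src in p for p in SITE_PREFIXES):
        # Egress: only our own range may leave, so a compromised host here
        # cannot spoof someone else's address outward.
        return "outbound source not in our range"
    return None

def spoofed_lines(lines):
    """Pair each flagged log line with the reason it was flagged."""
    return [(line, r) for line in lines for r in [classify(line)] if r]

SAMPLE_LOG = [  # constructed sample, one packet per line
    "ext0 in src=192.168.0.1 dst=198.51.100.10",    # private source from outside
    "ext0 in src=198.51.100.7 dst=198.51.100.10",   # our own range from outside
    "ext0 in src=203.0.113.5 dst=198.51.100.10",    # legitimate inbound
    "ext0 out src=10.9.8.7 dst=203.0.113.5",        # spoofed/leaked outbound
    "ext0 out src=198.51.100.10 dst=203.0.113.5",   # legitimate outbound
    "int0 in src=192.168.0.1 dst=198.51.100.10",    # inside interface, not checked
]
```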