[Dshield] Spoofing Source Address Verification XP

Mark Rowlands mark.rowlands at minmail.net
Mon Nov 26 17:46:21 GMT 2001


On Monday 26 November 2001 4:22 pm, Neil Richardson wrote:
> At 12:51 AM 11/26/2001, you wrote:
> >The ability to spoof IP addresses has been there all along as long as
> >the pirate was willing to include his own library (for the record,
>
>     Oh?  My understanding was that until now, "Winblows" did not allow you
> to construct your own TCP/IP packets, so therefore could not be used to
> spoof IP addresses.
>
> >winpcap is an open source device driver that will allow you both to
> >sniff all packet reaching the NICs
>
>     I see the winpcap homepage, but I had always thought that a key step in
> sniffing was a hardware issue: having to set the NIC card to "promiscuous
> mode" (sp?) in order for it to pass to the OS all packets it receives (as
> opposed to just those addressed to it and dropping everything else).

works fine here.....


> >  In addition, one must add that win2k also had this
> >ability for quite some time.
>
>     One would hope that a corporate machine with win2k would have
> sufficient protection to keep it from becoming a zombie, 

Haha...heehee.....um, having just come from a job at a high-profile
international insurance company where all users are administrators of their
local machine, the administrator password was a 4-letter word, and as to
having passwords on the SQL databases.... "what for?". Oh, and the firewall
was a Microsoft Proxy Server v1.something.... I am not so sure of this.

> and that the high
> price of W2K would keep it out of the hands of most script-kiddies.  (One
> would *hope*, anyway.)

As a reformed script-kiddie... (just kidding)... getting hold of software is
just not an issue... and well before the shrinkwrap hits the stores.

> >No, hackers don't use spoofing, not because it's not available but
> >because it uses illegal packets and, as such, are easy to detect and
> >filter at the source with simple router rules, cutting the efficiency
> >of the attack.

Oh yes they do... some attacks actually demand it, but mostly not, because
it is quicker and easier to find some dope who has just installed a popular
commercial Linux distro on his nice shiny new DSL connection.

>     Yes, but how many systems have been discussed on this very list that
> _don't_ use "simple router rules"?  No internet router should carry
> 192.168.0.1, but there are plenty that do.  (I like that one guy who added
> his company's assigned IP range to the list of packets to be dropped if
> they're discovered coming in from the outside world--now that's thinking!)

This is (or should be) standard practice; see, for example, the ipfilter
readme at http://www.obfuscation.org/ipf/ipf-howto.html

Anyway, what was the question?

Oh yeah... tracking of spoofed packets...

Well, no, it isn't easy, but here are two approaches...

http://www.enteract.com/~robt/Docs/Articles/tracking-spoofed.html
http://www.usenix.org/publications/library/proceedings/lisa2000/burch/burch_html/index.html
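The "simple router rules" the thread keeps coming back to are the ingress/egress
source-address filters later written up as RFC 2827 (BCP 38): on the
Internet-facing interface, drop inbound packets whose source is a private
(RFC 1918) range or your own assigned block, and drop outbound packets whose
source is not your own block, so a zombie on your LAN cannot spoof anyone
else. The following is an added example, not code from the post or from
ipfilter; it models that policy over a handful of constructed packet records
and renders the same policy as ipfilter rules. The interface names (fxp0,
xl0), the site prefix 203.0.113.0/24 and the sample packets are assumptions
for illustration, not values from the thread.

```python
"""Anti-spoofing source-address filter (added example, not the post's code).

Policy modelled, on the Internet-facing interface only:
  * inbound: block RFC 1918 / loopback / 0.0.0.0/8 sources, and block any
    source claiming the site's own prefix (it cannot arrive from outside);
  * outbound: block any source that is not the site's prefix.
Interface names, site prefix and sample traffic are constructed assumptions.
"""
import ipaddress

# Assumed site prefix (documentation range) and Internet-facing interface.
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")
EXTERNAL_IF = "fxp0"

# Source ranges that should never arrive from the Internet.
NEVER_FROM_OUTSIDE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "0.0.0.0/8")
]


def verdict(iface, direction, src):
    """Return (action, reason) for one packet seen on iface going direction."""
    if iface != EXTERNAL_IF:
        return "pass", "not the external interface, not filtered here"
    addr = ipaddress.ip_address(src)
    if direction == "in":
        for net in NEVER_FROM_OUTSIDE:
            if addr in net:
                return "block", f"inbound source {addr} is in {net}"
        if addr in SITE_PREFIX:
            return "block", f"inbound source {addr} claims our prefix {SITE_PREFIX}"
        return "pass", "inbound source is routable and not ours"
    if direction == "out":
        if addr not in SITE_PREFIX:
            return "block", f"outbound source {addr} is not in {SITE_PREFIX}: spoof"
        return "pass", "outbound source is ours"
    raise ValueError(f"unknown direction {direction!r}")


def apply_policy(packets):
    """Run verdict() over (iface, direction, src) tuples; return the actions."""
    return [verdict(*p)[0] for p in packets]


def ipf_rules(iface=EXTERNAL_IF, site=SITE_PREFIX):
    """Render the same policy as ipfilter rules; 'quick' makes first match win."""
    rules = [f"block in quick on {iface} from {n} to any" for n in NEVER_FROM_OUTSIDE]
    rules.append(f"block in quick on {iface} from {site} to any")
    rules.append(f"pass out quick on {iface} from {site} to any")
    rules.append(f"block out quick on {iface} all")
    return rules


# Constructed sample traffic: (interface, direction, source address).
SAMPLE_PACKETS = [
    ("fxp0", "in", "192.168.0.1"),    # private source arriving from the Internet
    ("fxp0", "in", "203.0.113.7"),    # outsider claiming to be one of our hosts
    ("fxp0", "in", "198.51.100.9"),   # ordinary remote host
    ("fxp0", "out", "203.0.113.7"),   # our host talking out
    ("fxp0", "out", "198.51.100.9"),  # a zombie on our LAN spoofing someone else
    ("xl0", "in", "192.168.0.1"),     # same private source, but on the LAN side
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, why = verdict(*pkt)
        print(f"{action:5} {pkt[0]:5} {pkt[1]:3} {pkt[2]:15} {why}")
    print()
    print("\n".join(ipf_rules()))
```

The outbound rule is the one most sites forget: it does nothing for you
directly, but it is what stops a compromised box on your network from being
useful in a spoofed attack on somebody else, and it makes any spoofing attempt
show up in your own logs rather than only at the victim's.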