How to determine TCP/IP pack source IP spoofing?

Thread starter: Rob R. Ainscough

Is there any way to determine if a packet is using a spoofed IP source
address?

Thanks, Rob.
 
I don't know of a good way unless you know that the packet came from outside
of the network and it has a source IP from inside the network. Most if not
all current routers should drop such traffic in default configuration. What
specific security risk are you concerned about as there usually is a way to
mitigate the risk. --- Steve
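An added example (not code from the thread or its participants) of the one check Steve describes: flag a packet that arrives on the external interface yet carries a source address from inside the network. It also applies the reverse (egress) check for an inside host sending with a foreign source, which goes a step beyond the reply. The interface names, the internal prefixes and the log line format are constructed assumptions.

```python
import ipaddress

# Assumption: prefixes this site considers "inside" its network.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample log lines in an assumed format: interface src dst.
# "ext" is the Internet-facing interface, "int" the LAN-facing one.
SAMPLE_LOG = """\
ext 203.0.113.5 192.168.1.10
ext 192.168.1.55 192.168.1.10
int 192.168.1.20 198.51.100.7
int 203.0.113.9 198.51.100.7
ext 10.1.2.3 192.168.1.10
"""


def is_internal(addr, nets=INTERNAL_NETS):
    """True if addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(line, nets=INTERNAL_NETS):
    """Label one log line: 'ok' or the direction of the suspected spoof."""
    iface, src, _dst = line.split()
    if iface == "ext" and is_internal(src, nets):
        # Came from outside but claims an inside source: cannot be genuine.
        return "spoof-suspect-ingress"
    if iface == "int" and not is_internal(src, nets):
        # Left an inside host with a source we do not own.
        return "spoof-suspect-egress"
    return "ok"


def flag_spoofed(log_text, nets=INTERNAL_NETS):
    """Return (line, verdict) pairs for every non-empty line in the log."""
    return [(ln, classify(ln, nets)) for ln in log_text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for line, verdict in flag_spoofed(SAMPLE_LOG):
        print(f"{verdict:22} {line}")
```

Only the address/interface mismatch is decidable from the packet itself; a spoofed external source that is not one of your own prefixes looks identical to a genuine one, which is the point Steve makes.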
 
Maybe I don't have a concern -- if the packet is external and spoofed the
source can NOT obtain a return -- is that correct? So the incoming packet
would have to hit a valid listener that would then process the packet and
do XYZ (assuming the valid listener is capable of doing XYZ) -- assume no
"invalid listeners" on the destination.

Does this sound correct?

I assume most attackers gain control of a drone/PC (say GWB) then do the
attacking from that machine so no spoofing is used. Spoofing is used only
for delivery of the controlling payload to the GWB PC?

I guess my thought pattern here is that detection of spoofed packets is a
good indicator that a target has been selected (the GWB PC). Once the
target is identified it can be relatively easy to have that target track the
remote attacker? I guess you might say I'm working on a bait and trap
project or at the very least bait and identify (since most remote attacks
seem to come from outside the US) before the drone can even start other
attacks.

This might be a very handy tool for $50,000 prize entry for Vista. With
Vista (in theory) one could setup a "Bait" session just waiting for the
hacker to deliver their payload -- once the hacker establishes his "virtual
drone" connection, then my service can start the monitoring and
identification process and/or even reverse attack (depending on the length
of drones nodes used).

Just a thought.

Rob.
 
AFAIUI, that is correct, spoofed packets are only of use to do malicious
damage such as causing a buffer-overflow, DoS or whatever. The transaction is
one-way since any reply would go to the spoofed address, not the actual
sender.

I suppose in principle a spoofed packet could be made to cause a
buffer-overflow (and hence code execution) whose instructions contain a
hard-coded reply IP, thereby returning data to the sender. Whether that's
likely in practice I couldn't say.
 
The links below do a good job at describing packet spoofing which is used
to create denial of service attacks or man in the middle and session
hijacking of established sessions in order to try and gain access to an
established session impersonating an authorized/authenticated user which is
much much more difficult these days. For current versions of Microsoft
operating systems spoofing is mostly a non issue with the use of the Windows
Firewall [which is stateful], enhancements in the default registry settings
for tcp/ip, and in particular a well designed ipsec policy that would
require computer authentication via Kerberos, pre shared key, or certificate
before any network connection would even be considered as all
unauthenticated traffic would be dropped.

http://www.securityfocus.com/infocus/1674
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/ipsecapd.mspx

It sounds like you are not really talking about spoofed packets here as
zombie computers, etc can have their true public IP addresses routinely seen
in firewall logs for all activity. Those types of attacks are basically
looking for vulnerable computers that are not protected by a firewall and
have the needed service/port enabled and possibly for an operating system
that is vulnerable to the attack because it has not been patched for the
vulnerability. In my opinion currently the biggest threats are
vulnerabilities in Internet Explorer even behind a firewall and social
engineering attacks such as phishing or malicious email attachments that
entice users to open them. --- Steve
 