Re: IP Spoofing/Masquarading



Assuming that the ISP is not filtering RFC1918 addresses, then the packet
will travel like any other. The source IP is not used in routing to
the destination network. The return trip will need to use the source
IP address. In the case of a spoofed IP attack, the attacker will NOT
be able to receive the response packets unless they are somehow
sniffing the connection. A spoofed IP attack is used mostly in DoS
attacks or in situations where the attacker can guess all the response
packets.


On Wed, Sep 9, 2009 at 1:37 AM, M.D.Mufambisi <mufambisi@xxxxxxxxx> wrote:
I'm not sure I'm being clear here. How does the packet get to the
firewall in the first place when it has a source address of a machine
within the firewall perimeter?

internet--------------firewall(router)--------------lan

From the internet... how does the packet get to the firewall when it
has the LAN IP addresses (i.e. private addresses)? Or am I failing to
understand how this attack works?



On 9/9/09, Sebastiaan <littlebighuman@xxxxxxxxx> wrote:
It usually doesn't. Most firewalls will drop this by default as will many
routers.

On 9/9/09, M.D.Mufambisi <mufambisi@xxxxxxxxx> wrote:

I understand that IP packets can be spoofed, i.e. change the source
address to make it look like they originated from the internal LAN.
However, when this is done across the internet, with a private IP
address in its source field, how does this packet get routed through
the internet?

Kind Regards

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
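
The behaviour discussed in this thread, as an added example that is not part of any poster's message: a toy router forwards on destination only, then the same router applies an RFC 1918 source filter and a reverse-path check on ingress. The topology, interface names and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed topology for illustration: a border router/firewall with an
# "outside" (Internet) and an "inside" (LAN) interface.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),      # default route
    (ipaddress.ip_network("192.168.1.0/24"), "inside"),  # the LAN
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def lookup(addr):
    """Longest-prefix match: interface used to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in ROUTES if ip in net]
    return max(matches)[1]

def forward_plain(src, dst, in_if):
    """Destination-only forwarding: src is never examined."""
    return lookup(dst)

def forward_filtered(src, dst, in_if):
    """Same forwarding, preceded by two anti-spoofing checks on ingress.
    Returns the egress interface, or None when the packet is dropped."""
    ip = ipaddress.ip_address(src)
    # 1. Private source addresses are never valid on the Internet side.
    if in_if == "outside" and any(ip in net for net in RFC1918):
        return None
    # 2. Reverse-path check: the route back to src must use the interface
    #    the packet arrived on, otherwise the source is forged.
    if lookup(src) != in_if:
        return None
    return lookup(dst)

if __name__ == "__main__":
    packets = [  # (src, dst, ingress interface), all constructed
        ("192.168.1.50", "192.168.1.10", "outside"),  # forged LAN source
        ("10.1.2.3", "192.168.1.10", "outside"),      # forged private source
        ("203.0.113.7", "192.168.1.10", "outside"),   # ordinary inbound
        ("192.168.1.10", "203.0.113.7", "inside"),    # ordinary outbound
    ]
    for src, dst, in_if in packets:
        print(src, "->", dst, "via", in_if,
              "| plain:", forward_plain(src, dst, in_if),
              "| filtered:", forward_filtered(src, dst, in_if))
```

`lookup("192.168.1.50")` returns `inside`, which is why any reply to the forged packet is delivered to the LAN host and not to the sender.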



