RE: IP address forging

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 07/03/03

  • Next message: Rygg Christian: "RE: Ten least secure programs"
    To: "'Hanuska Ivo'" <hanuska@asd-software.cz>, <security-basics@securityfocus.com>
    Date: Thu, 3 Jul 2003 09:34:30 -0700
    
    
    

      The common term that has emerged is "spoof" rather than
    "forge", and the short answer is that very few bits of the Internet
    bother to apply any check to source IP addresses. Almost
    anybody, almost anywhere, can generate packets that carry
    your IP address as their source. Naturally, a bunch of nasty
    threats take advantage of this, either to hide their origin, or
    to perform a "bounce" attack where innocent bystanders try
    to send replies which all go to the real target of the attack,
    often amounting to a DoS whose perpetrator is effectively
    untraceable.

      What's harder, though, is to spoof a bidirectional (e.g. TCP)
    connection. In order for that to work, packets directed *to*
    your IP address must pass somewhere where the attacker can
    see them. (Depending on the technique used, they may or
    may not continue on to your real machine.) Unless the attacker
    is figuratively on your (or the remote machine's) doorstep, he
    may need to compromise a routing table somewhere....

    More than 99% of Internet traffic flows over three protocols: TCP, UDP,
    and ICMP. Since TCP requires a bidirectional connection,
    most places don't worry too much about spoofing on it. Good
    border security, though, heavily restricts the ICMP and UDP traffic
    that is permitted.
      ISPs have been slow to implement egress filters that ensure
    that the only traffic leaving their networks is traffic whose source
    shows that it originated there. Most large end-user organizations
    probably do this, though. (It's not as trivial for ISPs as it sounds.
    Many also carry traffic for third parties, and would be in big trouble
    if they accidentally blocked that....)

    David Gillett

    > -----Original Message-----
    > From: Hanuska Ivo [mailto:hanuska@asd-software.cz]
    > Sent: July 1, 2003 23:27
    > To: security-basics@securityfocus.com
    > Subject: IP address forging
    >
    >
    > I have a question which does not let me sleep:
    >
    > Is it possible to forge my IP address? Imagine the situation that
    > I am connected with some sort of link (not an Ethernet-like
    > device; there the answer is simple, just use ARP manipulation
    > methods), possibly by modem to the Internet, and I want to forge my
    > IP address (so I want to pretend that my IP address is
    > different than it really is).
    >
    > Is there somewhere some information about such a procedure
    > and how to protect my resources from connections from such
    > a forged IP address?
    >
    > Thank you all,
    >
    > Ivo Hanuška
    >

    
    

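The three points in David's reply (a sender can write any source address into a packet, a reflector answers whoever the packet claims to be from, and a BCP38-style egress filter catches the lie at the network edge) can be shown offline without sending anything. The following is an added example, not code from either poster: it builds and parses raw IPv4 headers with `struct`, then runs a simulated reflector and an egress filter over them. Function names, the addresses (RFC 5737 documentation ranges) and the prefix lists are all assumptions chosen for the illustration.

```python
"""IPv4 source spoofing, bounce/reflection and BCP38 egress filtering, offline.

Added example, not from the original mailing-list thread. Addresses are
RFC 5737 documentation ranges chosen for the illustration; nothing is sent.
"""
import ipaddress
import struct
from typing import Iterable, List


def ipv4_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ident: int = 0, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header.

    Nothing here checks that `src` belongs to the sender: the source field
    is whatever the sender writes into it, which is all 'spoofing' is.
    """
    ver_ihl = (4 << 4) | 5                      # IPv4, 5 x 32-bit words
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, 0, ttl,
                      proto, 0,                 # checksum zeroed for computing
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header; raises on a bad version or checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if ipv4_checksum(pkt[:20]) != 0:            # valid header sums to zero
        raise ValueError("bad header checksum")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ttl": f[5], "proto": f[6],
            "src": str(ipaddress.IPv4Address(f[8])),
            "dst": str(ipaddress.IPv4Address(f[9])),
            "payload": pkt[20:]}


def egress_permitted(pkt: bytes, our_prefixes: Iterable[str]) -> bool:
    """BCP38-style egress filter at a network border.

    Pass a packet only if its source lies in a prefix this network (or a
    customer it carries transit for) legitimately originates. An ISP that
    forgets a transit customer's prefix here blocks that customer, which is
    the operational risk the reply alludes to.
    """
    src = ipaddress.IPv4Address(parse_ipv4_header(pkt)["src"])
    return any(src in ipaddress.IPv4Network(p) for p in our_prefixes)


def reflector_reply(pkt: bytes, reply_payload: bytes) -> bytes:
    """A naive UDP-style service: answer whoever the packet *claims* to be from.

    With a spoofed source, the reply goes to the victim, not the attacker.
    """
    req = parse_ipv4_header(pkt)
    return build_ipv4_header(src=req["dst"], dst=req["src"], proto=17,
                             payload_len=len(reply_payload)) + reply_payload


def simulate_bounce(victim: str, reflectors: Iterable[str],
                    payload: bytes = b"query") -> List[str]:
    """Spoof `victim` as the source to each reflector; return where replies land."""
    landed = []
    for r in reflectors:
        probe = build_ipv4_header(victim, r, 17, len(payload)) + payload
        landed.append(parse_ipv4_header(reflector_reply(probe, b"x" * 64))["dst"])
    return landed


if __name__ == "__main__":
    spoofed = build_ipv4_header("203.0.113.5", "192.0.2.10", 17, 4) + b"ping"
    print("claimed source:", parse_ipv4_header(spoofed)["src"])
    print("leaves 198.51.100.0/24 border?", egress_permitted(spoofed, ["198.51.100.0/24"]))
    print("bounce replies go to:", simulate_bounce("203.0.113.5", ["192.0.2.1", "192.0.2.2"]))
```

The two filter calls make the reply's caveat concrete: the same spoofed packet is dropped when the border only lists its own `198.51.100.0/24`, but passes once `203.0.113.0/24` is added as a transit customer's prefix, so the filter is only as good as the prefix list behind it.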

