Re: Req: info on IP range popup ad software supposedly called "Extreme Marketing"

From: Joe Schmoe (nomail@forme.com)
Date: 12/31/02


From: "Joe Schmoe" <nomail@forme.com>
Date: Mon, 30 Dec 2002 19:50:11 -0500

On Mon, 30 Dec 2002 22:44:52 +0000, Barry Margolin wrote:

> In article <pan.2002.12.30.20.49.41.320407@forme.com>, Joe Schmoe
> <nomail@forme.com> wrote:
>>On Mon, 30 Dec 2002 18:52:56 +0000, Barry Margolin wrote:
>>> Since egress filtering forces organizations to use source addresses
>>> that are assigned to them, you can use the source address to determine
>>> what organization sent it.
>>
>>I know what you are saying and agree with you. But if the egress
>>filtering is being done by your ISP, it is probably taking place at the
>>border router for your subnet and that's as far back as they can trace
>>it.
>
> Which is good enough, isn't it? They don't need to know which machine
> is spamming, just what organization is, so that they can cancel your
> connection if you don't stop.
>
> If the organization is also a service provider, they should be able to
> further pin down which of their customers was using the specific IP at
> the time.

I dunno, maybe I am missing something here. Let's say you and I are both
using mediaone as our ISP, your assigned IP is 207.46.249.222, mine is
207.46.249.223...

I decide to send some of these messages out, I don't require a response so
I don't have to supply a valid IP. And I don't want to get caught either,
so I forge the packets with your IP as the source. These packets would
pass the egress filter on the router as they are coming from a valid
IP within that subnet.

But as someone else in this thread pointed out, your MAC address is also
included in your packet headers... Furthermore, mediaone could have MAC
binding enabled in the router so it will not allow packets to pass in
which the IP address and MAC address contained in the packet headers do
not match its table of assigned MAC/IP pairs.

Still not a problem... I simply scan my subnet for boxes with port 139
open, then I can peruse my scan logs and pick a target. Once I decide on a
target I just do a nbtstat -A <ip address>....

Now, not only do I have your IP, but I also have your MAC address. I can
now forge perfectly acceptable packets that will pass through the router
unmolested and cannot be traced back to me; they will all point back to
you or whatever target I selected.

Joe
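The two router-side checks the thread argues about (plain egress filtering on the source prefix, and a MAC/IP binding table), run over constructed frames as an added example that is not part of the original post. The /24 prefix, the binding table, the MAC addresses and the frames are all made up; the point it shows is the thread's conclusion that a frame carrying a correctly paired IP and MAC is indistinguishable from the real owner's traffic to these two checks alone.

```python
import ipaddress
from dataclasses import dataclass

# Constructed data: the prefix assumed to be assigned to this subnet and the
# router's hypothetical table of assigned IP -> MAC pairs.
ASSIGNED_PREFIX = ipaddress.ip_network("207.46.249.0/24")
MAC_BINDINGS = {
    "207.46.249.222": "00:11:22:33:44:55",   # "your" box (constructed MAC)
    "207.46.249.223": "00:11:22:33:44:66",   # "my" box (constructed MAC)
}


@dataclass(frozen=True)
class Frame:
    """The header fields the router looks at before forwarding upstream."""
    src_mac: str
    src_ip: str
    dst_ip: str


def egress_filter(frame: Frame) -> bool:
    """Egress filtering: the source IP must fall inside the assigned range."""
    return ipaddress.ip_address(frame.src_ip) in ASSIGNED_PREFIX


def mac_binding_check(frame: Frame) -> bool:
    """MAC binding: the source MAC must be the one recorded for that source IP."""
    return MAC_BINDINGS.get(frame.src_ip) == frame.src_mac.lower()


def router_accepts(frame: Frame) -> bool:
    """A frame leaves the subnet only if both checks pass."""
    return egress_filter(frame) and mac_binding_check(frame)


def evaluate_samples() -> dict:
    """Run the checks over constructed frames; returns label -> accepted."""
    samples = {
        # my own box sending with its own IP and MAC
        "legit": Frame("00:11:22:33:44:66", "207.46.249.223", "198.51.100.9"),
        # source IP outside the assigned prefix: egress filter drops it
        "outside_prefix": Frame("00:11:22:33:44:66", "10.0.0.5", "198.51.100.9"),
        # your IP with my MAC: binding table catches the mismatch
        "spoofed_ip_only": Frame("00:11:22:33:44:66", "207.46.249.222", "198.51.100.9"),
        # your IP with your MAC: passes both checks, looks exactly like you
        "spoofed_ip_and_mac": Frame("00:11:22:33:44:55", "207.46.249.222", "198.51.100.9"),
    }
    return {label: router_accepts(f) for label, f in samples.items()}
```

Only the first two checks are modelled; the router has no way, from these header fields alone, to tell the last case apart from the legitimate owner's traffic.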


