Re: How to determine TCP/IP pack source IP spoofing?

Maybe I don't have a concern -- if the packet is external and spoofed, the
source can NOT obtain a return -- is that correct? So the incoming packet
would have to hit a valid listener that would then process the packet and
do XYZ (assuming the valid listener is capable of doing XYZ) -- assume no
"invalid listeners" on the destination.

Does this sound correct?

I assume most attackers gain control of a drone/PC (say GWB) and then do the
attacking from that machine, so no spoofing is used. Spoofing is used only
when delivering the controlling payload to the GWB PC?

I guess my thought pattern here is that detection of spoofed packets is a
good indicator that a target has been selected (the GWB PC). Once the
target is identified, it can be relatively easy to have that target track the
remote attacker? I guess you might say I'm working on a bait and trap
project, or at the very least bait and identify (since most remote attacks
seem to come from outside the US), before the drone can even start other
attacks.

This might be a very handy tool for a $50,000 prize entry for Vista. With
Vista (in theory) one could set up a "Bait" session just waiting for the
hacker to deliver their payload -- once the hacker establishes his "virtual
drone" connection, then my service can start the monitoring and
identification process and/or even reverse attack (depending on the length
of the chain of drone nodes used).

Just a thought.

Rob.


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A_ydnRnAa-gihtjZnZ2dnUVZ_vmdnZ2d@xxxxxxxxxxxxxx
I don't know of a good way unless you know that the packet came from
outside of the network and it has a source IP from inside the network. Most,
if not all, current routers should drop such traffic in their default
configuration. What specific security risk are you concerned about, as there
usually is a way to mitigate the risk. --- Steve


"Rob R. Ainscough" <robains@xxxxxxxxxxx> wrote in message
news:ezjB3ekYGHA.4620@xxxxxxxxxxxxxxxxxxxxxxx
Is there any way to determine if a packet is using a spoofed IP source
address?

Thanks, Rob.
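The one check Steve describes above (a packet arriving on the outside interface with an inside source address, which a router's anti-spoofing filter drops) can be written down as a small classifier. The following is an added example, not code from any participant in this thread; the interface names, the site prefix 203.0.113.0/24 (an RFC 5737 documentation range standing in for a real public allocation) and the sample packets are all constructed for illustration. It also applies the mirror-image egress rule (an inside host sending with a source address that is not the site's), which is the BCP 38 recommendation and goes slightly beyond what the reply states.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the site's own address space, as the router admin would
# configure it. A packet arriving from the Internet that claims one of these as
# its source cannot be genuine, because those addresses live behind the router.
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Address ranges that are never valid as a source on the public Internet
# ("bogons"): unspecified, private (RFC 1918), CGNAT, loopback, link-local,
# multicast and reserved. Any of these on the outside interface is spoofed
# (or leaked from a misconfigured upstream), and is dropped either way.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class Packet:
    iface: str   # hypothetical names: "ext" = Internet-facing, "int" = LAN-facing
    src: str     # source IP as seen in the packet header
    dst: str


def in_any(addr, prefixes):
    """True if addr falls inside any of the given networks."""
    return any(addr in p for p in prefixes)


def classify(pkt):
    """Apply the two-sided anti-spoofing rule.

    Returns None when the source address is plausible for the interface the
    packet arrived on, otherwise a short string naming the rule it violated.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "ext":
        # Ingress rule (what the reply describes): outside packet, inside source.
        if in_any(src, INTERNAL_PREFIXES):
            return "ingress: external packet claims an internal source"
        if in_any(src, BOGON_PREFIXES):
            return "ingress: external packet has a bogon source"
    elif pkt.iface == "int":
        # Egress rule (BCP 38): an inside host may only send with the site's own
        # addresses; anything else is an inside machine spoofing outbound.
        if not in_any(src, INTERNAL_PREFIXES):
            return "egress: internal host sending with a foreign source"
    return None


def scan(packets):
    """Return (src, reason) for every packet the filter would drop."""
    hits = []
    for pkt in packets:
        reason = classify(pkt)
        if reason is not None:
            hits.append((pkt.src, reason))
    return hits


# Constructed sample traffic, not captured data.
SAMPLE = [
    Packet("ext", "198.51.100.20", "203.0.113.10"),  # ordinary inbound, plausible
    Packet("ext", "203.0.113.7", "203.0.113.10"),    # inside address from outside
    Packet("ext", "192.168.1.5", "203.0.113.10"),    # RFC 1918 source from outside
    Packet("int", "203.0.113.9", "198.51.100.20"),   # ordinary outbound, plausible
    Packet("int", "198.51.100.77", "198.51.100.20"), # inside host spoofing outbound
]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE):
        print(f"drop {src}: {reason}")
```

The limitation is exactly the one the reply hints at: a packet from outside whose forged source is some other site's perfectly valid public address passes this filter, because nothing in the packet itself reveals the forgery. For that case the only signal the receiver has is behavioural, for example a TCP SYN whose SYN-ACK is never answered because the reply went to the address that was forged.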