[svlug] ip address spoofing

Greg Herlein gherlein at herlein.com
Thu Oct 24 12:00:37 PDT 2002


> > 1) gain control of routing for the spoofed IP address.
> > 2) be in the actual path the packet would take to get to the real owner of
> >    the spoofed address.

> Not entirely accurate.  Cf. "blind TCP spoofing" from any of a number
> of sources in the past two years.  I believe Dug Song's penetration

I think the answer is "it depends."  You can inject TCP packets
towards the target just fine...  just like you can UDP packets...
but if you want to get the REPLIES from the target you need to be
in a position that the packets will get routed back to you
and not to the IP address you are spoofing.

BTW, there's a good article here:

	http://www.linuxgazette.com/issue63/sharma.html

You can blow down a TCP connection by spoofing packets with the
RST bit set, assuming you can guess the sequence number.... which
if you can sniff the connection, you can.

If you cannot sniff the connection because it's on a totally
separate IP segment from you, then I would dare say you
essentially cannot spoof that TCP session - at least, you cannot
modify the flow of data between the hosts, or trick the target
into thinking that your data flow is really from the spoofed
address.  

Caveat: if you can attack and subvert the routers involved to make
them route to you, then by all means you can spoof.  In that
case, all you have to do is just add a virtual interface on your
box with the spoofed IP address and have your way.

Greg
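
Added example (not part of Greg's post or the thread): the spoofed RST the
post describes, built by hand so the two things that matter are visible,
namely that the source address field is just bytes we fill in, and that the
receiver only honours the RST if the sequence number we guessed lands where
it expects. All addresses, ports and sequence numbers are constructed sample
values; nothing is sent on the wire (that would need a raw socket and root).
The receiver-side check goes beyond the post in one respect: it shows both
the original RFC 793 in-window rule and the RFC 5961 exact-match rule that
later hosts adopted to make blind guessing impractical.

```python
"""Spoofed TCP RST construction and receiver acceptance check.
Added example, not code from the original svlug post. Sample values only."""
import socket
import struct

TCP_RST = 0x04
TCP_ACK = 0x10


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip, dst_ip, sport, dport, seq, ack=0, flags=TCP_RST):
    """Return an IPv4 + TCP segment with RST set. src_ip is the address being
    spoofed: the stack building the packet never checks that it owns it."""
    tcp_len = 20
    # TCP header: ports, seq, ack, data offset (5 words), flags, window,
    # checksum placeholder, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      (tcp_len // 4) << 4, flags, 0, 0, 0)
    # TCP checksum covers a pseudo-header with the (spoofed) addresses
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL,
    # protocol, checksum placeholder, source, destination
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0,
                     64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse(packet: bytes) -> dict:
    """Pull out the fields a receiver looks at and verify both checksums
    (a valid checksum makes the covered bytes sum to zero)."""
    ip = packet[:20]
    ihl = (ip[0] & 0x0F) * 4
    tcp = packet[ihl:]
    sport, dport, seq, _ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0,
                         socket.IPPROTO_TCP, len(tcp))
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq,
        "rst": bool(flags & TCP_RST),
        "ip_csum_ok": checksum(ip) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def rst_accepted(seq, rcv_nxt, rcv_wnd, strict=False):
    """Receiver-side rule. RFC 793: any RST whose seq is inside the receive
    window tears the connection down. RFC 5961 (strict=True): only
    seq == RCV.NXT does; an in-window miss just draws a challenge ACK.
    Sequence numbers wrap at 2**32, so the distance is taken modulo 2**32."""
    offset = (seq - rcv_nxt) % (1 << 32)
    if strict:
        return offset == 0
    return offset < rcv_wnd


def guesses_needed(rcv_wnd, strict=False):
    """Worst-case number of blind RSTs to cover the sequence space: one per
    window under RFC 793, one per sequence number under RFC 5961."""
    if strict:
        return 1 << 32
    return -(-(1 << 32) // rcv_wnd)


if __name__ == "__main__":
    # Constructed scenario: 10.0.0.5:40000 -> 10.0.0.9:22 is the real
    # session; we pretend to be 10.0.0.5 and guess its next seq number.
    pkt = build_rst("10.0.0.5", "10.0.0.9", 40000, 22, seq=1000,
                    flags=TCP_RST | TCP_ACK)
    print(parse(pkt))
    for guess in (1000, 1500, 999):
        print(guess, rst_accepted(guess, 1000, 65535),
              rst_accepted(guess, 1000, 65535, strict=True))
    print("blind guesses:", guesses_needed(65535), guesses_needed(65535, True))
```

The third guess (999) is rejected even though it is only one off, because
the modular distance from RCV.NXT is 2**32 - 1, which is why sniffing the
live sequence number (the post's "if you can sniff the connection") is the
practical route and blind guessing is a numbers game over the window size.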



