[svlug] ip address spoofing

Mark C. Langston mark at bitshift.org
Thu Oct 24 15:11:16 PDT 2002

On Thu, Oct 24, 2002 at 02:56:38PM -0700, Vince Hoang wrote:
> On Thu, Oct 24, 2002 at 12:57:38PM -0700, Mark C. Langston wrote:
> > It's not just theoretical; I do believe this has been done in
> > the lab and in the wild. However, I don't have the papers to
> > hand at the moment.
> Please cite other resources when you come across them again.
> Here are a few related resources that I found:

Will do.  I'm in the middle of eight other things at the moment,
so probably can't dig through my resources until some later point,
but there is at least one flaw with the method I described
in my last post:  If $VICTIM's IP is live, and not simply dropping
packets on the floor (as opposed to sending a FIN or RST for 
what would appear to be a spoofed ACK to the victim, as there would
be no state maintained for the session from $VICTIM's point of view),
$VICTIM may well send a RST to $IMTA, thus ending the session you
were blind-spoofing.  And, since you *were* blind during the 
spoofing process, you wouldn't know it.

Probably one of the few good reasons I can think of to have a
stateful packet-filtering firewall actually respond to unwanted
incoming traffic rather than simply /dev/nulling it.

Of course, the $EVIL_HACKER could either arp-spoof $VICTIM, or
otherwise deny them service, thus making the possibility of 
a response from $VICTIM to the $IMTA's outbound traffic in your
blind-spoofed session impossible for the duration of the 

At that point, pretty much the only thing that's going to tip
you off that it was spoofed traffic would be a check of the
TTLs for appropriateness, or a hop-by-hop traceback of the
potential routes between $VICTIM and $IMTA, and that assumes
you know what routes were possible between two endpoints at
a given time, and have logging data from each router, with which
one could demonstrate with certainty that the packets could not
have originated from $VICTIM, as they did not use any valid 
transit between $VICTIM and $IMTA.

If, however, $VICTIM is live and dropping the packets from $IMTA
on the floor from your blind-spoof, there's going to be at least
some confusion as to whether $VICTIM actually initiated the 
traffic, because you'll see half the session clearly, along
normal transit routes.  I'd wager the average net tech would 
suspect logging problems or other such glitches before suspecting
a blind-spoof in such cases, unless they were specifically
looking for a blind-spoof.

Mark C. Langston         VP, SAGE Certification       Sr. SysAdmin
mark at bitshift.org        http://www.sagecert.org   Project Phoenix
Systems & Network Admin        By and For           SETI Institute
http://bitshift.org       Systems Administrators     mark at seti.org
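The TTL check Mark mentions above (looking at whether the TTL on packets
claiming to come from $VICTIM is consistent with what $VICTIM's real packets
show) can be scripted.  The following is an added example, not code from the
post or from SVLUG; it assumes the defender has a per-source baseline of
observed hop counts learned from sessions that were genuinely completed with
that source, and it uses constructed sample packet records.  The addresses,
the Packet type and the helper names are all made up for the illustration.

```python
"""
TTL-consistency check for tipping off a blind-spoofed session.

Added example (not from the original post).  Assumptions:
  - the defender keeps a baseline {src: (initial_ttl, hop_count)} built from
    packets it trusts, e.g. the ACK completing a three-way handshake that the
    defender itself saw start;
  - packets "from" the same source that arrive with a different inferred
    initial TTL, or a hop count well outside the baseline, are flagged.
All addresses and packets below are constructed sample data.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst ttl flags")

# Initial TTL values commonly used by operating systems and routers.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed):
    """Return the smallest common initial TTL that is >= the observed TTL."""
    for init in INITIAL_TTLS:
        if observed <= init:
            return init
    raise ValueError("TTL %d exceeds 255" % observed)


def hop_count(observed):
    """Hops the packet appears to have travelled, given its observed TTL."""
    return infer_initial_ttl(observed) - observed


def learn_baseline(trusted_packets):
    """Build {src: (initial_ttl, hop_count)} from packets we have reason to
    trust.  A blind spoofer cannot complete a handshake to us without
    guessing our ISN, so the ACK of a completed handshake is a fair source."""
    baseline = {}
    for p in trusted_packets:
        baseline[p.src] = (infer_initial_ttl(p.ttl), hop_count(p.ttl))
    return baseline


def check_packet(p, baseline, tolerance=2):
    """Return None if the packet is consistent with the baseline for its
    claimed source, otherwise a short reason string.  Sources with no
    baseline cannot be judged and return None."""
    if p.src not in baseline:
        return None
    init, hops = baseline[p.src]
    obs_init = infer_initial_ttl(p.ttl)
    obs_hops = hop_count(p.ttl)
    if obs_init != init:
        return "initial TTL %d, expected %d" % (obs_init, init)
    if abs(obs_hops - hops) > tolerance:
        return "hop count %d, expected %d" % (obs_hops, hops)
    return None


def flag_spoofed(packets, baseline, tolerance=2):
    """Return [(packet, reason)] for every packet that fails the check."""
    flagged = []
    for p in packets:
        reason = check_packet(p, baseline, tolerance)
        if reason is not None:
            flagged.append((p, reason))
    return flagged


# Constructed sample data.  $VICTIM is 192.0.2.10, $IMTA is 198.51.100.25.
# The trusted packet shows $VICTIM with initial TTL 64 and 12 hops away.
TRUSTED = [Packet("192.0.2.10", "198.51.100.25", 52, "A")]
BASELINE = learn_baseline(TRUSTED)

SUSPECT = [
    Packet("192.0.2.10", "198.51.100.25", 51, "PA"),   # 13 hops: route wobble, fine
    Packet("192.0.2.10", "198.51.100.25", 119, "PA"),  # initial TTL 128: wrong stack
    Packet("192.0.2.10", "198.51.100.25", 44, "PA"),   # 20 hops: wrong distance
    Packet("203.0.113.7", "198.51.100.25", 240, "PA"), # no baseline: cannot judge
]

if __name__ == "__main__":
    for pkt, why in flag_spoofed(SUSPECT, BASELINE):
        print("suspect packet from %s (ttl %d): %s" % (pkt.src, pkt.ttl, why))
```

The tolerance absorbs ordinary route changes; a large tolerance hides a
spoofer sitting near the victim's real path, a small one produces noise every
time a route flaps.  As the post says, this is a tip-off rather than proof: an
attacker who already knows $VICTIM's operating system and hop distance from
$IMTA can set the outgoing TTL to match.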
