Can you 'fake' an IP address?

Alejandro Imass aimass-EzYyMjUkBrFWk0Htik3J/w at public.gmane.org
Tue Mar 13 18:09:37 UTC 2012


On Tue, Mar 13, 2012 at 9:33 AM, Robert Brockway
<robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org> wrote:
> On Mon, 12 Mar 2012, Thomas Milne wrote:
>
>> I swear I had read in discussions on here before that it was
>> impossible to 'fake' an IP address. You could hide behind someone

[...]

> Spoofing can be generally defeated by appropriately strong cryptographic
> signing of data (at L3, L4 or even higher).
>

Not at all. 99.999999% of users are so stupid they will type or click
YES _every single time_. I conducted a private study in a high-profile
govt / police scenario. And ALL the users clicked YES to my spoofed
Ettercap HTTPS certs. The certs look identical and users assume it's
some network glitch. They are so used to proxy configuration errors
and bad internal IT service that they just assume it's a technical
problem.

All in all we demonstrated that by taking control of the main Linux-based
firewall, a single point of all traffic, we could possess everyone's
passwords with something as simple as Ettercap. I mean folks, this was
using amateur demo-style Ettercap stuff.

> Spoofing is a big topic as the chances of success and impact vary a lot
> depending on what the baddie is doing and what they are trying to achieve.

Yes. The real threat is not from outside crackers, it's 90% from the
inside, usually working in concert with the outside. I honestly don't
know of any real successful spoofing at a public IP level, except for
those cases that the crackers have taken possession of a router and
you happen to be in their path. As Robert is pointing out, if the
connections are SSL you will also need to spoof the certs and have
someone stupid assert to continue.

In my experience 99% of attacks are inside jobs, weak passwords and
weak Web-based application software. Most everything else is very
rare. I mean the threat is out there, but it's not as easy as many
people think. The most important factor is the cost/benefit factor,
and that to me is the key thing to look for.



-- 
Alejandro Imass
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
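The scenario the message describes (an in-path box presenting look-alike HTTPS certificates, which only works when the client or user waives verification) as an added example that is not part of the original post or of the TLUG thread. It uses only Go's standard library: a constructed hostname ("intranet.example"), a constructed "Corp Root CA" that the client trusts, and a constructed "Interceptor CA" that issues a certificate for the same name; the CA names, hostname and keys are all assumptions generated in-process. A client that verifies the chain against its trust store rejects the look-alike, and a client configured with `InsecureSkipVerify` (the programmatic equivalent of clicking YES) accepts it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Added example, not code from the thread: a constructed hostname that both the
// genuine CA and the untrusted "interceptor" CA issue certificates for.
const host = "intranet.example"

// makeCert generates an Ed25519 key and a certificate for name: a self-signed CA
// when parent is nil, otherwise a server certificate signed by parent.
func makeCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server certificate; the name goes in the SAN, as clients require
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue creates a CA named caName plus a server certificate for host signed by
// it, and returns a trust store that contains only that CA.
func issue(caName string) (*x509.CertPool, tls.Certificate, error) {
	ca, caKey, err := makeCert(caName, nil, nil)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leaf, leafKey, err := makeCert(host, ca, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}, nil
}

// connect runs one TLS handshake over loopback TCP against a server presenting
// serverCert and classifies the client's verdict. The client verifies the chain
// against roots for host unless skipVerify (a user who accepts anything) is set.
func connect(serverCert tls.Certificate, roots *x509.CertPool, skipVerify bool) string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "error: " + err.Error()
	}
	defer ln.Close()
	go func() { // server side: present serverCert, then let the client decide
		if c, err := ln.Accept(); err == nil {
			tls.Server(c, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
			c.Close()
		}
	}()
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "error: " + err.Error()
	}
	defer c.Close()
	cfg := &tls.Config{ServerName: host, RootCAs: roots, InsecureSkipVerify: skipVerify}
	err = tls.Client(c, cfg).Handshake()
	if err == nil {
		return "accepted"
	} else if errors.As(err, new(x509.UnknownAuthorityError)) {
		return "rejected: unknown authority"
	}
	return "rejected: " + err.Error()
}

func main() {
	roots, genuine, err := issue("Corp Root CA")
	_, lookAlike, err2 := issue("Interceptor CA")
	if err != nil || err2 != nil {
		panic("certificate generation failed")
	}
	fmt.Println(connect(genuine, roots, false), "|", connect(lookAlike, roots, false), "|", connect(lookAlike, roots, true))
}
```

Run with `go run`; the three verdicts printed are the genuine certificate against a verifying client, the look-alike against a verifying client, and the look-alike against a client that skips verification. The point is Robert's: the signature chain defeats the spoof, but only when the client enforces it, so the useful control is a client (or browser policy) that cannot be talked into `InsecureSkipVerify` or a click-through, and the interceptor's unknown-authority failures showing up in logs is the detection signal.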