Can you 'fake' an IP address?

Walter Dnes waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org
Wed Mar 14 04:08:05 UTC 2012


On Tue, Mar 13, 2012 at 11:33:55PM +1000, Robert Brockway wrote

> Hi Thomas.  It is possible.  It's called IP spoofing.  In general it is 
> difficult to do successfully.  One way TCP connections protect against 
> spoofing is to make their connection sequence numbers difficult to 
> predict.
> 
> Many years ago the method used to generate TCP sequence numbers in the BSD 
> network code was found to be much more easily predicted than previously 
> thought.  Anyone using BSD network code was potentially vulnerable.  That 
> turned out to be pretty much everyone and over a period of weeks/months 
> every susceptible OS had its networking code patched to fix the problem.
> 
> One problem with IP spoofing is that the responding system will respond to 
> the system being spoofed, not the one doing the spoofing (after all, that 
> is who it thinks it is talking to).  So the spoofing system must either:
> 
> (a) not need response packets to do its evil work
> (b) intercept the responses to do its evil work
> (c) guess the responses and respond blindly, to do its evil work
> 
> Spoofing can be generally defeated by appropriately strong cryptographic 
> signing of data (at L3, L4 or even higher).
> 
> Spoofing is a big topic as the chances of success and impact vary a lot 
> depending on what the baddie is doing and what they are trying to achieve.
> 
> There is a lot of info available online on this interesting topic.

  On an anti-spam newsgroup, years ago, there was a spammer strategy
explained.  Back before the days of botnets, spammers had to use their
own connections, which would get taken down after a couple of days.

  It required...
* a broadband ISP account that does not do egress filtering.  You do not
  want to lose this account
* a throwaway dialup account (they were cheap back then), preferably
  billed to a compromised credit card
* a spamming program with sophisticated IP stack management

  The way it worked was...
* connect the broadband account, e.g. IP address 10.0.0.1 (mock example)
* connect the dialup account, e.g. IP address 192.168.0.1 (mock example)
* use the broadband account to do the spamming, but fake outgoing IP
  address to match the dialup
* the dialup account receives the 3-way-handshakes, and they can be
  acknowledged properly

  The destination mailservers would see a "dialup account" spewing spam
at 500 or 600 kbits/sec.  It would often begin Friday evening.  When the
dialup ISP received reports of spam, and the employees came in on Monday,
they would remove the offending dialup account sometime during Monday.
The dialup account was burned, but the valuable broadband account was
never implicated.

-- 
Walter Dnes <waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org>
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
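The two situations discussed in this thread, as an added toy model that is not code from either poster: the "dialup trick" Walter describes (spoofed SYN out over broadband, SYN-ACK collected on the dialup the spammer also holds) and the blind-guess case (c) from Robert's reply, where the spoofer never sees the SYN-ACK and must predict the server's initial sequence number. It reuses Walter's mock addresses 10.0.0.1 and 192.168.0.1 and adds constructed RFC 5737 addresses for the server and a third-party victim. Nothing touches a real socket; the fixed-increment ISN generator is a stand-in for the old predictable behaviour, not a reproduction of any particular BSD release, and the egress filter is a BCP 38 style source-prefix check assumed to sit at the broadband ISP.

```python
"""Toy model of spoofed TCP handshakes (added example, not from the posts).
No real sockets: hosts, addresses and ISN generators are all constructed.
Replies always travel to a packet's *source* address, which is what makes
spoofing awkward unless you hold that address or can guess the reply."""
import random
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses.  10.0.0.1 / 192.168.0.1 are the mock addresses used
# in the post above; the others are RFC 5737 documentation addresses.
BROADBAND = "10.0.0.1"            # spammer's valuable broadband line
BROADBAND_PREFIX = "10.0.0.0/24"  # the prefix that ISP actually assigned
DIALUP = "192.168.0.1"            # throwaway dialup the spammer also holds
VICTIM = "198.51.100.9"           # an address the spammer does NOT control
SERVER = "192.0.2.25"             # destination mail server


@dataclass
class Packet:
    src: str
    dst: str
    flags: str   # "SYN", "SYN-ACK" or "ACK"
    seq: int = 0
    ack: int = 0


class Server:
    """Minimal listener: answers SYN with SYN-ACK, and accepts the final ACK
    only if it acknowledges the ISN we sent plus one."""
    def __init__(self, address, isn_gen):
        self.address, self.isn_gen = address, isn_gen
        self.pending = {}          # peer address -> ISN we sent it
        self.established = set()

    def receive(self, pkt, net):
        if pkt.flags == "SYN":
            isn = self.isn_gen()
            self.pending[pkt.src] = isn
            net.deliver(Packet(self.address, pkt.src, "SYN-ACK", seq=isn, ack=pkt.seq + 1))
        elif pkt.flags == "ACK" and pkt.src in self.pending:
            if pkt.ack == self.pending[pkt.src] + 1:
                self.established.add(pkt.src)


class Network:
    """Routes by destination: the server handles its packets directly; every
    other address just has an inbox readable by whoever holds that address."""
    def __init__(self, server):
        self.server, self.inbox = server, {}

    def deliver(self, pkt):
        if pkt.dst == self.server.address:
            self.server.receive(pkt, self)
        else:
            self.inbox.setdefault(pkt.dst, []).append(pkt)


def make_predictable_isn(start=1000, step=64):
    """Stand-in for the old fixed-increment generators: each new connection
    gets the previous ISN plus a constant, so one probe reveals the next."""
    state = [start]
    def gen():
        state[0] += step
        return state[0]
    return gen


def random_isn():
    """What current stacks do: 32 unpredictable bits per connection."""
    return random.getrandbits(32)


def egress_ok(pkt, customer_prefix):
    """BCP 38 style egress filter at the ISP: a customer may only emit packets
    whose source address lies inside the prefix it was assigned."""
    return ip_address(pkt.src) in ip_network(customer_prefix)


def dialup_trick(isp_filters_egress):
    """The post's scheme: SYN leaves over broadband carrying the dialup's address;
    the SYN-ACK lands on the dialup, which the spammer also controls, so the
    handshake completes with no guessing.  Only the egress filter stops it."""
    server = Server(SERVER, random_isn)       # a random ISN does not help here
    net = Network(server)
    syn = Packet(DIALUP, SERVER, "SYN", seq=random.getrandbits(32))
    if isp_filters_egress and not egress_ok(syn, BROADBAND_PREFIX):
        return False                          # dropped at the broadband ISP
    net.deliver(syn)
    synack = net.inbox[DIALUP].pop()          # read the reply off the dialup
    net.deliver(Packet(DIALUP, SERVER, "ACK", seq=synack.ack, ack=synack.seq + 1))
    return DIALUP in server.established


def blind_spoof(isn_gen, probes=2):
    """Case (c) from the quoted reply: spoof an address we do not hold, never see
    the SYN-ACK, and guess the server's ISN from earlier legitimate connections.
    (The real victim's RST on the unexpected SYN-ACK is ignored in this toy.)"""
    server = Server(SERVER, isn_gen)
    net = Network(server)
    seen = []
    for _ in range(probes):                   # legitimate probes from our own address
        net.deliver(Packet(BROADBAND, SERVER, "SYN", seq=1))
        seen.append(net.inbox[BROADBAND].pop().seq)
    step = seen[-1] - seen[-2]
    net.deliver(Packet(VICTIM, SERVER, "SYN", seq=1))   # SYN-ACK goes to VICTIM, unseen
    guess = seen[-1] + step                             # predict the server's next ISN
    net.deliver(Packet(VICTIM, SERVER, "ACK", seq=2, ack=guess + 1))
    return VICTIM in server.established


if __name__ == "__main__":
    print("dialup trick, no egress filter:", dialup_trick(False))
    print("dialup trick, BCP 38 filter:   ", dialup_trick(True))
    print("blind spoof, predictable ISN:  ", blind_spoof(make_predictable_isn()))
    print("blind spoof, random ISN:       ", blind_spoof(random_isn))
```

Run as a script and the four lines come out True, False, True, False: the dialup trick works against a server with perfectly random ISNs, because the spammer really does receive the replies, and only source-address filtering at the originating ISP breaks it; the blind guess, by contrast, lives or dies on ISN predictability, which is the property Robert's reply points at.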
