{"id":181882,"date":"2010-01-13T17:53:00","date_gmt":"2010-01-13T21:53:00","guid":{"rendered":"tag:blogger.com,1999:blog-7196788127833928948.post-2042279453012538415"},"modified":"2010-01-13T17:53:00","modified_gmt":"2010-01-13T21:53:00","slug":"ip-spoofing-attack-in-the-real-world","status":"publish","type":"post","link":"https:\/\/mereja.media\/index\/181882","title":{"rendered":"IP Spoofing Attack in the real world"},"content":{"rendered":"<p>The <a href=\"http:\/\/www.shortinfosec.net\/2009\/12\/summary-of-ip-spoofing.html\">guest post on <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_0\">IP<\/span> Spoofing<\/a> was well visited and caused a lot of interest. One may expect that a lot of visitors actually thought that <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_1\">IP<\/span> spoofing is a great way to cause a bit of commotion and try their hand as hackers.<\/p>\n<p>The reality of the <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_2\">internet<\/span> is actually quite different. 
First of all, <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_3\">IP<\/span> spoofing has been around for decades, and has been the cause of a lot of quite nasty attacks on high-profile targets.<\/p>\n<p><a onblur=\"try {parent.deselectBloggerImageGracefully();} catch(e) {}\" href=\"http:\/\/1.bp.blogspot.com\/_Hu1rpxRsqcU\/S0-AkmoZ0sI\/AAAAAAAAAds\/xSUzb9IzWDs\/s1600-h\/IP_Spoofing.jpg\"><img decoding=\"async\" style=\"margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 254px;\" src=\"http:\/\/1.bp.blogspot.com\/_Hu1rpxRsqcU\/S0-AkmoZ0sI\/AAAAAAAAAds\/xSUzb9IzWDs\/s320\/IP_Spoofing.jpg\" alt=\"\" id=\"BLOGGER_PHOTO_ID_5426697442338394818\" border=\"0\" \/><\/a><br \/><span style=\"font-weight: bold;\">Most serious <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_4\">ISPs<\/span> do not want to be associated with <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_5\">IP<\/span> spoofing attacks, and are implementing measures to contain <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_6\">IP<\/span> spoofing attacks originating from their networks<\/span>.<\/p>\n<p>The containment measures are implemented on their firewalls and routers. The basic logic of this protection is this:<\/p>\n<ul>\n<li>A firewall is aware of the networks to which it connects, so it can control source addresses. For example, a demo firewall has 5 interfaces:<\/li>\n<\/ul>\n<ol>\n<ul>\n<li>A connecting to network 10.1.1.x<\/li>\n<li>B connecting to network 10.2.1.x<\/li>\n<li>C connecting to network 10.3.1.x<\/li>\n<li>D connecting to network 10.4.1.x <\/li>\n<li>&#8216;outside&#8217; connecting to the rest of the world\/<span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_7\">internet<\/span><\/li>\n<\/ul>\n<\/ol>\n<blockquote><p>It is expected that any traffic arriving on interface A will have a source address of 10.1.1.x. 
If it doesn&#8217;t, it&#8217;s most probably an <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_9\">IP<\/span> spoofing attack and will be dropped. The only interface that cannot apply such logic is the &#8216;outside&#8217; interface, since it connects the firewall to the rest of the <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_10\">internet<\/span>. But the outside interface can have another protection, which protects against &#8216;loop&#8217; <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_11\">IP<\/span> spoofing attacks. That means that the &#8216;outside&#8217; interface will not accept incoming packets with source addresses from a network that is on any of the &#8216;inside&#8217; interfaces.<\/p><\/blockquote>\n<ul>\n<li>Routers have a somewhat more complex mechanism, since a router can have traffic from multiple networks arriving on any of its interfaces. They use <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_12\">uRPF<\/span> (<span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_13\">unicast<\/span> Reverse Path Forwarding), which analyzes whether the packet&#8217;s source address comes from a network that is known in the routing domain of the router.<\/li>\n<\/ul>\n<p>So in reality, most <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_14\">IP<\/span> spoofing attempts will be dropped on the <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_15\">ISP&#8217;s<\/span> network. But these protection measures are not perfect, and there are networks which are still not controlling <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_16\">IP<\/span> spoofing. 
<span style=\"font-style: italic;\">An aspiring hacker can do significant damage at networks<\/span><span style=\"font-weight: bold; font-style: italic;\"> <\/span><span style=\"font-style: italic;\">such as<\/span><span style=\"font-weight: bold;\"><span style=\"font-style: italic;\">:<\/span><br \/><\/span><\/p>\n<ul>\n<li><span style=\"font-weight: bold;\">University networks <\/span>&#8211; apart from the large universities with dedicated IT staff, the <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_17\">netadmins<\/span> of most universities are computer science teaching assistants, and they don&#8217;t really make much of an effort to control the traffic on the network as long as the university&#8217;s servers and staff systems are protected. Universities are quite often Autonomous Systems, so an <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_18\">IP<\/span> spoofing attack originating from an unprotected network will travel on the Internet backbone.<\/li>\n<li><span style=\"font-weight: bold;\">Smaller company networks <\/span>&#8211; these networks are usually maintained by the &#8216;one man band&#8217; sysadmin, who really has too much on his\/<span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_19\">her<\/span> plate to think about spoofing protection. The silver lining in such an environment is that each of these companies is just a small customer of an <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_20\">ISP<\/span>, which is very capable of blocking an <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_21\">IP<\/span> spoofing attack originating from the small company network.<\/li>\n<li><span style=\"font-weight: bold;\"><span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_22\">ISPs<\/span> in developing countries <\/span>&#8211; much like small company networks, manned by personnel who are not properly trained, understaffed and overworked. 
And the bad news is that these <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_23\">ISPs<\/span> are also Autonomous Systems, so <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_24\">IP<\/span> spoofing attacks originating there will most probably get out.<\/li>\n<\/ul>\n<p>Please note that this article is not an invitation to start wreaking havoc on these networks; on the contrary, it should serve as a reminder for their <span class=\"blsp-spelling-error\" id=\"SPELLING_ERROR_25\">netadmins<\/span> to implement the available and quite simple protection measures.<\/p>\n<p>Talkback and comments are most welcome<\/p>\n<p>Related posts<br \/><a href=\"http:\/\/www.shortinfosec.net\/2009\/12\/summary-of-ip-spoofing.html\">Summary of IP Spoofing<\/a><br \/><a href=\"http:\/\/www.shortinfosec.net\/2009\/12\/corporate-guest-wlan-best-place-for.html\">Corporate Guest WLAN &#8211; The best place for Eavesdropping to Interesting Traffic<\/a><br \/><a href=\"http:\/\/www.shortinfosec.net\/2008\/04\/5-rules-to-home-wi-fi-security.html\">5 Rules to Home Wi-Fi Security<\/a><br \/><a href=\"http:\/\/www.shortinfosec.net\/2008\/07\/example-bypassing-wifi-mac-address.html\">Example &#8211; Bypassing WiFi MAC Address Restriction<\/a><br \/><a href=\"http:\/\/www.shortinfosec.net\/2008\/07\/obtaining-valid-mac-address-to-bypass.html\">Obtaining a valid MAC address to bypass WiFi MAC Restriction<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The guest post on IP Spoofing was well visited and caused a lot of interest. 
One may expect that a lot of visitors actually thought that IP spoofing is a great way to cause a bit of commotion and try their hand as hackers. The reality of the internet is actually quite different. First of all, [&hellip;]<\/p>\n","protected":false},"author":5679,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-181882","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/181882","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/users\/5679"}],"replies":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/comments?post=181882"}],"version-history":[{"count":0,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/181882\/revisions"}],"wp:attachment":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/media?parent=181882"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/categories?post=181882"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/tags?post=181882"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}