Firewall Wizards mailing list archives
Re: IP Spoofing and counter measures
From: Ryan Russell <ryan () securityfocus com>
Date: Sat, 10 Mar 2001 19:33:40 -0700 (MST)
On Wed, 7 Mar 2001, Tib wrote:
> Second (and the meat of the matter): Does anyone know of any good documentation or literature on IP spoofing and if/how it can be unspoofed, traced back properly, or otherwise countered?
There's no "unspoof", unless there happens to be secondary evidence in the packets (i.e. some protocols will "leak" original source addresses in the data portion of the packets. Don't count on ever being able to take advantage of this.)

As for tracing back, that's possible, but really hard if it's outside your own network. When you want to trace back a spoofed packet, you have to go router-by-router, set up monitoring to match just the traffic you want, see what interface it came in on, and check with the router(s) that are attached to that interface. You have to be in constant communication with the Internet provider the whole time, feeding them what packets to look for, telling them if they are still coming. And you have to re-explain the whole deal when you cross ISP boundaries, and deal with that ISP. Most ISPs will (should) require some sort of case number from law enforcement before they will give you this kind of info and cooperation. Frankly, don't expect them to jump for you unless you've got an FBI agent on the line with you the entire time.

Again, this is for when it's across the Internet. If it's on your private WAN, for example, and you control all the routers, then you can do it yourself. I've done it before for a WAN that was at most 8 routers wide at the widest point. The packets were of predictable format (fixed source IP in most cases). It usually took me between 15 minutes and an hour to trace back, depending on how often the packets were showing up. It would be much harder if the source addresses were changing constantly, and the volume of traffic were low, and the destination IP was often used by many machines. In short, it's a real bitch.

There have been any number of proposals for how to make the process more automatic/unnecessary/easier, etc., since about February of last year. Strange coincidence, that, since the problem has been known for like 15 years. Still, I personally am not seeing any actual change in anything that makes spoofing less effective yet.

Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
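The router-by-router trace-back described in the reply above, as an added worked example that is not part of the original post or the list archive. It simulates a small WAN the operator controls: every router reports which interface matching packets arrive on, and the trace walks upstream from the victim until it reaches an interface facing a network the operator does not control. The topology, router names (R1 to R4), interface names, addresses and the observed flows are all constructed for the example; the Router class is a stand-in for whatever per-interface filter or sniffer a real router gives you, not a real router API. The second filter shows the hard case from the post: when the forged source keeps changing and all you can match on is a destination that legitimate traffic also uses, the trace cannot pick an interface and stalls at the first hop.

```python
"""Hop-by-hop trace-back of a spoofed flow across routers you control.

Constructed simulation (not a real router API): each Router records, per
interface, the (src, dst) flows observed arriving on it, which is what a
per-interface packet filter or sniffer would give you at each hop.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Flow = Tuple[str, str]           # (source IP, destination IP) as seen on the wire
Match = Callable[[Flow], bool]   # the "what packets to look for" filter


@dataclass
class Router:
    name: str
    # interface -> neighbouring router name, or None if the interface faces a
    # customer or another provider, i.e. a hop we do not control.
    links: Dict[str, Optional[str]]
    # interface -> flows seen arriving on that interface (constructed data)
    seen: Dict[str, List[Flow]]

    def ingress_interfaces(self, match: Match) -> List[str]:
        """Interfaces on which matching packets were observed arriving."""
        return [ifc for ifc, flows in self.seen.items()
                if any(match(f) for f in flows)]


@dataclass
class TraceResult:
    path: List[Tuple[str, str]]   # (router, ingress interface) per hop, victim side first
    status: str                   # "edge", "ambiguous", "cold" or "loop"
    detail: str


def trace_back(routers: Dict[str, Router], start: str, match: Match) -> TraceResult:
    """Walk upstream from the router nearest the victim.

    At every hop ask the router which interface the matching traffic enters on,
    then move to the router on the far side of that interface. Stops when the
    ingress interface faces a network we do not control ("edge"), when more
    than one interface carries matching traffic so the filter is not specific
    enough ("ambiguous"), or when no interface matches at all ("cold").
    """
    path: List[Tuple[str, str]] = []
    visited: set = set()
    current: Optional[str] = start
    while current is not None:
        if current in visited:
            return TraceResult(path, "loop", f"revisited {current}")
        visited.add(current)
        router = routers[current]
        hits = router.ingress_interfaces(match)
        if not hits:
            return TraceResult(path, "cold", f"no matching packets seen at {current}")
        if len(hits) > 1:
            return TraceResult(path, "ambiguous",
                               f"{current}: matching traffic on {', '.join(sorted(hits))}")
        ifc = hits[0]
        path.append((current, ifc))
        current = router.links[ifc]       # None means we have hit our own edge
    last_router, last_ifc = path[-1]
    return TraceResult(path, "edge", f"enters our network at {last_router} {last_ifc}")


# Constructed topology: R1 sits in front of the victim, R4 is a remote edge router.
VICTIM = "192.0.2.10"        # the machine being flooded (documentation prefix)
SPOOFED_SRC = "10.9.9.9"     # fixed forged source address used by the attacker

ROUTERS: Dict[str, Router] = {
    "R1": Router("R1",
                 links={"e0": None, "e1": "R2", "e2": "R3"},       # e0 faces the victim LAN
                 seen={"e1": [(SPOOFED_SRC, VICTIM), ("198.51.100.5", VICTIM)],
                       "e2": [("203.0.113.7", VICTIM)]}),          # legitimate traffic via R3
    "R2": Router("R2",
                 links={"e0": "R1", "e1": "R4", "e2": None},       # e2 is a customer link
                 seen={"e1": [(SPOOFED_SRC, VICTIM)],
                       "e2": [("198.51.100.5", VICTIM)]}),
    "R3": Router("R3",
                 links={"e0": "R1", "e1": None},
                 seen={"e1": [("203.0.113.7", VICTIM)]}),
    "R4": Router("R4",
                 links={"e0": "R2", "e1": None},                   # e1 is where the flood enters
                 seen={"e1": [(SPOOFED_SRC, VICTIM)]}),
}


def trace_fixed_source() -> TraceResult:
    """The easy case from the post: the forged source address never changes."""
    return trace_back(ROUTERS, "R1", lambda f: f[0] == SPOOFED_SRC and f[1] == VICTIM)


def trace_destination_only() -> TraceResult:
    """The hard case: sources vary, so all you can match on is the victim
    address, which legitimate traffic from other interfaces also carries."""
    return trace_back(ROUTERS, "R1", lambda f: f[1] == VICTIM)


if __name__ == "__main__":
    for result in (trace_fixed_source(), trace_destination_only()):
        print(result.status, result.path, result.detail)
```

On a real network each `ingress_interfaces` call is the manual step of the post: install a filter for the suspected packets on every interface of the current router, wait, and read the counters. The simulation reaches the edge in three hops on the fixed-source flow and stops with "ambiguous" on the destination-only filter, which is the point where an operator would have to add more packet detail (lengths, TTLs, timing) to tell the flood apart from legitimate traffic.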
Current thread:
- Managed Security Metrics Mike Smith (Mar 05)
- Re: Managed Security Metrics R. DuFresne (Mar 05)
- Re: Managed Security Metrics shawn . moyer (Mar 05)
- Re: Managed Security Metrics R. DuFresne (Mar 06)
- Re: Managed Security Metrics Marcus J. Ranum (Mar 06)
- IP Spoofing and counter measures Tib (Mar 09)
- Re: IP Spoofing and counter measures Ryan Russell (Mar 11)
- RE: Managed Security Metrics Bob . Eichler (Mar 05)
- RE: Managed Security Metrics Mike Smith (Mar 05)
- Re: Managed Security Metrics Adam Shostack (Mar 06)
- RE: Managed Security Metrics R. DuFresne (Mar 06)
- Re: Managed Security Metrics shawn . moyer (Mar 06)
- RE: Managed Security Metrics Mike Smith (Mar 06)
- Re: Managed Security Metrics Adam Shostack (Mar 09)
- RE: Managed Security Metrics R. DuFresne (Mar 09)
- RE: Managed Security Metrics Crumrine, Gary L (Mar 07)
- Re: Managed Security Metrics Jack McCarthy (Mar 07)