Firewall Wizards mailing list archives
Re: IP Spoofing and counter measures
From: Ryan Russell <ryan () securityfocus com>
Date: Sat, 10 Mar 2001 19:33:40 -0700 (MST)
On Wed, 7 Mar 2001, Tib wrote:
> Second (and the meat of the matter): Does anyone know of any good documentation or literature on IP spoofing and if/how it can be unspoofed, traced back properly, or otherwise countered?
There's no "unspoof", unless there happens to be secondary evidence in the
packets (i.e. some protocols will "leak" original source addresses in the
data portion of the packets. Don't count on being able to take advantage
of this very often.)
As for tracing back, that's possible, but really hard if it's outside your
own network. When you want to trace back a spoofed packet, you have to go
router-by-router, set up monitoring to match just the traffic you want,
see what interface it came in on, and check with the router(s) that are
attached to that interface. You have to be in constant
communications with the Internet provider the whole time, feeding them
what packets to look for, telling them if they are still coming. And you
have to re-explain the whole deal when you cross ISP boundaries, and deal
with that ISP.
Most ISPs will (should) require some sort of case number from law
enforcement before they will give you this kind of info and cooperation.
Frankly, don't expect them to jump for you unless you've got an FBI agent
on the line with you the entire time.
Again, this is for when it's across the Internet. If it's on your private
WAN, for example, and you control all the routers, then you can do it
yourself. I've done it before for a WAN that was at most 8 routers wide
at the widest point. The packets were of predictable format (fixed source
IP in most cases.) It usually took me between 15 minutes and an hour to
trace back, depending on how often the packets were showing up. It would
be much harder if the source addresses were changing constantly, and the
volume of traffic were low, and the destination IP was often used by many
machines.
In short, it's a real bitch.
There have been any number of proposals for how to make the process more
automatic/unnecessary/easier, etc. since about February of last year.
Strange coincidence, that, since the problem has been known for like 15
years. Still, I personally am not seeing any actual change in anything
that makes spoofing less effective yet.
Ryan
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
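The hop-by-hop trace-back Ryan describes for a WAN you control, as an added example that is not part of the original post. It simulates what each router's monitor reports (a constructed observation log standing in for per-router ACL logging or a sniffer on each box) and walks upstream from the victim's router, matching "just the traffic you want", checking which interface it came in on, and moving to the router attached to that interface until the trail leaves the network. The topology, router and interface names, addresses and packets are all made up for illustration. It also shows the two failure modes from the post: a filter keyed only on the destination becomes ambiguous where legitimate traffic to the same host joins the path, and a filter keyed on a forged source finds nothing.

```python
"""Hop-by-hop trace-back of spoofed traffic through routers you control.

Added example (not from the original mailing-list post). Topology, names and
the packet observations below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Observation:
    """One matching packet reported by one router, with its ingress interface."""
    router: str
    iface: str
    pkt: Packet


# Constructed topology: (router, ingress interface) -> router on the far end of
# that link, or None where the link leaves the network we control (the victim
# LAN on R1, a peer/customer port on R4, a customer port on R5).
LINKS: Dict[Tuple[str, str], Optional[str]] = {
    ("R1", "ge-0/0/0"): None,
    ("R1", "ge-0/0/1"): "R2",
    ("R2", "ge-0/0/1"): "R3",
    ("R2", "ge-0/0/2"): "R5",
    ("R3", "ge-0/0/1"): "R4",
    ("R4", "ge-0/0/3"): None,
    ("R5", "ge-0/0/0"): None,
}

VICTIM = "10.0.0.5"  # constructed victim address


def spoofed(src: str) -> Packet:
    """Attack packet: forged source, fixed destination and payload marker."""
    return Packet(src, VICTIM, "udp", 53, b"\x13\x37" + b"A" * 30)


LEGIT = Packet("172.16.5.5", VICTIM, "udp", 53, b"\xab\xcd" + b"B" * 30)

# Constructed monitor output. Each spoofed packet carries a different forged
# source but the same destination and payload, and is seen on the ingress
# interface of every router it crosses on its way from R4 down to R1.
OBSERVATIONS: List[Observation] = []
for forged_src in ("203.0.113.7", "198.51.100.9", "192.0.2.44"):
    p = spoofed(forged_src)
    OBSERVATIONS += [
        Observation("R4", "ge-0/0/3", p),
        Observation("R3", "ge-0/0/1", p),
        Observation("R2", "ge-0/0/1", p),
        Observation("R1", "ge-0/0/1", p),
    ]
# Legitimate DNS traffic to the same destination arriving via the R5 branch.
OBSERVATIONS += [
    Observation("R5", "ge-0/0/0", LEGIT),
    Observation("R2", "ge-0/0/2", LEGIT),
    Observation("R1", "ge-0/0/1", LEGIT),
]


def matches(pkt: Packet, sig: dict) -> bool:
    """True when every field in the signature agrees with the packet.
    'payload_prefix' is a prefix match; every other key is compared for equality."""
    for key, want in sig.items():
        if key == "payload_prefix":
            if not pkt.payload.startswith(want):
                return False
        elif getattr(pkt, key) != want:
            return False
    return True


def ingress_interfaces(router: str, sig: dict, obs: List[Observation] = OBSERVATIONS) -> List[str]:
    """Interfaces on which this router's monitor saw packets matching the signature."""
    return sorted({o.iface for o in obs if o.router == router and matches(o.pkt, sig)})


def trace_back(start: str, sig: dict, links=LINKS, obs: List[Observation] = OBSERVATIONS):
    """Walk upstream from the router nearest the victim, one hop at a time.

    Returns (path, status). path lists the (router, ingress interface) hops.
    status is 'edge' (trail leaves the network we control), 'lost' (a router
    saw no matching traffic), 'ambiguous at ...' (matching traffic arrives on
    more than one interface, so the filter must be tightened), or 'loop'.
    """
    path: List[Tuple[str, str]] = []
    visited = set()
    router = start
    while router not in visited:
        visited.add(router)
        ifaces = ingress_interfaces(router, sig, obs)
        if not ifaces:
            return path, "lost"
        if len(ifaces) > 1:
            return path, f"ambiguous at {router}: {ifaces}"
        iface = ifaces[0]
        path.append((router, iface))
        upstream = links.get((router, iface))
        if upstream is None:
            return path, "edge"
        router = upstream
    return path, "loop"


if __name__ == "__main__":
    coarse = {"dst": VICTIM, "proto": "udp", "dport": 53}
    print("destination only:", trace_back("R1", coarse))
    precise = dict(coarse, payload_prefix=b"\x13\x37")
    print("with payload marker:", trace_back("R1", precise))
    print("by forged source:", trace_back("R1", {"src": "10.9.9.9"}))
```

In practice each call to `ingress_interfaces` is a phone call or a login to the next router, and across an ISP boundary it is someone else's router and someone else's case number, which is where the minutes-to-an-hour figure for an 8-router WAN turns into days.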
