Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror

Can You Spoof IP Packets? 211

nweaver writes "Spoofed IP packets are still believed to be a significant problem for the Internet. But are they? The Spoofer Project is attempting to measure the problem. Apparently, 80% of the IP addresses measured no longer support spoofing! Their methodology is simple: have users download a client which attempts to spoof packets to the monitor. Using these packets, they can determine the filter rules. So everyone, download the client and help!"
This discussion has been archived. No new comments can be posted.

Can You Spoof IP Packets?

Comments Filter:
  • Oh yes! (Score:5, Funny)

    by aardwolf64 (160070) on Tuesday May 02, 2006 @03:41PM (#15248252) Homepage
    Oh yes! Everyone download this executable from known IP Spoofers and run it. It won't root your system, we promise...
    • Re:Oh yes! (Score:5, Funny)

      by gEvil (beta) (945888) on Tuesday May 02, 2006 @03:46PM (#15248292)
      Well, at least your system would be rooted by people from MIT. It's comforting to know that you've been rooted by some of the best...
      • Re:Oh yes! (Score:3, Funny)

        by muftak (636261)
        makes a change from us lot rooting MIT :)
      • Re:Oh yes! (Score:3, Funny)

        by Pollardito (781263)
        this is the part where we find out the hard way that some hackers have bought mlt.edu isn't it?

        seriously, a month from now we're going to find out that this was really some sort of security study to determine the true power of the herd mentality on Slashdot
    • Re:Oh yes! (Score:3, Funny)

      by Anonymous Coward
      Don't worry, the posted the md5 hashes of the binaries. As long as the match up, you can rest assured you are safe.
    • Oh yes! Everyone download this executable from known IP Spoofers and run it. It won't root your system, we promise...

      Umm, they do provide the source. That gives you the option of downloading the code, auditing it yourself (harving that done by someone you trust) and then using it. That's far better than what you get with many of these "security" suites that won't give you the source code. So, what's the problem?

    • Re:Oh yes! (Score:4, Funny)

      by Duds (100634) <dudley&enterspace,org> on Tuesday May 02, 2006 @04:04PM (#15248445) Homepage Journal
      It's irrelevent anyway, you're already broadcasting your ip address.
    • But your ISP may cut off your access if they run something to detect spoofed packets.
  • Yay! (Score:5, Funny)

    by Renraku (518261) on Tuesday May 02, 2006 @03:41PM (#15248253) Homepage
    Even you can help the next generation of scammers find an ISP to call home!
    • by Mayhem178 (920970) on Tuesday May 02, 2006 @04:23PM (#15248640)
      ...the other 20% of spoofable IP addresses are reported to be in the possession of Weird Al Yankovic, who, according to US Attorney General Alberto R. Gonzales, is capable of spoofing damn near anything.

      A full-blown investigation is under way to put an end to Weird Al's wild spoofing. Rap legend Coolio has pledged his support in these investigations.

      Weird Al was unavailable for comment, but his assistant did pass along his official response, which was, "Mecha lecha hi, Mecha hiny hiny ho."

      More at 11.
      • Weird Al was unavailable for comment, but his assistant did pass along his official response, which was, "Mecha lecha hi, Mecha hiny hiny ho."

        Wasn't this from PeeWee's playhouse?
  • by no reason to be here (218628) on Tuesday May 02, 2006 @03:42PM (#15248259) Homepage
    Oh wait. This isn't an "Ask Slashdot"?

    Nevermind...
  • Sounds dangerous (Score:5, Insightful)

    by suso (153703) * on Tuesday May 02, 2006 @03:42PM (#15248260) Homepage Journal
    1. Write a piece of software claiming to help monitor spoofed IP packets but really it does something more sinister.
    2. Post a story to Slashdot with a link to the software on an MIT server and ask people to run it on their internal networks and send the data back to the author.
    3. ???
    4. Profit and say to yourself, "suckers"

    Maybe I'm too paranoid. But this is a good example of how social engineering can be used to get you into places you shouldn't be. I guess the source cod
    e is provided. How many people will really read it?
    • by Anonymous Coward
      Maybe I'm too paranoid. But

      No buts, YES, YOU ARE TOO PARANOID!

      Then again, you probably think I am one of them programmers now typing up this cover-up reply.

    • It's a collaboration between Slashdot and MIT to finally get adware on Linux machines.

    • Re:Sounds dangerous (Score:3, Informative)

      by Fulkkari (603331)

      You should be paranoid in these days, and yes, the source code is provided. There is 1090 lines of source code including the Makefile, so I don't think it would take that much time to read it trough.

      To answer the question how many people will really read it, I answer that I won't compile nor run it before I have read it.

      • Yeah, but how do we know that these same folks didn't write the compiler, and have hidden code in the compiler to only be output when it receives this source code as input? Hmm? [acm.org]
    • by giminy (94188) on Tuesday May 02, 2006 @04:14PM (#15248555) Homepage Journal
      Create an selinux policy to ensure that this software doesn't do anything weird. Give it no access to your filesystem (it shouldn't need it) and ability to use libnet (or whatever it uses to generate the packets). Voilla, paranoia (mostly) gone.
      • well, if you're really paranoid you could run it inside a virtual machine... and snoop on the packets themselves yourself.
        • Fools! (Score:3, Insightful)

          by suso (153703) *
          Hey, the point is that you're already giving it access to your network through root access on your machine so that you can generate special packets. Its not much of a step from that to sniffing your network for packets. And the big deal is that the program is sniffing or scanning your network from INSIDE your network, behind DMZ firewalls, etc. Using SELinux or virtual machines won't necessarily protect you and I wasn't refering to a local machine exploit in my original post.
    • UTSL (Score:3, Informative)

      by Dom2 (838)
      Use The Source, Luke

      Seriously, they provide source. It's a small program, you can browse it and get the gist of what it's doing in fairly short order. You can change it any way you want, and recompile. beautiful, isn't it?

      The program doesn't have a particular license attached though, I would assume that the intention is that it be licensed under the MIT license. Mighht want to check that before packaging it for Debian.

      -Dom

    • Re:Sounds dangerous (Score:3, Informative)

      by Surt (22457)
      Source code is provided, but will anyone bother to check that the compiled result matches the binary provided?
    • I guess the source code is provided. How many people will really read it?

      The question is how many people will compile the source code themselves and compare the binaries?
  • by ip_freely_2000 (577249) on Tuesday May 02, 2006 @03:42PM (#15248264)
    "have users download a client which attempts to spoof packets to the monitor"

    But my monitor does not have an ethernet port! Can I send packets into my DVI port?
  • ...No.

    Seriously, why would I want to participate in this?
    • by squiggleslash (241428) on Tuesday May 02, 2006 @04:43PM (#15248811) Homepage Journal
      I'm having difficulty figuring it out too.

      IP spoofing isn't even a bad thing. There's a work-around that allows two hosts hidden behind NAT gateways to communicate directly with one another by having them both spoof a cooperating proxy. (It goes something like: Host A establishes a UDP link with the proxy, Host B establishes a UDP link with a proxy, Proxy then gives A enough information to allow it to spoof packets as Proxy and send them directly to B, and proxy gives B the information needed to spoof packets from Proxy to A.)

      This is useful in some P2P applications, notably VoIP.

      This is going to break if spoofing some how gets prevented completely, and from what I can figure out, that's what the above system is treating as some kind of "hole" that needs to be fixed.

      • It is a hole that needs to be plugged. Any trick you can do with spoofing, you can do without. Yes, it's more work. You could argue that it's easier to run your P2P applications without a firewall since you don't have to go to all that extra trouble to set up the firewall. It's more work, but, you can bet that I'm darned well going to go to the trouble to configure my firewall instead of shutting it off. IP spoofing isn't as dangerous, but, it definitely has its security problems. Overall people are b
        • Any trick you can do with spoofing, you can do without

          No, you can't.

          You could argue that it's easier to run your P2P applications without a firewall since you don't have to go to all that extra trouble to set up the firewall.

          The example I gave had nothing to do with firewalls. It's about NAT. NAT's a technology that means multiple devices can share a single Internet connection. Getting multiple IPs isn't an option for most households, nor is dedicating the entire connection to one machine always prac

    • Well, it's *kind of* interesting, espcially if you peek at the source first. Probably the most interesting thing to me is the pie chart here [mit.edu] which shows Linux at about 22% of the participants vs. 5% for OSX and 6% for BSD. Anyhow, there's nothing malicious in the source code, wouldn't run something unknown without looking, greping, and compiling it myself first.
  • On my patched FC3 boxes I get an error after trying to run the Linux client. "Server terminated prematurely". Now I'm going to download and run the Windows cient.

    Not.
    • On my patched FC3 boxes I get an error after trying to run the Linux client. "Server terminated prematurely". Now I'm going to download and run the Windows cient.

      Not.


      You could see if it runs under Wine :)
  • Spoofage (Score:5, Funny)

    by iXiXi (659985) on Tuesday May 02, 2006 @03:45PM (#15248281)
    My packets have spoof all over them ! Anyone have a tissue?
  • Warning (Score:5, Informative)

    by Kwiik (655591) on Tuesday May 02, 2006 @03:46PM (#15248288) Homepage
    This took out my wireless network on XP Home SP2 using Microsoft's wireless zero configuration tool for the software side of it. During the spoof portion of the test, all network connectivity halted and immediately reported that the wireless connection had disconnected.
  • by isaacklinger (966649) on Tuesday May 02, 2006 @03:49PM (#15248311)
    Getting too many connections from slashdotters...?
  • by MindPrison (864299) on Tuesday May 02, 2006 @03:50PM (#15248330) Journal
    ...you can use a network packet monitor, and there's two ways to get your hands on such a device - the cheap...and the expensive way, the expensive way being the safest one (A hardware network monitor = hardware device to look and monitor what's going in/out of your ethernet connection directly connected to your "whatever" device)

    or

    Do the same thing by rigging a second computer, also known as a network monitor. Set up a Linux box...and monitor & control all the ports & packets being delivered to your network, and if you do your homework - you will "know" if that application you just downloaded and executed...truly is honest...and "doesn't phone home...like E.T"... he he he..
    Live and learn kids.
  • It's true (Score:5, Funny)

    by rudy_wayne (414635) on Tuesday May 02, 2006 @03:52PM (#15248349)
    Nearly 5 years ago, the great and all knowing Steve Gibson [grc.com] predicted that the raw sockets in Windows XP would allow packet spoofing that would bring down the internet with unstoppable DOS attacks.

    So it must be true.

    • He also said that the way to avoid it was for ISPs to start implementing egress filtering to prevent spoofed packets from making their way onto the Intarweb at large. So if the problem isn't all that severe, perhaps it's because the ISPs actually took his advice.
      • People had been recommending that for years so why should he be able to "discover" a problem and get credit for recommending a solution that everyone knew about.

        That's like me saying everyone should upgrade to 64bit and install at least 8GB of ram so that your system has enough disk cache to keep up with very large hard drives that will be coming out. And in 5 years when everyone is running 64bit with at least 8GB of ram, some retard like you can defend me on Slashdot. "Maybe the reason everyone doesn't h
        • some retard like you can defend me on Slashdot

          Hey, Slashdot is full of retards, so come five years from now, you'll have nothing to worry about.

    • Didn't Microsoft silently remove parts of the raw socket support in Windows XP service pack 2? But let's face it. Raw sockets isn't probably a feature most of the people need on their machines... Whether it is Windows, Linux or something else.

      • If you try to run the windows version of the test, it specifically states that it wont work on "recent service packs", and then fails, suggesting to run it on "another OS".

        one good way to look at this, i guess... is that zombies wont be running around with spoofed IPs... oh wait, zombies are usually the ones that never update to the latest service packs anyways. *doh*
        • Not only that, there are still hacked drivers which will allow it. While *you* may have a qualm about knowingly installing hacked drivers on your computer, rest assured that a cracker won't.
    • Re:It's true (Score:3, Insightful)

      by Obi-w00t (943426)
      Nearly 5 years ago, the great and all knowing Steve Gibson predicted that the raw sockets in Windows XP would allow packet spoofing that would bring down the internet with unstoppable DOS attacks.


      So it must be true.

      I really hope that is sarcasm. Yes, it must be. However some of the other replies are not, which worries me slightly as people don't seem to realise Gibson is the guy behind Spin Rite. Spin Rite, people. Think of that next time you read some of his "advice".

      • Spin Rite [grcsucks.com] was a great scam. Gibson posited that hard disk magnets weakened over time, so that they would eventually fail. Spin Rite would "correct" them by creating mistakes (indirectly) and then fixing them. Sigh.
  • by Zarhan (415465) on Tuesday May 02, 2006 @03:57PM (#15248384)
    ...every self-respecting network operator has RPF (or some other antispoof-ingressfilter) enabled at the edge. Gone are the days of spoofing, just like respecting IP packet's loose/strict source routing options and other similar exploits :)
  • Spoofed UDP packets (Score:3, Interesting)

    by caluml (551744) <slashdot@spamg o e s h ere.calum.org> on Tuesday May 02, 2006 @04:00PM (#15248410) Homepage
    Spoofed packets were the idea behind an anonymous P2P network I envisaged, and designed a few years ago. udpp2p.sf.net [sf.net], if you're interested. Man, that was ropey code. (I didn't write any of it, by the way!)
    • by evilviper (135110)
      I've plugged the project a few times here on /. before, as I had a very similar myself long before udpp2p existed.

      I think it's a real shame development has stopped, as it had the potential to be as fast as any other P2P network, and completely anonymous for the sender. All without requiring extensive communities and webs of trust to decide who to allow full access to your encrypted P2P VPN.

      As to the retransmit problems listed on your site, you should really use the Gnutella model, but broadcasting ACKs in
  • by caluml (551744) <slashdot@spamg o e s h ere.calum.org> on Tuesday May 02, 2006 @04:04PM (#15248444) Homepage
    I think that the server that the client connects to is having a few problems. We've slashdotted a spoofing TCP server.
    arse spoofer-0.4 # ./spoofer
    >> Spoofing Tester v0.4
    >> Rob Beverly <rbeverly at mit dot edu>
    >> More information: http://spoofer.csail.mit.edu/
    >>
    ** server terminated prematurely** server terminated prematurely>> Source 5 non-spoofed packets...
    >> Source 5 spoofed packets (IP: 1.2.3.4)...
    >> Source 5 spoofed packets (IP: 172.16.1.100)...
    >> Source 5 spoofed packets (IP: 6.1.2.3)...
    Broken pipe
    arse spoofer-0.4 #
    • I happen to be working on a box thats about to get reinstalled so I broke my usually rule of allways monitoring what new software does in a virtual machine first.

      On slackware 9.1 I get this

      root@obfusticated:~# ./spoofer
      >> Spoofing Tester v0.4
      >> Rob Beverly
      >> More information: http://spoofer.csail.mit.edu/ [mit.edu]
      >>
      >> Source 5 non-spoofed packets...
      Broken pipe

      tracert shows a load of packets between here and fyodor.emailtester.net (18.26.0.235)

      strace shows it stopping at
      write(3, "DISTAN
    • Gad. I get this now.
      http://spoofer.csail.mit.edu/report.php?sessionkey =forbidden
      Which displays:
      Sorry, hosts are forbidden from sending more than 3 spoofing reports per week in order to prevent abuse.
      Look here, MIT. If your software is going to crash each time, you can't count that as a proper "count".
  • by frovingslosh (582462) on Tuesday May 02, 2006 @04:07PM (#15248484)
    The win versionh is less than useless. Doesn't work on Win98. When I tried it under XP it ran, but in a command shell and then tried to start IE. Well, IE will never get past my firewalls, and I couldn't tell much from the giberish the stupid client printed out (the final html link it gave me was useless).
    • 98 doesn't even have the ability to spoof packets so it's not a big shocker the app doesn't work. Your firewall blocked it's attempt to send information back to the source... Sounds like a pebcak to me.
      • I think you missed the point - I permitted the application to send packets through the firewall - it seemed to send them fine. But then it opened IE - which is an action that I will not tolerate on my system. When IE tried to go to the web page it was blocked dead in it's tracks (as I told the firewall to always do, no exceptions). Any application that uses IE is one that I don't want on my system, and if I had been warned about this behaviour I would have never tried to run the program.
  • He's talking about the tenants of the Internet architecture in his introduction... should I assume he means the electrons, or the switches?
  • Obvious ? (Score:4, Insightful)

    by Martin Spamer (244245) on Tuesday May 02, 2006 @04:15PM (#15248564) Homepage Journal

    80% of the IP addresses measured no longer support spoofing!

    Given the move to broadband with home routers and NAT it seems obvious that spoofing capable networks are on the decline.
    • 80% of the IP addresses measured no longer support spoofing!

      Given the move to broadband with home routers and NAT it seems obvious that spoofing capable networks are on the decline.

      I am behind a NAT, got exactly (and expected) the results you described. So I decided to directly connect & test this. Same results. My ISP has egress filtering in place. I still get spoofed packets showing up in the firewall log from the net, but not at the level I did a year ago.

      Time to make the donuts...

  • Are the spoofed packets' evil bits set to 1?
    • Not long after Fyodor put out the freebie chapter for how to own a continent, I looked into the process of spoofing a full TCP connection.

      I felt it prudent to follow the RFC's and set said evil bit. So now I have a DoS tool with the evil bit...

      If spoofing is no longer valid, then someone has a hell of a lot of explaining to do as to why this tool works so well...
  • by psbrogna (611644) on Tuesday May 02, 2006 @04:21PM (#15248613)
    These additional demands are met:
    1. a free lollipop.
    2. a car ride deep in the forest
  • by saikatguha266 (688325) on Tuesday May 02, 2006 @04:23PM (#15248635) Homepage
    The questions is not can an IP be spoofed (yes, it can always be spoofed from somewhere), but rather from where can it be spoofed and to where can it be spoofed to. You can spoof any IP address to another box on your local ethernet segment -- there are no routers en route that can drop the packet. You probably cannot spoof an IP to someone on the other side of the world, but your ISP or your ISP's ISP can. In fact, you can spoof any IP to almost everywhere if you have a connection to one of the few core Internet routers.

    The project basically is saying that home users cannot spoof IPs to their measurement server. That's well and good, but useless.

    Home users no longer need to spoof IPs to hide the source of the attack (as in days past). Home users now are simply trojan/zombie boxes that are hiding the true source of the attack by using their own IP -- no spoofing required. Back when zombies were not a problem, attackers used spoofing to hide their true location; it is no longer required now that boxes can be 0wned with relative ease.

    I don't see the point of this project.
  • Unique? (Score:5, Funny)

    by iminplaya (723125) <iminplaya.gmail@com> on Tuesday May 02, 2006 @04:26PM (#15248655) Journal
    Apparently, 80% of the IP addresses measured no longer support spoofing!

    Yes, but how many of those are unique IPs?
  • Yeah right (Score:3, Insightful)

    by jafiwam (310805) on Tuesday May 02, 2006 @04:38PM (#15248771) Homepage Journal
    So I can get my ISP pissed at me and watching what I do because attempting to spoof packets is something "hackers" do.

    I like my broadband too much to participate in anything that even LOOKS bad to the security idiots watching my cable modem.
    • On the contrary. Anything benign, which has is now widely viewed as "hacking" by the minimum-wage fools at large, is something we should get HUGE NUMBERS of people to do, all at once.

      The guys upstairs would be mighty unhappy if the residence MSCE decided that 1/4 of all their subscribers were hackers that needed their contracts terminated for port-scanning some public servers...
  • wow (Score:4, Funny)

    by stinky wizzleteats (552063) on Tuesday May 02, 2006 @04:39PM (#15248774) Homepage Journal
    Why don't we do something less invasive, like snmpwalk every address on the Internet?
  • What's the point? (Score:3, Insightful)

    by causality (777677) on Tuesday May 02, 2006 @05:15PM (#15249054)
    There's one thing I seem to be missing in all of the comments here: what's the point of this exactly?

    The massive DDoS attacks generally come from botnets that do not need to bother spoofing their source IP. Also, anyone who relies on IP address alone (especially with "connectionless" protocols like IP/ICMP/UDP) for their security needs is just begging for problems because they're trusting a network that is not trustworthy. Seems to me it would be far easier to discourage the practice of trusting an untrustworthy network -- the black hats seem useful for this purpose -- than it would be to check each and every individual subnet for whether they will pass spoofed packets.

    Given this, what does it matter whether I can spoof UDP/ICMP packets? What service or what architecture that is widely used today is so brain-dead that it does not require a password or strong encryption or some other form of security and/or authentication that would ensure that spoofing the IP address does not constitute a successful attack?

    All of this would have been great ten years ago but today, the DDoS kiddies and spam botnets are enabled by the unwillingness to value security on the part of too many Windows users with broadband connections, combined with Microsoft's inability or unwillingness to market a secure-by-default OS. I say "market" here because I am assuming that with the resources at their disposal, Microsoft could create an extremely secure OS, if they really wanted to. Just look at what the OpenBSD team has done with far fewer resources available to them.

    And yes, I see that as a responsibility of Microsoft's since their fortunes are largely built by mass-marketing a technical product to the non-technical, "I just want it to work with zero effort" crowd (and apparently this type of can't-be-bothered-to-learn-anything user wants it to be the first thing in this life ever observed to do so, other than entropy). If Windows were marketed exclusively to computer security specialists then I would not blame Microsoft if extremely insecure configurations kept happening.

    So anyway, somebody please explain to me how it will matter one way or the other whether 0% of all internet users can spoof or whether 100% of them can spoof.
    • What service or what architecture that is widely used today is so brain-dead that it does not require a password or strong encryption or some other form of security and/or authentication that would ensure that spoofing the IP address does not constitute a successful attack?

      NFS.

      Despite the numerous one-off network filesystem projects out there, none of them have caught-on (I believe that's mainly because of licensing) so NFS continues to be used extensively.

      People are trying to tack-on different forms of aut

  • From TFA:

    On *nix systems, you must run the spoofer as root (in order to create the raw socket) with no arguments, e.g.
          # ./spoofer
    On Windows, simply double-click on the spoofer executable after downloading.


    Classic.
  • This won't work under Windows XP SP2, apparently, so don't waste your time if that's what you have. Ummmm.... Not that I'm running XP... I'm a linux guy. Yeah... A friend told me. That's what happened...
  • Addresses that can be spoofed are completely dependant on each ISPs filter rules. No ISP should allow you to use an address they don't own unless you have a BGP peer relationship with them and can show that your ASN has been assigned those addresses.
  • Well whoever own the 34/8 subnet, they are getting used as a source for some spoofed packets Im seeing on my router trying to access a high number port. Almost looks like a scan for a Trojan.

    But then again, are they really being spoofed? Who can say for sure. Im still keeping in mind that that has been a part of my firewall ruleset for over 6 years, and April of this year was the first month I saw them from that address/port.

    Take a look [iana.org] at who owns that netblock.

  • Got Root?! (Score:5, Funny)

    by 955301 (209856) on Tuesday May 02, 2006 @11:20PM (#15251161) Journal

    Blockquoth the poster:

    On *nix systems, you must run the spoofer as root (in order to create
    the raw socket) with no arguments, e.g.
          # ./spoofer

    Ahahahahahahah! You're kidding, right?

"In the face of entropy and nothingness, you kind of have to pretend it's not there if you want to keep writing good code." -- Karl Lehenbauer

Working...