Can You Spoof IP Packets?
nweaver writes "Spoofed IP packets are still believed to be a significant problem for the Internet. But are they? The Spoofer Project is attempting to measure the problem. Apparently, 80% of the IP addresses measured no longer support spoofing! Their methodology is simple: have users download a client which attempts to spoof packets to the monitor. Using these packets, they can determine the filter rules. So everyone, download the client and help!"
Oh yes! (Score:5, Funny)
Re:Oh yes! (Score:5, Funny)
Re:Oh yes! (Score:3, Funny)
Re:Oh yes! (Score:3, Funny)
seriously, a month from now we're going to find out that this was really some sort of security study to determine the true power of the herd mentality on Slashdot
Re:Oh yes! (Score:5, Informative)
Re:Oh yes! (Score:2)
Re:Oh yes! (Score:2)
# tar -z ...
tar: z: unknown option
tar: usage tar [-]{txruc}[eONvVwAfblhm{op}][0-7[lmh]] [tapefile] [blocksize] [[-C directory] file]
The CD I used to install this machine is dated 2004.... some UNIX vendors prefer 'backward compatible' to 'modern technology'...
Re:Oh yes! (Score:2)
Umm, how is a Unix vendor not *adding* -z support being backward compatible?
Comment removed (Score:4, Insightful)
XD (Score:2)
ps -ef vs ps aux is just a SysV vs. BSD thing.
Of course on Solaris the aux thing might make sense if you had
But I learned on Solaris and I use ps -ef. Which is the way-we-do-things-now (TM).
Re:Oh yes! (Score:2)
I used to get a good chuckle when I would quiz our consultants with a problem on a random box and they gave up after they didn't know how to untar a gzipped file without gnu tar. some where smart a
Re:Oh yes! (Score:2)
How did he unpack the gnu tar distribution? *grin*
Re:Oh yes! (Score:2)
How did he unpack the gnu tar distribution? *grin*
As you should know, GNU Tar comes in a gzipped shell archive, so tar is not needed for unpacking it. He had to know how to use gunzip though...
Re:Oh yes! (Score:2)
Re:Oh yes! (Score:2)
Re:Oh yes! (Score:3, Funny)
Re:Oh yes! (Score:2, Funny)
Re:Oh yes! (Score:2)
Oh yes! Everyone download this executable from known IP Spoofers and run it. It won't root your system, we promise...
Umm, they do provide the source. That gives you the option of downloading the code, auditing it yourself (or having that done by someone you trust) and then using it. That's far better than what you get with many of these "security" suites that won't give you the source code. So, what's the problem?
Re:Oh yes! (Score:4, Funny)
Re:Oh yes! (Score:2)
Re:Oh yes! (Score:2, Insightful)
Yay! (Score:5, Funny)
In related news.... (Score:5, Funny)
A full-blown investigation is under way to put an end to Weird Al's wild spoofing. Rap legend Coolio has pledged his support in these investigations.
Weird Al was unavailable for comment, but his assistant did pass along his official response, which was, "Mecha lecha hi, Mecha hiny hiny ho."
More at 11.
Re:In related news.... (Score:2)
Wasn't this from PeeWee's playhouse?
Yes. Yes, I can (Score:5, Funny)
Nevermind...
Sounds dangerous (Score:5, Insightful)
2. Post a story to Slashdot with a link to the software on an MIT server and ask people to run it on their internal networks and send the data back to the author.
3. ???
4. Profit and say to yourself, "suckers"
Maybe I'm too paranoid. But this is a good example of how social engineering can be used to get you into places you shouldn't be. I guess the source code is provided. How many people will really read it?
Re:Sounds dangerous (Score:3, Funny)
No buts, YES, YOU ARE TOO PARANOID!
Then again, you probably think I am one of them programmers now typing up this cover-up reply.
You'll be spoofed!! (Score:3, Funny)
Re:Sounds dangerous (Score:3, Informative)
You should be paranoid these days, and yes, the source code is provided. There are 1090 lines of source code including the Makefile, so I don't think it would take that much time to read it through.
To answer the question how many people will really read it, I answer that I won't compile nor run it before I have read it.
Re:Sounds dangerous (Score:2)
Use SELinux (was Re:Sounds dangerous) (Score:4, Informative)
Re:Use SELinux (was Re:Sounds dangerous) (Score:2)
Fools! (Score:3, Insightful)
UTSL (Score:3, Informative)
Seriously, they provide source. It's a small program, you can browse it and get the gist of what it's doing in fairly short order. You can change it any way you want, and recompile. beautiful, isn't it?
The program doesn't have a particular license attached though; I would assume that the intention is that it be licensed under the MIT license. Might want to check that before packaging it for Debian.
-Dom
Re:Sounds dangerous (Score:3, Informative)
Re:Sounds dangerous (Score:3, Insightful)
Re:Sounds dangerous (Score:5, Informative)
Re:Sounds dangerous (Score:3, Informative)
Re:Sounds dangerous (Score:2)
The question is how many people will compile the source code themselves and compare the binaries?
Packets to my monitor, eh? (Score:5, Funny)
But my monitor does not have an ethernet port! Can I send packets into my DVI port?
I think I speak for most of us when I say... (Score:5, Insightful)
Seriously, why would I want to participate in this?
Comment removed (Score:5, Interesting)
Re:I think I speak for most of us when I say... (Score:3, Insightful)
Re: (Score:3, Interesting)
Re:I think I speak for most of us when I say... (Score:2)
Linux version doesn't run (Score:2)
Not.
Re:Linux version doesn't run (Score:2)
Not.
You could see if it runs under Wine
Spoofage (Score:5, Funny)
Warning (Score:5, Informative)
Great way to destroy the project (Score:3, Funny)
If you TRULY want to know... (Score:5, Insightful)
or
Do the same thing by rigging a second computer, also known as a network monitor. Set up a Linux box...and monitor & control all the ports & packets being delivered to your network, and if you do your homework - you will "know" if that application you just downloaded and executed...truly is honest...and "doesn't phone home...like E.T"... he he he..
Live and learn kids.
Re:If you TRULY want to know... (Score:5, Informative)
Re:If you TRULY want to know... (Score:2)
Re:If you TRULY want to know... (Score:2)
If you are more paranoid and are not familiar with C then you could take measures such as using software like tripwire tha
It's true (Score:5, Funny)
So it must be true.
Re:It's true (Score:2)
Re:It's true (Score:2)
That's like me saying everyone should upgrade to 64bit and install at least 8GB of ram so that your system has enough disk cache to keep up with very large hard drives that will be coming out. And in 5 years when everyone is running 64bit with at least 8GB of ram, some retard like you can defend me on Slashdot. "Maybe the reason everyone doesn't h
Re:It's true (Score:2)
Hey, Slashdot is full of retards, so come five years from now, you'll have nothing to worry about.
Re:It's true (Score:2)
Didn't Microsoft silently remove parts of the raw socket support in Windows XP service pack 2? But let's face it. Raw sockets isn't probably a feature most of the people need on their machines... Whether it is Windows, Linux or something else.
Re:It's true (Score:2)
one good way to look at this, i guess... is that zombies won't be running around with spoofed IPs... oh wait, zombies are usually the ones that never update to the latest service packs anyways. *doh*
Re:It's true (Score:2)
Re:It's true (Score:3, Insightful)
So it must be true.
I really hope that is sarcasm. Yes, it must be. However some of the other replies are not, which worries me slightly as people don't seem to realise Gibson is the guy behind Spin Rite. Spin Rite, people. Think of that next time you read some of his "advice".
Re:It's true (Score:2)
Spoofing has not been a problem for years (Score:5, Insightful)
Re:Spoofing has not been a problem for years (Score:2)
Re:Spoofing has not been a problem for years (Score:2, Informative)
This is much easier said than done. Cf.:
http://www.lasr.cs.ucla.edu/save/save_to_infocom.
http://www.lasr.cs.ucla.edu/classes/239_1.spring0
Re:Spoofing has not been a problem for years (Score:2)
Cisco routers still accept and pass spoofed packets happily along.
Umm, just type ip verify unicast reverse-path (in any IOS 12.0 or later).
Just tested it against a VXR, works just fine.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm
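The reverse-path check the comment above refers to is a per-interface decision: a packet passes only if the route back to its source address leaves by the interface it arrived on. The following is an added Python illustration of that logic (not the Spoofer Project's code and not Cisco's implementation), run over a constructed routing table, with a loose mode and a martian-source check included so the difference between the variants is visible.

```python
import ipaddress

# Constructed routing table for the illustration: interface -> prefixes routed via it.
ROUTES = {
    "eth0": ["203.0.113.0/24"],                       # customer LAN (constructed)
    "eth1": ["198.51.100.0/25", "198.51.100.128/25"], # second customer (constructed)
    "eth2": ["0.0.0.0/0"],                            # default route toward upstream
}

# Sources that must never appear as a packet source on an external link,
# whatever the routing table says (RFC 1918 space, loopback, multicast, 0/8).
MARTIANS = [ipaddress.ip_network(p) for p in
            ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
             "192.168.0.0/16", "224.0.0.0/4")]


def _best_interface(src, routes):
    """Longest-prefix match: the interface a reply to src would be sent out of."""
    best, best_len = None, -1
    for iface, prefixes in routes.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if src in net and net.prefixlen > best_len:
                best, best_len = iface, net.prefixlen
    return best


def urpf_verdict(iface, src_ip, routes=ROUTES, loose=False):
    """Decide whether a packet with source src_ip arriving on iface is accepted.

    Strict mode (the default, what 'ip verify unicast reverse-path' does on a
    customer-facing interface) requires the best route to the source to point
    back out the arrival interface. Loose mode only requires that some route
    to the source exists, which catches unrouted space but not spoofing of
    addresses that are routed elsewhere.
    """
    src = ipaddress.ip_address(src_ip)
    if any(src in m for m in MARTIANS):
        return "drop:martian"
    via = _best_interface(src, routes)
    if via is None:
        return "drop:no-route"
    if loose:
        return "pass"
    return "pass" if via == iface else "drop:rpf-fail"


def audit(packets, **kw):
    """Apply the check to (interface, source) pairs and return the verdict for each."""
    return [(iface, src, urpf_verdict(iface, src, **kw)) for iface, src in packets]
```

Note that with a default route present, loose mode never reports `drop:no-route`; the strict check on the customer-facing interfaces is what stops a host on eth0 from sourcing packets as eth1's or the Internet's addresses.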
Spoofed UDP packets (Score:3, Interesting)
Re:Spoofed UDP packets (Score:3, Interesting)
I think it's a real shame development has stopped, as it had the potential to be as fast as any other P2P network, and completely anonymous for the sender. All without requiring extensive communities and webs of trust to decide who to allow full access to your encrypted P2P VPN.
As to the retransmit problems listed on your site, you should really use the Gnutella model, but broadcasting ACKs in
Re:heh, memories (Score:2)
Slashdotted spoofing server? (Score:3, Insightful)
Re:Slashdotted spoofing server? (Score:2)
On slackware 9.1 I get this
root@obfusticated:~#
>> Spoofing Tester v0.4
>> Rob Beverly
>> More information: http://spoofer.csail.mit.edu/
>>
>> Source 5 non-spoofed packets...
Broken pipe
tracert shows a load of packets between here and fyodor.emailtester.net (18.26.0.235)
strace shows it stopping at
write(3, "DISTAN
Re:Slashdotted spoofing server? (Score:2)
waste of time (Score:3)
Re:waste of time (Score:2)
Re:waste of time (Score:2)
Re:waste of time (Score:2)
Try tenets, as in a belief (Score:3, Funny)
Obvious ? (Score:4, Insightful)
80% of the IP addresses measured no longer support spoofing!
Given the move to broadband with home routers and NAT it seems obvious that spoofing capable networks are on the decline.
Re:Obvious ? (Score:2)
Given the move to broadband with home routers and NAT it seems obvious that spoofing capable networks are on the decline.
I am behind a NAT, got exactly (and expected) the results you described. So I decided to directly connect & test this. Same results. My ISP has egress filtering in place. I still get spoofed packets showing up in the firewall log from the net, but not at the level I did a year ago.
Time to make the donuts...
Have they tried . . . (Score:2, Funny)
Re:Have they tried . . . (Score:2, Funny)
I felt it prudent to follow the RFCs and set said evil bit. So now I have a DoS tool with the evil bit...
If spoofing is no longer valid, then someone has a hell of a lot of explaining to do as to why this tool works so well...
I'll download only if: (Score:5, Funny)
1. a free lollipop.
2. a car ride deep in the forest
The usefulness of this measurement is questionable (Score:5, Informative)
The project basically is saying that home users cannot spoof IPs to their measurement server. That's well and good, but useless.
Home users no longer need to spoof IPs to hide the source of the attack (as in days past). Home users now are simply trojan/zombie boxes that are hiding the true source of the attack by using their own IP -- no spoofing required. Back when zombies were not a problem, attackers used spoofing to hide their true location; it is no longer required now that boxes can be 0wned with relative ease.
I don't see the point of this project.
Unique? (Score:5, Funny)
Yes, but how many of those are unique IPs?
Yeah right (Score:3, Insightful)
I like my broadband too much to participate in anything that even LOOKS bad to the security idiots watching my cable modem.
Re:Yeah right (Score:2)
The guys upstairs would be mighty unhappy if the residence MCSE decided that 1/4 of all their subscribers were hackers that needed their contracts terminated for port-scanning some public servers...
wow (Score:4, Funny)
What's the point? (Score:3, Insightful)
The massive DDoS attacks generally come from botnets that do not need to bother spoofing their source IP. Also, anyone who relies on IP address alone (especially with "connectionless" protocols like IP/ICMP/UDP) for their security needs is just begging for problems because they're trusting a network that is not trustworthy. Seems to me it would be far easier to discourage the practice of trusting an untrustworthy network -- the black hats seem useful for this purpose -- than it would be to check each and every individual subnet for whether they will pass spoofed packets.
Given this, what does it matter whether I can spoof UDP/ICMP packets? What service or what architecture that is widely used today is so brain-dead that it does not require a password or strong encryption or some other form of security and/or authentication that would ensure that spoofing the IP address does not constitute a successful attack?
All of this would have been great ten years ago but today, the DDoS kiddies and spam botnets are enabled by the unwillingness to value security on the part of too many Windows users with broadband connections, combined with Microsoft's inability or unwillingness to market a secure-by-default OS. I say "market" here because I am assuming that with the resources at their disposal, Microsoft could create an extremely secure OS, if they really wanted to. Just look at what the OpenBSD team has done with far fewer resources available to them.
And yes, I see that as a responsibility of Microsoft's since their fortunes are largely built by mass-marketing a technical product to the non-technical, "I just want it to work with zero effort" crowd (and apparently this type of can't-be-bothered-to-learn-anything user wants it to be the first thing in this life ever observed to do so, other than entropy). If Windows were marketed exclusively to computer security specialists then I would not blame Microsoft if extremely insecure configurations kept happening.
So anyway, somebody please explain to me how it will matter one way or the other whether 0% of all internet users can spoof or whether 100% of them can spoof.
Re:What's the point? (Score:2)
NFS.
Despite the numerous one-off network filesystem projects out there, none of them have caught-on (I believe that's mainly because of licensing) so NFS continues to be used extensively.
People are trying to tack-on different forms of aut
Windows security and spoofing (Score:2)
On *nix systems, you must run the spoofer as root (in order to create the raw socket) with no arguments, e.g.
#
On Windows, simply double-click on the spoofer executable after downloading.
Classic.
Doesn't run under XP SP2 (Score:2)
No such thing as "spoofable addresses" (Score:2)
Re:No such thing as "spoofable addresses" (Score:2)
Re:No such thing as "spoofable addresses" (Score:2)
Well, yes. That's the whole point of the project: to see how widespread proper filtering rules are.
A problem? (Score:2)
Well, whoever owns the 34/8 subnet, they are getting used as a source for some spoofed packets I'm seeing on my router trying to access a high-numbered port. Almost looks like a scan for a Trojan.
But then again, are they really being spoofed? Who can say for sure. I'm still keeping in mind that that has been a part of my firewall ruleset for over 6 years, and April of this year was the first month I saw them from that address/port.
Take a look [iana.org] at who owns that netblock.
Got Root?! (Score:5, Funny)
Blockquoth the poster:
On *nix systems, you must run the spoofer as root (in order to create
the raw socket) with no arguments, e.g.
#
Ahahahahahahah! You're kidding, right?
Re:IE? (Score:4, Informative)
Re:IE? Scary Source Code (Score:2)
#ifdef _WIN32
    /* Build a shell command that launches a hard-coded IE path with the report URL,
       then hand the string to system(). Both %s are filled from the two arguments. */
    snprintf(buf, SMALLBUF*2, "c:\\progra~1\\intern~1\\iexplore http://%s/report.php?sessionkey=%s\n",
             REPORT_HOST, sessionkey);
    system(buf);
    winpause("Press Enter to Exit.");
#endif
Wow. It's been a while since I've seen a hard coded path to an executable compiled in a win32 pr
Re:Spoof _IP_ packets? (Score:2)
You are correct. The actual title should be:
"Help me win the bet, I can get at least two thousand users to download and install a root kit by posting an article to slashdot."