
IP spoofing question
DSComputers

2003-10-13, 9:02 pm

I guess this would be the most appropriate forum for this, even though I am studying for security+

I don't understand how IP spoofing is possible and I figure it is because I don't have a solid enough understanding of routing and details of tcp/ip.

For a super simplified example...
computer1 directly connected to e0 on router1. Computer2 directly connected to e1 on router1.
Computer1 - 192.168.10.2
router1 e0 - 198.168.10.1
router1 e1 - 192.168.20.1
computer2 - 192.168.20.2
all 255.255.255.0

Router has no access lists configured or anything, so everything can do anything it wants.

Ok, so computer1 wants to send spoofed packets to computer2.

Computer1 can ping computer2 no problem.
If computer1 sends a ping packet to computer2 with a spoofed from address of 192.168.30.2 to make it respond to itself rather than back to computer1, how would router1 know what to do with the packet from computer1, or how could it communicate at all?

hope that made some sense.
TIA!
OHCCNP2003

2003-10-13, 11:36 pm

Sounds like you are talking about non-blind spoofing, which is the term used for an attack that takes place when the attacker is on the same subnet as the victim. Using a packet sniffer, the sequence and acknowledgement numbers can be sniffed, which eliminates the difficulty of calculating them accurately. In this particular type of attack, the goal would be session hijacking. Basically you would corrupt the data stream of an established connection, then reconnect using the correct sequence numbers from the attacking machine.

You can protect against this type of attack by setting up your router or firewall to deny packets from outside your network that claim to have a source address from inside your network. In other words, access lists. Also use the global command no ip source-route. You can obviously also use encryption to protect against this type of attack. Check out the CERT advisory on this subject at:

http://www.cert.org/advisories/CA-1996-21.html
DSComputers

2003-10-16, 2:34 pm

Well that makes sense, but the part that is still confusing me is this:
"Currently, the best method is to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network. In addition, you should filter outgoing packets that have a source address different from your internal network to prevent a source IP spoofing attack from originating from your site. "

I understand what they are saying, but don't get why it has to be done. I would think the router wouldn't know how to handle a packet with a source address from a different network.
Demijohn

2003-10-16, 3:27 pm

Routing has 2 basic components, making the routing decision, and switching the packets from input to output. The routing decision basically involves examining the destination address and choosing between available routes.

Any other functions (filtering, address translation etc.) are not routing functions, so you have to configure them in addition to configuring the basic routing functions.
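To make the two points above concrete (the router's forwarding decision looks only at the destination, while the anti-spoofing access list from OHCCNP2003's reply is a separate check on the source), here is an added Python model of the thread's router1. It is not code from the thread; the topology is constructed from the original question (e0 = 192.168.10.0/24, e1 = 192.168.20.0/24), and the filter generalises the CERT advice into a per-interface rule: a packet is accepted on an interface only if its source address belongs to the network connected to that interface.

```python
import ipaddress
from typing import Optional

# Constructed topology from the thread: router1 with e0 and e1, both /24.
CONNECTED = {
    "e0": ipaddress.ip_network("192.168.10.0/24"),
    "e1": ipaddress.ip_network("192.168.20.0/24"),
}


def routing_decision(dst: str) -> Optional[str]:
    """Plain routing: choose the output interface from the destination only.

    Longest matching prefix wins. Returns None when no route matches and no
    gateway of last resort is configured (the router will then send ICMP
    unreachable back to whatever the packet claims as its source).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, net in CONNECTED.items():
        if addr in net and (best is None or net.prefixlen > CONNECTED[best].prefixlen):
            best = iface
    return best


def source_filter(in_iface: str, src: str) -> bool:
    """Anti-spoofing access list (the CERT input/output filter, applied per
    interface): accept a packet only if its source belongs to the network
    connected to the interface it arrived on. This is NOT part of routing;
    it has to be configured in addition."""
    return ipaddress.ip_address(src) in CONNECTED[in_iface]


def forward(in_iface: str, src: str, dst: str, filtering: bool) -> str:
    """Process one packet and describe what router1 does with it."""
    if filtering and not source_filter(in_iface, src):
        return "drop: source %s not valid on %s" % (src, in_iface)
    out = routing_decision(dst)
    if out is None:
        return "icmp unreachable to %s" % src
    return "forward via %s" % out


if __name__ == "__main__":
    # The spoofed ping from the original question, with and without the filter,
    # and computer2's reply addressed to the spoofed source 192.168.30.2.
    print(forward("e0", "192.168.30.2", "192.168.20.2", filtering=False))
    print(forward("e0", "192.168.30.2", "192.168.20.2", filtering=True))
    print(forward("e1", "192.168.20.2", "192.168.30.2", filtering=False))
```

Without the filter the spoofed ping is forwarded to e1 exactly like a normal one, because the routing decision never reads the source field; computer2's reply to 192.168.30.2 then has no matching route and dies at router1.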
OHCCNP2003

2003-10-16, 10:17 pm

That is the basic function of routers, to examine incoming packets, determine if the destination address exists in its routing table, and if so switch the packet over to the proper interface to forward it out. If the router can't find a match in the routing table and no gateway of last resort has been specified, then the router will send an ICMP host unreachable message back to the source of the packet. One thing you mentioned in an earlier post makes me curious. I am not knowledgeable about CompTIA certifications, but it seems to me that a good understanding of TCP/IP routed protocols would be a prerequisite for any security course.
DSComputers

2003-10-19, 1:00 am

I guess I'm just having trouble explaining what I don't understand.

Say you've got broadband at home, their dhcp servers assign addresses to all their clients. If you statically assign yourself something from a range of a different network, you won't be able to connect.
So what is the difference between having a different ip address on your computer and spoofing the from address in the packets you are attempting to send?

I guess my question was really how do you get to the router, rather than what would the router do with the packets once they get there.
OHCCNP2003

2003-10-19, 11:49 am

On your cable modem scenario, most broadband users place something between their home network and the Internet. These hardware devices generally serve as DHCP servers, allowing you to specify a different internal address, with the IP address of the hardware device being used as the default gateway to the ISP's network. Maybe you are confused about the difference between public and private IP addresses. Do a search on Network Address Translation, or NAT.

Your example is using three separate Class C address ranges, but using the same subnet. Presumably it is attempting to show an attack from the inside, either non-blind or man in the middle. From inside the network, finding a path to the router shouldn't be a problem. Simply viewing the IP configuration on your machine will show you the route that is taken for traffic outside your subnet. From the outside, you would be looking at a DoS type of attack, in which you spoof source IP addresses to make tracing and stopping the DoS as difficult as possible, or DDoS. Do a search on IP header and port scanner / TCP port scanner.

Copyright 2003 - 2008 examnotes.net