Is anyone familiar with a freeware tool(s) that will assist in the tracking of spoofed IP addresses? Any help or advice would be appreciated.
I've actually found tcpdump to be very effective at picking out and removing spoofed addresses. For a lab I spoofed some packets for a simple DoS in a classroom setting, and when the students blocked the "spoofed" address, the actual source address appeared in the tcpdump packets (interestingly, it didn't appear in the Ethereal feed).
So... I'd recommend tcpdump as one tool for your kit. :)
Try google....
Also, -Cheers-
Interesting, Ms Mittens... what version of Ethereal and what OS was being used? I have used Ethereal to good ends tracking spoofed IPs here at work, and the same with tcpdump too.
Hrmmmm... either the most recent or the one before that. I was using RH8 at the time. I'll try to do some empirical research in class next semester to see if I can a) fully replicate it (to ensure something else wasn't happening) and b) to see how it might have been happening.
It is kinda neat stuff to see in mid-flight.
There are ways to track spoofed addresses but you'll need access to every router (hop) the packet has traveled through. So forget about tracing spoofed packets originating from the Internet (unless your ISP is willing to help). Just firewall them and forget about it ;)
Of course, the problem with "just firewall them" is that sometimes, you'll be blocking an address that is actually owned by someone you want to talk to. Just be careful, is all.
Not if you configure your firewall correctly.
Quote:
Originally posted here by j3r
Of course, the problem with "just firewall them" is that sometimes, you'll be blocking an address that is actually owned by someone you want to talk to. Just be careful, is all.
An access-list or firewall policy should be configured to expect certain IP addresses from certain interfaces. For example, if your firewall gets a packet from its external (Internet-facing) interface with a source IP address of 10.x.x.x, then you can guarantee it is a spoofed packet and it should be dropped.
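The per-interface anti-spoofing policy described above, as an added example that is not part of the original thread: a small ingress filter that drops packets whose source prefix does not belong on the interface they arrived on (private space such as 10.x.x.x arriving from the outside, or a non-local source arriving from the inside). The interface names, the inside prefix 192.168.1.0/24 and the sample records are constructed placeholders.

```python
"""Ingress anti-spoofing check: expect certain source prefixes on certain
interfaces and drop everything else (the firewall policy from the thread)."""
import ipaddress

# Constructed policy: legitimate source prefixes per inside-facing interface.
# Assumption: the site's internal network is 192.168.1.0/24 (placeholder).
EXPECTED_SOURCES = {
    "inside": [ipaddress.ip_network("192.168.1.0/24")],
}

# Prefixes that can never legitimately arrive on the Internet-facing interface:
# RFC 1918 private space (which also covers the site's own inside prefix),
# loopback, link-local and the "this network" block.
NEVER_FROM_OUTSIDE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def is_spoofed(interface, src):
    """True if a packet with source `src` should not have arrived on `interface`."""
    addr = ipaddress.ip_address(src)
    if interface == "outside":
        return any(addr in net for net in NEVER_FROM_OUTSIDE)
    expected = EXPECTED_SOURCES.get(interface)
    if expected is None:
        return True  # unknown interface: fail closed and drop
    return not any(addr in net for net in expected)


def filter_records(records):
    """Classify constructed 'iface src > dst' records as PASS or DROP."""
    verdicts = []
    for line in records:
        iface, src, _, dst = line.split()
        verdicts.append((iface, src, "DROP" if is_spoofed(iface, src) else "PASS"))
    return verdicts


# Constructed sample records in the form "<ingress interface> <src> > <dst>".
SAMPLE_RECORDS = [
    "outside 10.4.4.4 > 198.51.100.7",        # private source from the Internet
    "outside 203.0.113.9 > 198.51.100.7",     # plausible external source
    "inside 192.168.1.25 > 203.0.113.9",      # legitimate internal host
    "inside 198.51.100.200 > 203.0.113.9",    # inside host using an outside address
]

if __name__ == "__main__":
    for iface, src, verdict in filter_records(SAMPLE_RECORDS):
        print(f"{verdict:4} {iface:7} {src}")
```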
The type of spoofing you truly cannot prevent, however, is the type where the source IP address is changed for anonymity purposes, such as packets being generated from a packet generator such as hping or my personal favorite, rain.
While I do agree with MsMittens that the original IP address can be found from a sniffer trace in some cases, this is rarely the case with a "good" packet generator. Which is why I would agree more with SirDice's comments that there really is no good way to do it.
Mileage may vary, but if you can 'telnet' into your router you can dump the routing table and connections. The web interface is pretty much set up for noobies. My phone company gets pissed when you use non-standard equipment. I wonder why ;)
Quote:
Login successful
-->
802.1x 802.1x port based authentication
ald Configuration commands for ald
autoprov
bridge Configure layer 2 bridge.
bridgevlan
classifier Packet classifier configuration commands
console Console access
dhcpclient DHCP client configuration commands
dhcpserver DHCP server configuration commands
diagnosticTest
dnsclient DNS client configuration commands
dnsrelay DNS relay configuration
emux Ethernet Switch Multiplex configuration commands
ethernet Commands to configure ethernet transports
firewall Firewall configuration commands
help Top level CLI help
igmp
imdebug Directly access the information model
ip Configure IP router
ipoa IP over ATM configuration
logger Log to a remote host using syslog
meter Packet metering configuration command
nat NAT configuration commands
pppoa PPP over ATM configuration
pppoe
radclient RADIUS Client Configuration commands
rfc1483 Commands to configure RFC1483 transports
scheduler Configuration commands for scheduler
security Security configuration commands not specific to NAT or firewall
snmp
sntpclient Simple Network Time Protocol Client commands
source Read a file of commands
system System administration commands
tftpc TFTP client commands
transports Transport configuration commands
upnp UPnP configuration commands
user User commands
webserver Webserver configuration commands
zipb Configure Dynamic ZIPB mode
-->
Uhhh, this thing is 6 years old... Two of the posters in this thread total are still active from the original posts.