September 5th, 2001, 02:17 AM
Network Security Misconceptions: Chapter 1: IP Spoofing
During the last few weeks of us chatting on irc.antionline.com, in #Antionline, there has been a lot of "debate" about IP Spoofing in today's Internet. Some less intelligent people boast about having "Spoofers" for mIRC and Windows in general, while other seasoned vets sit back and laugh at their expense.
So, tonight, I'm here to set the record straight in the first of a series of posts in which I plan on disproving common Internet Misconceptions.
To begin, for those who are new to this, "Spoofing" is the slang term given to the technique of changing one's IP to another IP to "make believe" they are from a system they are not on.
This all started way back, probably in the early '90s, when it was big: a vulnerable name service daemon was released on UNIX systems. With this version of BIND, it was possible to inject code into the memory space of a running name server with a fake authoritative record and a PTR record for a fake domain, so that when a connection was made from this server, the fake IP would show up on the destination system upon a query of the vulnerable name server. This was the most popular method of "spoofing".
You can't do it anymore.
The problem was fixed with later releases of the name server software. You also had to have root (super user) access to run the exploit code, and on top of all that, you ALSO had to be using a name server that had authoritative access AND control over the reverse resolution of their domain names.
The second most reliable method that people used to use was that of TCP sequence number prediction. Every TCP connection starts with a 3-way handshake.
First, a SYN (synchronous) packet is sent from your machine to the destination, requesting a connection. Second, a SYN/ACK (acknowledgment) packet is sent from that system to yours, acknowledging your attempt at a connection and requesting one in return. Last, your machine returns an ACK packet to complete the connection between the machines.
The way this was exploited was that a user, prior to attempting the connection, would scan the system and, from the results of the scan, would know the sequence numbers used during a TCP connection. With this knowledge, a "spoofer" would then forge the source IP of the TCP SYN packet and send it to the destination. Upon receipt of this forged packet, the destination would send its SYN/ACK to the "fake" address. You would think the connection couldn't be established because the SYN/ACK never came back to us, but, because of the prior scan, we could "guess" or predict what that packet's information was going to be, and thus complete the connection on our own with the "fake" address, even though we never got that SYN/ACK packet and it's lost in space somewhere.
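As an added illustration, not part of the original post, here is a constructed simulation of why that prediction worked against old TCP stacks and why it fails against modern ones: a legacy counter-style initial sequence number (ISN) generator beside an RFC 6528-style keyed one, plus the kind of predictability check a scanner reports when assessing a host. The class names, step constants and addresses are all assumptions made for the example, not any real stack's code.

```python
import hashlib
import hmac
import os

MASK32 = 0xFFFFFFFF

class LegacyIsnGenerator:
    """Old BSD-style ISN: one global counter bumped by a fixed constant per connection.
    Whoever has seen a few ISNs can compute the next one, for any client (constructed)."""

    def __init__(self, start=0, step=64000):
        self.counter = start
        self.step = step

    def next_isn(self, src_ip, src_port, dst_ip, dst_port):
        self.counter = (self.counter + self.step) & MASK32  # ignores the 4-tuple entirely
        return self.counter

class KeyedIsnGenerator:
    """RFC 6528-style ISN: M + F(4-tuple, secret), with F a keyed hash.
    The per-connection offset depends on a secret the peer never sees (sketch, constructed)."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.clock = 0

    def next_isn(self, src_ip, src_port, dst_ip, dst_port):
        self.clock = (self.clock + 250) & MASK32  # 4-microsecond timer, ~1 ms per connection (assumed)
        msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
        f = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (self.clock + f) & MASK32

def observe_isns(gen, n, client_ip="198.51.100.7", server_ip="203.0.113.10"):
    """ISNs a host sees in the SYN/ACKs for n connections it opens itself (constructed addresses)."""
    return [gen.next_isn(client_ip, 40000 + i, server_ip, 80) for i in range(n)]

def isn_predictable(isns, tolerance=0):
    """Assessment check: True when consecutive ISN deltas (mod 2^32) are constant,
    the classic weakness behind sequence-number prediction."""
    deltas = [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]
    return max(deltas) - min(deltas) <= tolerance

def extrapolated_isn(isns):
    """Naive extrapolation: last ISN plus the last observed delta.
    Matches the real next ISN only under the legacy policy."""
    return (2 * isns[-1] - isns[-2]) & MASK32
```

The legacy generator hands a third party's connection exactly the extrapolated value, while the keyed generator's deltas vary per 4-tuple, so the same extrapolation is no better than a 1-in-2^32 guess.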
So, basically, neither of those methods is practiced anymore, because either the systems are no longer vulnerable or measures have been taken to make the attacks much more difficult to pull off.
So, hopefully that clears up a little of the misconception: *most people* CANNOT IP spoof anymore.
If you have any questions, or want to continue this discussion, reach me and others like me, on irc.antionline.com, #Antionline, or e-mail me at: firstname.lastname@example.org
Jason Parker - http://www.o-negative.net
o-Negative: Information Network