February 26th, 2002, 12:30 AM
Here's your tutor.... Is this the one you asked for?
During the last few weeks of us chatting on irc.antionline.com, in #Antionline, there has been a lot of "debate" about IP spoofing on today's Internet. Some less intelligent people boast about having "spoofers" for mIRC and Windows in general, while other seasoned vets sit back and laugh at their expense.
So, tonight, I'm going to set the record straight in the first of a series of posts in which I plan on disproving common Internet misconceptions.
To begin, for those who are new to this, "spoofing" is the slang term given to the technique of changing one's IP to another IP to "make believe" they are from a system they are not on.
This all started way back, probably in the early '90s, when it was big and a vulnerable name service daemon was released on UNIX systems. With this version of BIND, it was possible to inject code into the memory space of a running name server with a fake authoritative record and PTR record of a fake domain, so that when a connection was made from this server, the fake IP would show up on the destination system upon a query of the vulnerable nameserver. This was the most popular method of "spoofing".
You can't do it anymore.
The problem was fixed with later releases of the name server software. You also had to have root (super user) access to run the exploit code, and with all that, you ALSO had to be using a name server that had authoritative access AND control over the reverse resolution of their domain names.
The second most reliable method that people used to use was TCP sequence number prediction. Every TCP connection makes a 3-way handshake when establishing the connection.
First, a SYN (synchronous) packet is sent from your machine to the destination, requesting a connection. Second, a SYN/ACK (acknowledgment) packet is sent from that system to yours, requesting a connection and acknowledging your attempt at a connection. Last, your machine returns an ACK packet to complete the connection between the machines.
The way this was exploited was that a user, prior to attempting the connection, would scan the system and, from the results of the scan, would know the sequence numbers used during a TCP connection. With this knowledge, a "spoofer" would then forge the source IP of the TCP SYN packet and send it to the destination. Upon receipt of this forged packet, the destination would send its reply to the "fake" address. Thus you would think the connection couldn't be established because you didn't receive that SYN/ACK packet, but, because of the prior scan, we could "guess" or predict what that packet's information was going to be, and thus complete the connection on our own with the "fake" address, even though we didn't get that SYN/ACK packet back and it's lost in space somewhere.
So, basically, both of those methods are no longer practiced, because either the systems are no longer vulnerable or measures have been taken to make them more difficult to pull off.
So, hopefully that clears up a little of the misconception: *most people* CANNOT IP spoof anymore.
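The sequence-number attack described in the post above, worked through as an added simulation. This is not code from the original post: the `Packet`, `Server`, `handshake` and `blind_spoof` names, the per-connection ISN increment of 64000, and the IP addresses are all constructed for the example. Packets are passed by function call rather than sent on the wire, and, as the post assumes, the "trusted" host whose address is forged is silent and never answers the stray SYN/ACK. Running it shows why the technique worked against a server whose initial sequence number climbs by a constant and fails against one that picks it at random.

```python
"""Blind TCP spoofing by initial-sequence-number (ISN) prediction, simulated.

Constructed example, not from the original post. Class and function names,
the 64000 ISN step and the addresses are all assumptions for illustration.
"""
import random
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Packet:
    src: str
    dst: str
    flags: str   # "SYN", "SYN/ACK", "ACK" or "RST"
    seq: int
    ack: int = 0


class Server:
    """Minimal TCP listener.

    isn_step=None: random ISN per connection (what modern stacks do).
    isn_step=N:    ISN grows by the constant N per connection, the old
                   predictable scheme the attack depends on.
    """

    def __init__(self, ip, isn_step=None, seed=2002):
        self.ip = ip
        self.isn_step = isn_step
        self._rng = random.Random(seed)   # seeded so runs are repeatable
        self._next_isn = 0x10000
        self.pending = {}                 # peer ip -> our ISN while half-open
        self.established = set()

    def _new_isn(self):
        if self.isn_step is None:
            return self._rng.getrandbits(32)
        isn = self._next_isn
        self._next_isn = (isn + self.isn_step) & MASK
        return isn

    def receive(self, pkt):
        """Process one packet; return the reply, addressed to whatever the
        header claims as source, or None."""
        if pkt.flags == "SYN":
            isn = self._new_isn()
            self.pending[pkt.src] = isn
            return Packet(self.ip, pkt.src, "SYN/ACK", seq=isn, ack=(pkt.seq + 1) & MASK)
        if pkt.flags == "ACK" and pkt.src in self.pending:
            expected = (self.pending.pop(pkt.src) + 1) & MASK
            if pkt.ack == expected:
                self.established.add(pkt.src)   # third step matched: open
                return None
            return Packet(self.ip, pkt.src, "RST", seq=pkt.ack)  # wrong ACK: reset
        return None


def handshake(server, client_ip, client_isn):
    """Honest three-way handshake from a host that really owns client_ip.
    Returns the server ISN the client observed in the SYN/ACK."""
    synack = server.receive(Packet(client_ip, server.ip, "SYN", seq=client_isn))
    server.receive(Packet(client_ip, server.ip, "ACK",
                          seq=(client_isn + 1) & MASK, ack=(synack.seq + 1) & MASK))
    return synack.seq


def blind_spoof(server, attacker_ip, trusted_ip):
    """Open a connection the server attributes to trusted_ip without ever
    seeing the SYN/ACK it sends there. Returns True on success."""
    # Step 1 ("the scan"): two genuine connections from our own address
    # reveal how the ISN moves between connections.
    isn1 = handshake(server, attacker_ip, 1000)
    isn2 = handshake(server, attacker_ip, 2000)
    step = (isn2 - isn1) & MASK
    predicted = (isn2 + step) & MASK          # ISN the next SYN should receive

    # Step 2: SYN with a forged source. The SYN/ACK goes to trusted_ip, not us.
    synack = server.receive(Packet(trusted_ip, server.ip, "SYN", seq=4000))
    if synack.dst != trusted_ip:
        raise RuntimeError("reply did not go to the forged address")

    # Step 3: acknowledge the SYN/ACK we never saw, using the predicted ISN.
    server.receive(Packet(trusted_ip, server.ip, "ACK",
                          seq=4001, ack=(predicted + 1) & MASK))
    return trusted_ip in server.established


if __name__ == "__main__":
    weak = Server("10.0.0.1", isn_step=64000)
    print("predictable ISN:", blind_spoof(weak, "10.0.0.99", "10.0.0.7"))    # True
    strong = Server("10.0.0.1")
    print("random ISN:     ", blind_spoof(strong, "10.0.0.99", "10.0.0.7"))  # False
```

Against the predictable server the forged ACK carries exactly the acknowledgment number the server is waiting for, so the half-open entry for the forged address becomes an established connection even though the attacker never received a byte of the SYN/ACK. Against the random-ISN server the same three steps produce a wrong ACK number and the server answers with a RST instead, which is the defence the post refers to when it says measures have been taken to make the attack harder.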
February 26th, 2002, 12:57 PM
I think he made a post about this before. I would be grateful to see the likes of jparker and many IRC people who rarely post giving more input.
Basically, they have a wealth of info, and if you haven't checked it out, go now!
February 26th, 2002, 01:11 PM
Well, there's always using port redirects or using a proxy of some sort... but that's not really spoofing, I suppose.
i have a herd of 1337 sheep
Worth should be judged on quality... Not appearance... Anyone can sell you **** inside a pretty box.. The only real gift then is the box..