Tools for tracking spoofed IP addresses
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Tools for tracking spoofed IP addresses

  1. #1
    Junior Member
    Join Date
    Nov 2003
    Posts
    2

    Tools for tracking spoofed IP addresses

    Is anyone familar with a freeware tool(s) that will assist in the tracking of spoofed IP addresses? Any help or advice would be appreciated.
    Share on Google+

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I've actually found that tcpdump to be very effective at picking and removing spoofed addresses. For a lab I spoofed some packets for a simple DoS in a classroom setting and when the students blocked the "spoofed" address, the actual source address appeared in the tcpdump packets (interestingly didn't appear in the Ethereal feed).

    So... I'd recommend tcpdump as one tool for your kit.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
    Share on Google+

  3. #3
    Try google....

    Also, -Cheers-
    Share on Google+

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    interesting Ms Mittens... what version of Ethreal and what OS was being used? I have used Ethreal to good ends tracking spoofed IPs here at work, and the same with tcpdump too.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
    Share on Google+

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Hrmmmm... either the most recent or the one before that. I was using RH8 at the time. I'll try to do some empirical research in class next semester to see if I can a) fully replicate it (to ensure something else wasn't happening) and b) to see how it might have been happening.

    It is kinda neat stuff to see in mid-flight.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
    Share on Google+

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    There are ways to track spoofed addresses but you'll need access to every router (hop) the packet has traveled through. So forget about tracing spoofed packets originating from the Internet (unless your ISP is willing to help). Just firewall them and forget about it
    Oliver's Law:
    Experience is something you don't get until just after you need it.
    Share on Google+

  7. #7
    Senior Member
    Join Date
    Jul 2003
    Posts
    114
    Of course, the problem with "just firewall them" is that sometimes, you'll be blocking an address that is actually owned by someone you want to talk to. Just be careful, is all.
    Share on Google+

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Originally posted here by j3r
    Of course, the problem with "just firewall them" is that sometimes, you'll be blocking an address that is actually owned by someone you want to talk to. Just be careful, is all.
    Not if you configure your firewall correctly.

    An access-list or firewall policy should be configured to expect certain IP addresses from certain interfaces. For example, if your firewall gets a packet from it's external (Internet facing) interface with a source IP address of 10.x.x.x, then you can guarantee it is a spoofed packet and it should be dropped.

    the type of spoofing you truly cannot prevent however is the type where the source IP address is changed for anonymity purposes, such as packets being generated from a packet generator such as hping or my personal favorite, rain.

    While a do agree with MsMittens that the original IP address can be found from a sniffer trace in some cases, this a rarely the case with a "good" packet generator. Which is why I would agree more with SirDice's comments that there really is no good way to do it.
    Share on Google+

  9. #9
    Banned
    Join Date
    Nov 2002
    Posts
    677
    Mileage my vary but if you can 'telnet' into your router you can dump the routing table and connections. The web interface is pretty much setup for noobies. My phone company gets pissed when you use non-standard equipment. I wonder why

    Login successful

    -->
    802.1x 802.1x port based authentication
    ald Configuration commands for ald
    autoprov
    bridge Configure layer 2 bridge.
    bridgevlan
    classifier Packet classifier configuration commands
    console Console access
    dhcpclient DHCP client configuration commands
    dhcpserver DHCP server configuration commands
    diagnosticTest
    dnsclient DNS client configuration commands
    dnsrelay DNS relay configuration
    emux Ethernet Switch Multiplex configuration commands
    ethernet Commands to configure ethernet transports
    firewall Firewall configuration commands
    help Top level CLI help
    igmp
    imdebug Directly access the information model
    ip Configure IP router
    ipoa IP over ATM configuration
    logger Log to a remote host using syslog
    meter Packet metering configuration command
    nat NAT configuration commands
    pppoa PPP over ATM configuration
    pppoe
    radclient RADIUS Client Configuration commands
    rfc1483 Commands to configure RFC1483 transports
    scheduler Configuration commands for scheduler
    security Security configuration commands not specific to NAT or firewall
    snmp
    sntpclient Simple Network Time Protocol Client commands
    source Read a file of commands
    system System administration commands
    tftpc TFTP client commands
    transports Transport configuration commands
    upnp UPnP configuration commands
    user User commands
    webserver Webserver configuration commands
    zipb Configure Dynamic ZIPB mode
    -->
    Share on Google+

  10. #10
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Uhhh this thing is 6 years old...Two of the posters in this thread total are still active from the original posts.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •