Thread: Question about IP spoofing?

  1. #1

    Question about IP spoofing?

    Hi, I have heard a lot about IP spoofing, and have sometimes used it, but I want to know how it really works. Does it just change the source IP in all the packets sent? But then how can the reply packets come back to you? Does it involve some kind of hack/trick?
    Details please.

    --thanks
    The second step on the way to become a hacker is to run GNU/Linux. (first step is to buy a computer)
    My old skewl http://www.skoz.nl/spelevaert/

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The packets won't come back to you... they will be routed appropriately.

    But there are ways you can use that like "idle hosting". When you spoof the IP to the idle host you can then check that host to see if it received any packets thus allowing you to scan a third party without giving away your IP.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    My slant on this is most people misunderstand this vulnerability/attack because of the name. Most assume you spoof and your computer assumes the identity of the remote computer (A). In reality it is a hijack.

    You are guessing or predicting the sequence number of the host (A) that established a (SYN) connection with another host (B) and hijacking that session by sending the returning sequence number (SYN/ACK). The key is to DoS host A so it cannot respond with the SYN/ACK to host B before you can. The attack is only good for that single session and allows you to inject packets (which could contain a command that executes something).

    Once the remote host (B) replies to the packet with an ACK or whatnot, which goes to host A and not to your computer, you are unable to respond and the connection is eventually reset.

    This scenario is mainly if the remote computer is on the same subnet as you and you are able to sniff/capture some of the packets to start the spoofing predictions. There are ways to do it across the internet which is more difficult but not totally impossible.

    In a nutshell

    [edit]

    Sorry for the double post; the second has been removed. Not sure how it happened. I think it happens if I wait too long after typing a response before hitting "post".

    [/edit]
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  5. #5
    Packets have headers which contain information about the packet; what information is contained depends on what kind of packet it is. I assume you want to know about spoofing IP packets as opposed to Ethernet, but the principle is the same, just at a different layer.

    Within an IPv4 header two of the fields are the source address and the destination address, which hold the source from which the packet originated and the destination the packet is travelling to, respectively. Now, to spoof a packet you would need to modify the source address, and as you point out this would mean that the server you are communicating with would always reply to the spoofed address and you would not receive any of the replies. Therefore spoofing the IP address for a connection-oriented protocol such as TCP would mean you could not establish a connection to a server, so you couldn't do things like browse the web using a spoofed address. You could do things like launch a SYN flood attack on a web server, since this would not require a connection to be established.

    Other protocols such as UDP are connectionless and do not receive acknowledgements from the server that they connect to, thus spoofing an IP address under these circumstances is not really an issue, and you can never guarantee that UDP packets, or packets from any other connectionless protocol, are not spoofed.

    I can think of a few ways round the issue of not being able to establish a connection with a spoofed IP address, but they would be a bit tricky to implement.
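    To make the header-level point above concrete, here is an added example (not code from any poster in this thread) that builds and parses a minimal IPv4 header, shows that a receiver's reply is addressed to whatever the source field says, and applies the standard defender-side mitigation, a BCP 38 style ingress filter that rejects packets whose source address does not belong to the link they arrived on. The addresses and the allowed prefix are constructed sample values from the documentation ranges.

```python
import struct
import ipaddress
import socket

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791); 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header, no options, TTL 64, valid checksum."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract the fields a spoofing discussion cares about."""
    (ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,   # sum incl. checksum folds to 0
    }

def reply_destination(pkt: bytes) -> str:
    """A receiver answers to the header's source field, genuine or forged."""
    return parse_ipv4_header(pkt)["src"]

def ingress_filter(pkt: bytes, allowed_prefixes) -> bool:
    """BCP 38 style check: accept only sources inside the prefixes assigned to this link."""
    src = ipaddress.ip_address(parse_ipv4_header(pkt)["src"])
    return any(src in ipaddress.ip_network(p) for p in allowed_prefixes)

if __name__ == "__main__":
    # Constructed sample: a packet arriving on a customer link assigned 192.0.2.0/24
    # but claiming a source outside that prefix.
    spoofed = build_ipv4_header("203.0.113.7", "198.51.100.10", payload_len=20)
    print(parse_ipv4_header(spoofed))
    print("reply would go to", reply_destination(spoofed))
    print("passes ingress filter:", ingress_filter(spoofed, ["192.0.2.0/24"]))
```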

  6. #6
    While this is a topic you could have gotten the answer to simply by doing a Google search, I will lend my memory to you for a second.

    This was written by ankit fadia a couple years ago. If I remember correctly it actually explains the entire process and how to pull it off.

    http://neworder.box.sk/news/3825

  7. #7
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    > Within an IPv4 header two of the fields are the source address and the destination address, which hold the source from which the packet originated and the destination the packet is travelling to, respectively. Now, to spoof a packet you would need to modify the source address, and as you point out this would mean that the server you are communicating with would always reply to the spoofed address and you would not receive any of the replies. Therefore spoofing the IP address for a connection-oriented protocol such as TCP would mean you could not establish a connection to a server, so you couldn't do things like browse the web using a spoofed address. You could do things like launch a SYN flood attack on a web server, since this would not require a connection to be established.

    True in a way - but packets usually pass through a switch before they get to the WS. Most switches have ARP caches - which can be poisoned...

    I have a tutorial that I wrote a long time ago - I will put it back up in the tutorial section for a short while so you can read about this if you like.

  8. #8
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Have temporarily posted it here:
    http://www.antionline.com/showthread...hreadid=274435
    It's the second half that may interest you.

  9. #9
    Member
    Join Date
    Aug 2005
    Posts
    51
    Wow, today is indeed a great day! I have always wanted a clear answer on how IP "spoofing" worked. Sometimes Google is full of useless information that takes too much time to sort through. Thanks for the link.

  10. #10
    > True in a way - but packets usually pass through a switch before they get to the WS. Most switches have ARP caches - which can be poisoned...

    Yeah, ARP poisoning would work to an extent, the extent being that you could only spoof an address within your network (i.e. one you owned); otherwise the traffic wouldn't be routed back to you and would be lost somewhere. However, there is nothing stopping you using machines dotted around the world (one being at the spoofed IP address, or at least at an address where you can catch the data) to relay data back to you. It just gets a bit messy.
