Re: DoS/DDoS Attack

From: seditiosus (seditiosus@gmail.com)
Date: Fri Jan 14 2005 - 13:26:55 EST


Correct me if I am wrong, but I understand that the MAC address is
left unchanged and can be used to identify the source.

> On Fri, 14 Jan 2005 14:09:40 +0000, Nazareno Vicente Feito
> <nvfeito@advancedsl.com.ar> wrote:
> > On Friday 14 January 2005 06:06 am, Faisal Khan wrote:
> > > Folks,
> > >
> > > Two quick questions.
> > >
> > > When IP (source) addresses are spoofed, is there no way of determining (a)
> > > that the IP source address is spoofed and not the genuine one, and (b) the
> > > actual IP address that is sending the DoS packets?
> > >
> > > Somehow I get the feeling I'm SOL when trying to find out the
> > > "genuine/actual" source IP address.
> > >
> > > If this is the case, then pretty much we all are helpless with DoS/DDoS
> > > attacks - considering one can write a script/program to keep incrementing
> > > or randomly assigning spoofed source addresses in the DoS packets being
> > > sent out.
> > >
> > > Faisal
> >
> > I can't think of a way of reversing the process. The experiments I've done
> > with spoofed IPs have been done in C using raw sockets; some folks tried
> > with Python. The language is indifferent, but what you do is alter the header
> > of the packet, and tell the kernel of the OS that there's no need to add a
> > header to the packet you're sending; then the kernel just places the packet on
> > the net with the data you filled in.
> > The main thing about a spoofed IP packet is that you can fill the fields with
> > any info you want (of course it's important that the checksum matches; this is one
> > way you could know if the packet is spoofed, and if it's not and the checksum
> > does not match, there's an error, so one way or another you should get rid of
> > the packet). Check this with Ethereal or another protocol analyzer.
> > In theory there should be no way of knowing what the real source address is (it's
> > not like an SMTP 'spoof' where you play with some RCPT TO/MAIL FROM commands
> > and you have the email headers added by the MTA). If you think about it a
> > little bit, we're indeed helpless with DoS/DDoS attacks, if by that you mean
> > SYN floods and that kind of stuff, and if you dig deeper, you'll find out
> > that if the operating system is in charge of stamping the IP address on a
> > packet and the OS itself is sufficiently flexible to let you do that from
> > userspace, this is not considered a flaw, but a gift; the main problem is
> > that not all people is this gift the way they should.
> >
> > --
> >
> > Saludos.
> > Nazareno Vicente Feito
> >
>
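The two checks the thread raises, the IP header checksum and the layer-2 source address, are easy to see in a captured frame. The following is an added example in Python (the language one poster mentions); it is not code from any participant in this thread. It builds a constructed Ethernet II + IPv4 frame entirely in memory using TEST-NET addresses and an arbitrary MAC, then parses it the way an analyzer would and verifies the header checksum as described in RFC 1071. Two caveats worth keeping in mind when reading the output: a correct checksum only shows the header arrived intact (any sender, or the kernel on its behalf, fills it in correctly, so a mismatch indicates corruption rather than spoofing), and the source MAC in a frame that has crossed a router is that of the last layer-2 hop, not of the originating host, so it identifies the sender only on the local segment.

```python
import struct

ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header.

    With the checksum field zeroed this yields the value to store;
    with the stored value in place it yields 0 for an intact header.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_to_bytes(ip: str) -> bytes:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %r" % ip)
    return bytes(parts)


def build_ipv4_frame(src_mac: bytes, src_ip: str, dst_ip: str,
                     payload: bytes = b"", dst_mac: bytes = b"\xff" * 6) -> bytes:
    """Assemble a constructed Ethernet II + IPv4 frame in memory (nothing is sent)."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45,               # version 4, IHL 5 (20-byte header)
        0,                  # DSCP/ECN
        20 + len(payload),  # total length
        0x1234,             # identification (arbitrary, constructed)
        0x4000,             # flags: DF set, fragment offset 0
        64,                 # TTL
        17,                 # protocol: UDP
        0,                  # checksum placeholder, filled below
        _ip_to_bytes(src_ip),
        _ip_to_bytes(dst_ip)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + bytes(hdr) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse a captured Ethernet II + IPv4 frame and report what the headers say."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame (ethertype 0x%04x)" % ethertype)
    version, ihl = frame[14] >> 4, (frame[14] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("malformed IPv4 header")
    ip_hdr = frame[14:14 + ihl]
    stored = struct.unpack("!H", ip_hdr[10:12])[0]
    return {
        # layer-2 sender: only meaningful on the local segment (last hop)
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_ip": ".".join(str(b) for b in ip_hdr[12:16]),
        "dst_ip": ".".join(str(b) for b in ip_hdr[16:20]),
        "ttl": ip_hdr[8],
        "stored_checksum": stored,
        # an intact header sums to zero; a mismatch means corruption, not spoofing
        "checksum_ok": ipv4_checksum(ip_hdr) == 0,
    }


if __name__ == "__main__":
    # constructed sample: TEST-NET addresses, arbitrary MAC
    frame = build_ipv4_frame(bytes.fromhex("001122334455"), "203.0.113.7", "192.0.2.10", b"data")
    print(parse_frame(frame))
    damaged = bytearray(frame)
    damaged[14 + 12] ^= 0x01  # corrupt one source-address byte, as line noise would
    print(parse_frame(bytes(damaged)))
```

Running the script prints the parsed fields twice: once for the intact frame (`checksum_ok` True) and once for the frame with a flipped bit in the source address (`checksum_ok` False). Note that the spoofed-looking source IP in the intact frame verifies perfectly, which is exactly the point made above: the checksum protects integrity, not authenticity.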



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:13 EDT