A couple of amplifications:

On Sun, 2003-03-16 at 20:51, Priscilla Oppenheimer wrote:
> Alan Stone wrote:
> > 
> > Hi..   Group
> > 
> > I always heard of those hackers who spoof an IP and hack other people's
> > systems.  Does spoofing an IP mean they are changing their source IP
> > so that they pass through the firewall?  If yes, may I know what tool
> > they can use in order to change their source IP
..
> To change your address, use the TCP/IP Control Panel or equivalent in the
> operating system that you are using.

More commonly (in my experience) people (skr1pt k1dd3z) use some stupid
program on a UNIX computer that writes to the network on a raw socket. 
This way the administrator of the system doesn't have to know (as long
as the user has root - required for raw sockets).

> You probably won't get through any firewalls, though. Firewalls make sure an
> outsider isn't using an inside address. Routers ensure this too. It can be
> easily accomplished with a simple access list.

Those ACLs are far less common in enterprises than one would hope. 
Routers should do ingress filtering, but if the attacker chooses just a
random address, it won't be in the filter list.  Most of the packet
floods I've been on the business end of have been completely random
addresses.  In fact, some of them pick a random address per packet.  On
networks that do ingress filtering, the user may only have to pick an
address in the network's range, which will often still disguise his true
identity.

> Even before firewalls and routers watched for this, IP spoofing didn't mean
> you could hack much unless you had additional hacking abilities. You had to
> spoof the IP address of a trusted host and you had to be running software
> that didn't care that you didn't see any replies. The replies go to the
> legitimate holder of the IP address.

Another scenario is the above-mentioned packet flood attack, which still
happens every day to somebody.  Outside of SYN floods, this is usually
done with non-TCP datagrams, and the sender never really cares about
responses.  

A special case of this is the smurf attack - the attacker writes the
address of the victim host into the source address field and sends a big
directed-broadcast ping to a big network.  Each host on the network
sends a big response to the victim, chewing up most/all of its
bandwidth.

As Priscilla pointed out, hijacking attacks are pretty difficult these
days, given the ISN randomization and ingress filtering that many
firewalls and routers tend to do.  It's usually easier to just exploit a
security hole directly.

 -sd
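
The filtering decisions discussed in this message, as an added Python sketch that is not part of the original post: it models the border access list (inside source arriving from outside, directed broadcast) and the egress check, and shows which spoofed sources each one still lets through. The inside prefix 192.0.2.0/24, the function names and every sample address are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (documentation ranges); nothing here is from the thread.
INSIDE = ipaddress.ip_network("192.0.2.0/24")
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def inbound(src, dst):
    """Anti-spoofing decision for a packet arriving on the outside interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in INSIDE:
        return "drop: inside source on outside interface"
    if any(s in net for net in BOGONS):
        return "drop: unroutable source"
    if d in (INSIDE.network_address, INSIDE.broadcast_address):
        # Directed broadcast: refusing it keeps this network from amplifying a smurf.
        return "drop: directed broadcast"
    return "permit"

def outbound(src):
    """Egress decision: only sources inside our own prefix may leave."""
    if ipaddress.ip_address(src) in INSIDE:
        return "permit"
    return "drop: source not in local prefix"

# Constructed sample packets: (direction, source, destination)
SAMPLES = [
    ("in",  "192.0.2.10",   "192.0.2.20"),   # outsider claiming an inside address
    ("in",  "10.1.2.3",     "192.0.2.20"),   # private-space source from outside
    ("in",  "198.51.100.7", "192.0.2.255"),  # directed-broadcast ping
    ("in",  "203.0.113.99", "192.0.2.20"),   # arbitrary outside source: not filterable here
    ("out", "198.51.100.7", "203.0.113.1"),  # local host forging a foreign source
    ("out", "192.0.2.77",   "203.0.113.1"),  # forged neighbour address inside the range
]

def evaluate(samples):
    """Return the filter decision for each sample packet, in order."""
    return [inbound(s, d) if direction == "in" else outbound(s)
            for direction, s, d in samples]

if __name__ == "__main__":
    for (direction, s, d), verdict in zip(SAMPLES, evaluate(SAMPLES)):
        print(f"{direction:3} {s:>14} -> {d:<14} {verdict}")
```

The two "permit" results are the limits described above: a border list cannot tell a random outside source from a real one, and an egress filter only narrows a forged source to the local prefix.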




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65572&t=65559