normally the anti-spoof network and mask are: LOOPBACK="127.0.0.0/8" CLASS_A="10.0.0.0/8" CLASS_B="172.16.0.0/12" CLASS_C="192.168.0.0/16" CLASS_D_MULTICAST="224.0.0.0/4" CLASS_E_RESERVED_NET="240.0.0.0/5" if you receive an incoming packet from someone of this network probably the packet are spoofed.
On Fri, 24 Sep 2004 14:02:35 +0200, Riccardo Tortorici <[EMAIL PROTECTED]> wrote: > Imagine your fw with this rule (192.168.10.0 is supposed to be your > network): > iptables -A INPUT -s ! 192.168.10.0/24 -j DROP #aka deny all IP > #addresses except the > #ones of your network > doing the spoof the attacker can elude this rule, since your system > thinks it's coming from inside. > You can solve this issue using rp_filter (you are expecting to receive > packet with a certain source address network on a network interface but > you got a different IP so DROP) > Regarding your second question is: NO, you can't obtain the real IP > address. > > bye > > > Niclas Englund wrote: > > Thanks for the answer. > > But why does he wants to act like he belongs to my network??? Can i get his > > real IP-adress? If i dident have this firewall would my router think that > > he belongs to my network??? > > > > > > -----Original Message----- > > From: Riccardo Tortorici <[EMAIL PROTECTED]> > > To: [email protected] > > Date: Fri, 24 Sep 2004 13:19:46 +0200 > > Subject: Re: Spoofing > > > > You said it! This is spoofing, someone send to your IP, packets with the > > unexistent ip in the "Source IP Address" field in the packet's header, > > guessing the IP address exists in your network. That's it.. > > > > Niclas Englund wrote: > > > >>I got this from my mail from my firewall "Message: IP Spoofing Source: > >>192.168.0.101, 2240 Destination:X.X.XX, 6882 (from WAN Inbound)" there my > >>XXXX is my ip. How could this be possible??? non of my computer has this > >>ip-adress. > >>/Niclas > >> > >> > > > > > > -- > - Riccardo Tortorici - > Linux Registered User #365170 > Count yourself @ http://counter.li.org/ ! > -- > HTML email can be dangerous, is not always readable, wastes bandwidth > and is simply not necessary please don't send them to me! > If you don't know what I'm talking about please read this: > > http://www.georgedillon.com/web/netiquette.shtml#charity > > -- > Email.it, the professional e-mail, gratis per te: http://www.email.it/f > > Sponsor: > Il Cinema a casa Tua!: film e dvd a meno di 10 Euro! Clicca e scopri tutti i > titoli > Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=2755&d=24-9 > > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > >
