IP Hijacking/Spoofing?

IP Hijacking/Spoofing?

Post by Christopher R. Carle » Tue, 21 Dec 1999 04:00:00



Hi:

I have learned about how a poorly configured firewall can be used to
spoof.  That is, a cracker sends a packet to the firewall with the
source IP of a host inside the firewall, the firewall then sends it out
as if it originated from within the firewall.

Questions:

If the source address is from inside the firewall, then why would any
activity that the packet triggered outside the firewall go back to the
cracker?  It would seem, that it would get sent back to the "source"
which is a host inside the firewall.  That host wouldn't know what the
hell it was, so what would it do?  Or am I missing something here?

All I can think of that I am missing is that the packet contains some
additional info that causes its result to get sent back to the original
cracker.

Thus, the cracker must have put his IP address somewhere in the packet.
Thus, he can be traced, right?

Any experts on this, please explain if you can.

Lastly, what is IP hijacking?  How can it be avoided on a cable internet
connection?  How can spoofing attempts or hijacking attempts be
detected?

Thanks very much.

--
_______________________________
Christopher R. Carlen

<http://home.inreach.com/crobc>
My OS is Linux!

 
 
 

IP Hijacking/Spoofing?

Post by Mob-Rule » Wed, 22 Dec 1999 04:00:00



essay on how to EXACTLY do it but I will not.  What I will tell you is never
turn your computer off because as soon as you do a hijacker can grab your ip
and become you (ie CyXXXXXXX.city1.st.home.com).  Another less easy approach
shouldn't work with a good firewall and a Linux box.

I hope this sheds some light on the matter for you.


> Hi:

> I have learned about how a poorly configured firewall can be used to
> spoof.  That is, a cracker sends a packet to the firewall with the
> source IP of a host inside the firewall, the firewall then sends it out
> as if it originated from within the firewall.

> Questions:

> If the source address is from inside the firewall, then why would any
> activity that the packet triggered outside the firewall go back to the
> cracker?  It would seem, that it would get sent back to the "source"
> which is a host inside the firewall.  That host wouldn't know what the
> hell it was, so what would it do?  Or am I missing something here?

> All I can think of that I am missing is that the packet contains some
> additional info that causes its result to get sent back to the original
> cracker.

> Thus, the cracker must have put his IP address somewhere in the packet.
> Thus, he can be traced, right?

> Any experts on this, please explain if you can.

> Lastly, what is IP hijacking?  How can it be avoided on a cable internet
> connection?  How can spoofing attempts or hijacking attempts be
> detected?

> Thanks very much.

> --
> _______________________________
> Christopher R. Carlen

> <http://home.inreach.com/crobc>
> My OS is Linux!


 
 
 

IP Hijacking/Spoofing?

Post by Brian P. Teagu » Wed, 22 Dec 1999 04:00:00


the only way i can think of for this to be possible (spoofing) would be
to configure a firewall without specifying source and destination
interfaces.  (a /very/ poorly configured firewall!)

assuming eth0 is on the LAN, and eth1 is visible to the rest of the
world (assuming this is a Linux firewall, of course!), a correctly
configured firewall would only forward packets with a source ip on the
LAN from eth0 to eth1, and not the other way around.

such a firewall configuration should avert spoofing.  (as far as i can
tell.)  as to how spoofing actually works, can't help you there.

-brian
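
The interface-based rule Brian describes, written out as an added example (not code from the thread, and not how any poster configured their box). It assumes eth0 is the LAN side with a hypothetical 192.168.1.0/24 block and eth1 the Internet side; verdict() models what the FORWARD policy should do with a packet given the interface it arrived on, and iptables_rules() emits the same policy as iptables rules (the thread's era used ipchains, but the idea is identical). The first sample packet is the case the original poster asked about: a packet from outside that claims an inside source.

```python
"""Anti-spoofing forward policy for a two-interface Linux firewall.

Added example, not code from the thread. Assumes eth0 faces the LAN
(192.168.1.0/24, a hypothetical block) and eth1 faces the Internet.
"""
import ipaddress
from dataclasses import dataclass

LAN_IFACE = "eth0"                                   # inside (assumed)
WAN_IFACE = "eth1"                                   # outside (assumed)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")     # our LAN (assumed)

# Private and loopback blocks: a packet from the Internet should never carry
# one of these as its source, so treat them like a spoofed LAN source.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str
    dst: str


def verdict(pkt: Packet) -> tuple:
    """Decide whether the firewall forwards pkt. Returns (action, reason)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.in_iface == WAN_IFACE:
        # Ingress filtering: a packet arriving from the Internet that claims
        # an inside source address can only be a spoof.
        if src in LAN_NET:
            return ("DROP", "LAN source address arrived on the outside interface")
        if any(src in net for net in BOGON_NETS):
            return ("DROP", "private/loopback source address from the outside")
        if dst not in LAN_NET:
            return ("DROP", "outside packet not addressed to our LAN")
        return ("ACCEPT", "outside -> inside")

    if pkt.in_iface == LAN_IFACE:
        # Egress filtering: only our own addresses may leave through us, so a
        # compromised inside host cannot spoof third parties either.
        if src not in LAN_NET:
            return ("DROP", "non-LAN source address leaving the LAN interface")
        return ("ACCEPT", "inside -> outside")

    return ("DROP", "packet from unknown interface")


def iptables_rules() -> list:
    """The same policy as iptables FORWARD-chain rules (assumed tool)."""
    rules = ["iptables -P FORWARD DROP"]
    # Anything from the outside with an inside or private source: drop.
    for net in [LAN_NET] + BOGON_NETS:
        rules.append(f"iptables -A FORWARD -i {WAN_IFACE} -s {net} -j DROP")
    # Anything leaving the LAN interface that is not ours: drop.
    rules.append(f"iptables -A FORWARD -i {LAN_IFACE} ! -s {LAN_NET} -j DROP")
    # What remains is forwarded in either direction. A real ruleset would
    # further restrict the inbound rule (e.g. to established connections).
    rules.append(f"iptables -A FORWARD -i {LAN_IFACE} -o {WAN_IFACE} -s {LAN_NET} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {WAN_IFACE} -o {LAN_IFACE} -d {LAN_NET} -j ACCEPT")
    return rules


if __name__ == "__main__":
    samples = [
        Packet("eth1", "192.168.1.5", "203.0.113.9"),   # spoofed: inside source from outside
        Packet("eth1", "10.3.3.3", "192.168.1.5"),      # bogon source from outside
        Packet("eth0", "192.168.1.5", "203.0.113.9"),   # normal outbound
        Packet("eth0", "203.0.113.77", "203.0.113.9"),  # inside host spoofing a foreign source
        Packet("eth1", "203.0.113.9", "192.168.1.5"),   # normal inbound
    ]
    for p in samples:
        print(p.in_iface, p.src, "->", p.dst, *verdict(p))
    print()
    print("\n".join(iptables_rules()))
```

The point of keying every rule on the arrival interface is that the firewall never has to trust the source field on its own: a LAN address is only believed when it shows up on the LAN wire. The reply to a spoofed packet still goes to the real owner of the forged address, which is why blind spoofing through a firewall is mostly useful for abuse that does not need an answer; the sender's own address is not in the packet anywhere.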

 
 
 

IP Hijacking/Spoofing?

Post by Christopher R. Carle » Thu, 23 Dec 1999 04:00:00




> essay on how to EXACTLY do it but I will not.  What I will tell you is never
> turn your computer off because as soon as you do a hijacker can grab your ip
> and become you (ie CyXXXXXXX.city1.st.home.com).  Another less easy approach
> shouldn't work with a good firewall and a Linux box.

> I hope this sheds some light on the matter for you.


Simply put my hostname into the DHCP configuration for any computer, and
bring up the networking.  The only authentication used is hostname,
which I suppose if one doesn't know it (the cracker) they can sniff for
it.

However, ATT said they only get about 2 instances of IP hijacking per
month for the whole US.  Furthermore, the DHCP server logs the NIC
hardware addresses, so if you suspect you've been hijacked (pretty
obvious, as you will get an error if you try to connect) you call them
and they will string up the cracker by his toes.

If they are on the level about how often this happens, it doesn't seem
like a terribly serious concern.

They did say there is no way to prevent other people from sniffing your
packets.

_______________________________
Christopher R. Carlen

<http://home.inreach.com/crobc>
My OS is Linux!

 
 
 

IP Hijacking/Spoofing?

Post by Mob-Rule » Fri, 24 Dec 1999 04:00:00


That is sorta right, and absolutely right about the mac deal.  I have seen stuff
to fake mac's so if you use that they would have nowhere to look (how this works
is beyond me unless it is like ipmasq for macs :/ ).  I will say the rest they

half-truth.



> > essay on how to EXACTLY do it but I will not.  What I will tell you is never
> > turn your computer off because as soon as you do a hijacker can grab your ip
> > and become you (ie CyXXXXXXX.city1.st.home.com).  Another less easy approach
> > shouldn't work with a good firewall and a Linux box.

> > I hope this sheds some light on the matter for you.


> Simply put my hostname into the DHCP configuration for any computer, and
> bring up the networking.  The only authentication used is hostname,
> which I suppose if one doesn't know it (the cracker) they can sniff for
> it.

> However, ATT said they only get about 2 instances of IP hijacking per
> month for the whole US.  Furthermore, the DHCP server logs the NIC
> hardware addresses, so if you suspect you've been hijacked (pretty
> obvious, as you will get an error if you try to connect) you call them
> and they will string up the cracker by his toes.

> If they are on the level about how often this happens, it doesn't seem
> like a terribly serious concern.

> They did say there is no way to prevent other people from sniffing your
> packets.

> _______________________________
> Christopher R. Carlen

> <http://home.inreach.com/crobc>
> My OS is Linux!

 
 
 

IP Hijacking/Spoofing?

Post by Christopher R. Carle » Fri, 24 Dec 1999 04:00:00



> That is sorta right, and absolutely right about the mac deal.  I have seen stuff
> to fake mac's so if you use that they would have nowhere to look (how this works
> is beyond me unless it is like ipmasq for macs :/ ).  I will say the rest they

> half-truth.

Mac stuff?  I didn't write anything about Macs.  

Question:

Is this bunk:

Quote:> > Simply put my hostname into the DHCP configuration for any computer, and
> > bring up the networking.  The only authentication used is hostname

That is how someone can hijack your IP or not?


all you have to do.  So, it makes sense that it is also all the guy down
the street has to do to use your account.

Question:

Is this bunk:

Quote:> > However, ATT said they only get about 2 instances of IP hijacking per
> > month for the whole US.  Furthermore, the DHCP server logs the NIC
> > hardware addresses, so if you suspect you've been hijacked (pretty
> > obvious, as you will get an error if you try to connect) you call them
> > and they will string up the cracker by his toes.

If so, what part is bunk?  (I made up the last phrases.)  But do you
*know* if they log hardware NIC addresses or not?  Do you know if
hijacks are more common than they said?

Question:

Is this bunk:

Quote:> > They did say there is no way to prevent other people from sniffing your
> > packets.

Will a firewall stop this?

Thanks.

_______________________
Christopher R. Carlen
Sr. Laser/Optical Tech.
Sandia National Labs

 
 
 

IP Hijacking/Spoofing?

Post by Mob-Rule » Sat, 25 Dec 1999 04:00:00




> > That is sorta right, and absolutely right about the mac deal.  I have seen stuff
> > to fake mac's so if you use that they would have nowhere to look (how this works
> > is beyond me unless it is like ipmasq for macs :/ ).  I will say the rest they

> > half-truth.

> Mac stuff?  I didn't write anything about Macs.

> Question:

> Is this bunk:

> > > Simply put my hostname into the DHCP configuration for any computer, and
> > > bring up the networking.  The only authentication used is hostname
BUNK: They have to be offline, and if you're static like here, DHCP is worthless.

> That is how someone can hijack your IP or not?


> all you have to do.  So, it makes sense that it is also all the guy down
> the street has to do to use your account.

> Question:

> Is this bunk:

BUNK:  I tried that here no go.

Quote:

> > > However, ATT said they only get about 2 instances of IP hijacking per
> > > month for the whole US.  Furthermore, the DHCP server logs the NIC
> > > hardware addresses, so if you suspect you've been hijacked (pretty
> > > obvious, as you will get an error if you try to connect) you call them
> > > and they will string up the cracker by his toes.

> If so, what part is bunk?  (I made up the last phrases.)  But do you
> *know* if they log hardware NIC addresses or not?  Do you know if
> hijacks are more common than they said?

> Question:

> Is this bunk:

BUNK: IP HIJACKING IS NOT AS COMMON AS YOU WOULD THINK.  Here we have MANY subnets that
are completely full.  The subnet I was on went from 13 users to over 120 in 2.5 months
and I know of a few locally with over 200 on them.

Quote:

> > > They did say there is no way to prevent other people from sniffing your
> > > packets.

> Will a firewall stop this?

A firewall will not stop it.  It is the nature of Ethernet on a shared network that is
unencrypted.


Quote:

> Thanks.

> _______________________
> Christopher R. Carlen
> Sr. Laser/Optical Tech.
> Sandia National Labs

 
 
 

IP Hijacking/Spoofing?

Post by Sitaram Chamar » Sat, 25 Dec 1999 04:00:00



Quote:

>> That is sorta right, and absoloutely right about the mac deal.  I have seen stuff
>> to fake mac's so if you use that they would have nowhere to look (how this works
>Mac stuff?  I didn't write anything about Macs.  

He meant MAC, not Mac :-)  "MAC" stands for "machine address",
which is the 6-byte unique id given to every ethernet card out
there.

Quote:>> > They did say there is no way to prevent other people from sniffing your
>> > packets.

>Will a firewall stop this?

No.  Your firewall can protect your inside hosts (and of course
traffic between them since it's on a different physical segment).
But traffic that leaves your home/office and heads out to the wide
world - well that's always open to sniffing from people in your
neighbourhood.
 
 
 

IP-Spoofing / MAC-Address Spoofing / arp requests

Hello All..

Today I ran into something very strange. I could determine where the trash
came from and why.
Our topology looks like localnet --- router --- "routernet" --- firewall
--- internet

The things I figured out were:
the packets below were not seen at the firewall or on the routernet, but
when I unplugged the internet uplink the "scan" stopped.
I figured out the MAC address of the IP 13.10.15.10, but the MAC address
was from a computer in the localnet with a "normal" non-routable DHCP
IP. No strange programs were running there.

I noticed the whole thing because of a heavy traffic load on our network
equipment. With tcpdump I caught the packets. It looked to me like a
scan of our net. The scan began at 7.0.0.0, ran until 10.0.x.x and then the
whole thing stopped.

...
13:07:32.623597 eth0 M arp who-has 9.254.46.40 tell 13.10.15.10
13:07:32.623665 eth0 M arp who-has 9.254.46.41 tell 13.10.15.10
13:07:32.623734 eth0 M arp who-has 9.254.46.42 tell 13.10.15.10
13:07:32.623801 eth0 M arp who-has 9.254.46.43 tell 13.10.15.10
13:07:32.623869 eth0 M arp who-has 9.254.46.44 tell 13.10.15.10
13:07:32.623937 eth0 M arp who-has 9.254.46.45 tell 13.10.15.10
...

Our firewall didn't recognize anything; I've set it up with very
restrictive ipchains rules and do logging with snort/logchecker. On active
attacks the source IPs are blocked for an amount of time.

With our old firewall we had a break-in via IP spoofing; after that we
changed to better hardware and other firewall concepts.

Has anyone any idea what that was? Has anyone seen something like that?
Is there any information about MAC address spoofing on the web?

thanks for your response,

greetings

michi
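
An added example (not code from the post) of the checks that would have flagged the traffic above automatically: a sweep of consecutive target addresses from one sender, a sender IP that belongs to none of the local DHCP ranges, and a sender MAC that the DHCP server has leased to a different IP. The sample lines are constructed in the shape of the post's tcpdump output, with an optional sender MAC in the position where `tcpdump -e` would print one (that layout is an assumption); the lease table and the 192.168.0.0/16 local range are made up too.

```python
"""Detect an ARP sweep and a MAC/IP mismatch in tcpdump-style ARP lines.

Added example, not from the post. Sample lines, local ranges and the DHCP
lease table are constructed; the optional MAC field layout is assumed.
"""
import ipaddress
import re
from collections import defaultdict

ARP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"(?:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+)?"
    r"\S+\s+arp who-has (?P<target>\S+) tell (?P<sender>\S+)$"
)

LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]  # DHCP space (assumed)
SWEEP_MIN_TARGETS = 16   # distinct targets from one sender before we call it a sweep
SWEEP_MIN_CONSEC = 0.8   # fraction of targets that directly follow one another


def parse(lines):
    """Yield a dict per ARP request line; lines of any other shape are skipped."""
    for line in lines:
        m = ARP_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse(lines, leases):
    """Return {sender_ip: [finding, ...]}. leases maps MAC -> leased IP."""
    targets = defaultdict(set)
    macs = defaultdict(set)
    for req in parse(lines):
        targets[req["sender"]].add(int(ipaddress.ip_address(req["target"])))
        if req["mac"]:
            macs[req["sender"]].add(req["mac"])

    findings = defaultdict(list)
    for sender, tgts in targets.items():
        sender_ip = ipaddress.ip_address(sender)
        # 1. A sender outside every local block has no business ARPing on this
        #    segment: the source IP is spoofed or badly misconfigured.
        if not any(sender_ip in net for net in LOCAL_NETS):
            findings[sender].append("sender IP outside local DHCP ranges")
        # 2. Many numerically consecutive targets from one sender is a sweep.
        ordered = sorted(tgts)
        consec = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if len(ordered) >= SWEEP_MIN_TARGETS and consec / (len(ordered) - 1) >= SWEEP_MIN_CONSEC:
            first, last = ipaddress.ip_address(ordered[0]), ipaddress.ip_address(ordered[-1])
            findings[sender].append(f"ARP sweep of {len(ordered)} addresses {first}-{last}")
        # 3. The frames came from a NIC the DHCP server knows under another IP.
        for mac in macs[sender]:
            leased = leases.get(mac)
            if leased and leased != sender:
                findings[sender].append(f"MAC {mac} is leased {leased}, not {sender}")
    return dict(findings)


def _ts(i):
    return f"13:07:32.{623597 + 68 * i:06d}"


# Constructed capture: a sweep from a non-local sender IP, emitted by a NIC
# that the (made-up) lease table shows as 192.168.1.23, plus normal ARP
# traffic from a local host (one line with a MAC field, one without).
SAMPLE_LINES = (
    [f"{_ts(i)} eth0 00:a0:c9:12:34:56 M arp who-has 9.254.46.{40 + i} tell 13.10.15.10"
     for i in range(30)]
    + ["13:07:33.100000 eth0 00:50:56:aa:bb:cc M arp who-has 192.168.1.1 tell 192.168.1.7",
       "13:07:33.300000 eth0 M arp who-has 192.168.1.9 tell 192.168.1.7"]
)
LEASES = {"00:a0:c9:12:34:56": "192.168.1.23", "00:50:56:aa:bb:cc": "192.168.1.7"}


if __name__ == "__main__":
    for sender, flags in analyse(SAMPLE_LINES, LEASES).items():
        for flag in flags:
            print(f"{sender}: {flag}")
```

To run it on real traffic you would feed it `tcpdump -e -n arp` output, after adjusting ARP_RE to the exact line layout your tcpdump prints. The MAC check is the decisive one here: the IP in the ARP request is whatever the sender puts there, but the frame's hardware address is what the switch port and the DHCP lease log can tie to a physical machine, which is why the post's own approach of looking up the MAC found the real host.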
