Very Computer

Hi:

I have learned about how a poorly configured firewall can be used to
spoof.  That is, a cracker sends a packet to the firewall with the
source IP of a host inside the firewall, the firewall then sends it out
as if it originated from within the firwall.

Questions:

If the source address is from inside the firewall, then why would any
activity that the packet triggered outside the firewall go back to the
cracker?  It would seem, that it would get sent back to the "source"
which is a host inside the firewall.  That host wouldn't know what the
hell it was, so what would it do?  Or am I missing something here?

All I can think of that I am missing is that the packet contains some
additional info that causes it's result to get sent back to the original
cracker.

Thus, the cracker must have put his IP address somewhere in the packet.
Thus, he can be traced, right?

Any experts on this, please explain if you can.

Lastly, what is IP hijacking?  How can it be avoided on a cable internet
connection?  How can spoofing attempts or hijacking attempts be
detected?

Thanks very much.

--
_______________________________
Christopher R. Carlen

<http://home.inreach.com/crobc>
My OS is Linux!

essay on how to EXACTLY do it but I will not.  What I will tell you is never
turn your computer off because as soon as you do a hijacker can grab your ip
and become you (ie CyXXXXXXX.city1.st.home.com).  Another less easy approach
shouldn't work with a good firewall and a Linux box.

I hope this sheds some light on the matter for you.

the only way i can think of for this to be possible (spoofing) would be
to configure a firewall without specifying source and destination
interfaces.  (a /very/ poorly configured firewall!)

assuming eth0 is on the LAN, and eth1 is visible to the rest of the
world (assuming this is a Linux firewall, of course!), a correctly
configured firewall would only forward packets with a source ip on the
LAN from eth0 to eth1, and not the other way around.

such a firewall configuration should avert spoofing.  (as far as i can
tell.)  as to how spoofing actually works, can't help you there.

-brian

Simply put my hostname into the DHCP configuration for any computer, and
bring up the networking.  The only authentication used is hostname,
which I suppose if one doesn't know it (the cracker) they can sniff for
it.

However, ATT said they only get about 2 instances of IP hijacking per
month for the whole US.  Furthermore, the DHCP server logs the NIC
hardware addresses, so if you suspect you've been hijacked (pretty
obvious, as you will get an error if you try to connect) you call them
and they will string up the cracker by his toes.

If they are on the level about how often this happens, it doesn't seem
like a terribly serious concern.

They did say there is no way to avoid other people from sniffing your
packets.

_______________________________
Christopher R. Carlen

<http://home.inreach.com/crobc>
My OS is Linux!

That is sorta right, and absoloutely right about the mac deal.  I have seen stuff
to fake mac's so if you use that they would have nowhere to look (how this works
is beyond me unless it is like ipmasq for macs :/ ).  I will say the rest they

half-truth.

Mac stuff?  I didn't write anything about Macs.  

Question:

Is this bunk:

Quote:> > Simply put my hostname into the DHCP configuration for any computer, and
> > bring up the networking.  The only authentication used is hostname

That is how someone can hijack your IP or not?

all yo have to do.  So, it makes sense that it is also all the guy down
the street has to do to use your account.

Question:

Is this bunk:

Quote:> > However, ATT said they only get about 2 instances of IP hijacking per
> > month for the whole US.  Furthermore, the DHCP server logs the NIC
> > hardware addresses, so if you suspect you've been hijacked (pretty
> > obvious, as you will get an error if you try to connect) you call them
> > and they will string up the cracker by his toes.

If so, what part is bunk?  ( made up the last phrases ).  But do you
*know* if they log hardware NIC addresses or not?  Do you know if
hijacks are more common than they said?

Question:

Is this bunk:

Quote:> > They did say there is no way to avoid other people from sniffing your
> > packets.

Will a firewall stop this?

Thanks.

_______________________
Christopher R. Carlen
Sr. Laser/Optical Tech.
Sandia National Labs

BUNK:  I tried that here no go.

Quote:

> > > However, ATT said they only get about 2 instances of IP hijacking per
> > > month for the whole US.  Furthermore, the DHCP server logs the NIC
> > > hardware addresses, so if you suspect you've been hijacked (pretty
> > > obvious, as you will get an error if you try to connect) you call them
> > > and they will string up the cracker by his toes.

> If so, what part is bunk?  ( made up the last phrases ).  But do you
> *know* if they log hardware NIC addresses or not?  Do you know if
> hijacks are more common than they said?

> Question:

> Is this bunk:

BUNK: IP HIJACKING IS NOT AS COMMON AS YOU WOULD THINK.  Here we have MANY subnets that
are completely full.  The subnet I was on went from 13 users to over 120 in 2.5 months
and I know of a few locally with over 200 on them.

Quote:

> > > They did say there is no way to avoid other people from sniffing your
> > > packets.

> Will a firewall stop this?

Firewall will not stop it.  It is the nature of ethernet on a shared network that is
unencrypted.

Quote:

> Thanks.

> _______________________
> Christopher R. Carlen
> Sr. Laser/Optical Tech.
> Sandia National Labs

Quote:

>> That is sorta right, and absoloutely right about the mac deal.  I have seen stuff
>> to fake mac's so if you use that they would have nowhere to look (how this works
>Mac stuff?  I didn't write anything about Macs.  

He meant MAC, not Mac :-)  "MAC" stands for "machine address",
which is the 6-byte unique id given to every ethernet card out
there.

Quote:>> > They did say there is no way to avoid other people from sniffing your
>> > packets.

>Will a firewall stop this?

No.  Your firewall can protect your inside hosts (and of course
traffic between them since it's on a different physical segment).
But traffic that leaves your home/office and heads out to the wide
world - well that's always open to sniffing from people in your
neighbourhood.