Ethereal-users: [Ethereal-users] Re: Ethereal-users digest, Vol 1 #380 - 5 msgs

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Nathan Boettcher <swighost@xxxxxxxx>
Date: Tue, 11 Sep 2001 00:25:54 -0500
Okay, I see the point isn't getting across.  I am looking at the event that
someone is spoofing or redirecting through a proxy and the information IS
going back to the source.  I am thinking in terms of scanning, not
attacking or using it for a DOS or anything.  I know that's the primary use
of it.  One person replied and said that spoofing was taking the original
and throwing it in with a bunch of others but that's not always the case.
Take Nmap for example.  It may be a not-so-general example, but we'll use
it anyway.  Every time you use a decoy ip it will show up as that specific
ip.  It won't change each time as if someone were throwing it in a group of
ips.  So, there has to be a way for information to travel back to the
originating host.  Where is that info and how does one get it? That's the
question to be answered.  My GUESS, and that's why I am asking you all, is
that it's contained somewhere in the packets.  But I don't know exactly how
all packets are constructed (even ones constructed by hand) but I do know
there has to be some way for the info to get back to the originating host. 

A proxy may be completely different in the sense that it might be using a
table or something in which case a traceroute might actually work, so let's
just stick to spoofing.

-Nathan


-------
> It is quite easy to put a packet out with the wrong 
> IP information.  With a bit more access to the Ethernet
> driver, it is quite easy to put an arbitrary hardware
> source address.  Putting this into a forceful DOS attack
> is described in a number of places.
> 
> Packets are no harder to forge than business cards.  
------- 
> Actually, there is no practical way to trace those packets. A spoofed attack
> generally doesn't care about return packets; it's primarily a blind attack.
> It's usually a denial-of-service (DOS) attack intended to bring down a site.
> The attacker isn't looking for "legal (that is, the normal packet-then-ack
> traffic)" traffic. They're simply interested in killing a resource/site.
>
> Theoretically, if the attack was continuing, one could talk to each carrier,
> who might be able to tell where it's coming from, but that's certainly not
> feasible in real life.
-------
Nathan Boettcher
swighost@xxxxxxxx

"Windows: A 32-bit patch to a 16-bit graphical interface based on an 8-bit
operating system originally encoded for a 4-bit processor written by a
2-bit company that can't stand 1-bit of competition."
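The question the post keeps circling (where in a spoofed packet does the "way back" to the real sender live) is easiest to settle by looking at the header a capture tool like Ethereal actually decodes. The example below is added here and is not code from the thread or from the Ethereal project: it parses the fixed IPv4 header from a constructed byte string and then applies the edge-side check that does work in practice, an ingress (BCP 38-style) filter that flags packets whose source address could not legitimately have arrived on that interface. The interface names, prefixes and addresses are constructed sample values, and `sample_ipv4_header` exists only to build input for the demo.

```python
"""Added example (not from the thread or from Ethereal): decode an IPv4 header
the way a capture tool would, then run a BCP 38-style ingress check over it.

The only field in the header that names the sender is the 32-bit source
address, and a host forging packets writes whatever it likes there; replies
to a decoy go to the decoy. Nothing else in the packet leads back to the real
origin, which is why the quoted reply calls such traffic untraceable. The
defender's lever is at the network edge: a packet arriving on an interface
whose source address does not belong behind that interface is dropped or
logged. All addresses and prefixes below are constructed sample values."""
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte header, network byte order


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over 16-bit words. Verifying a header that
    already carries its checksum yields 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(data):
    """Return the fields of the fixed IPv4 header as a dict."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_FMT, data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
        # Everything that identifies the sender is this one field.
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def sample_ipv4_header(src, dst, ttl=64, proto=6):
    """Constructed sample input for this demo (not a captured packet)."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 40, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ingress_check(header, expected_prefixes):
    """BCP 38-style check: `expected_prefixes` are the networks that really
    sit behind the interface the packet arrived on (assumed topology)."""
    src = ipaddress.IPv4Address(header["src"])
    return any(src in ipaddress.IPv4Network(p) for p in expected_prefixes)


def triage(packets):
    """packets: list of (arrival_interface, expected_prefixes, raw_header).
    Returns one verdict string per packet, as a filter log would record it."""
    verdicts = []
    for iface, prefixes, raw in packets:
        try:
            h = parse_ipv4_header(raw)
        except ValueError as exc:
            verdicts.append("%s: malformed (%s)" % (iface, exc))
            continue
        if not h["checksum_ok"]:
            verdicts.append("%s: bad checksum from %s" % (iface, h["src"]))
        elif ingress_check(h, prefixes):
            verdicts.append("%s: accept %s -> %s" % (iface, h["src"], h["dst"]))
        else:
            verdicts.append("%s: drop %s -> %s (source not in %s)"
                            % (iface, h["src"], h["dst"], ", ".join(prefixes)))
    return verdicts


if __name__ == "__main__":
    # Constructed scenario: eth1 faces a customer LAN numbered 10.0.0.0/24.
    # The second packet claims a source that does not live behind eth1,
    # which is what a forged source address looks like at the edge.
    demo = [
        ("eth1", ["10.0.0.0/24"], sample_ipv4_header("10.0.0.5", "192.0.2.10")),
        ("eth1", ["10.0.0.0/24"], sample_ipv4_header("198.51.100.7", "192.0.2.10")),
    ]
    for line in triage(demo):
        print(line)
```

Run it and the first packet is accepted while the second is dropped with the reason recorded; no field in the dropped packet says who really sent it, which is the whole point of the quoted reply. The carrier-by-carrier tracing it mentions is the same check applied one hop at a time, and it only works where each upstream network filters its own edges like this.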