
Re: Spoofing



Normally the anti-spoof networks and masks are:
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
If you receive an incoming packet from one of these networks,
the packet is probably spoofed.


On Fri, 24 Sep 2004 14:02:35 +0200, Riccardo Tortorici
<riccardo.tortorici@email.it> wrote:
> Imagine your fw with this rule (192.168.10.0 is supposed to be your
> network):
> iptables -A INPUT -s ! 192.168.10.0/24 -j DROP  # aka deny all IP addresses except the ones of your network
> By spoofing, the attacker can elude this rule, since your system
> thinks it's coming from inside.
> You can solve this issue using rp_filter (you are expecting to receive
> packets with a certain source network address on a network interface, but
> you got a different IP, so DROP).
> Regarding your second question: NO, you can't obtain the real IP
> address.
> 
> bye
> 
> 
> Niclas Englund wrote:
> > Thanks for the answer.
> > But why does he want to act like he belongs to my network??? Can I get his real IP address? If I didn't have this firewall, would my router think that he belongs to my network???
> >
> >
> > -----Original Message-----
> > From: Riccardo Tortorici <riccardo.tortorici@email.it>
> > To: debian-firewall@lists.debian.org
> > Date: Fri, 24 Sep 2004 13:19:46 +0200
> > Subject: Re: Spoofing
> >
> > You said it! This is spoofing: someone sends to your IP packets with a
> > nonexistent IP in the "Source IP Address" field in the packet's header,
> > guessing that the IP address exists in your network. That's it.
> >
> > Niclas Englund wrote:
> >
> >>I got this in a mail from my firewall: "Message: IP Spoofing Source: 192.168.0.101, 2240 Destination:X.X.XX, 6882 (from WAN Inbound)" where XXXX is my IP. How could this be possible??? None of my computers has this IP address.
> >>/Niclas
> >>
> >>
> >
> >
> 
> --
> - Riccardo Tortorici -
> Linux Registered User #365170
> Count yourself @ http://counter.li.org/ !
> --
> HTML email can be dangerous, is not always readable, wastes bandwidth
> and is simply not necessary please don't send them to me!
> If you don't know what I'm talking about please read this:
> 
> http://www.georgedillon.com/web/netiquette.shtml#charity
> 
>
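
The interface-bound filtering discussed in this thread, as an added example that is not part of the original messages: it prints, without applying, the rp_filter setting and iptables rules that drop reserved and LAN source addresses arriving on the WAN side, which is the case in the firewall log above (192.168.0.101 from WAN Inbound). The interface name eth0, the function names and the 240.0.0.0/4 spelling of the class E block are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: prints an ingress anti-spoof ruleset.
# Nothing is applied, so it runs without root; review, then pipe to sh as root.
# Assumptions: eth0 is the WAN interface, 192.168.10.0/24 is the LAN.

# Sources that should never arrive on the WAN side (class E as 240.0.0.0/4).
BOGONS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# valid_cidr NET: succeed only for a.b.c.d/len, octets 0-255, len 0-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# antispoof_rules WAN_IF LAN_NET: print the commands; fail on bad input so
# nothing unexpected reaches a root shell.
antispoof_rules() {
    wan=$1; lan=$2
    case "$wan" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $wan" >&2; return 1 ;;
    esac
    valid_cidr "$lan" || { echo "bad LAN network: $lan" >&2; return 1; }
    # Reverse-path check: drop packets whose source is not routed back
    # through the interface they arrived on.
    echo "sysctl -w net.ipv4.conf.all.rp_filter=1"
    # Bind every match to the arrival interface; the LAN prefix comes first.
    for net in $lan $BOGONS; do
        echo "iptables -A INPUT -i $wan -s $net -j DROP"
        echo "iptables -A FORWARD -i $wan -s $net -j DROP"
    done
}

antispoof_rules "${1:-eth0}" "${2:-192.168.10.0/24}"
```

Unlike a rule that matches on source address alone, every rule here names the arrival interface with -i, so a packet claiming an inside address is dropped when it shows up on the outside.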


