OSDev.org

The Place to Start for Operating System Developers
 Post subject: TCP IPV4 Source IP Address
Posted: Sat Jan 14, 2023 5:37 pm
I was recently looking into the TCP protocol and I noticed that it has a Source Address field. Does that give the sender the possibility to trick the receiver into thinking that the packet was sent from another IP address than the sender's IP? I think not, because it would be so dangerous.


 Post subject: Re: TCP IPV4 Source IP Address
Posted: Sat Jan 14, 2023 5:47 pm
It does, that's why there is an attack called IP spoofing. But there are ways to mitigate that (even if not solve it completely). Otherwise the internet would be a much messier place than it already is.

That could even be used to get some old enterprise grade firewalls (like Nokia ones, been there) to completely go nuts and freeze, if you attempted to spoof a return packet with a destination address originating outside the network.

_________________
Writing a bootloader in under 15 minutes: https://www.youtube.com/watch?v=0E0FKjvTA0M


 Post subject: Re: TCP IPV4 Source IP Address
Posted: Sat Jan 14, 2023 5:55 pm
Because it reminded me of a guy I knew in the past who was scamming people's PayPals, and he asked me about this IP thing (logging in to PayPal with the scammed guy's IP and skipping the mobile check), and I thought this was impossible or that it needs some special router, and he said that he was paying a website monthly to do that for him.


 Post subject: Re: TCP IPV4 Source IP Address
Posted: Sat Jan 14, 2023 6:05 pm
AFAIK the ways you can do IP spoofing are very limited. There are more protections in place, for instance. And some ISPs do check and filter out IP spoofing attempts originating from their customers. Also, the way routing is done prevents much of that from happening. I suspect it's probably easier to do IP spoofing in internal networks than on the internet, and even on the internet you may not get very far other than trying to spoof IP addresses from customers on the same ISP as you.

 Post subject: Re: TCP IPV4 Source IP Address
Posted: Sun Jan 15, 2023 2:47 pm
devc1 wrote:
Because it reminded me of a guy I knew in the past who was scamming people's PayPals, and he asked me about this IP thing (logging in to PayPal with the scammed guy's IP and skipping the mobile check), and I thought this was impossible or that it needs some special router, and he said that he was paying a website monthly to do that for him.

Well, you will not be able to create a TCP connection by spoofing the source IP address.

When you send an IP packet to some destination, nobody cares about the source address field. Only at the destination, that field is used to return the response. So then the source becomes the destination. But of course, the spoofed address is not equal to your actual address (or else there would be no point), and so the return route will be different, and the response will come to a different machine. In case of TCP, if you send a SYN packet with a spoofed source address, the server will answer with its SYN-ACK to the spoofed address, which is not in the right state at that point and will answer with RST. That won't really do any harm.

What your friend did more likely comes down to guessing the correct cookie for the PayPal login. You see, PayPal is a web service, and on the web, you are logged in to a site if you have the right cookie to be logged in. So if I can guess your cookie, I can take over your session. Maybe your friend found a way to guess those.

With source IP spoofing, there are two things you definitely can do: For one, there is SYN flooding. That means sending out an infinite series of SYN packets with a random source IP address to some destination. When the server receives a SYN packet, it has to allocate a bit of memory to handle the incoming connection. This flood exhausts the resources for that (any finite limit can be exceeded) and thus causes the server to be unreachable. And the random source IP addresses mean that no firewall along the way can filter out these packets and still allow legitimate packets through. Workaround here: Syncookies.

For two, you can attack another site with UDP services that return larger responses than requests (e.g. DNSSEC). Then you can just keep sending the same request to some server with a spoofed source IP address, and it keeps sending its larger responses to the spoofed address, thus taking up that other address's bandwidth. This can also cause denial of service. The target of the attack cannot filter out the unwanted packets, since by the time they reach the firewall, the damage has already been done.

_________________
Carpe diem!
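
The syncookies workaround named in the post above, as an added example that is not part of the original thread: the server encodes the handshake state into its own initial sequence number instead of allocating memory per SYN, and only a client that actually received the SYN-ACK can acknowledge it. The bit layout, HMAC-SHA256 as the keyed hash, the key and the documentation-range addresses are assumptions made for this sketch, not any particular stack's implementation.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-key"      # constructed; a real stack uses a random per-boot key
MSS_TABLE = (536, 1300, 1440, 1460)   # the cookie has room for an index, not the MSS itself

def _mac24(src, sport, dst, dport, client_isn, t):
    """24-bit keyed hash binding the cookie to the 4-tuple, client ISN and time slot t."""
    msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + struct.pack("!HHII", sport, dport, client_isn, t))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, sport, dst, dport, client_isn, t, mss):
    """Server ISN for the SYN-ACK. Nothing is stored: the state lives in the number."""
    # Largest table entry that does not exceed the MSS the client advertised.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t & 0x1F) << 27) | (idx << 24) | _mac24(src, sport, dst, dport, client_isn, t)

def check_ack(src, sport, dst, dport, client_isn, ack, now):
    """Validate the final ACK. Returns the negotiated MSS, or None if the ACK is not ours."""
    cookie = (ack - 1) & 0xFFFFFFFF            # the client acknowledges server ISN + 1
    for t in (now, now - 1):                   # accept the current and previous time slot
        if (cookie >> 27) != (t & 0x1F):
            continue
        want = _mac24(src, sport, dst, dport, client_isn, t).to_bytes(3, "big")
        got = (cookie & 0xFFFFFF).to_bytes(3, "big")
        idx = (cookie >> 24) & 0x7
        if hmac.compare_digest(want, got) and idx < len(MSS_TABLE):
            return MSS_TABLE[idx]              # only now would connection state be allocated
    return None

def demo():
    """Constructed handshake: one real client, one sender that never saw the SYN-ACK."""
    conn = ("198.51.100.7", 40000, "203.0.113.10", 443, 0x1000)   # constructed 4-tuple + ISN
    isn = make_cookie(*conn, t=1000, mss=1460)
    real = check_ack(*conn, ack=(isn + 1) & 0xFFFFFFFF, now=1000)
    # A spoofed source gets no SYN-ACK, so it can only guess the acknowledgement number.
    blind = check_ack(*conn, ack=0x12345678, now=1000)
    return real, blind
```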

