On Sunday 07 September 2003 08:18 pm, rikona wrote:

> BP> There will be some type of router or routers between me and the
> BP> system and all have to maintain the same routing address
> BP> instructions or the packets drop to the wrong place.
>
> Agreed that there will be intermediate routers. Let's say, for
> simplicity, there's your comp A, with the virus trying to spoof. This
> is connected to intermediate router B (directly on the net, NOT within
> any ISP), which in turn goes to victim computer C. Comp A is sending
> on spoof IP and listening on spoof IP.
The problem is that you are connecting to router B with an IP originating from Net C (target computer). Router B is supposed to get the packets and route traffic to computer C and return the replies back to comp A (on Net range A) for the return trip, but the spoofed IP is owned by range C, which is internal to those routers. Routers maintain two network tables, external routes and internal routes. Most routers will only actively route traffic for internal routes; external route traffic is just passed back to authoritative routers for that range. IOW, why would I use my own horsepower to route traffic to internal routes on someone else's net range? Answer mostly is I wouldn't; I just identify the major range and route to the authoritative source on that range and let it route to its internal addresses. So, I just pass on external traffic and only actively route internal traffic to individual targets.

When the request comes in from Computer/Net Range A, spoofing IP/Net range C, I am going to pass the request to routers on net range C, without any routing tables or info at all. I don't need to tell the router at range C how to route traffic to its internal network and even if I felt I did, it mostly would refuse to acknowledge any such info; it is authoritative for its own net range. Net Range C's router will route the request and the reply traffic internally. Because my connection has not compromised the router at Net range C, the traffic and replies get routed internally and never return to computer A. Even if Router B, in the middle, was compromised, and I could somehow tell it to create tables for internal ranges at net range C, it probably doesn't store or pass on routing tables for Net Range C because that is not an internal network for it, so even if I compromised it, it would do no good since the traffic will still get lost along the way.

BTW, all routers on the Net, by definition, are within some type of ISP.
Not all may be commercial ISPs but they are all major net service providers of some sort or else they wouldn't be maintaining a presence on the net. That is true whether you own a backbone or a subset of a backbone, which is where most ISPs would fall. Even the big guys like UUNET are ultimately ISPs; some are just bigger than others and sell services to different types of customers.

For this to work, I not only have to spoof to router B but I also have to get the router at Network C to update its own internal routing tables to send traffic out of its internal network routes to an external address at my location. What I am saying is that the chance of finding two such open routers is fairly slim. Even if they are open, ultimately, I would need some type of network translation effect to translate internal net IPs on range C to computer A to route traffic back and forth. If we add in the real possibility that we need to pass through more than one or two major net ranges to route the traffic and I need to compromise each and every one, I think that the chances become astronomical.

> BP> No foreign router that is correctly configured is going to accept
> BP> updates from non-authoritative computers.
>
> Agreed. A sends out packets to C. Router B accepts the spoof IP
> address from comp A, gets the address of C (from an authoritative
> source), and forwards the packet to C. C replies back to B. Now here's
> the key. Router B has already cached the spoof IP and can send back to
> comp A based on its cache, not on a new lookup. When B gets the reply
> packet, it forwards it back to A. A sends another packet to B, with
> replies still following the same route, and so on.

See my reply above. Router B does not store routing tables for internal traffic on a foreign net range. There is no reason for it to do so. It simply passes the traffic to an authoritative router.
The only way for this to work would be to compromise the entire router, and that would only work for the one router that you attack. You could send traffic out and back in using the spoofed IPs but you would be cut off and unable to connect to any other network. IOW, I could send traffic out and get returns from Router B, but since the traffic goes out and gets immediately routed back to Comp A, with no connection to Comp C, what good does it do? I can spoof IPs on my local network all day long; it does me no good if external servers never buy the spoof or send traffic back to me.

> In part, I bring up this idea because some of the routes I have
> watched seem to stay intact for a while, suggesting that caching of
> routes is a possibility.

I would expect that they stay cached for quite a while; it makes sense to only update when you receive an authoritative source update and otherwise keep the tables the same.

....

> I was thinking more along the lines of the zombies that the virus
> writer already has under his control. A good hacker might have 5000
> machines to use as he wishes, with the list constantly changing. A
> single, known open relay will get blocked quickly.
>
> I'm still not sure we are talking about the same idea, though - sure
> wish I could describe it better.

This does happen and is used for DDoS attacks on sites, but I still don't see what we have been talking about with spoofing IPs having any bearing on zombie machines.

-- 
Bryan Phinney
Software Test Engineer
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
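The A/B/C scenario argued over in the thread, reduced to a runnable model. This is an added example, not code from either poster: it simulates a transit router that forwards purely on the destination address with a longest-prefix-match lookup (no per-flow cache of where a source address "came from"), and shows that C's reply to a packet with a spoofed source inside C's own range is forwarded back toward C's range, never toward A. The second half adds the check a practitioner would actually configure on router B, BCP 38 style ingress filtering, which drops the spoofed request at the first hop. The prefixes, host addresses and interface names are constructed for illustration and are assumptions, not anything taken from the thread.

```python
"""Destination-based forwarding vs. a spoofed source address.

Added example, not from the original mailing-list thread. Topology
(constructed, assumed): attacker host A on NET_A, transit router B,
victim host C on NET_C. All addresses are documentation ranges.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumed for illustration only).
NET_A = ipaddress.ip_network("198.51.100.0/24")      # attacker's real range
NET_C = ipaddress.ip_network("203.0.113.0/24")       # victim's range
HOST_A = ipaddress.ip_address("198.51.100.7")        # attacker's real address
HOST_C = ipaddress.ip_address("203.0.113.20")        # victim
SPOOFED_SRC = ipaddress.ip_address("203.0.113.99")   # forged source inside NET_C


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


class Router:
    """A router that forwards on destination only (longest-prefix match).

    It keeps no memory of which interface a source address arrived on, so
    a reply is routed by its destination exactly like any other packet.
    If ingress_filter is given, a packet arriving on an interface is
    dropped unless its source lies in a prefix expected on that interface
    (the BCP 38 / unicast RPF idea, simplified).
    """

    def __init__(self, name, routes, ingress_filter=None):
        self.name = name
        # routes: {prefix string: next-hop (interface) name}
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}
        # ingress_filter: {interface name: [allowed source prefix strings]}
        self.ingress_filter = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in (ingress_filter or {}).items()
        }

    def lookup(self, dst):
        """Return the next hop for dst, preferring the most specific prefix."""
        matches = [(p, nh) for p, nh in self.routes.items() if dst in p]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def forward(self, pkt, arrived_from):
        """Return the next hop for pkt, or None if the ingress filter drops it."""
        allowed = self.ingress_filter.get(arrived_from)
        if allowed is not None and not any(pkt.src in p for p in allowed):
            return None
        return self.lookup(pkt.dst)


def build_router_b(ingress_filtering):
    """Router B knows a route to A's range, C's range, and a default upstream."""
    routes = {str(NET_A): "A", str(NET_C): "C", "0.0.0.0/0": "upstream"}
    filt = {"A": [str(NET_A)], "C": [str(NET_C)]} if ingress_filtering else None
    return Router("B", routes, filt)


def exchange(router, src, dst, attacker_iface="A"):
    """Send src->dst into router from attacker_iface; if it is forwarded,
    let dst answer and report where the router sends that reply."""
    req_hop = router.forward(Packet(src, dst), arrived_from=attacker_iface)
    if req_hop is None:
        return {"request": None, "reply": None}
    reply_hop = router.forward(Packet(dst, src), arrived_from=req_hop)
    return {"request": req_hop, "reply": reply_hop}


if __name__ == "__main__":
    b = build_router_b(ingress_filtering=False)
    print("honest source :", exchange(b, HOST_A, HOST_C))       # reply goes to A
    print("spoofed source:", exchange(b, SPOOFED_SRC, HOST_C))  # reply goes to C, not A
    b = build_router_b(ingress_filtering=True)
    print("spoofed, BCP38:", exchange(b, SPOOFED_SRC, HOST_C))  # dropped at B
```

Without the filter, the spoofed request does reach C, which is why spoofed single-packet attacks (floods, reflection) still work; what does not work is the two-way conversation rikona describes, because B has nothing to "cache": it routes the reply by destination and sends it toward NET_C. With the filter enabled, B drops the forged packet on its A-facing interface before it ever reaches C.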