Hello Bryan,

Sunday, September 7, 2003, 6:53:13 PM, you wrote:

BP> On Sunday 07 September 2003 08:18 pm, rikona wrote:

>> Agreed that there will be intermediate routers. Let's say, for
>> simplicity, there's your comp A, with the virus trying to spoof.
>> This is connected to intermediate router B (directly on the net,
>> NOT within any ISP), which in turn goes to victim computer C. Comp
>> A is sending on spoof IP and listening on spoof IP.

BP> The problem is that you are connecting to router B with an IP originating from 
BP> Net C (target computer).

Perhaps I'm beginning to see where we are not communicating. Let me
add to the above comp D. Comp D is actually the 'spoof' address, but
in my scenario comp D does not get involved. I'm connecting from A,
trying to look like it's from address D instead, but using the
perfectly legitimate address of comp C (the target computer). Router B
gets the packets from "address D" (spoofed) and to address C. Suppose
router B caches the return direction back to A, in preparation for a
reply back to A from C, instead of handing it over to still another
router for the return. This would seem to be more efficient.

BP> When the request comes in from Computer/Net Range A, spoofing
BP> IP/Net range C, I am going to pass the request to routers on net
BP> range C,

The link from B to C is legitimate and would be handled as any other
traffic, in my scenario. It looks as though D would have to be in the
range of B to work, though, if I am understanding you correctly. This
might only work by using the return cache of the first router, B.
Anything beyond B is just like normal legitimate traffic.

BP> Router B does not store routing tables for internal traffic on a
BP> foreign net range.

Let us suppose address A and D are 'internal' to router B. Would B
cache the (incorrect) route back to A, based on what it receives, or
would it do a lookup? Caching would seem to be more efficient.

BP> I can spoof IP's on my local network all day long, does me no good
BP> if external servers never buy the spoof or send traffic back to
BP> me.

Let us assume that the spoof address is in our 'local' range. Would
the replies come back to the wrong computer because the router cached
the wrong 'wire'?

BP> I would expect that they stay cached for quite a while, it makes
BP> sense to only update when you receive an authoritative source
BP> update and otherwise, keep the tables the same.

It was this cache idea that generated the scenario. Depends on what is
cached - the actual return path (incorrect) or a brand new lookup
path.

>> I was thinking more along the lines of the zombies that the virus
>> writer already has under his control. A good hacker might have 5000
>> machines to use as he wishes, with the list constantly changing. A
>> single, known open relay will get blocked quickly.

BP> This does happen and is used for DDOS attacks on sites but I still
BP> don't see what we have been talking about with spoofing IP's
BP> having any bearing on zombie machines.

It doesn't, directly - it was addressing the side comment of how much
intelligence a virus needed to have, and the issue of using a single
blocked open proxy. Slightly different topic. :-)

I appreciate your patience in going through this. I might learn more
about network security too. Thanks.

-- 

 rikona                            mailto:[EMAIL PROTECTED]
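As an added illustration of the forwarding question this reply raises (whether router B "caches the wire" a packet arrived on, or does a lookup when a reply comes back), the following Python model is my own example and not code from the thread: a small route table with longest-prefix match, a strict unicast-RPF ingress check, and a neighbour cache. The interface names, addresses and topology are constructed assumptions mapped onto A, B, C and D above.

```python
import ipaddress

# Constructed topology for the scenario in the thread (example data, not from
# the post). Router B has an inside segment holding A and D, a segment toward
# target C, and an upstream default route. Assumption: B forwards on the
# destination address only and keeps no per-source "return wire" cache.
ROUTES = [
    ("10.0.1.0/24", "eth0"),   # inside range: A = 10.0.1.5, D = 10.0.1.9
    ("192.0.2.0/24", "eth1"),  # range holding target C = 192.0.2.7
    ("0.0.0.0/0", "eth2"),     # default route upstream
]
ROUTE_TABLE = [(ipaddress.ip_network(p), i) for p, i in ROUTES]
# Neighbour (ARP) cache on eth0, learned from ARP exchanges, not from the
# source field of forwarded IP datagrams (constructed values).
NEIGHBOURS = {"10.0.1.5": "mac-A", "10.0.1.9": "mac-D"}

def lookup(dst: str) -> str:
    """Longest-prefix match on a destination, as a forwarding plane does."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n, _ in ROUTE_TABLE if addr in n), key=lambda n: n.prefixlen)
    return next(i for n, i in ROUTE_TABLE if n == best)

def urpf_strict(src: str, ingress: str) -> bool:
    """Strict unicast RPF (BCP 38 style source validation): accept a packet
    only if the route back to its source points at the interface it arrived on."""
    return lookup(src) == ingress

def forward(src: str, dst: str, ingress: str) -> dict:
    """Handle one packet at B and report where C's reply to `src` would be sent.
    The reply path comes from looking `src` up, never from remembering `ingress`."""
    if not urpf_strict(src, ingress):
        return {"accepted": False, "reason": f"source {src} fails uRPF on {ingress}"}
    reply_iface = lookup(src)
    next_hop = NEIGHBOURS.get(src, "unresolved") if reply_iface == "eth0" else "upstream"
    return {
        "accepted": True,
        "out_iface": lookup(dst),
        "reply_iface": reply_iface,
        "reply_next_hop": next_hop,
    }

if __name__ == "__main__":
    # A forges D's address toward C: passes uRPF (D is on eth0), but the reply
    # is handed to D's neighbour entry, not to the wire A happened to use.
    print(forward("10.0.1.9", "192.0.2.7", "eth0"))
    # A forges an address outside the inside range: dropped at ingress.
    print(forward("198.51.100.4", "192.0.2.7", "eth0"))
```

In this model the reply to the spoofed source D is routed by looking D up, so it leaves by D's own neighbour entry rather than by whatever wire A used, and a forged source that does not belong to the ingress interface's range is dropped before it is forwarded at all.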

