> -----Original Message-----
> From: Dee Harrod [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 27, 2001 12:18 PM
> To: SecurityBasics
> Subject: Spoofing question?
>
> How does spoofing work?
>
> If I change the source address of my outbound packet,
> how do I get the response? How does it get back to me?
Usually, it doesn't get back to you. There are some ways around this, like being on the same segment as the IP you're spoofing and then using some layer 2 trickery (ARP poisoning). If you can sniff the response, you're golden. If you can't, then that's where IP spoofing attacks get tricky, and that is where TCP sequence number prediction comes in. Some TCP stacks have predictable TCP sequence numbers. So to establish a blind spoofed connection, you spoof your source address for the initial SYN packet, DoS the actual IP you're spoofing to prohibit it from processing the SYN-ACK response and sending a RST, then use TCP prediction methods to try to guess the proper sequence number for the final ACK packet. Hope this helps.

--
Jon Erickson
Cryptologist and Security Designer
Caspian
415.974.7081
D49B 4561 1078 0A72 DDF3 7250 8EF4 4681 587E 41DD
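An added example, not part of the original thread, that makes the "predictable TCP sequence numbers" point concrete from the auditor's side: it compares a legacy fixed-increment ISN generator with an RFC 6528 style keyed-hash generator and scores a sample of observed ISNs for predictability. The secret, addresses, ports and the 0.5 threshold are constructed for the demo.

```python
"""Audit a TCP ISN generator for the predictability blind spoofing depends on.
Constructed example: legacy "add 64000 per connection" vs RFC 6528 keyed hash."""
import hashlib
import hmac
from collections import Counter

MASK32 = 0xFFFFFFFF
SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed per-host secret


def legacy_isn(connection_count: int) -> int:
    """Old BSD-style generator: the ISN grows by a fixed 64000 per new connection."""
    return (connection_count * 64000) & MASK32


def rfc6528_isn(secret: bytes, laddr: str, lport: int, raddr: str, rport: int, clock_m: int) -> int:
    """RFC 6528: ISN = M + F(4-tuple, secret); M is a 4-microsecond clock, F a keyed hash."""
    conn = f"{laddr}:{lport}:{raddr}:{rport}".encode()
    f = int.from_bytes(hmac.new(secret, conn, hashlib.sha256).digest()[:4], "big")
    return (clock_m + f) & MASK32


def predictability(isns: list[int]) -> dict:
    """Score successive ISNs: one dominant delta means a constant increment that a
    few observations reveal; near-unique deltas mean the keyed hash is working."""
    deltas = [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]
    mode, count = Counter(deltas).most_common(1)[0]
    share = count / len(deltas)  # fraction of deltas equal to the most common one
    return {
        "dominant_delta": mode,
        "dominant_delta_share": share,
        "delta_spread": max(deltas) - min(deltas),
        "verdict": "predictable" if share >= 0.5 else "unpredictable",
    }


def audit_samples(n: int = 20) -> dict:
    """Sample both generators as an observer opening n connections from one constructed
    client address with rising ephemeral ports, about 1 ms (250 clock ticks) apart."""
    legacy = [legacy_isn(i) for i in range(n)]
    hashed = [rfc6528_isn(SECRET, "192.0.2.10", 80, "198.51.100.7", 40000 + i, 250 * i)
              for i in range(n)]
    return {"legacy": predictability(legacy), "rfc6528": predictability(hashed)}


if __name__ == "__main__":
    for name, score in audit_samples().items():
        print(f"{name}: {score}")
```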