Hello Vik,

What the attacker does is not allow the kernel to fill in the IP datagram 
of the packet he's spoofing, and instead fill it in himself/herself. 
How can (s)he do that? 
Well, the best way I know, and probably the way that land.c (which you mention) 
uses (I do not know the source of that program), is creating a RAW socket. 
Then, using a function called setsockopt(), enabling the option IP_HDRINCL, which 
allows you to include your own IP header. This way it's you that creates the
whole IP header, including the IP source address.

For further information, have a look at the raw(7) man page.

Regards, 

P. Abrantes 

On Sat, 9 Nov 2002 13:10:11 -0700
"Vik Evans" <[EMAIL PROTECTED]> wrote:

> My question is this: how does an attacker accomplish modifying a packet and
> sending it; such as in a land.c attack - how does he modify the packet to
> reflect the victim's source and destination IP and then send it onto the
> wire?
> 
> -----Original Message-----
> From: Fuchs Bernhard [mailto:Bernhard.Fuchs@;itellium.com]
> Sent: Tuesday, November 05, 2002 5:58 AM
> To: 'vijay vikram shreenivos'; [EMAIL PROTECTED]
> Subject: AW: Smurf ,land attacks
> 
> 
> Hi there!
> 
> With "IP spoofing" you give a different source address to the packet. The
> address is different from your real address. You do this for cloaking your
> scan, or if company A scans company B and spoofs the address of company C,
> so company B thinks it is company C scanning them! o.k.? But company A will
> not get any results back! This is mostly to cloak your own scan.
> 
> Smurf is a DoS attack (denial of service).
> You amplify your ping through a big network. You ping a subnet like
> x.x.x.255 with a SPOOFED IP address and every computer on that big net
> responds to the poor little machine that has the IP address. Think of a class
> B subnet with a few hosts replying to an ADSL-connected machine... 1500kb
> download and 196 kb upload :-)
> 
> A land attack is a TCP SYN packet that has the IP address and port number for
> the source set to the same as the IP address and port number for the
> destination. The server connects to itself.
> 
> 
> Any comments?
> 
> By the way, Google knows it too :-)
> 
> With kind regards / sincerely yours
> 
> 
> Bernhard Fuchs
> Junior System-Engineer
> IT Infrastructure
> 
> ITELLIUM
> Systems & Services GmbH
> Fürther Straße 205
> 90429 Nürnberg
> 
> Tel.:   +49-911-14-27321
> Fax:    +49-911-14-22016
> mailto:bernhard.fuchs@;itellium.com
> http://www.itellium.com
> 
> 
> 
> 
> -----Original Message-----
> From: vijay vikram shreenivos [mailto:karpagamekapali@;rediffmail.com]
> Sent: Saturday, 2 November 2002 08:15
> To: [EMAIL PROTECTED]
> Subject: Smurf ,land attacks
> 
> 
> Hi list,
> 
> 
> Can someone give the EXACT differences between
> 
> SMURF
> LAND
> and IP spoofing attacks.
> 
> karpagamekapalidurgau
> 
> 

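Added example (not part of the original thread and not taken from land.c): the three cases discussed above as seen from the receiving side, as a border check that labels a raw IPv4 packet as LAND, as a Smurf-style echo request to the subnet broadcast, or as carrying a forged inside source address. The function and helper names, the protected subnet 192.0.2.0/24 and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed protected subnet

def classify(packet: bytes, from_outside: bool = True) -> str:
    """Label one raw IPv4 packet seen at the border of LOCAL_NET."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto, l4 = packet[9], packet[ihl:]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    if proto == 6 and len(l4) >= 14:  # TCP, flags byte present
        sport, dport = struct.unpack("!HH", l4[:4])
        # LAND: SYN without ACK whose source endpoint equals its destination
        if (l4[13] & 0x12) == 0x02 and src == dst and sport == dport:
            return "land"
    elif proto == 1 and l4[:1] == b"\x08":  # ICMP echo request
        # Smurf amplifier traffic: echo request aimed at the subnet broadcast
        if dst == LOCAL_NET.broadcast_address:
            return "smurf-echo"
    # Sender controls the source field: an inside address from outside is forged
    if from_outside and src in LOCAL_NET:
        return "spoofed-source"
    return "ok"

def _ipv4(src, dst, proto, payload):
    # Constructed header for the samples below (checksum 0, never sent)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

SAMPLES = {  # constructed packets, documentation address ranges only
    "land": _ipv4("192.0.2.10", "192.0.2.10", 6, _tcp(139, 139, 0x02)),
    "smurf-echo": _ipv4("198.51.100.7", "192.0.2.255", 1,
                        struct.pack("!BBHHH", 8, 0, 0, 1, 1)),
    "spoofed-source": _ipv4("192.0.2.20", "192.0.2.10", 6, _tcp(40000, 80, 0x02)),
    "ok": _ipv4("203.0.113.5", "192.0.2.10", 6, _tcp(40000, 80, 0x02)),
}

if __name__ == "__main__":
    for expected, pkt in SAMPLES.items():
        print(f"{expected:15} -> {classify(pkt)}")
```

The source-address check only makes sense on an interface facing outside the protected subnet, which is why `from_outside` is a parameter.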