[NTLUG:Discuss] How does 'ip address spoofing work'?
Kelledin
kelledin+NTLUG at skarpsey.dyndns.org
Sat Jul 5 12:42:23 CDT 2003
On Saturday 05 July 2003 10:44 am, Jack Snodgrass wrote:
> One of my web server is under a DOS attack right now.
> The error log shows that it's coming from 180 different
> IP Addresses.
Like Kipton pointed out, you're probably actually suffering from
a DDoS (distributed denial of service) attack. Some script
kiddie has robots at his command on some ninescore machines
(most of which don't belong to him), and he's given them a
signal to hammer your server in a coordinated fashion. Very
neighborly.
As for IP address spoofing, it's quite simple how it works,
once you understand that when a remote system sends data to your
system, it's up to that remote system to tell you what its IP
address is. Lying about its IP address is trivial; it often
just involves modifying a four- or six-byte field in a packet
header and regenerating the packet checksum. Consistently and
accurately detecting when a remote system does this is well nigh
impossible.
If you have a firewall box doing nothing but packet
NAT/forwarding between your net and the outside world, you can
actually turn on the rp_filter feature; this will mitigate IP
spoofing somewhat:
# Enable strict reverse-path filtering on every interface
if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo "Enabling rp_filter"
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
fi
This should be done in the system init scripts before you bring
up any network interfaces.
--
Kelledin
"If a server crashes in a server farm and no one pings it, does
it still cost four figures to fix?"
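The two points above, the four-byte source field plus checksum regeneration, and what rp_filter actually checks, as an added example in Python (standard library only). This is not code from the post or the NTLUG list; all addresses are constructed from the RFC 5737 documentation ranges, the routing table is invented, and rp_filter_accepts is a simplified model of the kernel setting, not the kernel's code (the loose mode, value 2, exists in kernels newer than the 2003 post).

```python
"""Added example: spoofing an IPv4 source address and what rp_filter checks.

Constructed addresses only (RFC 5737 documentation ranges); nothing is sent."""
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement
    sum of the header's 16-bit words (checksum field treated as zero)."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header, no options, valid checksum."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,            # version 4, IHL 5 words
        0,                       # DSCP/ECN
        20 + payload_len,        # total length
        0x1234,                  # identification (arbitrary)
        0x4000,                  # flags: DF, fragment offset 0
        64,                      # TTL
        proto,                   # protocol (6 = TCP)
        0,                       # checksum placeholder
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def checksum_valid(header: bytes) -> bool:
    """Summing a correct header including its checksum field yields 0."""
    return ipv4_checksum(header) == 0


def source_address(header: bytes) -> str:
    return str(ipaddress.IPv4Address(header[12:16]))


def spoof_source(header: bytes, new_src: str, fix_checksum: bool = True) -> bytes:
    """Overwrite the 4-byte source field (bytes 12-15). With fix_checksum the
    checksum (bytes 10-11) is regenerated, which is all a spoofer has to do;
    without it, the receiver's checksum check drops the packet."""
    patched = header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]
    if not fix_checksum:
        return patched
    zeroed = patched[:10] + b"\x00\x00" + patched[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def rp_filter_accepts(routes, src: str, ingress: str, mode: int = 1) -> bool:
    """Simplified model (not kernel code) of net.ipv4.conf.*.rp_filter.
    routes: list of (cidr, interface), longest prefix wins.
    mode 0 = off; 1 = strict: the best route back to src must leave via the
    ingress interface; 2 = loose: any route back to src suffices."""
    if mode == 0:
        return True
    addr = ipaddress.IPv4Address(src)
    best = None
    for cidr, iface in routes:
        net = ipaddress.IPv4Network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return False
    return True if mode == 2 else best[1] == ingress


# Constructed routing table for a two-interface firewall:
# eth0 faces the Internet (default route), eth1 faces the inside LAN.
ROUTES = [("192.0.2.0/24", "eth1"), ("0.0.0.0/0", "eth0")]

if __name__ == "__main__":
    hdr = build_ipv4_header("198.51.100.7", "203.0.113.80")
    forged = spoof_source(hdr, "192.0.2.10")
    print(source_address(forged), checksum_valid(forged))      # 192.0.2.10 True
    # An inside address arriving from the Internet side: strict rp_filter drops it.
    print(rp_filter_accepts(ROUTES, "192.0.2.10", "eth0"))     # False
    # Any outside address arriving on eth0 matches the default route: it passes.
    print(rp_filter_accepts(ROUTES, "198.51.100.7", "eth0"))   # True
```

The last two calls are the practical caveat behind "mitigate somewhat": strict rp_filter on a border box catches packets that claim an inside address but arrive on the outside interface, while a packet arriving on the Internet-facing interface with any outside source address matches the default route and is accepted, so it does nothing against the 180 apparently distinct sources in the original report.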