[NTLUG:Discuss] Re: How does 'ip address spoofing work'?

David david at hayes-family.org
Sat Jul 5 21:14:40 CDT 2003


On Sat, Jul 05, 2003 at 01:00:41PM -0500, Jack Snodgrass wrote:
> something I hadn't thought of.... I checked several of
> the IP Addresses on Google. These IP Addresses are 
> public proxy servers. So... the hacker just sends his
> request through the proxy server and hides his tracks
> even more. 

You're probably more on target here.  Your log records are showing URLs
requested.  That can't happen until the third packet of a TCP
session -- SYN; SYN-ACK; then first data packet.  For you to see URLs
in your log files, you know that there must have been a bidirectional
exchange of packets.  That's exceedingly difficult to do while
spoofing the source address.  In fact, it can't be done, unless the
system doing the spoofing is somewhere along the route your packets
are taking.  

If the goal were a simple denial-of-service, mere packet flooding with
spoofed addresses would work.  The fact that the attacker is
attempting to get a reply suggests that they are trying to guess
passwords. 

-- 
David Hayes
david at hayes-family.org
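The point David makes above (a logged URL implies the third packet of the handshake, which an off-path spoofer cannot produce, while bare SYN floods with forged sources still work for denial of service) can be illustrated with a toy model. The following is an added example written for this archive page, not code from any list member; the server, the addresses and the request strings are constructed, and the "network" is reduced to one observation: the SYN-ACK is addressed to whoever owns the claimed source address, so only the genuine client ever sees the server's random initial sequence number.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Segment:
    """Constructed stand-in for a TCP segment; only the fields the model needs."""
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK", "ACK" or "DATA"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


class Server:
    """Toy TCP listener. A SYN creates a half-open entry with a random ISN; only an
    ACK carrying ISN + 1 promotes the peer to established; only established peers
    get their request written to the access log (the log David is talking about)."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.half_open: dict[str, int] = {}     # peer address -> server ISN
        self.established: set[str] = set()
        self.access_log: list[str] = []

    def receive(self, seg: Segment) -> Segment | None:
        if seg.flags == "SYN":
            # ISN drawn from [0, 2**32 - 2] so ISN + 1 never wraps to 0 in this model.
            isn = secrets.randbelow(2 ** 32 - 1)
            self.half_open[seg.src] = isn
            # The SYN-ACK goes to the *claimed* source address, whoever owns it.
            return Segment(self.ip, seg.src, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "ACK":
            isn = self.half_open.get(seg.src)
            if isn is not None and seg.ack == isn + 1:
                self.established.add(seg.src)
                del self.half_open[seg.src]
        elif seg.flags == "DATA" and seg.src in self.established:
            self.access_log.append(f"{seg.src} {seg.payload.decode()}")
        return None


def run_honest_session(server: Server, client_ip: str, request: str) -> list[str]:
    """Client uses its own address: the SYN-ACK (and thus the ISN) comes back to it,
    the ACK matches, and the request lands in the access log."""
    syn_ack = server.receive(Segment(client_ip, server.ip, "SYN", seq=1000))
    assert syn_ack is not None and syn_ack.dst == client_ip
    server.receive(Segment(client_ip, server.ip, "ACK", seq=1001, ack=syn_ack.seq + 1))
    server.receive(Segment(client_ip, server.ip, "DATA", seq=1001, payload=request.encode()))
    return list(server.access_log)


def run_spoofed_session(server: Server, attacker_ip: str,
                        spoofed_ip: str, request: str) -> list[str]:
    """Off-path sender forges spoofed_ip as the source. The SYN-ACK is routed to the
    real owner of spoofed_ip, so the sender never learns the ISN, the ACK cannot
    match, and nothing reaches the access log. What does remain is a half-open
    entry, which is the footprint of a spoofed SYN flood."""
    syn_ack = server.receive(Segment(spoofed_ip, server.ip, "SYN", seq=5000))
    assert syn_ack is not None and syn_ack.dst != attacker_ip   # never delivered to sender
    # Without the ISN the sender can only put an unrelated number in the ACK field
    # (0 here, a constructed placeholder); the server does not promote the session.
    server.receive(Segment(spoofed_ip, server.ip, "ACK", seq=5001, ack=0))
    server.receive(Segment(spoofed_ip, server.ip, "DATA", seq=5001, payload=request.encode()))
    return list(server.access_log)


def half_open_count(server: Server) -> int:
    """Number of incomplete handshakes: the thing that grows under a spoofed flood
    and that a defender watches (SYN backlog, netstat SYN_RECV counts)."""
    return len(server.half_open)


if __name__ == "__main__":
    # Constructed documentation-range addresses.
    srv = Server("198.51.100.10")
    print("honest :", run_honest_session(srv, "192.0.2.7", "GET /index.html HTTP/1.0"))
    print("spoofed:", run_spoofed_session(srv, "192.0.2.99", "203.0.113.5", "GET /admin HTTP/1.0"))
    print("half-open entries left behind:", half_open_count(srv))
```

The honest session produces an access-log line; the spoofed one produces none, only a lingering half-open entry. That is exactly the inference in the reply: if the web log shows full request lines, the peer address in those lines belonged to a host that really received the SYN-ACK, which is why the public-proxy explanation fits better than source-address spoofing.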
