ietf-mxcomp

Re: IP Address spoofing

2004-08-19 08:07:23

On Thu, 19 Aug 2004, Arnt Gulbrandsen wrote:

> Nate Leon writes:
> > I am not an IP expert, so I defer to those on this list who have such
> > expertise. It seems like folks on this list are not so concerned
> > about spammers/fraudsters spoofing IP addresses, and that brings me
> > some comfort. :) I believe the success of Sender-ID assumes spammers
> > cannot spoof IP Addresses.

To a limited extent, it is easy. If you are on a company LAN, and it has
say, a /24, it is trivial to become the other addresses in the /24. If you
are on colo, it is often easy to become another IP in the colo. Some
ISPs take some countermeasures to prevent this, others don't.

If you are on DSL, it is frequently trivial to become any other IP in the
DSL net. Some providers have countermeasures. Others don't.  Even the
countermeasures frequently allow stolen PPPoE accounts to be used on any
DSL port in the LATA, if you also know the Ethernet MAC address.  DSL is
like one big LAN with a single virtual switch.

Things are worse for cable because sniffing is easier.

> > I understand this is not easy to do. My concern is the degree of
> > difficulty/expense it takes to do so.

> It requires injecting routes into the main BGP net.

It does not require this. This is just one way.

> Every notable ISP can do that, and can let some of its customers do
> that. Say 20,000 organizations in all have the ability to do that.

Actually the AS numbers are past 30000 now.  

> > e.g. how difficult is it for the spammer to get the whole transaction
> > into a single packet so they can ignore return messages (blind
> > attack), forge the packet's source address, get it through firewalls
> > and routers that don't verify the source address, guess the sequence
> > number, etc...

> Can't be done using any common TCP implementation.

Spoofing can be done with some implementations that have predictable
sequence numbers.  Linux is hard. BSD is hard. But some other things are
quite predictable in sequence numbers.  But this sort of security is also
much improved from what it was in, say, the early 90s.

Spoofing can also be done easily if you can sniff packets in the path to
the real address. In that case, you can see the return packets, and get
the sequence number directly. This was easy back in the days when the
backbone links ran on thick Ethernet down the basement halls of some
prestigious universities. However, physical security is much better these
days than it used to be.

Cable operators also have a difficult problem with sniffing.

> > Or will it just be easier for them to write viruses/worms which carry
> > spam-bots as their payload?!

> Quite likely, IMHO.

The easier things happen more frequently than the harder things.  Sending
email with a virus is much easier than TCP spoofing, and the outcome
is the same: an infected machine.  Frequently, the control channels are
just passworded IRC channels, with passwords and channels obtained from
the infected machine.  It is not hard for law enforcement to track down
virus operators when they have an inclination.  Sometimes it is not
impossible for regular people to get in contact with the virus operators
through the IRC control channels.  See http://grc.com/dos/grcdos.htm for a
detailed analysis.

One doesn't frequently see TCP spoofing, however.  It's just too hard, and
there is no gain over not spoofing for abusers.

To stop spam and ddos attacks, one needs to work on better accountability
in IRC, not in SMTP. Of course, if that happened, they would switch to
jabber, I suppose.

                --Dean
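The recurring point in this thread, that becoming another address on a LAN, colo or DSL segment works only where the provider's routers do not verify source addresses, is the ingress-filtering problem described in BCP 38 (RFC 2827) and the unicast reverse-path-forwarding (uRPF) check of RFC 3704. The following is an added example, written for this archive page and not code from the thread or its authors, showing a strict and a loose uRPF decision run over a constructed packet log. The forwarding table, the bogon list, the interface names and the log lines are all constructed for the demonstration; the 198.18.0.0/15 benchmark range stands in for "some address out on the Internet".

```python
"""
Ingress source-address verification in the style of BCP 38 / unicast RPF.

Added example, not code from the ietf-mxcomp thread. The forwarding table,
bogon list and packet log are all constructed for the demonstration.
"""
import ipaddress
import re

# Constructed forwarding table: prefix -> interface the prefix is reachable via.
# eth1..eth4 are customer-facing ports; eth0 is the upstream link.
ROUTES = {
    "192.0.2.0/24": "eth1",        # a company LAN with its own /24
    "198.51.100.0/24": "eth2",     # a colo block
    "203.0.113.0/25": "eth3",      # DSL pool, first half
    "203.0.113.128/25": "eth4",    # DSL pool, second half
    "0.0.0.0/0": "eth0",           # default route toward the upstream
}

# Source addresses that should never arrive from a customer port or the
# upstream (RFC 1918, loopback, link-local, multicast, class E).
# Constructed subset of a typical bogon list.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def build_rib(routes):
    """Parse the prefixes once and order them longest-prefix first."""
    rib = [(ipaddress.ip_network(p), iface) for p, iface in routes.items()]
    rib.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return rib


def lookup(rib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    for net, iface in rib:
        if ip in net:
            return net, iface
    return None


def urpf_check(rib, src, ingress, mode="strict"):
    """
    Decide whether a packet with source `src` arriving on `ingress` is plausible.
    strict: the best route back to src must leave through the ingress interface;
            a default route never counts as a match for a customer port.
    loose:  any non-default route to src suffices (for multihomed links where
            strict mode would drop legitimate asymmetric traffic). Note that
            loose mode cannot catch a customer address spoofed from outside.
    Returns (accept, reason).
    """
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in BOGONS):
        return False, "bogon source"
    hit = lookup(rib, src)
    if hit is None:
        return False, "no route to source"
    net, iface = hit
    if net.prefixlen == 0:
        # Only the default route matches: the source is not one of ours, so
        # it may only arrive on the upstream interface.
        return (iface == ingress), "default route only"
    if mode == "loose":
        return True, f"route via {iface}"
    return (iface == ingress), f"best route via {iface}"


# Constructed log lines from a packet filter. Not real traffic.
PACKET_LOG = """\
in=eth1 src=192.0.2.10 dst=198.51.100.25 proto=tcp dport=25
in=eth1 src=192.0.2.77 dst=198.51.100.25 proto=tcp dport=25
in=eth3 src=192.0.2.10 dst=198.51.100.25 proto=tcp dport=25
in=eth4 src=203.0.113.130 dst=198.51.100.25 proto=tcp dport=25
in=eth3 src=203.0.113.130 dst=198.51.100.25 proto=tcp dport=25
in=eth2 src=10.0.0.5 dst=198.51.100.25 proto=tcp dport=25
in=eth0 src=192.0.2.10 dst=198.51.100.25 proto=tcp dport=25
in=eth0 src=198.18.0.9 dst=198.51.100.25 proto=tcp dport=25
"""

LINE_RE = re.compile(r"in=(?P<iface>\S+)\s+src=(?P<src>\S+)")


def filter_log(log_text, routes=ROUTES, mode="strict"):
    """Run every line through urpf_check; returns [(iface, src, accept, reason)]."""
    rib = build_rib(routes)
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        accept, reason = urpf_check(rib, m["src"], m["iface"], mode)
        results.append((m["iface"], m["src"], accept, reason))
    return results


if __name__ == "__main__":
    for iface, src, accept, reason in filter_log(PACKET_LOG):
        print(f"{'ACCEPT' if accept else 'DROP  '} in={iface} src={src} ({reason})")
```

In strict mode the third, fifth and seventh lines are dropped: a LAN address arriving on a DSL port, a DSL address arriving on the wrong half of the pool, and a customer address arriving from the upstream. The sixth line is dropped in both modes because RFC 1918 space has no business crossing either a customer port or the upstream. Loose mode accepts all three spoofed-looking lines, which is exactly why a provider that only runs loose checks still lets a customer "become" another address in the same LATA or colo, as described above.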

