Spoofing HTTP GET Requests
Hello,
I've recently become interested in mechanisms of weeding out and tracking down the source of rogue network nodes sending bad data via spoofed packets for the purpose of subverting the network (I'm taking a social issues/network security class at college).
From what I understand of the TCP/IP protocol and raw sockets, it is possible to manufacture packets whose "source" field doesn't point back to the originating node on a network. I was wondering what would happen if one were to initiate a HTTP GET request on a webserver using such spoofed packets. Will the server try to send the requested data to the spoofed IP? Or does modern network hardware attempt to weed out packets like these (how?). If the server is bombarded with spoofed GET requests with different source IP addresses, does it just spew unrequested data at those addresses, or are there ways to detect and prevent such attacks?
I'd like to write a series of small sample programs that illustrate the relative ease with which network mayhem like this can be perpetrated for a paper I'm writing on the issue. I was wondering if anyone might know where I could find 1) good information on raw sockets (maybe with some code snippets) and 2) information about how easy it is to track down originators of bad packets in a network - technical papers would be preferred to popular sciencey articles, but any pointers would be appreciated.
Thanks!
Shedletsky's Bits: A Blog | ROBLOX | Twitter
Time held me green and dying
Though I sang in my chains like the sea...
I'm just as interested in the details as you are. With some luck someone here might know some resources or know-how. A networking forum might yield more answers though.
Well, R2D22U2..
> I was wondering what would happen if one were to initiate
> a HTTP GET request on a webserver using such spoofed packets.
Before you even get to the HTTP packet contents, TCP nodes exchange connection packets to establish a connection first. That exchange needs a valid return IP in order for the TCP link to become valid and the HTTP protocol to begin. This is where many of the DoS attacks originate (also known as a 'SYN attack' from the packet name). If you confuse the remote TCP port into thinking the net is congested while processing the connection SYN-ACK packet, then that port stays open for a long period as it stays in a semi-opened state. Do this a few thousand times and you effectively jam the remote server as it runs out of resources.
Both Windows and Linux provide protection against DoS using a combination of port open limits, retry timeouts, and retry number limits.
Another way would be to send thousands of connection requests to an equal number of remote hosts with the return IP pointing to the target of your attack. That target machine will get thousands of SYN-ACK packets for which it never got the SYN, effectively jamming its network card. It works well for a small PC in a remote location, but larger corporate systems need an OC48 or better connection, an unlikely event. Hackers that did succeed (I have 'Mafia Boy' in mind here) used computer worms to infiltrate thousands of machines and tell them to send spoofed packets at a preset time.
-cb
Ref: Thomas Lee and Joseph Davies, "Microsoft Windows 2000 TCP/IP Protocols and Services Technical References", Microsoft Press, 199, pp.266-269.
[edited by - cbenoi1 on August 19, 2003 3:27:43 PM]