IP Spoofing Question.

FredFred

Junior Member
Aug 2, 2002
Hopefully this is a hard enough question for the Highly Technical forum. If not, please don't flame me... too much.

Here is the hypothetical situation:

Meet Bob and Sue. Both Bob and Sue work in the same complex with a large network (large company, campus, etc.). Sue and Bob used to go out with each other and the breakup was not a nice one. One day Bob received several hundred dollars' worth of stuff from vendors he typically buys from. Unfortunately, Bob did not order this merchandise and it was charged to his credit card. On investigation with the vendors, they give him the IP address of a computer at work (work has all static IPs and centurion protection that resets computers after every reboot). Bob asks security to play the security tape of the machine that the IP was registered to. The tape shows Sue at the computer at the times of the purchases. However, the back of the screen is away from the camera, so you cannot see what she is doing on the computer. However, server logs on the proxy server confirm that the only IP address to visit any of the sites was the IP of Sue's computer. Bob accuses Sue because she knew his credit card info as well as vendor logon information from when they were together. Sue says that Bob is setting her up by spoofing her IP address.

Now my question:

This is how I understand IP spoofing works. When a machine spoofs another IP, the spoofing machine keeps its IP, but when a server/website asks for identification, instead of giving its true IP it gives the fake one. And because of this, when someone tries to make a connection of some sort to the IP that is being spoofed, the connection will be made with the computer with that IP, NOT the computer spoofing the IP.

Easier.
1. Can you spoof an IP on a network with a proxy server and will the proxy server log the IP of the spoof or the original IP of the machine when accessing websites?

Harder.
2. When a computer wants to order something from an online retailer it tries to make a connection in SSL. Now, if you're spoofing with a website with SSL, isn't the website trying to make a connection to the machine with the IP you're spoofing and not that of the attacking machine? Or is what Sue is saying true, that Bob spoofed her IP and made the orders?

Dumb @$$ factor.
3. Or have I completely mistaken how IP spoofing takes place?


Thank you for your patience and please let me know what you think. Poor hypothetical Bob is going through hell.
 

dayg

Senior member
Feb 20, 2001
I'd like to know as well. In addition, what are some of the tools or software one can use to spoof? Thanks. :)
 

rbhawcroft

Senior member
May 16, 2002
You have a congruent date and time for the machine and order and video, so what is the problem? Just sack her and sue her.

She sounds like such a dumbass that she wouldn't know about spoofing.

I doubt Bob would either.

All I know is that you need a machine with raw sockets, which means that it has to be XP, Unix, or I think NT OSes. You need a programme that inserts a fake IP address into the IP of the initial TCP request packet. So if you have a proxy server that logs a static IP address, then no matter what IP address Bob's machine emits data on, the return data would go to the machine listed with that IP address in the proxy server's register of the network. In other words, Bob could emit data with her IP address, but if all the network's machines had fixed IP addresses then the return data would go to her machine, period. If the proxy server returns data to the emitting machine regardless of checking where that IP address is supposed to be, then yes, he could spoof her IP address.
I am assuming you are talking about the PC in Bob's office and not a hot-desking environment. In a hot-desking environment it is whoever was on the particular machine at the time, assuming the IP address wasn't faked. In an office environment she is on camera in his office.
Let's say then that she logged onto your server at her own desk, and then used his details to purchase the goods. It comes down to whether, if he faked the IP address, the data would have been routed back to him so he could talk with the vendor's server. If your web server routes the data to whoever emits it then her story is feasible - but BS - and if the server verifies that the machine is emitting with the correct IP address then her story is made up. Frankly I can't see how, if you have a firewall and a secure internet server, he could do this; the firewall would have to be BS to allow people to assign random IP addresses. One way you can verify it is to take her rig to his office, plug it in the wall and see if it works. Then you could have IP addresses moved around the office at least; however, I would have thought that there was more than that to check that a computer corresponded to the computer registered to the IP address it was using.
 

Shalmanese

Platinum Member
Sep 29, 2000
I was of the understanding that it was relatively hard to spoof IP addys in TCP/IP because it relies on sync frames and back-and-forth communication, which would mean you would have to tap THEIR traffic as well. With UDP it becomes a lot simpler.
 

rbhawcroft

Senior member
May 16, 2002
You need to post this on a more focused net admin forum, but surely isn't there a way of telling what programmes have been installed on each machine and when? It would be a 50KB programme at most, I imagine. The bottom line is that if she didn't do it she would have said so and left it at that; why counter-slur, especially if it turns out something else happened altogether?
 

bizmark

Banned
Feb 4, 2002
IP spoofing of packets would result in the same thing that you hypothesized: the packets would be routed back to the (possibly hypothetical) IP that was spoofed. You'd never be able to make a web connection using a spoofed IP in the packets. Read the articles on GRC.com.... this is basically what happens, if you don't feel like reading 15 pages of text :) I know this is probably oversimplified, but it illustrates the problem and the way that IP spoofing (in packets) works. (It is also possible to spoof stuff like return-address and originating-IP in an email header.)

In order to initiate a 'connection' (necessary for any two-way traffic), there's a thing called a 3-way handshake. It goes like this: Client sends 'SYN' (synchronization) packet to server; server sends 'SYN/ACK' (synchronization and acknowledgement) packet back to client; client replies with its own 'ACK' packet. And then a 'connection' is established... the server knows that the client is actually there, and it has said 'ok, I'm waiting for you to send me more stuff -- tell me what you want me to do' (send a web page, etc.). IP spoofing only really works for things like DoS attacks, where no 'connection' is ever established. You could NOT complete a web transaction (or even load a single web page) using a spoofed IP.

Let's say that there is one server and two client machines on the entire internet. The clients are labeled 1 and 2. Somebody at Client 1 starts sending traffic to the server, with the IP spoofed to say "2" instead of "1" (this would be the initial SYN packet). The server sends SYN/ACK packets back, but it sends them to Client 2 instead of Client 1. Client 2 just drops these packets, because these are SYN/ACK packets and they make no sense to Client 2, because Client 2 never sent out a SYN packet to begin with. So the server keeps sending these SYN/ACK packets at regular intervals, waiting for a response from Client 2, until the connection times out (30 seconds maybe?). But the server is utilizing precious resources to send these SYN/ACK packets and waiting for the ACK packet back. So multiply this times a few thousand spoofed IPs and the server is using all of its resources waiting for packets that will never come. Valid users have no way of connecting to the server.
 

rbhawcroft

Senior member
May 16, 2002
So bizmark, what you are saying is that, via two dial-ups or whatever, you couldn't load a page using a spoofed IP; that is clear. What this guy wants to know is what happens at the router level on his company's web server? Does the page load to the IP-spoofing computer or to the 'legit' IP computer, and is some kind of IP/Ethernet port directory used to verify the IP address is at the port it should be at?
 

Rainsford

Lifer
Apr 25, 2001
Originally posted by: rbhawcroft
So bizmark, what you are saying is that, via two dial-ups or whatever, you couldn't load a page using a spoofed IP; that is clear. What this guy wants to know is what happens at the router level on his company's web server? Does the page load to the IP-spoofing computer or to the 'legit' IP computer, and is some kind of IP/Ethernet port directory used to verify the IP address is at the port it should be at?

You could not load a page just using a spoofed IP because none of the routers in between the spoofer and the server would know to route the packet back to the "real" IP instead of the spoofed one. If the packet you sent out contained your IP in any way, then there's not a whole lot of point in spoofing, is there?

As far as verifying if an IP is "real" or not, there are a variety of ways. Check out the latest DoS article on GRC.com (don't remember which one exactly). He talks about this neat idea to verify that an IP is real before dealing with it in any way. Basically it involves encrypting the source IP of the first SYN packet and including this information in the returned ACK packet. Then the source has to reply with the 3rd part of the handshake, the SYN/ACK packet. The encrypted form of the IP is in there, and if this sequence isn't completed then the server discards the connection, since the source has no way of knowing the encrypted form of the spoofed IP unless it gets it from the server (which it can't, because it can't get the returned ACK packet). This is pretty much the same thing as SYN cookies (look it up on Google). It really only works for connection-based protocols (so I don't think it would work for UDP).