
I tried to send a UDP packet with a fake source IP (no evil, I am not an attacker ;), but I failed. It seems that the router of the datacenter censors the packets and drops them; who can teach me how to make it?



Cool, I used to do this by spoofing UDP packets from 3.3.3.3 from the client to the server's public IP, but it was unreliable due to the anti-spoofing filter. This way is better.

How do you verify the source address of the packet is legit?

> Hide behind a Linux proxy and set up random packet dropping (can be done with nftables).

I used a similar method to simulate running our software on a government network when I worked in defense.

Timeouts and packets dropping all over the place. Government work sucks.


Or you can craft packets all day long with any source address you like and dump them onto the network.

Use a decent router that allows packet sniffing. There are various low-cost options. I use Mikrotik, for example.

Huh? You simply capture the packets and crack offline.

You can't drop the original traffic using the library. You could capture it, modify it and send it though. That + some iptables rules to drop the original traffic would be sufficient I guess.

How do you guys trace the real packet sender of a packet with a spoofed IP address?

You probably could via ebtables, as it inspects Ethernet frames directly. That can be used, for example, to not allow VMs on a host to spoof MAC addresses.

But the easiest way is just to not allow the app to run with permission to access raw sockets. That's it.

The problem is really that there is no way to get a UDP interface that also gives you the MAC address of the packet, so raw sockets are the only way to do it.

Similarly there is no interface to send ICMP packets other than raw sockets.


Thanks. I was imagining using Wireshark and just getting garble.

Well I did post the source port, which reduces the effort by a factor of tens of thousands... also, the up-thread did say "with a single fake RST or FIN packet"... which is why I mentioned window guessing...

Also, crap, I'm an idiot. Let me do that non-natted ;)

tcp 0 0 216.240.155.220:4007 60.225.131.226:43972 ESTABLISHED 18694/nc


I think it would be more clever to use an actual valid TCP connection and hide the data in the fragment sizes, timing, push flags, and other various legal flags and options available. This doesn't let you mask your source, but it allows two way communication.

For an even cooler trick, check out pwnat, also from Samy: https://samy.pl/pwnat/

The server sends constant ICMP pings with a fixed payload to an unreachable dead Internet IP. The client sends an ICMP Time Exceeded message to the server containing the original fixed ping sub-payload, which the server's NAT lets through because the payloads match as related traffic. The server then learns the client IP and the usual chownat UDP hole-punching tricks apply.
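The two packet-crafting ideas in this thread, the UDP datagram with a caller-chosen source address from the original question and the pwnat-style ICMP Time Exceeded described in the comment above, as an added example that is not part of the thread and not pwnat's own code. It builds the IPv4, UDP and ICMP headers byte by byte, computes the RFC 1071 checksums (the IPv4 header vector is the well-known one from RFC 1071 style examples, 192.168.0.1 to 192.168.0.199), and hands the finished packet to a raw socket. All addresses, ports and payloads are constructed placeholders; `send_raw` needs CAP_NET_RAW, and whether a spoofed packet gets past the datacenter depends on the anti-spoofing filter the thread discusses.

```python
"""Craft IPv4 packets with an arbitrary source address (added example, not from the thread).

Shows (a) a UDP datagram with a spoofed source and (b) a pwnat-style ICMP Time
Exceeded that quotes the server's own echo request so a stateful NAT treats it
as a reply to that ping. Addresses/ports/payloads below are constructed.
"""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ttl: int = 64, ident: int = 0, flags_frag: int = 0x4000) -> bytes:
    """20-byte IPv4 header without options; DF set by default, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_packet(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """IPv4/UDP datagram whose IP source is whatever the caller says (the OP's question)."""
    udp_len = 8 + len(payload)
    # UDP checksum covers a pseudo-header (src, dst, zero, proto, length) plus the segment.
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    csum = checksum(pseudo + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload)
    if csum == 0:
        csum = 0xFFFF  # RFC 768: a transmitted zero means "no checksum"
    udp = struct.pack("!HHHH", sport, dport, udp_len, csum) + payload
    return ipv4_header(src, dst, socket.IPPROTO_UDP, len(udp)) + udp


def icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 code 0, as the NATed server would send to the dead IP."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, checksum(hdr + payload), ident, seq) + payload


def pwnat_time_exceeded(client: str, server: str, dead_ip: str, echo: bytes) -> bytes:
    """ICMP Time Exceeded (type 11 code 0) from the client to the server, quoting the server's ping.

    RFC 792 requires the original IP header plus the first 8 bytes of its payload; the
    NAT matches the quoted (dead_ip, ident, seq) against the outbound echo and forwards
    the error inward, which is how the server learns the client's address.
    """
    inner = ipv4_header(server, dead_ip, socket.IPPROTO_ICMP, len(echo)) + echo[:8]
    body = struct.pack("!BBHI", 11, 0, 0, 0) + inner
    icmp = struct.pack("!BBHI", 11, 0, checksum(body), 0) + inner
    return ipv4_header(client, server, socket.IPPROTO_ICMP, len(icmp)) + icmp


def checksums_ok(pkt: bytes) -> bool:
    """True if the IPv4 header checksum and the UDP/ICMP checksum both verify (fold to zero)."""
    if checksum(pkt[:20]) != 0:
        return False
    proto, seg = pkt[9], pkt[20:]
    if proto == socket.IPPROTO_UDP:
        pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(seg))
        return checksum(pseudo + seg) == 0
    return checksum(seg) == 0


def send_raw(pkt: bytes) -> None:
    """Hand a complete IPv4 packet to the kernel; IPPROTO_RAW implies IP_HDRINCL on Linux.
    Needs CAP_NET_RAW, and an upstream BCP 38 / uRPF filter may still drop it."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (socket.inet_ntoa(pkt[16:20]), 0))


if __name__ == "__main__":
    spoofed = udp_packet("10.9.8.7", 40000, "192.0.2.10", 53, b"constructed payload")
    echo = icmp_echo_request(0x1234, 1, b"pwnat-fixed-payload")
    te = pwnat_time_exceeded("198.51.100.5", "203.0.113.20", "192.0.2.1", echo)
    for name, pkt in (("udp", spoofed), ("time-exceeded", te)):
        print(name, len(pkt), "bytes, checksums ok:", checksums_ok(pkt))
        print(pkt.hex())
    # send_raw(spoofed)  # uncomment on a host where you hold CAP_NET_RAW
```

The point of keeping the builders separate from `send_raw` is that you can unit-test the bytes offline (compare against a Wireshark capture of a real ping) before touching a raw socket; the only part that depends on privileges and on the upstream filter is the final `sendto`.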


Neat!

Although I'd have done it differently: using some packet capture tools, fake replies with the various different IP addresses. That way you don't even have to run a physical router that bounces it back and forth.


You can send spoofed packets from nearly every host.

However hosts like Ecatel are known to specifically allow their customers to send spoofed packets at full speed 24/7.

I think most hosts will notice heavy bandwidth usage, investigate, and then terminate your account. This is why people buy servers at Ecatel even if it is more expensive.


> Could even go a lower level and use something like the TCP packets metadata as the encoding. Send data in the form of TTL variations across packets.

Even better: put it in the ICMP echo request; then you can also spoof the sending address if you wish.

Or encode it in a DNS request/response.


You can do this with a Linux router and 'tc'.

https://www.pico.net/kb/how-can-i-simulate-delayed-and-dropp...

(just a short example)


Thanks!

Can you clarify, does that work on the forwarded packets? I assume it should, given the vuln in the scrubbing function, but it would help if that were stated clearly.


You can't tell that incoming UDP is spoofed. The only filtering you can reliably do is outgoing.
