A Short Note on IP Spoofing
After reading “Who is Hacking Me? ~A Glance into The Log~”, observant readers will notice that I base my findings on IP addresses, which immediately raises the topic of IP spoofing.
What if people are deliberately messing with my honeypot with spoofed IP addresses? Will my results be unreliable?
True, IP addresses can be spoofed. However, across the extranet, if communication is required, a connection expects packets to travel in both directions, so spoofing the IP is not feasible (remember, IP packets need to know where to route back). On top of that, think about TCP sequence randomization, etc. The case is different on an intranet, however, where you can cause the routers to route the whole address space (e.g. 192.168.0.0/16) to yourself.
Many automated attacks on your computers expect you to connect back to the host that hosts the payload.
A seasoned hacker would use a few compromised hosts as hops, which is much more realistic. The same goes for botnets. Unless it is an organized, targeted attack, the abundance of IP addresses makes IP spoofing less necessary. Why spoof?
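The argument above can be turned into a check on honeypot data. This is an added example, not code from the original post: it marks a source IP as trustworthy only when the peer acknowledged the honeypot's random initial sequence number. The `Pkt` record layout, the function name and the sample capture are assumptions constructed for illustration.

```python
# Added example (not from the original post): which honeypot source IPs
# are backed by a completed TCP three-way handshake?
from collections import namedtuple

# direction: "in" = towards the honeypot, "out" = the honeypot's reply.
Pkt = namedtuple("Pkt", "direction peer_ip peer_port flags seq ack")

def classify_sources(packets):
    """Return (verified, unverified) sets of peer IPs.

    A peer is verified once its ACK acknowledges the honeypot's randomly
    chosen initial sequence number (ISN) + 1. Only a host that actually
    received the SYN-ACK at that address knows this value.
    """
    pending = {}      # (ip, port) -> ACK number expected from the peer
    syn_seen = set()  # flows for which the peer's SYN was logged
    verified, seen = set(), set()
    for p in packets:
        key = (p.peer_ip, p.peer_port)
        if p.direction == "in":
            seen.add(p.peer_ip)
        if p.direction == "in" and p.flags == "S":
            syn_seen.add(key)
        elif p.direction == "out" and p.flags == "SA" and key in syn_seen:
            pending[key] = (p.seq + 1) % 2**32  # sequence numbers wrap at 32 bits
        elif p.direction == "in" and p.flags == "A" and pending.get(key) == p.ack:
            verified.add(p.peer_ip)
            del pending[key]
    return verified, seen - verified

# Constructed sample capture (documentation address ranges, made-up numbers).
SAMPLE = [
    # Full handshake: the peer echoes the honeypot's ISN + 1.
    Pkt("in",  "198.51.100.7", 40112, "S",  1000, 0),
    Pkt("out", "198.51.100.7", 40112, "SA", 734512, 1001),
    Pkt("in",  "198.51.100.7", 40112, "A",  1001, 734513),
    # SYN only: the SYN-ACK went to the claimed address, nothing came back.
    Pkt("in",  "203.0.113.9", 5555, "S",  42, 0),
    Pkt("out", "203.0.113.9", 5555, "SA", 99120044, 43),
    # ACK with the wrong number: the sender never saw the SYN-ACK.
    Pkt("in",  "192.0.2.33", 6000, "S",  7, 0),
    Pkt("out", "192.0.2.33", 6000, "SA", 4294967295, 8),
    Pkt("in",  "192.0.2.33", 6000, "A",  8, 12345),
]

if __name__ == "__main__":
    ok, unproven = classify_sources(SAMPLE)
    print("handshake-verified:", sorted(ok))
    print("unverified (could be spoofed):", sorted(unproven))
```

This check holds only when the sender cannot observe the honeypot's replies; in the intranet case described above, where traffic for the address space is routed to the sender, a completed handshake proves nothing about the source.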