I noticed that legit connections look like this:

6221 29.880628 5.4.3.2   1.2.3.4 TCP 61235 > cbt [SYN] Seq=0 Win=8192 Len=0 MSS=1452 SACK_PERM=1
6222 29.880646 1.2.3.4  5.4.3.2 TCP cbt > 61235 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1
6240 29.984383 5.4.3.2  1.2.3.4 TCP 61235 > cbt [ACK] Seq=1 Ack=1 Win=65340 Len=0
6241 29.989707 5.4.3.2  1.2.3.4 TCP 61235 > cbt [PSH, ACK] Seq=1 Ack=1 Win=65340 Len=267

So, at least in my case, if a legit one is always like this:

Client (Syn,Seq=0)
Server (Syn/Ack, Seq=0, Ack1)
Client (Ack, Seq=1, Ack1)

It seemed weak to me with regard to being possible to spoof and raise the socket up to the application. (Of course the spoofed IP must be down in order to avoid the RST.)

So I tested sending a SYN with a spoofed IP and then sending the ACK.

The SYN arrives, but the ACK gets ignored, like, for some time.

After the spoofed SYN, the server sends 3 SYN/ACKs (with no reply, of course). After some seconds, if I re-send the ACK, it is received but with some error.

Is it possible to handshake with a spoofed IP in this scenario? It seems to be, but I'm doing something wrong...

+1  A: 

No, it is not possible.

The problem is when the server sends back the SYN-ACK -- because it sends it back to the spoofed ip, which would not match the actual originator of the message.

Specifically, what you describe (faking the ACK) is a TCP sequence prediction attack which is well known and is countered in pretty much every OS nowadays.

Billy ONeal
Ok, but the SYN/ACK would be sent to the spoofed IP, which, in this example, is supposed to be down. So it would not reply back with a RST. Then after sending the SYN, I just send the ACK in sequence from the same spoofed IP. Regarding the sequence prediction, the legit connections I noticed are not using random sequence numbers until the handshake is done, so why not?
Filipe
@Filipe: If the other host is going to be down, then the target machine is going to get Destination Host Unreachable replies for its `SYN-ACK` packet, and then you're back where you started.
Billy ONeal
Ah, that may be it then. I am using Wireshark, but I am not sure why it does not show this ICMP packet. So it is sent from the "farthest" router?
Filipe
It's sent from some router in the network, yes.
Billy ONeal
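Two points the thread circles around are worth pinning down with a runnable model. First, the `Seq=0` / `Ack=1` in the capture above are Wireshark's relative sequence numbers (enabled by default in the TCP preferences), not the values on the wire; the real initial sequence number (ISN) the server picks is what a blind spoofer has to guess, because the SYN/ACK carrying it is addressed to the spoofed host, never to the attacker. Second, an ACK carrying the wrong acknowledgment number in SYN-RECEIVED is answered with a RST (RFC 793), which matches the "received but with some error" observation. The following is an added example, not code from the thread: a toy TCP listener with a predictable or random ISN, and a blind attacker that learns the server's current ISN from a connection made from its own address and then spoofs a handshake. All addresses and the 64000 ISN step are constructed for the example.

```python
"""Toy model of a blind, spoofed-source TCP handshake (added example, not from the thread).

Only what matters for the question is modelled: how the server picks its ISN,
the SYN_RCVD state, which address the SYN/ACK is sent to, and the RST that an
unacceptable ACK gets in SYN-RECEIVED. Addresses and the ISN step are constructed.
"""
import os
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int = 0


class Server:
    """Minimal listener: SYN -> SYN_RCVD, acceptable ACK -> ESTABLISHED, bad ACK -> RST."""

    def __init__(self, addr, isn_policy):
        self.addr = addr
        self.isn_policy = isn_policy     # "predictable" or "random"
        self._counter = 0                # state of the predictable generator
        self.half_open = {}              # client addr -> our ISN (SYN_RCVD)
        self.established = set()

    def _isn(self):
        if self.isn_policy == "predictable":
            # Old-style generator: the ISN grows by a fixed step per connection (step is constructed).
            self._counter = (self._counter + 64000) & MASK32
            return self._counter
        # Modern stacks pick an unpredictable ISN; here 32 bits from the OS CSPRNG.
        return int.from_bytes(os.urandom(4), "big")

    def receive(self, seg):
        """Process one segment; return the reply segment or None."""
        if seg.flags == {SYN}:
            isn = self._isn()
            self.half_open[seg.src] = isn
            # The SYN/ACK is addressed to seg.src, i.e. to the (possibly spoofed) source.
            return Segment(self.addr, seg.src, frozenset({SYN, ACK}),
                           seq=isn, ack=(seg.seq + 1) & MASK32)
        if seg.flags == {ACK} and seg.src in self.half_open:
            expected = (self.half_open[seg.src] + 1) & MASK32
            if seg.ack == expected:
                del self.half_open[seg.src]
                self.established.add(seg.src)
                return None
            # RFC 793 SYN-RECEIVED: an unacceptable ACK is answered with <SEQ=SEG.ACK><CTL=RST>.
            return Segment(self.addr, seg.src, frozenset({RST}), seq=seg.ack)
        return None


def learn_isn_from_own_connection(server, attacker_addr):
    """Connect from the attacker's real address; this SYN/ACK it does get to see."""
    synack = server.receive(Segment(attacker_addr, server.addr, frozenset({SYN}), seq=0))
    return synack.seq


def blind_handshake(server, spoofed_src, guessed_isn):
    """SYN then ACK from a spoofed source; return (established, reply_to_ack).

    The SYN/ACK goes to spoofed_src, so the attacker never learns the real ISN and
    can only acknowledge a guess.
    """
    synack = server.receive(Segment(spoofed_src, server.addr, frozenset({SYN}), seq=0))
    assert synack.dst == spoofed_src          # delivered to the spoofed host, not to us
    reply = server.receive(Segment(spoofed_src, server.addr, frozenset({ACK}),
                                   seq=1, ack=(guessed_isn + 1) & MASK32))
    return spoofed_src in server.established, reply


def demo(isn_policy):
    """Probe with our own address, predict the next ISN, then spoof 5.4.3.2."""
    server = Server("1.2.3.4", isn_policy)
    seen = learn_isn_from_own_connection(server, "9.9.9.9")   # attacker's real address
    guess = (seen + 64000) & MASK32                            # prediction of the next ISN
    return blind_handshake(server, "5.4.3.2", guess)


if __name__ == "__main__":
    for policy in ("predictable", "random"):
        ok, reply = demo(policy)
        print(policy, "->", "ESTABLISHED" if ok else f"failed, server replied {set(reply.flags)}")
```

With the predictable generator the spoofed handshake completes, which is exactly the classic sequence prediction attack; with a random 32-bit ISN a single blind ACK succeeds with probability 2^-32 and the server answers with a RST instead. Real stacks follow RFC 6528 (a per-connection secret hash plus a clock), so the attacker's probe connection tells it nothing about the ISN that will be chosen for the spoofed 4-tuple.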