
DNS hacking: Blacklisting source IP address

Posted Aug 15, 2008 20:42 UTC (Fri) by giraffedata (subscriber, #1954)
In reply to: Some stupid ideas by darwish07
Parent article: Details of the DNS flaw revealed

This is UDP. The attacker's source IP address can be changed every time a new packet is sent without affecting the end result.

The source IP address is not UDP; it's basic IP. The attacker can't simply choose the source IP address because whoever routes his IP packet into the Internet will not accept it if its source IP address is someone else's (and the attacker isn't trusted as a router for that someone).

You have to pull off a pretty high level hack of the Internet before you can spoof a source IP address.



DNS hacking: Blacklisting source IP address

Posted Aug 16, 2008 8:21 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]

Actually, there are large chunks of the Internet that do not check the source IP when routing the packets.

And once you get a hop or so from the source (real or forged) this is necessary because the routers could be dealing with packets from just about anywhere.

In theory every company/personal router and every ISP border router (both to the customers and to other ISPs) has such filters.

In practice relatively few of them do.

This is even true of the major international peering points. Every year or so you hear of a country that got knocked off the Internet due to mistakes that someone makes with BGP routing configuration. These usually get detected and fixed within a short time and so don't make the news, but every once in a while the outage lasts long enough to get attention.

I've been at the receiving end of enough forged attacks to know that it's definitely possible.

Although I'll admit that with botnets getting as large as they are, forged packets are not used as much as they used to be.

DNS hacking: Blacklisting source IP address

Posted Aug 23, 2008 12:06 UTC (Sat) by darwish07 (subscriber, #49520) [Link]

Yes, I agree, but what I meant is that UDP puts fewer restrictions on the sender IP address.

IP forging can happen more easily with UDP since no handshake or any kind of replies are needed. Only the forged packet is enough.
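The source-address filters dlang says border routers should have (and mostly don't), which are the standard mitigation for the handshake-free forging darwish07 describes, amount to a simple ingress check: a packet arriving on a customer-facing interface may only carry a source address from the prefixes assigned to that customer, and never a private or otherwise unroutable one. The following is an added illustration of that check in the style of BCP 38 / RFC 2827; it is not code from LWN, from either commenter, or from any router vendor. The interface names, prefix assignments and sample packets are constructed for the example.

```python
"""Ingress (source-address) filtering check in the style of BCP 38 / RFC 2827.

Added illustration for this thread, not code from LWN or any router vendor.
Interface names, prefixes and packets below are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical ISP edge: each customer-facing interface is mapped to the
# prefixes that customer legitimately originates traffic from.
INTERFACE_PREFIXES: Dict[str, List[str]] = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:1::/48"],
}

# Address ranges that should never be a source on an Internet-facing interface
# (a small bogon list: RFC 1918, loopback, link-local, unspecified).
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fe80::/10", "::/128",
)]


def _networks(prefixes: List[str]):
    return [ipaddress.ip_network(p) for p in prefixes]


def classify(interface: str, src: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet with source `src` seen on `interface`.

    verdict is "accept" or "drop". An interface with no prefix list drops
    everything (fail closed), the conservative choice for an ingress ACL.
    `addr in net` is False when the IP versions differ, so a mixed v4/v6
    bogon list is safe to scan in one pass.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "drop", "bogon source"
    allowed = INTERFACE_PREFIXES.get(interface)
    if allowed is None:
        return "drop", f"unknown interface {interface}"
    if any(addr in net for net in _networks(allowed)):
        return "accept", "source within assigned prefix"
    return "drop", "source outside assigned prefix (possible spoof)"


def audit(packets):
    """Run classify over (interface, src) pairs; return counts and drop details."""
    counts = {"accept": 0, "drop": 0}
    dropped = []
    for iface, src in packets:
        verdict, reason = classify(iface, src)
        counts[verdict] += 1
        if verdict == "drop":
            dropped.append((iface, src, reason))
    return counts, dropped


# Constructed sample packets: (ingress interface, claimed source address).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.77"),        # legitimate
    ("cust-a", "203.0.113.9"),       # claims an address cust-a does not own
    ("cust-b", "198.51.100.200"),    # outside the /25 assigned to cust-b
    ("cust-b", "2001:db8:1::beef"),  # legitimate IPv6 source
    ("cust-b", "10.1.2.3"),          # RFC 1918 source arriving from a customer
    ("cust-z", "192.0.2.1"),         # interface with no prefix list
]

if __name__ == "__main__":
    counts, dropped = audit(SAMPLE_PACKETS)
    print(counts)
    for entry in dropped:
        print("DROP", *entry)
```

The point of applying the check at the customer edge, rather than a hop or two in, is the one dlang makes: only the first router knows which prefixes belong on a given interface, so that is the only place the forged-versus-real question can be answered cheaply. Once the packet is past that hop the core has no basis to reject it, which is why a UDP request carrying someone else's address can reach a resolver unchallenged.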

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds