TCP IPV4 Source IP Address

Posted: Sat Jan 14, 2023 5:37 pm
by devc1
I was recently looking into the TCP protocol and noticed that it has a Source Address field. Does that give the sender the possibility of tricking the receiver into thinking that the packet was sent from an IP address other than the sender's? I think not, because that would be so dangerous.

Re: TCP IPV4 Source IP Address

Posted: Sat Jan 14, 2023 5:47 pm
by BigBuda
It does; that's why there is an attack called IP spoofing. But there are ways to mitigate it (even if not solve it completely). Otherwise the internet would be a much messier place than it already is.

That could even be used to get some old enterprise-grade firewalls (like Nokia ones, been there) to completely go nuts and freeze, if you attempted to spoof a return packet with a destination address originating outside the network.

Re: TCP IPV4 Source IP Address

Posted: Sat Jan 14, 2023 5:55 pm
by devc1
Because it reminded me of a guy I knew in the past who was scamming people's PayPal accounts, and he asked me about this IP thing (logging in to PayPal with the scammed guy's IP to skip the mobile check). I thought this was impossible or that it needed some special router, and he said that he was paying a website monthly to do that for him.

Re: TCP IPV4 Source IP Address

Posted: Sat Jan 14, 2023 6:05 pm
by BigBuda
AFAIK, the ways you can do IP spoofing are very limited. There are more protections in place, for instance. And some ISPs do check and filter out IP spoofing attempts originating from their customers. Also, the way routing is done prevents much of that from happening. I suspect it's probably easier to do IP spoofing in internal networks than on the internet, and even on the internet you may not get very far other than trying to spoof IP addresses of customers on the same ISP as you.

Re: TCP IPV4 Source IP Address

Posted: Sun Jan 15, 2023 2:47 pm
by nullplan
devc1 wrote: Because it reminded me of a guy I knew in the past who was scamming people's PayPal accounts, and he asked me about this IP thing (logging in to PayPal with the scammed guy's IP to skip the mobile check). I thought this was impossible or that it needed some special router, and he said that he was paying a website monthly to do that for him.
Well, you will not be able to create a TCP connection by spoofing the source IP address.

When you send an IP packet to some destination, nobody cares about the source address field. Only at the destination is that field used, to return the response. So then the source becomes the destination. But of course, the spoofed address is not equal to your actual address (or else there would be no point), and so the return route will be different, and the response will come to a different machine. In the case of TCP, if you send a SYN packet with a spoofed source address, the server will answer with its SYN-ACK to the spoofed address, which is not in the right state at that point and will answer with RST. That won't really do any harm.

What your friend did more likely comes down to guessing the correct cookie for the PayPal login. You see, PayPal is a web service, and on the web, you are logged in to a site if you have the right cookie to be logged in. So if I can guess your cookie, I can take over your session. Maybe your friend found a way to guess those.

With source IP spoofing, there are two things you definitely can do: For one, there is SYN flooding. That means sending out an endless series of SYN packets with random source IP addresses to some destination. When the server receives a SYN packet, it has to allocate a bit of memory to handle the incoming connection. This flood exhausts the resources for that (any finite limit can be exceeded) and thus causes the server to be unreachable. And the random source IP addresses mean that no firewall along the way can filter out these packets and still allow legitimate packets through. Workaround here: SYN cookies.

For two, you can attack another site with UDP services that return larger responses than requests (e.g. DNSSEC). Then you can just keep sending the same request to some server with a spoofed source IP address, and it keeps sending its larger responses to the spoofed address, thus taking up that other address's bandwidth. This can also cause denial of service. The target of the attack cannot filter out the unwanted packets, since by the time they reach the firewall, the damage has already been done.
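The SYN cookie workaround nullplan mentions, as an added illustration that is not code from this thread or from any real TCP stack: the server encodes a time slot, the client's MSS and a keyed hash of the 4-tuple into the SYN-ACK's initial sequence number, keeps no state, and only creates a connection when the final ACK carries a cookie that verifies. The secret, the 32-slot time counter and the tiny MSS table are constructed simplifications of the Linux-style layout.

```python
import hashlib
import hmac
import struct
import time

# Constructed example, not a real kernel implementation. Cookie layout (32 bits):
# top 5 bits = time counter (64 s slots mod 32), next 3 bits = MSS table index,
# low 24 bits = keyed hash of (src, dst, sport, dport, counter).
SECRET = b"constructed-demo-secret (a real stack rotates this)"
MSS_TABLE = (536, 1220, 1440, 1460)  # encodable MSS values, ascending


def _time_counter(now):
    return int(now // 64) & 0x1F


def _hash24(src, dst, sport, dport, counter):
    msg = struct.pack("!4s4sHHB", bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))), sport, dport, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_mss, now=None):
    """ISN for the SYN-ACK. Everything needed later is inside the number, so the
    server allocates nothing for a SYN whose (possibly spoofed) source never ACKs."""
    now = time.time() if now is None else now
    counter = _time_counter(now)
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (counter << 27) | (idx << 24) | _hash24(src, dst, sport, dport, counter)


def check_syn_cookie(src, dst, sport, dport, ack_number, now=None):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None if
    the cookie is stale or was not issued to this exact 4-tuple."""
    now = time.time() if now is None else now
    cookie = (ack_number - 1) & 0xFFFFFFFF  # the client ACKs our ISN + 1
    counter = cookie >> 27
    idx = (cookie >> 24) & 0x7
    # Accept the current and the previous 64 s slot only.
    if counter not in (_time_counter(now), _time_counter(now - 64)):
        return None
    if (cookie & 0xFFFFFF) != _hash24(src, dst, sport, dport, counter):
        return None
    return MSS_TABLE[idx]


if __name__ == "__main__":
    c = make_syn_cookie("198.51.100.7", "203.0.113.5", 40000, 443, 1460, now=1000.0)
    print(check_syn_cookie("198.51.100.7", "203.0.113.5", 40000, 443, c + 1, now=1030.0))
```

A flood of SYNs with random sources therefore costs the server only the hash per packet; state appears only for the ACK a genuine client sends back.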