Packet Marking for Traceback of Illegal Content Distribution
Robert Hajime Lanning
lanning at monsoonwind.com
Thu Apr 15 23:35:31 PDT 2004
<quote who="richard childers / kg6hac">
> "To defend against spam and viruses or to stop illegal file sharing, an
> organization must be able to identify the originator of the offending
> messages. However, spammers, pirates and hackers most often use
> incorrect, disguised or false addresses on their messages or data
> packets to deter trace back. Such spoofed addresses are illegal in the
> U.S. but so far, effective.
Ah, but, how many spams/viruses have spoofed IP addresses?
I have yet to receive a spam/virus that contains, or was sent from, a spoofed
IP address.
I have spams that have spoofed/forged "Received:" headers, but the IP address
that connected to my mailserver is real enough.
They really need to do some research on this. The only way to have a spoofed
IP address make a full TCP connection (to send an email, or to send a file)
is to (1) be at the right router between points A and B, or (2) grab the
route for the "spoofed" IP address.
Now, you can do DoS attacks with spoofed addresses, as you usually do not need
any of the return traffic.
And as Rich said, it relies on every administrator configuring their border
routers correctly. Then again, if all the ISP's maintained propper
anti-spoofing ACLs, at their borders, spoofing would not be a problem. No
need for any new protocols, or modifications to protocols.
This really sounds like somebody had an idea, and is now looking for a problem
it can solve.
--
END OF LINE
-MCP
More information about the Baylisa
mailing list