
It's common sense that DNS query packets can be used to establish covert channels. But in my experiment with DNS query reflection, where I send out DNS queries with a spoofed source IP and MAC address to the primary DNS server, the victim machines don't receive any response from the DNS server.

Could it be that my spoofed packets are recognized and discarded by the hotspot? But I'm really confused how such recognition would be possible, given the forged MAC.

My experiment environment is a hotspot system on a DD-WRT router.

StackzOfZtuff

1 Answer


If you are spoofing an IP address that is outside the range of valid IP addresses in the subnet:

Ever since the plague of spoofed IP address attacks in the 1990s and early 2000s, the best current practice is to configure routers to block IP packets with source addresses that are not supposed to arrive through the interface through which they came. The hotspot or an upstream ISP router is probably applying such filtering.

If you are spoofing an IP address that is inside the range of valid IP addresses in the subnet:

Then the above BCP38 does not apply, but it is perfectly plausible for the hotspot to be keeping track of which IP addresses have been assigned to which MAC addresses by its integrated DHCP server and enforce a policy that only MAC addresses that have gone through the DHCP process are allowed to transfer (non-DHCP) traffic and then only using the IP addresses that they were assigned.

Celada
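The two checks described in the answer above, modelled as an added example that is not part of the original post and is not DD-WRT's own code: a source-address check against the client subnet, followed by a check of the MAC-to-IP binding recorded by the DHCP server. The subnet, lease table, MAC addresses and function names are constructed assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed values: the hotspot's client subnet and its DHCP lease table (MAC -> leased IP).
CLIENT_NET = ipaddress.ip_network("192.168.1.0/24")
LEASES = {
    "aa:bb:cc:00:00:01": ipaddress.ip_address("192.168.1.10"),
    "aa:bb:cc:00:00:02": ipaddress.ip_address("192.168.1.11"),
}

Frame = namedtuple("Frame", "src_mac src_ip dst_port")

def check_source(frame, leases=LEASES, net=CLIENT_NET):
    """Return (verdict, reason) for a frame arriving on the client-facing interface."""
    # A client without a lease must still be able to reach the DHCP server.
    if frame.dst_port == 67 and frame.src_ip == "0.0.0.0":
        return ("accept", "dhcp")
    src = ipaddress.ip_address(frame.src_ip)
    # Case 1 of the answer: the source address cannot belong to this interface.
    if src not in net:
        return ("drop", "source-outside-subnet")
    # Case 2 of the answer: only MACs that went through DHCP may send traffic,
    # and only from the address they were assigned.
    leased = leases.get(frame.src_mac.lower())
    if leased is None:
        return ("drop", "mac-has-no-lease")
    if leased != src:
        return ("drop", "ip-not-leased-to-mac")
    return ("accept", "binding-ok")

def audit(frames):
    """Count drop reasons, the counters an operator would watch on the hotspot."""
    counts = {}
    for frame in frames:
        verdict, reason = check_source(frame)
        if verdict == "drop":
            counts[reason] = counts.get(reason, 0) + 1
    return counts

# Constructed sample traffic: DNS queries (port 53) and one DHCP request (port 67).
SAMPLE = [
    Frame("aa:bb:cc:00:00:01", "192.168.1.10", 53),  # leased pair
    Frame("aa:bb:cc:00:00:01", "203.0.113.5", 53),   # source outside the subnet
    Frame("de:ad:be:ef:00:01", "192.168.1.11", 53),  # MAC never seen by DHCP
    Frame("aa:bb:cc:00:00:01", "192.168.1.11", 53),  # IP leased to another MAC
    Frame("de:ad:be:ef:00:01", "0.0.0.0", 67),       # DHCP request
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```
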