3

I have read some articles about IP spoofing. Briefly speaking, IP spoofing means the attacker uses a fake IP address in the IP header to pretend this IP packet was sent by another machine.

The attacker can use it for things like a Denial-of-Service attack (together with other advanced techniques) and to hide the real source IP address.

In those articles, it is also mentioned that the attacker can't see any reply packet, because those reply packets will be sent to the spoofed IP address.

My question is: if the fake IP address is in the same network (in the same collision domain) from which the attacker sends the spoofed packets, will the attacker get the reply packets?

Thank you.

davidb
  • 4,285
  • 3
  • 19
  • 31
柯鴻儀
  • 137
  • 1
  • 10

4 Answers

4

It depends on how far you go with the spoofing. When you only spoof the IP address but not the MAC address, the original host will get the answer.

If you spoof not only the IP address but also the MAC address, it can happen that you also receive the answer. This is because the switch(es) on your LAN map MAC addresses to physical ports. This means you can "by accident" cause what is called port stealing by also spoofing the MAC address. This happens when the switch sees that the MAC address which is assigned to the spoofed IP address appears on your port. The switch then changes its CAM table and assigns the spoofed MAC address to your port.

Port stealing will only work when you send spoofed packets continuously, which does not seem to be the case here. So when it happens, it will only work for a very short time, until the MAC address is assigned back to the right port in the CAM table.

davidb
  • 4,285
  • 3
  • 19
  • 31
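To make the CAM-table behaviour described in this answer concrete, the following small Python model of a learning switch is an added example (not code from the thread or from any switch vendor; the MAC addresses and port numbers are constructed). It replays the sequence above and also records MAC "flaps", a known MAC appearing on a new port, which is the event a defender watches for with port security or MAC-move notifications.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:
    src_mac: str
    dst_mac: str

@dataclass
class LearningSwitch:
    """Toy 3-port learning switch: source-MAC learning, flood on unknown dst."""
    ports: tuple = (1, 2, 3)
    cam: dict = field(default_factory=dict)    # MAC -> port
    flaps: list = field(default_factory=list)  # (MAC, old_port, new_port)

    def learn(self, frame, in_port):
        # A known MAC showing up on a different port is a "flap": exactly the
        # event port-security / MAC-move logging alerts on.
        old = self.cam.get(frame.src_mac)
        if old is not None and old != in_port:
            self.flaps.append((frame.src_mac, old, in_port))
        self.cam[frame.src_mac] = in_port

    def forward(self, frame, in_port):
        """Return the set of egress ports for this frame."""
        self.learn(frame, in_port)
        out = self.cam.get(frame.dst_mac)
        if out is None or out == in_port:
            return {p for p in self.ports if p != in_port}  # flood
        return {out}

# Constructed addresses: victim on port 1, server on port 2, attacker on port 3.
VICTIM, SERVER = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"

def port_stealing_scenario():
    """Replay the sequence from the answer and return where each reply went."""
    sw = LearningSwitch()
    sw.forward(Frame(VICTIM, SERVER), in_port=1)            # switch learns victim
    before = sw.forward(Frame(SERVER, VICTIM), in_port=2)   # reply -> {1}
    # A frame from port 3 carrying the victim's MAC (spoofing only the IP would
    # leave the sender's own MAC in the frame and the CAM entry untouched).
    sw.forward(Frame(VICTIM, SERVER), in_port=3)
    stolen = sw.forward(Frame(SERVER, VICTIM), in_port=2)   # reply -> {3}
    # The victim's next frame moves the entry back, so the effect is short-lived
    # unless spoofed frames keep arriving, as the answer notes.
    sw.forward(Frame(VICTIM, SERVER), in_port=1)
    after = sw.forward(Frame(SERVER, VICTIM), in_port=2)    # reply -> {1}
    return before, stolen, after, sw.flaps

if __name__ == "__main__":
    print(port_stealing_scenario())
```

The two recorded flaps (port 1 to 3 and back) are what a switch with MAC-move notifications or sticky port security would log or block, which is the practical countermeasure to this behaviour.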
2

The IP still resolves to the MAC stored in your target's ARP table, and that is the address on the local network. So yes, you don't see the replies until you poison the ARP cache of your target.

Zonk
  • 458
  • 2
  • 6
1

Within a collision domain there is no filtering on the wire. So the reply will be delivered to the attacker's NIC.

Normally the attacker's NIC would drop such packets without passing them to the host, but if the attacker puts their NIC in "promiscuous mode" they will get the response.

P.S. If you actually meant broadcast domain rather than collision domain, see davidb's answer.

Peter Green
  • 4,918
  • 1
  • 21
  • 26
1

The response intended for a node in a network is always received by all nodes in that network; it is just that NICs are designed to discard the packet if the destination MAC address does not match their own. This default behavior can be overridden by putting the NIC in promiscuous mode (if supported by the NIC). This will make the NIC not discard the packet (in the physical layer) and pass it to the upper layer. You can run your own program like tcpdump or Wireshark in the upper layers to capture and analyze those packets.

sid-m
  • 111
  • 2