
So I'm just poking around the TCP/IP protocol using a Ruby library called PacketFu, and it seems to me that in each packet, it is possible to set all of the following

  • Source IP
  • Destination IP
  • Source MAC Address
  • Destination MAC Address

and a whole bunch of other things.

Here is my question:

What prevents me from sniffing a network, getting someone else's IP/MAC address, and then sending packets out pretending to be them, and running around the internet blaming all of my wrongdoings (assuming I'm acting maliciously) on the owner of the credentials I'm using?

OneChillDude

The common, low-level attackers (i.e. people in their home) cannot efficiently spoof their IP address for TCP connection because they will not receive answers. Remember that IP routes packets based on the destination address, so if you send a packet with a fake source address, it may still reach the destination. Some routers may be offended at seeing a packet with an "impossible" source address, in the same way that when you see a friend coming back from holidays with a heavy sun tan, and he claims he was in Great Britain, then you don't really believe him. However, chances are that the packet will go and reach its destination.

Any answer, however, will go to the alleged source address, not the real one. The attacker won't see the responses, and thus must work blindly. This is challenging for TCP, because of the three-way handshake: for the connection to be established, the client must be able to send back to the server an "ACK" packet containing the sequence number that the server sent back in its "SYN+ACK". That sequence number is chosen randomly, as a 32-bit integer; modern operating systems now use reasonably strong (unpredictable) random number generators (see RFC 1948). This implies that our spoofing attacker has only one chance in about 4 billion to get it right.

The bottom line is that when a TCP connection is actually established, then the server has some rather strong guarantee that whoever it is talking to can see the packets sent by the server to the alleged client IP address. Therefore, faking your IP address for TCP connections is possible only if you are very close to the alleged IP address owner (on the same subnetwork / WiFi access point), or if you have control of a router in the path between the server and the alleged IP address. The latter case means that you are a rather serious attacker, not just any script kiddie in his basement.

MAC addresses are purely local: they don't matter, and are not transmitted, beyond the local subnetwork. A remote server won't see them. Changing your MAC address is useful only to fool local switches and access points which employ MAC filtering.

Tom Leek
  • +1 nice answer. Can you elaborate on "The latter case means that you are a rather serious attacker"? It sounds like this is basically equivalent to using a simple proxy, but you seem to be implying something more tech-savvy than that. – asteri Apr 17 '14 at 19:32
  • When you use a proxy, you are not using a fake IP address -- you are using the real IP address of the machine which does the proxying work for you. Here, we are talking about an attacker who could take the control of an infrastructure router and can see IP packets destined for a whole network (not the one where the attacker has his own machine). This is more power than is available to the bulk of amateur attackers. – Tom Leek Apr 17 '14 at 19:52
  • Tom, one more question. From reading your post, I got the sense that it is possible to masquerade as someone else on your subnet undetected. Correct? – OneChillDude Apr 17 '14 at 22:37
  • In a subnet/local network you can do more or less whatever you want (depending on network of course). Of course, on a local network the MACs get a bit more importance. – zozo Apr 18 '14 at 08:16
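To make the handshake argument in the accepted answer concrete, here is a toy Ruby model of the server side of the three-way handshake (an added example, not code from the answer or from PacketFu). It assumes the server accepts an ACK only if it acknowledges ISN + 1, and it takes an injectable ISN source so the behaviour can be checked deterministically; the default draws an unpredictable 32-bit value.

```ruby
require 'securerandom'
# Toy model of the TCP three-way handshake, written to show why a spoofer
# who never sees the SYN+ACK cannot complete the connection.
class TcpServer
  attr_reader :established

  # isn_source is injectable so tests can be deterministic; the default is
  # an unpredictable 32-bit ISN, as RFC 1948-style implementations use.
  def initialize(isn_source = -> { SecureRandom.random_number(2**32) })
    @isn_source = isn_source
    @pending = {}        # claimed client address => ISN we put in SYN+ACK
    @established = []
  end

  # Step 2: answer a SYN with SYN+ACK carrying a fresh ISN. The segment is
  # routed to the *claimed* source address, whoever really sent the SYN.
  def on_syn(src_addr)
    isn = @isn_source.call
    @pending[src_addr] = isn
    { to: src_addr, flags: 'SYN+ACK', seq: isn }
  end

  # Step 3: accept only an ACK that acknowledges ISN + 1 (mod 2^32).
  def on_ack(src_addr, ack)
    isn = @pending[src_addr]
    return false if isn.nil? || ack != (isn + 1) % 2**32
    @pending.delete(src_addr)
    @established << src_addr
    true
  end
end

# The address owner receives the SYN+ACK and can echo the right number.
def legit_handshake(server, addr)
  synack = server.on_syn(addr)
  server.on_ack(addr, (synack[:seq] + 1) % 2**32)
end

# A blind spoofer forges the victim's address; the SYN+ACK goes to the
# victim, so the spoofer can only fire guesses at the ACK number.
def spoofed_handshake(server, victim_addr, guesses)
  server.on_syn(victim_addr)
  guesses.any? { |g| server.on_ack(victim_addr, g) }
end

# Probability that one blind guess matches a uniformly random 32-bit ISN.
def blind_guess_probability
  1.0 / 2**32
end
```

With the default ISN source, `legit_handshake` succeeds every time while `spoofed_handshake` with any practical number of guesses fails; the model also shows why a spoofer on the victim's subnet, who can observe the SYN+ACK, is not blind.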