If you try to use a public IP address at random, regardless of anything else, any return packets will end up on the wrong network at the wrong host, so you won't be able to have two-way comms. – Andy – 2010-06-12T11:11:07.940

@Andy, actually the transmitted packets are likely to get dropped themselves. The point is, you cannot convince the ISP network devices to use your choice of IP address. They will not accept it. – nik – 2010-06-12T11:47:23.343

@nik Totally! I focus on the return path because for me, whether or not your outgoing packet is dropped is a detail (maybe it will, maybe it won't); the fundamental reason you can't use an arbitrary IP address is that you break the routing system, which shows up on the return journey. – Andy – 2010-06-12T12:07:13.530

@Andy, Umm, the packet with this 'spoofed' source IP will be dropped -- So, analysis of return path is really just theoretical musing. Look at the ifconfig (or ipconfig on Windows) output of your Internet connected machine. You will see two more things associated with your IP address: a subnet mask and a default gateway ip address. Think about what you will setup as the default gateway if you were to change your IP address say from 'a.x.y.z' to 'b.x.y.z'. Changing it won't work. Now, think further on what that gateway machine will do to your changed-source-IP packet... – nik – 2010-06-12T12:45:53.663

@Nik Don't see the problem. Sure if you spoof as a.b.c.d/24 and access a.b.c.d+1/24 you'll have problems. But as long as the dest appears to be in a different subnet, the default gateway'll be used, and once we're at routers, only the dest addr is used no? (I don't get your problem with the gateway machine.) We can modify our subnet mask to make (nearly) all addresses appear to be on a different subnet. Or just configure our host to send all packets to the default gateway. That's why I feel it's details - it's absolutely impossible for the return packets to find you. Have I missed something? – Andy – 2010-06-12T14:19:33.163

@Andy, Can you try your experiments and tell us the results. Maybe, you can get another friend somewhere over phone and try to ping their public IP address, see if they can get these packets. Try first with your ISP provided IP address and then with all the changed forms you can think of. – nik – 2010-06-12T14:30:35.880

@Nik :) Don't put the onus on me to prove!! Still interested to hear what problem you foresaw when you said, 'think further on what that gateway machine will do to your changed-source-IP packet.' Do you see a theoretical problem with what I've described? Interested to hear back... – Andy – 2010-06-12T14:37:21.907

@Andy, as an ISP customer if you choose to use a different IP (even in the same subnet as your dynamically allocated address), you are likely to disrupt some other customer communication. The ISP is therefore expected to implement mechanisms that will disallow such a use (unlike your home network where you are free to try various IPs in the local-subnet). If however, you choose to use a different subnet, your machine will not be able to communicate with the designated default-gateway since it won't be in this new subnet. Hence, you will be unable to cross your default-gw in any case. – nik – 2010-06-12T18:18:40.320

@Andy, I think you are planning to change from Subnet-A IP to another Subnet-B IP without changing the default-gateway you are required to use. Your expectation seems to be that the default gateway will forward your packet if it is bound to some third network (Subnet-C) IP. This cannot work because your assigned default gateway in Subnet-A will not forward packets from an IP in some other subnet (Subnet-B in this case). In this sense, the router-as-a-whole-system does not use just the destination address. I hope this clarifies a bit more. – nik – 2010-06-12T18:33:03.457

@Nik Thanks for humouring me! Don't mean to be repetitive, but are any of these fundamental issues (eg. rfc xxxx says that a default gateway MUST check source IP address) or are they issues with typical setups? Maybe a better way to phrase the question is this: if I'm a malicious/investigative network engineer working on a backbone network, and I've got complete control over all hosts and routers in my AS, is it possible for me to send an IP packet successfully to a system in a different and remote AS? – Andy – 2010-06-12T19:06:17.303

@Andy, a gateway/router will forward IP packets across defined subnets. It will not receive an inbound packet if it does not belong to a subnet configured on the interface (Subnet-A in the above conversation). So, if you change source IP from Subnet-A to Subnet-B where the second subnet is not configured on your default gateway, it will reject those packets. – nik – 2010-06-13T03:45:45.523

As a 'malicious/investigative network engineer' you may be able to add specific subnet configurations in parts of your AS, however as soon as the packet crosses out of your domain-of-control, things will not work. – nik – 2010-06-13T03:48:12.180

Thanks Nik, that last bit ('as soon as the packet crosses...') is exactly what I was thinking about. So I'm on a tier 1 network and lots of packets whose source and destination are on remote networks traverse my network. How does the router just out of my control differentiate between valid packets from other networks, and rogue-spoof-addressed packets that claim to be from other networks, but actually came from my network? – Andy – 2010-06-15T09:21:49.680

Andy, you would have re-configured routers in your administration domain to allow this packet (malicious it may be, an 'illegal' path manually setup by the admin will make the router work with it). However, you cannot play with routers beyond your administrative domain. Since that router will not be rigged by you to carry the packet through, it will get dropped. The differentiating factor on each router interface is the configured subnets on that interface. It will not accept packet sources not matching that subnet. That is the change an admin can do within their domain but not beyond. – nik – 2010-06-15T11:30:47.740

Aha! Andy, you caught me :-) I err in my concepts with the above comment. The source subnet is NOT restricted. You can essentially spoof as a 'malicious/investigative network engineer' you CAN spoof a source IP and the packet will go to the desired destination IP. The return packet will however (as you describe earlier) go to the spoofed IP -- that is essentially how a smurf attack is done. Which is also the reason why your ISP will check your source IP :-). I was not attentive when you shifted from user-space to network-space. – nik – 2010-06-15T11:50:47.210

So, essentially, you can spoof a source IP anywhere on the Internet. However, all ISPs are aware of this weakness (and its potential DDoS consequences). Hence at the ISP Access point, you will always find a check for Source IP matching the allocated one. Unmatched packets will be dropped for safety. – nik – 2010-06-15T11:54:09.120

Thanks for mentioning the smurf attack! I hadn't considered that source spoofing could be used to do any harm (other than preventing yourself using any connection-oriented protocols)... I guess then ISPs will be very careful about this sort of thing. – Andy – 2010-06-15T12:44:02.780

My girlfriend will love that there's a technical term smurf amplifier! Love it;) – Andy – 2010-06-15T12:58:47.370

what is an "ip networks"? – ealeon – 2018-02-18T07:13:23.250

how would one "use" a publid network at random? you muanlly tell your computer NIC what ip address it has? – ealeon – 2018-02-18T07:14:41.487