In message <54b34a12.4000...@tnetconsulting.net>, Grant Taylor writes: > On 01/11/2015 07:42 PM, Mark Andrews wrote: > > Just because you can only identify one of the two remotes doesn't > > mean that you can't report the addresses. It is involved in the > > communication stream. > > It is very difficult to make a case that the host with the spoofed IP > address is attacking you when it is not even sending any traffic to you.
It is accepting the reply traffic and forwarding it to the originator. It is directly involved. > The ISP will very likely not see ANY traffic originating from spoofed > IP destined to your server. They will see the reply traffic and will see the acks increasing etc. > So what you do know is effectively useless. > > > Actually it is coming from where you think it is coming from, just > > not directly. > > No, not quite. > > 1 - Spammer (A) sends packets to server (B) spoofing the source address > of the relay (C). > (A spoofed as) C -> B > 2 - Server (B) replies to relay (C) > B -> C > 3 - Relay (C) sends packets to spammer (A). > C -> A > > Notice how the relay (C) is never sending packets -to- the server (B). > The traffic is NOT coming from the relay (C). > > This is not a case of the spammer (A) sending to the relay (C) that is > then sending the traffic to the server (B). > > There is no traffic originating from the relay (C) going to the server > (B). Thus there is nothing to be caught by the relay's ISP ISP filter. > You could even use this technique on ISPs that block outbound traffic > to TCP port 25. (Like many cable / DSL providers.) > > Also notice how the server (B) never knows the spammer's (A) real IP. > > This is very similar in concept to a Joe Job, but at the TCP layer, not > the SMTP application layer. > > ---- > > The point of this is that it is possible, and occurring in the wild, to > spoof TCP source IP addresses. - So, don't blindly trust the source IP > address used for TCP connections. - It is possible (if not practical) > to spoof them and have a successfully transmission. There is no difference to this than asymetric routing. The address you are presented with is part of the communication path. > -- > Grant. . . . > unix || die -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
