22

For homework, I coded a TCP packet with raw sockets. So I was also able to change the source IP address to whatever I wanted. So why can't someone just make a program, which sends millions of these packets (DDoS) with a different source IP address? Wouldn't he/she be "secure" and no one could trace him/her?

Further questions:

  1. Couldn't you just implement this in this DDoS program called LOIC? So there wouldn't be anyone busted using it.
  2. What do the routers log about me (sender)? Could the police trace me with these logs?
Peter Mortensen
  • 895
  • 5
  • 10
Joey
  • 605
  • 8
  • 17
  • how did you change the source ip address ? – Hacketo Dec 05 '14 at 12:46
  • 7
    @Hacketo Raw sockets allow you to send raw data out of an interface. You need to build the IP header by hand, and maybe compute a checksum but it's not hard. – RoraΖ Dec 05 '14 at 12:50
  • 2
    In Python I just used this line: source_address = socket.inet_aton(source_ip) And the variable source_ip can be changed to everything you want – Joey Dec 05 '14 at 12:51
  • 1
    Kevin you would also have to spoof your MAC address as it's a unique identifier for your NIC. – RoraΖ Dec 05 '14 at 12:58
  • 12
    @raz, The MAC address is layer 2, not layer 3, and doesn't get passed beyond the first hop. So no, there's no need to spoof it unless the computer you were DoS'ing was directly connected to your NIC. – Chris Murray Dec 05 '14 at 13:04
  • The MAC address of your edge device may need to match the source address for your ISP to accept it though. If they only provide you one address and you are sending out others, it could be dropped. – SecsAndCyber Dec 05 '14 at 13:17

3 Answers3

31

You are correct that this is possible. There are problems with the plan though:

  • The network you are leaving can filter to drop outgoing packets that do not have a source IP from within their network.
  • DDoS (Distributed Denial of Service) is based around idea that many boxes target a single one, overloading the target's ability to handle the data. Your single consumer hardware is unable to produce the output alone to overload a target.
  • Source IP address spoofing is used in some denial of service attacks, such as sending small requests for large amounts of data to many servers where the servers will reply to the spoofed target. See Reflected/spoofed attack on Wikipedia or last year's NTP Amplification Attack from the US CERT.
  • Usually TCP doesn't benefit from address spoofing due to the three-way handshake. It is more useful with TCP to perform session hijacking.
Peter Mortensen
  • 895
  • 5
  • 10
SecsAndCyber
  • 616
  • 5
  • 4
  • 5
    More exact: in TC you can not establish a TCP connection - because the recipient will send back a handshake to the fake IP. So, this only work with UDB on a network run by an incompetent admin (not using source filtering - quite a lot around). – TomTom Dec 05 '14 at 13:48
  • 5
    A TCP SYN packet with spoofed source IP usually won't help you complete a handshake. But the server might allocate memory when receiving the SYN packet, and keep that allocated while waiting for the rest of the packets. That way this could use up all memory on the server. That attack has been known for decades, so by now any serious OS should have countermeasures against it. – kasperd Dec 05 '14 at 14:06
  • Thank you SecsAndCyber! But imagine I have a very big botnet and my network does not filter any outing packets. So I could take some not so powerful websites and private computers offline, as long as I want and the police can nothing do against me? I cannot imagine that this is possible. There has to be a way, they can trace me?! – Joey Dec 05 '14 at 15:26
  • 3
    @Kevin Computers in a botnet are usually not in the same network. They are just hijacked computers all over the world (i.e on multiple networks). But I guess you could collect computers to your botnet and discard all computers that is on a network that filters outgoing packets based on source ip. – simon Dec 05 '14 at 15:31
  • 5
    @Kevin It still doesn't makes any sense. If you are using a botnet to DDoS you wouldn't care if they can trace the traffic since it would trace back to your hijacked computers (not to your own computer, unless you include it in your botnet...). http://en.wikipedia.org/wiki/Botnet – simon Dec 05 '14 at 15:35
  • @gurka You are right. What I was thinking at first was a single computer with a powerful internet connection (100mbit/s), which is able to take some other private computers (<100mbit/s) offline. And with this "source ip spoofing-trick" you would be untraceable. But traceable or untraceable that is the question :P – Joey Dec 05 '14 at 17:19
  • 1
    @Kevin The police can in theory trace you. But because the IP headers of the packets you send out don't point back to you, they must identify these packets and their arriving interface, at each router working back from the recipient towards you, while the attack is still running or using audit logs saved during the attack, and this requires the cooperation of the owners of each of those routers, so it's not easy or cheap. – qris Dec 06 '14 at 13:07
  • Blind TCP session hijacking doesn't work since patches from 98-99. – Smit Johnth Dec 07 '14 at 02:55
11

The source IP address tells the client who to respond to, but it isn't the only way to tell where the traffic came from. You still have to communicate with a router at your ISP and they are going to talk to another router and possibly log the traffic. They may also flat out refuse to handle a packet with a forged sender from within their network.

Just because you alter the IP address doesn't mean there isn't a record of that packet traveling across the network and doesn't mean that the connection couldn't be traced back to you.

It is also worth noting that without a valid source IP address, you can't actually make a connection on something like TCP because you can't complete the handshake.

AJ Henderson
  • 42,081
  • 5
  • 65
  • 112
  • But the packet will travel through a lot of routers, not just sender to receiver. So every router would need to log the traffic. But are you sure they do this? This must be a very big logfile then, because of all the connections. Can you or someone else give me more information about these router logs? What do they exactly log? And how long? – Joey Dec 05 '14 at 16:51
  • 6
    @Kevin - it isn't that large of a number of routers normally. It may travel through 10 to 15, but generally, at least 1/3 of those are on the ISP's network and another 1/3 or so on the recipient's ISP's network. The ones in between tend to be backbone networks, but they still care about entry and exit points on their network for traffic for billing and peering negotiations. They may or may not log every packet, but if they start noticing a weird pattern, they are likely to make note of it. – AJ Henderson Dec 05 '14 at 17:11
0

Like most answers relating to questions of this type, it depends. IP spoofing can make it very difficult to trace you, but it is not a guarantee someone won't be able to. It really depends where on the network the person who might want to trace you is. For example, if you did this from your ISP account or your company network and the administrators of networks notice and want to trace you, it is very likely they will, especially if they notice and start investigating while your still operational to do so. On the other hand, if you did this and used this technique to do something like a Dos/DDoS attack on a remote site, a lot would depend on the site. If it was a major government, military etc site in the same country, then it is likely they would have the resources and authority to get logs and other information and track you down. On the other hand, if it is a company without significant resources or in a different country, then it could be much more difficult to access the necessary information or obtain the amount of resources necessary to perform an investigation.

Normally, when someone wants to obscure their location, it will be necessary to use a number of techniques to make tracing difficult. For example, you might first compromise a remote system and use that system to initiate your activity rather than simply run it from your own machine. In general, the 'safe' approach is to always assume anything you do can be tracked and if you want to avoid this, you need to make the effort/expense of doing so too high compared to the value of identifying who/where you are.

Tim X
  • 3,292
  • 15
  • 13