The current state of IP spoofing

Monday, February 06, 2006

The current state of IP spoofing

A week ago, I came across a great and distributed initiative to map the distribution of spoofable clients and networks - the ANA Spoofer Project, whose modest sample of 1100 clients, 500 networks and 450 ASes can still be used to make informed judgements on the overall state of IP Spoofing. I once posted some thoughts on "How to secure the Internet" where I was basically trying to emphasize on the fact that securing critical infrastructure by evaluating how hardened to attacks it really is, can be greatly improved as a concept. What if that infrastructure is secured, but the majority of Internet communications remain in plain-text, and are easily spoofable, which I find as one of the biggest current weaknesses. If you can spoof there's no accountability, and you can even get DDoSed by gary7.nsa.gov, isn't it? (in the original Star Trek series, Gary Seven was the covert operative who returned from the future to fix sabotage to the United States' first manned rocket to the moon moments before lift off).

On the other hand, according to Gartner IPSec will be dead by 2008, but I feel this is where its peak and maturity would actually be reached. IPv4 will evolve to IPv6, therefore IPSec will hopefully be an inseparable of the Internet.

So what's the bottom line so far?

- 366 million spoofable IP addresses out of 1.78 billion
- 43,430 spoofable netblocks
- 4700 spoofable ASes out of 18450
- NAT's and XP SP2's make their impact

The higher the population the scarier the numbers for sure! I have always believed in distributed computing and the power of the collective intelligence of thousands of people out there. Be it integrating powerful features whose results are freely available to the public through OEM agreements or whatsoever, I feel in the future more vendors will start taking advantage of their customers' base for

How you can contribute? Pick up your client, start spoofing, but make sure your actions don't raise someone's eyebrows, even though you simply wanted to contribute, that's just a couple of packets to a university's server that's looking forward to receiving them this time :)

Dshield.org - the Distributed Intrusion Detection System is a very handy and useful OSINT tool that is obviously being used by the NSA as well (check out the Internet Storm Center's post on this, and the photo itself) UPDATE : Cryptome also featured fancy pictures from the NSA's Threat Operations Wizardy.

What is your opinion on the current state of IP Spoofing on the web and the fact how handy this insecurity comes to DDoS attacks? What should be done from your point of view to tackle the problem on a large scale?

You can also consider going through many other distributed concepts :

The original DES Cracker Project
DJohn - Distributed John
Bob the Butcher distributed password cracker
Seti at Home
ForNet : A Distributed Forensics Network
Pandora - Distributed Multirole Monitoring System
FLoP - distributed Snort sensor
DNSA - DNS auditing tool
Despoof - anti packet spoofing

As well as read more info on IP Spoofing, Distributed concepts and related tools :

IP Spoofing - An Introduction
Distributed Tracing of Intruders
Distributed Phishing Attacks
MAC Distributed Security
IPv6 Distributed Security(draft)
Distributed Firewalls
Web Spoofing
The threats of distributed cracking

Technorati tags:

security, information security, spoofing, IPSec, IPv6, distributed

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com