UPDATE Sep/2010: Dear Filipe (see comments below) had proven to me that spoofing over the internet is indeed possible, read all about it on the continuation post: My attempts with IP Spoofing – Revisited. Now back to the original story:
When customers install our product, they often forget to setup firewall rules to accept incoming connections from public IM (instant messaging) providers. Without the firewall rules in place the product does not function properly, of course, and the customer rushes to open a support trouble ticket. Troubleshooting to pinpoint the problem to a missing firewall rule isn't trivial. When we try to validate whether the customer defined the required firewall rule, we need the external entity (that we have no control on) to open a connection to the customer's IP, but the external entity will only do so following the successful completion of a handshake sequence that must be initiated by the customer (consider for example: XMPP Dial-Back mechanism), since this handshake by itself is prone to failures, you can see how reproducing the problem is a combursum process.
I started looking for a simple, independent, and reliable, troubleshooting procedure that would be able to give a clear-cut answer to whether or not the customer defined the firewall correctly.
Here's what I've concocted:
- Assume that the customer IP is 188.8.131.52 and they were suppose to configure their firewall to allow incoming connections from 184.108.40.206.
- I'll send a single TCP SYN packet (the 1st of the standard three messages TCP handshake) from my computer (say it's IP is 220.127.116.11), but I'll spoof the IP datagram's source address field to be 18.104.22.168 instead of what normally should have been my actual machine address (22.214.171.124).
- I'll ask the customer to run a network sniffer on the IM Gateway machine. Waiting for the single packet to arrive at the destination socket.
- If the sniffer had recorded the incoming IP message, then it means that the firewall is setup correctly and the problem is else where.
But, If the sniffer didn't record any incoming SYN packet, then we shell blame the firewall guys.
Pretty simple, eh? Now, in order to spoof the TCP SYN packet I needed a something that could generate and send raw IP packets, since you can't just fiddle with the source IP address if you choose to ride on the good'ol TCP/IP stack. I found this IP spoofing perl script on the net, and it does the job.
[caption id="attachment_103" align="alignnone" width="300" caption="Visualization of the various routes through a portion of the Internet. Took it from Wikipedia."][/caption]
I did my first test on the office LAN, I sent a message from machine (IP 126.96.36.199) to to machine 188.8.131.52 claiming the message source was 184.108.40.206, it worked! Machine 220.127.116.11 registered an incoming packet from 18.104.22.168.
It seems that the office router went along with the scam, perhaps it thought that the machine switched IP it IP, or the DHCP server went crazy, or that it's ARP cache is just stall.
In the next test I tried sending the packet over the Internet, I tried sending a packet to my home computer from the office, with a source IP of some foreign entity, to my dismay, it never got to my home computer. Other IP variations didn't work either.
My guess is that some router along the way noticed that it's getting a packet with a source IP address that the part of the network it is looking can't can't possibly generate (imagine CIDR based ACLs), and that caused it to immediately drop the packet. This failure caused me to give up on the whole spoofing troubleshooting procedure idea.
Some thoughs about what I've seen:
- Evidently, It's quite trivial to spoofe IP addresses on a LAN.
- Spoofing IP addresses over the Internet doesn't seem to be trivial.
- A side note: If the customer has a reverese proxy, or any form of entity that delegates TCP handshakes, deployed before the actual IM Gateway machine, then the procedure is not applicable, as the first TCP SYN message will never reach the IM Gateway machine.
- I would assume that the closer you inject the packet into the Internet backbone blood stream, the better the chances of not getting a rejection of the spoofed packet. The backbone routers communicate with many difference parts of the network, and might not have rational of where certain packates should be coming from or not.
IP Packets tend to travel in different routes, making it harder to judge what IP CIDR is ligit from each fellow router.
- I'm guessing that the biggest problem for spoofing is the first or the second router (the ISP's), since the ISP knows exactly what is your assinged address. Thereby knowning that the packet is spoofed.
- If any one knows a better method of spoofing source IP, please step forward and share your secret :)