ISP Spoof Tester (draft)

.... under construction ....

Introduction
Many denial of service attacks on the Internet originate from networks whose routers permit packets with spoofed source addresses to originate from within the "local" subnets. You can test your Internet Service Provider's filtering policy by running one of the client programs from the table below.

The client program communicates with a designated server program that provides the client program with a source address to use in generating a series of six packets. If the server program detects any of the packets, your client program will encourage you to contact your ISP to have the proper router filters installed to block spoofed packets.

The client program uses RAW sockets to send a UDP, ICMP, and TCP packet to the server, followed by the same three packets with RecordRoute enabled. The server provides other identifying data that the client includes in the probe packets (including the client's real IP address). The transport layer checksums are incorrect in the probe packets, so the server will not send back any packets to the spoofed source address. In the reference implementation, the server provides a session ID that the client places in the IP ID field. The client's real IP address, as seen by the server's TCP connection with the client, is placed in the TCP Sequence Number field. The TCP Acknowledgement number is 0xCCCCCCCC and the TCP window is 0xEEEE. Only the IP protocol number field is changed to send the other protocols.
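A server-side check for the probe layout described above, as an added example (not the reference implementation): it parses a captured IPv4 packet, matches the 0xCCCCCCCC / 0xEEEE markers, and recovers the session ID and the client's real address. The names parse_probe, has_record_route and SAMPLE are hypothetical, the sample packet is constructed, and the code assumes the UDP and ICMP probes carry the same 20 header bytes as the TCP probe.

```python
import socket
import struct

PROBE_ACK, PROBE_WINDOW = 0xCCCCCCCC, 0xEEEE   # marker values given on the page
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
IPOPT_RR = 7                                   # IPv4 Record Route option type (RFC 791)

# Constructed sample: claimed source 192.0.2.10, real client 203.0.113.7,
# session ID 0x1234; checksums are zero (this parser does not verify them).
SAMPLE = bytes.fromhex(
    "45000028 12340000 40060000 c000020a c6336405"   # IPv4 header
    "04005d3f cb007107 cccccccc 5002eeee 00000000"   # TCP-shaped probe header
)

def has_record_route(options: bytes) -> bool:
    """Walk the IPv4 options area looking for a Record Route option."""
    i = 0
    while i < len(options):
        opt = options[i]
        if opt == 0:                    # End of Option List
            break
        if opt == 1:                    # No-Operation is a single byte
            i += 1
            continue
        if opt == IPOPT_RR:
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                       # malformed length: stop instead of looping
        i += options[i + 1]
    return False

def parse_probe(packet: bytes):
    """Return the probe's fields, or None if this is not a spoof-test probe."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4        # header length grows when options are present
    if ihl < 20 or len(packet) < ihl + 20 or packet[9] not in PROTO_NAMES:
        return None
    (ip_id,) = struct.unpack_from("!H", packet, 4)
    # Assumption: the same 20-byte TCP-shaped header follows for all three protocols.
    seq, ack = struct.unpack_from("!II", packet, ihl + 4)
    (window,) = struct.unpack_from("!H", packet, ihl + 14)
    if ack != PROBE_ACK or window != PROBE_WINDOW:
        return None
    src, real = packet[12:16], struct.pack("!I", seq)
    return {"session_id": ip_id, "protocol": PROTO_NAMES[packet[9]],
            "claimed_source": socket.inet_ntoa(src),
            "real_client": socket.inet_ntoa(real),
            "spoofed": src != real,     # probe arrived with a source other than the client's
            "record_route": has_record_route(packet[20:ihl])}
```

A result with "spoofed" set to True means the probe crossed the ISP's routers unfiltered; the session ID ties it back to the client's TCP control connection.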

Client program
From the following table, download the client program for your OS. Included in the download is a README file describing how to install and run the program on your platform. For the UNIX clients, you will need root access to install and run the client. For NT, you will need system administrator privileges to install the network driver.

OS             Client download      MD5 checksum
Linux 2 glibc  linux-spfclnt.tgz    119fac3a3660d6186f821949c1a58064
FreeBSD        freebsd-spfclnt.tgz  119fac3a3660d6186f821949c1a58064
SunOS 4        sunos-spfclnt.tgz    119fac3a3660d6186f821949c1a58064
Solaris        solaris-spfclnt.tgz  119fac3a3660d6186f821949c1a58064
SGI            sgi-spfclnt.tgz      119fac3a3660d6186f821949c1a58064
AIX            aix-spfclnt.tgz      119fac3a3660d6186f821949c1a58064
WIN95/98       win-spfclnt.exe      119fac3a3660d6186f821949c1a58064
NT SP4         nt-spfclnt.exe       119fac3a3660d6186f821949c1a58064

Server
When running your client, use one of the following server/port-number pairs:

tryme.what.gov 23871
notreally.why.com 21381

The server can also record information on spoofable subnets.

One might be able to bypass the Windows hacks required to emit spoofed packets by providing bootable Linux floppies. trinux illustrates how such floppies can be generated. Also, see ICSA's NetLitmus spoof tester.

For more info on back tracking spoofed packets


Last Modified Sunday, 10-Jun-2001 19:39:31 EDT thd@ornl.gov