From owner-freebsd-questions Thu Feb 27 05:25:12 1997
Date: Thu, 11 Jan 1996 07:56:07 +0800 (WST)
From: Adrian Chadd
To: Chad Scott
cc: freebsd-questions@freebsd.org
Subject: RE: Spoofed IPs
In-Reply-To: <01BC2449.A09FC8D0@enterprise.hippie.net>

> Normal IP spoofing. I understand the ident stuff :)
>
> This is ircd2.8.2+CSr25... I've experimented with porting the Undernet random ping thing, but that code doesn't translate very well, and I always end up coring.
>
> Any ideas?

Ok. People might be playing with source-routed packets (lots of IP spoof attacks on stuff like rsh, rlogin, etc, that rely on an IP for authentication of a machine), from what I remember that could be a way to do it.

Do a sysctl net.inet.ip.sourceroute, it should equal 0 (from memory FreeBSD defaults to that, and all my 2.1.x and 2.2 machines do).

Another way that I've done before is sending the machine a spoofed DNS packet just after the connection is requested, sending incorrect reverse-dns data to the machine running the ircd. Is the machine that isn't susceptible running a nameserver?

Also - try asking the guys who wrote the Undernet server source and anti-IP spoofing protection, they might have a thing or two to say :)

Anyone else have any ideas?

Adrian.