Great Circle Associates Firewalls
(February 1997)
 


Subject: Re: Spoof 127.0.0.1 AND get a response. Possible?
From: "MotivationAsia Philippines" <motivate @ mnl . sequel . net>
Date: Wed, 19 Feb 1997 17:12:15 +0800
To: "Frank O'Dwyer" <frank . odwyer @ sse . ie>, <firewalls @ greatcircle . com>

If 127.0.0.1 is your source IP on a forged packet to another host, I do not
think that there is any way that the attacking host will get a response
back, since the targeted host will then reverse the entries (source becomes
target and vice-versa) to send packets back. It then has to use 127.0.0.1
as the target which is the target host itself. (Anyway, correct me if I am
wrong)

Given the above, although the attacker will not get any packets back, he
can still use it as a denial of service attack if the attacking host
continuously sends packets to the target machine with a source address of
127.0.0.1.

In certain instances, the attacker does not need to see any packets back
nor does he need to see the results of his doing.



John Salvo

----------
> From: Frank O'Dwyer <frank . odwyer @ sse . ie>
> To: firewalls @ greatcircle . com
> Subject: Spoof 127.0.0.1 AND get a response.  Possible?
> Date: Tuesday, February 18, 1997 10:12 PM
> 
> 
> This is a question for IP stack gurus. 
> 
> Given that a packet with a source address of 127.0.0.1
> can be forged and delivered (via SLIP or whatever) to the 
> target machine, is there any way to get a response packet 
> back to the attacker machine?  In other words, is it reasonable
> to assume this is _not_ possible (i.e. that routing will either try
> to deliver the response locally or will just toss the response 
> packet on the floor). Will the incoming forged packet even get 
> delivered, or must IP forwarding be on for this? What about
> on Windows '95 or on NT?
> 
> Or, is there anything that can be done with (say) source
> routing to get the response safely back?  Even better,
> has anyone out there got access to a suitable test rig in 
> order to empirically verify what _really_ happens? I'm especially 
> interested in knowing what NT's and Win95's stack would 
> do with a source routed packet like this.  
> 
> Please reply directly and I will summarize, or alternatively
> please cc this address (frank . odwyer @ sse . ie) on your reply.
> 
> Thanks in advance for any help on this one.
> 
> Cheers,
> Frank O'Dwyer.
> 
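
A receive-side check for the case discussed in this thread, as an added example that is not part of the original posts: it flags an IPv4 header whose source address is in 127.0.0.0/8 on a non-loopback interface, and any loose or strict source route option. The function names, the interface names `eth0` and `lo`, and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
SOURCE_ROUTE = {131: "LSRR", 137: "SSRR"}  # loose / strict source route, RFC 791


def drop_reasons(header, ingress_if, loopback_if="lo"):
    """Return the reasons a receive-side filter would drop this IPv4 header."""
    if len(header) < 20:
        return ["truncated header"]
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        return ["malformed header"]
    reasons = []
    src = ipaddress.ip_address(header[12:16])
    # A loopback source is only legitimate on the loopback interface itself.
    if src in LOOPBACK and ingress_if != loopback_if:
        reasons.append(f"martian source {src} on {ingress_if}")
    i = 20  # options occupy bytes 20..ihl
    while i < ihl:
        opt = header[i]
        if opt == 0:      # end of option list
            break
        if opt == 1:      # no-operation, single byte
            i += 1
            continue
        if i + 1 >= ihl or header[i + 1] < 2 or i + header[i + 1] > ihl:
            reasons.append("malformed option")
            break
        if opt in SOURCE_ROUTE:
            reasons.append(f"source route option {SOURCE_ROUTE[opt]}")
        i += header[i + 1]
    return reasons


def sample_header(src, dst, options=b""):
    """Constructed test input: header bytes only, checksum left zero."""
    options += b"\x00" * (-len(options) % 4)
    ihl_words = (20 + len(options)) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, 20 + len(options),
                       0, 0, 64, 6, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options


# Constructed samples: 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
LSRR = bytes([131, 7, 4]) + ipaddress.ip_address("192.0.2.1").packed
print(drop_reasons(sample_header("127.0.0.1", "192.0.2.10"), "eth0"))
print(drop_reasons(sample_header("127.0.0.1", "192.0.2.10", LSRR), "eth0"))
print(drop_reasons(sample_header("198.51.100.7", "192.0.2.10"), "eth0"))
```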
