If 127.0.0.1 is your source IP on a forged packet to another host, I do not
think that there is anyway that the attacking host will get a response
back, since the targeted host will then reverse the entries (source becomes
target and vice-versa) to send packets back. It then has to use 127.0.0.1
as the target which is the target host itself. (Anyway, correct me if I am
Given the above, although the attacker will not get any packets back, he
can still use it as a denial of service attack if the attacking host
continuously send packets to the target machine with a source address of
In certain instances, the attacker does not need to see any packets back
nor does he need to see the results of his doing.
> From: Frank O'Dwyer <frank .
> To: firewalls @
> Subject: Spoof 127.0.0.1 AND get a response. Possible?
> Date: Tuesday, February 18, 1997 10:12 PM
> This is a question for IP stack gurus.
> Given that a packet with a source address of 127.0.0.1
> can be forged and delivered (via SLIP or whatever) to the
> target machine, is there any way to get a response packet
> back to the attacker machine? In other words, is it reasonable
> to assume this is _not_ possible (i.e. that routing will either try
> to deliver the response locally or will just toss the response
> packet on the floor). Will the incoming forged packet even get
> delivered, or must IP forwarding be on for this? What about
> on Windows '95 or on NT?
> Or, is there anything that can be done with (say) source
> routing to get the response safely back? Even better,
> has anyone out there got access to a suitable test rig in
> order to empirically verify what _really_ happens? I'm especially
> interested in knowing what NT's and Win95's stack would
> do with a source routed packet like this.
> Please reply directly and I will summarize, or alternatively
> please cc this address (frank .
ie) on your reply.
> Thanks in advance for any help on this one.
> Frank O'Dwyer.