{"id":5566,"date":"2016-08-18T09:08:46","date_gmt":"2016-08-18T14:08:46","guid":{"rendered":"http:\/\/appcrawler.com\/wordpress\/?p=5566"},"modified":"2016-08-18T09:08:46","modified_gmt":"2016-08-18T14:08:46","slug":"spoofed-ip-network-behaviour","status":"publish","type":"post","link":"http:\/\/appcrawler.com\/wordpress\/2016\/08\/18\/spoofed-ip-network-behaviour\/","title":{"rendered":"Spoofed IP network behaviour"},"content":{"rendered":"

In this case, we spoof the IP of our client to 192.168.1.101.<\/p>\n

When we do this, and send only a SYN packet to the server, we see the SYN on the client…<\/p>\n

\r\n[root@cmhlcarchapp02 ~]# python spoof.py 1\r\n09:37:52.469226 IP 192.168.1.101.49999 > cmhlparchodb01.mydomain.com.ncube-lm: Flags [S], seq 454:472, win 53270, length 18\r\n[root@cmhlcarchapp02 ~]#\r\n<\/pre>\n
…and the receipt of the SYN on the server, a SYN and an ACK back to the client, and a reset from the client.<\/p>\n
\r\n[root@cmhlparchodb01 trace]# tcpdump -i ens192 host 192.168.1.101\r\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode\r\nlistening on ens192, link-type EN10MB (Ethernet), capture size 65535 bytes\r\n09:37:53.047017 IP 192.168.1.101.49999 > cmhlparchodb01.mydomain.com.ncube-lm: Flags [S], seq 454:472, win 53270, length 18\r\n09:37:53.047057 IP cmhlparchodb01.mydomain.com.ncube-lm > 192.168.1.101.49999: Flags [S.], seq 1774105243, ack 455, win 29200, options [mss 1460], length 0\r\n09:37:53.048101 IP 192.168.1.101.49999 > cmhlparchodb01.mydomain.com.ncube-lm: Flags [R.], seq 1, ack 1, win 29200, length 0\r\n<\/pre>\n
Wait a minute, the client doesn’t exist!!  Where did the server get the reset from?  In this case, it was our firewall…<\/p>\n
\r\nCLMBOH0001-FWL011\/pri\/act# sh capt archcapt\r\n\r\n2 packets captured\r\n\r\n   1: 13:36:25.098673       172.26.210.52.1521 > 192.168.1.101.49999: S 399788921:399788921(0) ack 455 win 29200  \r\n   2: 13:36:25.098780       192.168.1.101.49999 > 172.26.210.52.1521: R 455:455(0) ack 399788922 win 29200 \r\n2 packets shown\r\nCLMBOH0001-FWL011\/pri\/act# \r\n<\/pre>\n
The firewall sent the RST packet to the server when it couldn’t find the client to which the SYN\/ACK should be sent.  It also forwarded the spoofed client IP to the server, as shown above for both the server packet capture and the firewall capture.<\/p>\n","protected":false},"excerpt":{"rendered":"
In this case, we spoof the IP of our client to 192.168.1.101. When we do this, and send only a SYN packet to the server, we see the SYN on the client… [root@cmhlcarchapp02 ~]# python spoof.py 1 09:37:52.469226 IP 192.168.1.101.49999…<\/p>\n
Read more →<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[56,66],"tags":[],"_links":{"self":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts\/5566"}],"collection":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/comments?post=5566"}],"version-history":[{"count":2,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts\/5566\/revisions"}],"predecessor-version":[{"id":5569,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts\/5566\/revisions\/5569"}],"wp:attachment":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/media?parent=5566"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/categories?post=5566"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/tags?post=5566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}