How Firewalls Are Defeated Part 1
Packet Spoofing
Obviously, humans can be fooled. But humans can rely on experience and intuition to judge situations individually. Machines, in contrast, have no intuition and a limited ability to build upon experience. Most of the time they are guided by rules. And rules are black and white. So if a bad guy can turn the black into white, he can fool a machine.
Remember that a packet's headers (the IP header and the TCP header) carry data such as the source and destination IP address and port.
For those of us who are content to sit back and let Internet Explorer or Outlook handle the details, fields such as source port and destination port are populated by the application. But a technically savvy maladjusted user can alter these values to make them appear to be something else. So to build upon an example from above, your connectivity needs may be so simple that your firewall’s access control list consists of two (simplified) entries:
1. Permit 100.101.102.103 25
2. Deny all.
A packet bound for your email server (which has an IP address of 100.101.102.103) but over port 23—which is Telnet, a remote login protocol—would be denied. In fact anything sent to this IP address over any port other than 25 would be denied, as a failure to match rule number 1 then invokes rule number 2. But if a cracker sends you Telnet commands with an altered header which lists port 25 as the destination, that packet will get through.
Another form of packet spoofing is to alter the packet header so that the target’s IP address is used as the source address. The firewall thinks that the packet came from within the network, and therefore sees no reason to deny it.
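The two cases above come down to one thing: a rule-based filter decides on header fields alone and never asks whether those fields are true. The following is an added example, not code from the original article, that models the two-entry access list in the text as a tiny Python filter, shows the verdicts for the Telnet, mail and spoofed-source packets, and adds the ingress check a defender would put in front of such a list: a packet arriving on the outside interface can never legitimately carry an inside source address. The addresses, interface names and the internal prefix are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed example. The internal prefix, the outside test address
# (from the 203.0.113.0/24 documentation range) and the interface names
# are assumptions; only 100.101.102.103 comes from the article.
INTERNAL_PREFIX = "100.101.102."
MAIL_SERVER = "100.101.102.103"


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrived on: "outside" or "inside"
    src_ip: str      # source address as written in the IP header
    dst_ip: str      # destination address
    dst_port: int    # destination port from the TCP header
    payload: bytes = b""


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def acl_two_entries(pkt: Packet) -> str:
    """The article's list: 1. permit 100.101.102.103 25; 2. deny all.
    Only header fields are consulted; the payload is never inspected, so a
    packet that claims port 25 passes whatever it carries."""
    if pkt.dst_ip == MAIL_SERVER and pkt.dst_port == 25:
        return "permit"
    return "deny"


def acl_trusting_inside(pkt: Packet) -> str:
    """The same list, preceded by the common 'trust anything from inside'
    rule. This is the filter fooled by the second spoofing case above: it
    believes the source address field as written."""
    if is_internal(pkt.src_ip):
        return "permit"
    return acl_two_entries(pkt)


def acl_hardened(pkt: Packet) -> str:
    """Ingress filtering in front of the trusting list: a packet that
    arrives on the outside interface with an inside source address cannot
    be genuine, so it is dropped before any permit rule is consulted."""
    if pkt.iface == "outside" and is_internal(pkt.src_ip):
        return "deny (spoofed source)"
    return acl_trusting_inside(pkt)


def audit(packets, naive, hardened):
    """Return the packets the naive filter lets through but the hardened
    one rejects; useful when reviewing an existing rule set."""
    return [p for p in packets
            if naive(p) == "permit" and hardened(p) != "permit"]


# Constructed sample traffic.
TELNET = Packet("outside", "203.0.113.5", MAIL_SERVER, 23)
MAIL = Packet("outside", "203.0.113.5", MAIL_SERVER, 25)
SPOOFED = Packet("outside", "100.101.102.50", MAIL_SERVER, 23)

if __name__ == "__main__":
    for name, pkt in [("telnet", TELNET), ("mail", MAIL), ("spoofed", SPOOFED)]:
        print(f"{name:8s} two-entry={acl_two_entries(pkt):6s} "
              f"trusting={acl_trusting_inside(pkt):6s} "
              f"hardened={acl_hardened(pkt)}")
    print("caught by hardening:",
          [p.src_ip for p in audit([TELNET, MAIL, SPOOFED],
                                   acl_trusting_inside, acl_hardened)])
```

The ingress rule works because it keys on something the sender does not control, the interface the packet physically arrived on, rather than on a header field the sender wrote. It does nothing for the first case, where the destination port is forged: that packet is indistinguishable from legitimate mail traffic at the header level, which is why the article's next topics and, in practice, inspection of what the packet carries are needed.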
Next time: Packet Fragmentation