Techie question: someone explain IP masking to me

Note that I’m NOT looking for links on how to do this, nor am I advocating or looking for advice on how to perform illegal activities. I’m just looking for some answers.

Ok, so say I have reason to believe someone was trying to impersonate me and somehow emulated my IP so it would be logged in a server of some sort. I understand this is known as “IP masking”, but how possible is it? Is it something someone can do with an easy download, or do you need to be a l337 h4x0r, or is it mostly a myth, easier said than done?

Secondly, what are the technical limitations on such an action? I’ve heard you have to be in the same city as the IP you’re trying to fake, but is it possible to trick a server into logging an IP (and the ISP it’s attached to, for that matter) across the globe instead of your own? Let’s assume the server itself is impenetrable, so this would all have to be done by the end-user. No hacking into the computer to change the logs.

IP masking is typically done by simply using a proxy server. Let’s say you are computer A, the computer you are trying to access is computer B, and there’s another computer out there acting as a proxy server called C. Instead of A contacting B directly, A contacts C, and C contacts B. B only sees messages from C, so A’s IP address is hidden from B.

This by itself is not illegal. However, the main reason people do this is to hide themselves because they are doing something that they shouldn’t (and possibly something that is illegal or at least damaging). For this reason, many servers, including the Straight Dope, will ban you for simply using a proxy in this manner. And, because this is forbidden here, I’m not going to tell you how to set it up.

I don’t see how someone could fake out your IP address, unless they managed to hack into your computer and were relaying packets through it.

Note that there are legal uses for proxy servers. We have one at work. All of our computers have to access the proxy server to get to the internet. The proxy server is used to restrict access to certain sites, and helps to prevent outside computers from accessing computers inside our network. From the internet, the only computer directly visible is our proxy server.

I think that’s about as much as I can answer without having a mod come in and shut down this thread. If you want more details I suggest contacting a mod and asking them exactly what the limits are for this discussion.

I’d like to dispute the notion that most people whose IP is hidden are doing something wrong. An enormous number of computers are connected to the Internet via a NAT box (like the proxy server you yourself use) which translates private LAN IPs to routable Internet IPs. This is a fact of network architecture and has a number of design and security benefits, and it has nothing whatsoever to do with concealing wrong behavior in most cases.

In addition, most of us live in a free society. The US Constitution protects the people’s right to free speech, and the courts have maintained that anonymous speech is an important right in an open society. People have the right and often the need to be able to speak anonymously, and our society protects that right. That makes it very important that we fight the impression that the very act of concealing your identity (or your IP) is evidence of wrongdoing. The fact that bad people hide their IP doesn’t mean that all people who hide their IP are bad.

Individual sites like SDMB have every right to restrict users who hide their IP. This forum has rules which require every user to be accountable for their actions here, and not masking your IP is part of that accountability. As a private site, there’s no reason SDMB can’t make this requirement. However, there are a lot of people who use anonymous proxy servers to post political or social criticism on open forums which don’t have this rule (e.g. Usenet) and the freedom to do that is an important part of a free society.

Sorry to go off on a philosophical rant in a routine technical thread, but it’s important that we fight the misconception that anonymous == evil.

How exactly does a board such as SDMB know you’re behind a proxy? Or are you only talking about a few, well-known proxies?

Heh, when I hear “IP masking” I think of either netmasks (a number that says which parts of your IP address identify the network you belong to, and which identify your computer) or the feature on some IRC servers that keeps your IP address hidden from other users.

But it sounds like you’re talking about hiding a computer’s IP address from any service on the internet. Besides proxies, the other way that’s done is with “spoofing” - putting a fake return address on your packets.

Imagine you had a l337 h4x0r telephone that let you change the caller ID number sent to whoever you called. You could call someone and they’d think you were calling from a different number. Of course, if they tried to call you back with *69, they’d end up calling whoever really owned that number, not you. If everyone you called insisted on calling you back before they started talking, your trick phone would become useless.

That’s the downfall of spoofing: You can send packets with a fake return address, but you can’t receive any packets that are intended for that address. If a service wants to block spoofers, all it has to do is send some random number to each client, and require them to repeat the number back before doing business.

Sure, if you have access to a proxy across the globe, you can just use that.

Spoofing is easily defeated… your ISP will probably notice you sending packets that seem to originate outside their network, and block them automatically. That may be what you heard about - if the IP address you’re spoofing is on the same network, it might slip past the filters.

Others have alluded to it, but I’ll answer your questions directly: it’s highly unlikely that someone is accessing some server and appearing as though they are coming from your IP address.

They could pretend to be you by knowing your password, or breaking into the system and altering things to look like you, but it’s technically very difficult to look like you’re at someone else’s IP address for any protocol that requires packets to be sent and received in both directions. (read: pretty much every protocol, including basic web-surfing via HTTP).

I used the words “highly unlikely” and “very difficult” above because there is no 100% certainty in these things. But for all practical purposes, you could plug in the word “impossible” where I used those phrases.

Also, ditto to what Mr2001 said about what most people in the field would assume “IP masking” means.

Also, ditto to what micco said about proxy servers and civil liberties.

It’s true that you can’t use a spoofed IP address to read a web page. However, it’d be possible to post on a message board using a spoofed IP address, since you don’t need to wait for a reply from the web server before sending the post request.

I’m afraid posting won’t work either. TCP has a three-way handshake just to establish a connection. With IP spoofing, the acknowledgement (ACK) packets won’t make it back. IP address spoofing has been used for denial of service attacks, since the remote server must allocate resources anticipating the connection which will/can not be established.

I suppose that spoofing of the nature you propose might work for protocols that run over a datagram transport like UDP, but I don’t know of any that don’t involve ACKs at the higher protocol level or other control logic that would render this impossible in practice.

Well, I don’t know much about the internals of TCP, but is it really necessary for the spoofer to receive those acknowledgements? Can’t he just pause a few MS and assume the connection request was acknowledged? We can assume he’s sending raw packets, going around his OS’s TCP stack, and only wants to open a connection and send a string.

Many IRC servers have spoof protection that works just as I described - when you connect, the server sends your client a random number, and you can’t do anything until your client echoes the number back. Since IRC only works over TCP, I can’t imagine what else that feature would be intended for.
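
The random-number check described in the posts above, as an added example that is not part of the original thread: a small Python simulation in which the server's reply is routed to the claimed source address, so a sender using a forged address never sees the number it has to echo. The class and function names and the documentation-range addresses are constructed for illustration.

```python
import hmac
import secrets


class ChallengeServer:
    """Accepts a post only after the client echoes a random number."""

    def __init__(self):
        self.pending = {}   # claimed address -> number the server sent to it
        self.log = []       # (address, message) pairs the server accepted

    def hello(self, claimed_src):
        # The reply is addressed to whatever source the packet claimed.
        number = secrets.token_hex(8)
        self.pending[claimed_src] = number
        return claimed_src, number

    def post(self, claimed_src, echoed, message):
        # Each number is single-use: pop it so it cannot be replayed.
        expected = self.pending.pop(claimed_src, None)
        if expected is None or not hmac.compare_digest(expected, echoed):
            return False
        self.log.append((claimed_src, message))
        return True


def attempt(real_addr, claimed_src, message):
    """Simulate one client at real_addr sending as claimed_src.

    Returns (accepted, server_log). Addresses are constructed samples.
    """
    server = ChallengeServer()
    inboxes = {}  # toy network: each reply lands at its destination address

    dst, number = server.hello(claimed_src)
    inboxes.setdefault(dst, []).append(number)

    # The client can only read what was delivered to its real address.
    seen = inboxes.get(real_addr, [])
    echoed = seen[0] if seen else "0" * 16   # nothing received: blind guess
    return server.post(claimed_src, echoed, message), server.log


if __name__ == "__main__":
    print(attempt("203.0.113.7", "203.0.113.7", "hello"))    # honest client
    print(attempt("198.51.100.9", "203.0.113.7", "forged"))  # forged source
```

TCP's handshake relies on the same idea, with the server's initial sequence number playing the part of the random number.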

Mr2001 wrote

I’m afraid this is incorrect for all practical purposes. HTTP is a TCP protocol. TCP is connection-oriented. I won’t dig into all the details of how TCP works, but in summary: TCP guarantees delivery of all data. This means that packets must be sent, received and processed in both directions. Just to send a single byte via TCP requires several packets, going in both directions. To send a message of any length, like say this post (or any post), TCP breaks it up and sends it across multiple IP packets, and there are acknowledgements associated with them.

Technically, there are ways that this can be faked in some instances. But this is beyond the scope of what most hackers are capable of.

uh, yeah; what John T. Conklin said.

Mr2001 wrote

Not to be picky, but the concepts of “connections” and “strings” are TCP concepts. They don’t make sense at the Network (IP) layer.

A connection is well, a connection, where two hosts are connected. Which is what TCP does, it provides a connection between two hosts, through which you can send messages (or strings).

At the IP layer, there’s no connection. One host blasts a packet to another. Does it get there? Is it dropped? Is it mangled? Is it out of order? IP doesn’t know, and doesn’t care. That’s TCP’s job.

TCP/IP is a pretty fascinating set of protocols. May I suggest my friend Radia Perlman’s book Interconnections: Bridges, Routers, Switches, and Internetworking Protocols? It’s very good technically, yet is amusing and fun-reading as well. Well, fun if protocols and such are a good time to you.

And speaking of friends and TCP/IP…

I have two married friends whose last name is Polson (changed to protect the innocents). They have two children, who are now in their late teens. Child one is named Thomas Conrad, and Child two is named Ian.

That’s right; my friends intentionally named their children TCP and IP. And this was long before the Internet was a household thing.

Tells you the sort of friends I have.

As long as one “real hacker” has written the code to do it, script kiddies can do it too.

TCP spoofing may be complicated, but it certainly exists - the spoof protection on IRC was designed to stop a problem that was actually occurring. Searching Usenet for “tcp predict spoof ip” brings up some interesting information: Apparently you can easily predict the TCP sequence numbers on some systems, and older versions of Linux had a flaw that would allow you to open a spoofed connection to a Linux server without knowing the sequence number at all.

Certainly. What I meant was the attacker could convince the server that he was opening a TCP connection (from a fake address) and sending a string, when in fact he was sending individual raw packets, bypassing his OS’s TCP stack.

In any case… this probably isn’t anything for the OP to worry about. Spoofing is difficult to begin with, ISPs have caught on, operating systems have been strengthened, and anyone with that much time and knowledge has better things to do with it than forge posts on a message board.

Can someone answer Shalmanese’s question, if it wouldn’t break board rules? I suppose my assumption would be that the proxy would be asking for data from the SDMB just the same as anyone else. How can the SDMB know where the proxy sends the data afterward?

It can’t know where the data is going. It can’t tell the request is coming from a proxy, unless the proxy goes out of its way to let the web server know (e.g. by changing the User-Agent string).

However, the board admins can check a site to see if it’s running a proxy on one of the standard ports, and ban sites that are running proxies. The board software could even check it automatically, which is what many IRC servers do.

Mr2001 wrote

True.

True. But IRC spoofing is in the application layer, and TCP spoofing is in the transport layer. They’re very different as far as how they’re done, what they accomplish, and how they’re prevented.

I’m very familiar with the details of IP spoofing and TCP spoofing (different beasts by the way); it’s what I’ve done for a living for a long time. As to your specific point about older systems being hackable because of their predictable sequences, this is true, but not really relevant to today’s world, as there aren’t a lot of systems out there that are susceptible to it. Even exploiting this flaw won’t in itself be enough to do what the OP is worried about. There are other things to get around.

IP spoofing is a different beast. Typically, it’s used to send evil packets to a device from outside a network that seem to come from inside the network. Most firewalls today block this sort of traffic by default. Also, this won’t accomplish what the OP is worried about.

Another lo-tech way to spoof your IP is to simply log in to a remote computer (either via telnet or ssh or VNC etc.) and do everything remotely.

So basically what I’m getting is that it would be technically nearly impossible to reliably/easily fake a server into logging certain actions under another person’s specific IP address, but it’s entirely possible to use a proxy server to have it log another, dummy IP address?

Project Omega, that is correct.
Shalmanese, you’re using the term “spoof” incorrectly. “Spoof” means to pretend you’re some specific other person or entity. You don’t spoof to hide your identity; you spoof to assume someone else’s identity.