In message <54B34A12.4000704@tnetconsulting.net>, Grant Taylor writes:
On 01/11/2015 07:42 PM, Mark Andrews wrote:
Just because you can only identify one of the two remotes doesn't mean that you can't report the addresses. It is involved in the communication stream.
It is very difficult to make a case that the host with the spoofed IP address is attacking you when it is not even sending any traffic to you.
It is accepting the reply traffic and forwarding it to the originator. It is directly involved.
The ISP will very likely not see ANY traffic originating from spoofed IP destined to your server.
They will see the reply traffic and will see the acks increasing etc.
So what you do know is effectively useless.
Actually it is coming from where you think it is coming from, just not directly.
No, not quite.
1 - Spammer (A) sends packets to server (B) spoofing the source address of the relay (C). (A spoofed as) C -> B 2 - Server (B) replies to relay (C) B -> C 3 - Relay (C) sends packets to spammer (A). C -> A
Notice how the relay (C) is never sending packets -to- the server (B). The traffic is NOT coming from the relay (C).
This is not a case of the spammer (A) sending to the relay (C) that is then sending the traffic to the server (B).
There is no traffic originating from the relay (C) going to the server (B). Thus there is nothing to be caught by the relay's ISP ISP filter. You could even use this technique on ISPs that block outbound traffic to TCP port 25. (Like many cable / DSL providers.)
Also notice how the server (B) never knows the spammer's (A) real IP.
This is very similar in concept to a Joe Job, but at the TCP layer, not the SMTP application layer.
----
The point of this is that it is possible, and occurring in the wild, to spoof TCP source IP addresses. - So, don't blindly trust the source IP address used for TCP connections. - It is possible (if not practical) to spoof them and have a successfully transmission.
There is no difference to this than asymetric routing. The address you are presented with is part of the communication path.
-- Grant. . . . unix || die -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org