Previously, we discussed what IP address spoofing is. In fact, in almost all cyber attacks, the attacker spoofs the source IP address so that it becomes very difficult to catch the attackers. But how do the attackers do that? How can they change the IP address of outgoing IP packets? And is there anything we can do to prevent spoofed IP packets?
Let’s understand that in more detail.
As we all know, a firewall (What is a firewall?) inspects all incoming and outgoing IP packets and accepts or rejects them based on predefined rules. Many of us already know how to configure the iptables firewall on Linux (How to configure the iptables firewall on Linux?). In fact, using iptables we can easily change the source IP address of our outgoing packets. Iptables offers this option because source address rewriting is very useful for network testing, diagnostics, and security penetration testing.
We need to execute the following command for that purpose:
# sudo iptables -t nat -A POSTROUTING -p icmp -j SNAT --to-source 192.168.1.121
This rule says that for packets using the ICMP protocol, the source IP address will be rewritten to 192.168.1.121. It sits in the POSTROUTING chain of the nat table, so it is applied to outgoing packets after they have completed the routing decision in the machine and are about to be sent out on the wire.
Now, before executing the command, you can list all the IP addresses present in your local network with arp-scan:
# sudo arp-scan --interface=eth1 --localnet
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1     48:8f:b3:63:20:a5       (Unknown)
192.168.1.120   07:63:97:c8:f1:c5       (Unknown)
192.168.1.133   00:1f:3a:bc:7b:58       Pr_Bc
192.168.1.138   cf:4b:63:7f:04:84       (Unknown)
192.168.1.117   cd:c5:eb:68:22:4b       (Unknown)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.289 seconds (198.60 hosts/sec). 5 responded
So, the IP address 192.168.1.121 is not assigned to any host on this network; packets carrying it as their source address are spoofed.
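The arp-scan listing above is exactly the information a defender needs to answer the article's opening question of whether spoofed packets can be stopped: any packet leaving the LAN whose source address is not inside the local subnet, or is not an address any host actually answered ARP for, is suspect. The following is an added example, not code from the article, that parses the arp-scan output shown above, classifies candidate source addresses against it, and prints the BCP 38 style egress rule a gateway would use to drop such packets in its FORWARD chain. The /24 mask for eth1, the sample packet list, and the gateway interface name are assumptions; the article never states them.

```python
import ipaddress
import re

# Constructed sample: the arp-scan output from the article, including the
# header and summary lines so the parser has to skip non-host lines.
SAMPLE_ARP_SCAN = """\
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1\t48:8f:b3:63:20:a5\t(Unknown)
192.168.1.120\t07:63:97:c8:f1:c5\t(Unknown)
192.168.1.133\t00:1f:3a:bc:7b:58\tPr_Bc
192.168.1.138\tcf:4b:63:7f:04:84\t(Unknown)
192.168.1.117\tcd:c5:eb:68:22:4b\t(Unknown)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.289 seconds (198.60 hosts/sec). 5 responded
"""

# Assumption: eth1 is a /24; the article does not give the netmask.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# A host line is "<ipv4>  <mac>  <vendor>" separated by whitespace/tabs.
HOST_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*(.*)$",
    re.IGNORECASE,
)


def parse_arp_scan(text):
    """Return {ip: mac} for every host that answered in arp-scan output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            hosts[m.group(1)] = m.group(2).lower()
    return hosts


def check_source(src_ip, live_hosts, local_net=LOCAL_NET):
    """Classify a source address seen on packets leaving local_net.

    'outside-local-net' is the BCP 38 case (address cannot belong here),
    'no-arp-host' is an in-subnet address that no host responded for
    (the 192.168.1.121 case in the article), 'ok' is a known live host.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "invalid"
    if addr not in local_net:
        return "outside-local-net"
    if src_ip not in live_hosts:
        return "no-arp-host"
    return "ok"


def audit_packets(packets, live_hosts, local_net=LOCAL_NET):
    """Return [(src, verdict)] for every packet whose source is not 'ok'."""
    findings = []
    for src, _dst, _proto in packets:
        verdict = check_source(src, live_hosts, local_net)
        if verdict != "ok":
            findings.append((src, verdict))
    return findings


def egress_filter_rule(lan_iface, local_net=LOCAL_NET):
    """BCP 38 egress rule for the gateway: drop forwarded packets that arrive
    on the LAN interface with a source address outside the LAN prefix."""
    return f"iptables -A FORWARD -i {lan_iface} ! -s {local_net} -j DROP"


# Constructed sample traffic as (src, dst, proto) tuples: one packet from a
# real host, one carrying the article's spoofed 192.168.1.121, one from a
# prefix that is not routed on this LAN at all.
SAMPLE_PACKETS = [
    ("192.168.1.133", "8.8.8.8", "icmp"),
    ("192.168.1.121", "8.8.8.8", "icmp"),
    ("10.0.0.5", "8.8.8.8", "tcp"),
]

if __name__ == "__main__":
    live = parse_arp_scan(SAMPLE_ARP_SCAN)
    print(f"{len(live)} live hosts found by arp-scan")
    for src, verdict in audit_packets(SAMPLE_PACKETS, live):
        print(f"suspect source {src}: {verdict}")
    # Assumed gateway LAN interface name: eth1
    print("gateway egress rule:", egress_filter_rule("eth1"))
```

The FORWARD rule belongs on the gateway, not on the spoofing host: the SNAT rule from the article rewrites the address in POSTROUTING, after that host's own OUTPUT filtering, so only the next hop can reliably reject the packet. On Linux routers the kernel's reverse-path filter (`net.ipv4.conf.all.rp_filter=1`) gives the same protection for the inbound direction. The 'no-arp-host' verdict is a point-in-time heuristic, since a host that was asleep during the scan would also be flagged; treat it as a lead to investigate, and treat 'outside-local-net' as a hard drop.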
Now, you can type the following: