Public Ethernet Connections

Chuck Bearden cbearden at hpl.lib.tx.us
Fri May 29 15:41:41 EDT 1998


On Fri, 29 May 1998, Linda Woods Hyman wrote:

> >>Please, what is dhcp?
> >
> >
> >Instead of having one permanent IP address per machine/port, you have
> >a DHCP server that dispenses an IP address out of a pool of addresses to
> >each machine that hooks into the network.
> >
> 
> Is this the same as "spoofing?"

I suppose one could take advantage of DHCP and a network connection to
cover one's tracks, but strictly speaking, this is not spoofing in its
usual definition in network security.  To abuse DHCP in this fashion,
you actually have to be on the same network as the DHCP server.  Spoofing 
is making your host appear to be a different host than it is or on a 
different network than it is, either to cover tracks or impersonate a 
trusted host.

Spoofing would typically occur when somebody uses a modified TCP/IP
implementation to forge packet headers to make it seem like the
packets are coming from other than the actual source address.

For instance, you might learn that a particular host you want control
over accepts rlogin connections from wimp at patsy.foo.com.  You do two
things: you use some form of denial of service to crash or silence
patsy.foo.com, and you rlogin from your own host as user "wimp", forging 
packet headers to look like you are patsy.foo.com, with source routing 
to ensure the packets from the target host get back to you, so that you
have an interactive connection.  Voila: you have a beachhead from
which to try to gain superuser privileges.  As an alternative to
forging packet headers, you could subvert DNS to resolve patsy.foo.com
to <your IP address here>.  

If all you are interested in is denial of service, then you can simply
forge packet headers and forego the source routing, since you don't
care where replies go to (or that may even be a second prong of denial
of service!).

Chuck Bearden
Network Services Librarian
Houston Public Library
Houston, TX  77002
713/247-2264 (voice)
713/247-1182 (fax)
cbearden at hpl.lib.tx.us

