Many types of attacks can be sent with a spoofed source IP address.
This isn't always very useful to the hacker, since he/she
will never receive the replies to spoofed requests. However,
it can be exploited in interesting ways.
In particular, IP address spoofing can be used to attack intrusion
detection systems. Our product contains two
features that one could attack using spoofing: auto-blocking
and backtracing. We have designed the product to be mostly
immune to this type of spoofing.
The auto-blocking feature will adjust firewall settings
when it detects serious attacks. Therefore, if a hacker wanted
to kick you off a server, the hacker could simply spoof attacks
at your computer from the server. The auto-blocking feature would
(in theory) then block all further access to the server in question.
In order to guard against this, the product only triggers auto-blocking
on attacks that are difficult/impossible to spoof. For a list
of intrusions that trigger auto-blocking, please look in the
file "issuelist.csv" in column 4. Note that you can edit this file
yourself in order to cause auto-blocking to occur on attacks
that you are concerned about. For more info on auto-blocking,
please see article q000035.
The backtracing feature attempts to retrieve some basic information
about the attacker. Some backtracing mechanisms scan the
attacker directly. In theory, this means that a hacker
could trigger our product (via spoofing) to scan an innocent person.
For this reason, the consumer product contains fewer backtracing
capabilities than the corporate product.
The backtracing features remaining in the consumer product can
themselves be spoofed. This means there is no significant difference
between a hacker spoofing an attack to trigger a backtrace and a hacker
spoofing a backtrace against the intended victim in the first place.
In other words, MARK could spoof ALICE's IP address and send a BackOrifice
packet at BOB. BOB will then respond with DNS lookups and NetBIOS node status
queries back at ALICE. The first ALICE hears of all this is when she
gets scanned by BOB. However, MARK could spoof BOB's IP address in the first
place and send packets at ALICE. If done right, ALICE cannot tell the
difference.
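The following is an added example, not code from the original article or the product, that shows the kind of decision logic the two preceding sections describe for both auto-blocking and backtracing: irreversible or externally visible actions (changing firewall rules, probing the reported source) are taken only when the alert carries evidence that the source address is genuine, such as a completed TCP three-way handshake, and never for single-packet UDP/ICMP triggers of the BackOrifice kind in the MARK/ALICE/BOB scenario. The Alert and Policy classes, the field names, the "passive"/"active" backtrace distinction and all addresses are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field

# Assumed, simplified model of an IDS alert and of the response policy.
# These are illustration-only constructs, not the product's own settings.


@dataclass(frozen=True)
class Alert:
    name: str                     # signature name (constructed values below)
    src_ip: str                   # source address as it appeared on the wire
    proto: str                    # "tcp", "udp" or "icmp"
    handshake_done: bool = False  # TCP only: did the 3-way handshake complete?


@dataclass
class Policy:
    auto_block: bool = True
    backtrace: str = "active"     # "off", "passive" or "active"
    never_block: frozenset = field(default_factory=frozenset)  # servers you cannot lose


def is_spoofable(alert: Alert) -> bool:
    """True when the packet(s) carry no proof that src_ip really sent them.

    A completed TCP handshake means the peer received our SYN-ACK and
    answered with the right sequence number, which a blind spoofer cannot
    do. Bare TCP SYNs and single-packet UDP/ICMP give no such evidence.
    """
    if alert.proto == "tcp":
        return not alert.handshake_done
    return True


def decide(alert: Alert, policy: Policy) -> dict:
    """Choose the auto-block and backtrace actions for one alert."""
    spoofable = is_spoofable(alert)
    # Auto-block only on hard-to-spoof alerts, and never for protected servers,
    # so a spoofed attack cannot be used to cut you off from them.
    block = (policy.auto_block and not spoofable
             and alert.src_ip not in policy.never_block)
    if policy.backtrace == "off":
        trace = "none"
    elif policy.backtrace == "passive" or spoofable:
        # Passive: reverse DNS through our own resolver; no packets go to src_ip,
        # so a spoofed alert cannot turn us into a scanner of an innocent host.
        trace = "passive"
    else:
        # Active probing of src_ip only once its identity is established.
        trace = "active"
    return {"block": block, "backtrace": trace, "spoofable": spoofable}


def demo() -> list:
    """Run the policy over a few constructed alerts and return the decisions."""
    policy = Policy(never_block=frozenset({"192.0.2.10"}))  # constructed: a server we must keep
    alerts = [
        # 1. UDP packet claiming to come from the protected server: trivially spoofable
        Alert("BackOrifice", "192.0.2.10", "udp"),
        # 2. Attack inside a completed TCP session: the source is real
        Alert("HTTP exploit", "198.51.100.7", "tcp", handshake_done=True),
        # 3. Same attack, but from the server we refuse to block
        Alert("HTTP exploit", "192.0.2.10", "tcp", handshake_done=True),
        # 4. Bare SYN flood: no handshake, so no proof of source
        Alert("SYN flood", "198.51.100.7", "tcp", handshake_done=False),
    ]
    return [decide(a, policy) for a in alerts]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

With the constructed alerts, only the second one results in a firewall change and an active backtrace; the spoofable ones get at most a passive lookup, which is the same effect the article recommends achieving by disabling backtracing when spoofing is a concern.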
In any event, many customers prefer to turn off backtracing so as not to
reveal the existence of the intrusion detection system in the first place.
If spoofing is of great concern to you, then you should likewise consider
disabling backtracing in the configuration.