The goal of this research project is to determine to what degree hosts connected to the internet can spoof source addresses in outgoing packets. The problem with spoofing is that it can be used to hide the true origin of malicious packets that are used in denial of service (DoS) or distributed denial of service (DDoS) attacks.
The conventional wisdom (then and now) is that DDoSers have such an easy time launching their attacks from compromised hosts ("zombies") under their control that spoofing isn't worth the trouble these days. (And NATs may rewrite the spoofed address into a non-spoofed address.) Unfortunately, there is little public information about the (D)DoS problem, but anecdotal evidence suggests that most DDoS attacks indeed use real addresses, while there is still a class of attacks that uses spoofed addresses.
Note that the trouble with spoofing is not just that the source remains hidden, but also that it's impossible to filter out the packets based on source address. Some people argue that the number of sources is so large that this doesn't matter, but I'm not convinced by this argument.
Anyway, it's interesting to see that many networks don't allow outgoing packets with spoofed sources, but there is also a large class of networks that allows them. And it's not entirely a binary thing: some networks filter, but not with 100% success.
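As an added example (not part of the original post) of the egress filtering just described: a BCP 38 style reverse-path check that an edge router applies to packets arriving from its customer-facing interfaces, dropping anything whose source address does not belong behind the interface it came in on. The routing table, interface names and the packet sample are constructed assumptions; the prefixes come from documentation address space.

```python
"""BCP 38 style source-address validation on an edge router (constructed example,
documentation prefixes from RFC 5737 and RFC 3849)."""
from ipaddress import ip_address, ip_network
# Constructed routing table: prefix -> interface through which it is reached.
ROUTES = {
    ip_network("192.0.2.0/24"): "cust1",
    ip_network("192.0.2.128/25"): "cust2",   # more specific, lives behind cust2
    ip_network("2001:db8:1::/48"): "cust1",
    ip_network("0.0.0.0/0"): "upstream",
    ip_network("::/0"): "upstream",
}
# Strict reverse-path checks are only safe on interfaces facing stub networks;
# the upstream side legitimately carries packets from every source.
CHECKED_INTERFACES = {"cust1", "cust2"}

def lookup(addr):
    """Longest-prefix match: return (network, interface) or None."""
    a = ip_address(addr)
    best = None
    for net, ifname in ROUTES.items():
        if a.version == net.version and a in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifname)
    return best

def verdict(src, ingress_if):
    """'pass' if src is plausible for the arrival interface, otherwise 'drop'."""
    if ingress_if not in CHECKED_INTERFACES:
        return "pass"
    hit = lookup(src)
    if hit is None or hit[0].prefixlen == 0:  # unknown, or only the default route
        return "drop"
    return "pass" if hit[1] == ingress_if else "drop"

def drop_rate(packets):
    """Fraction of (src, ingress_if) packets the filter would drop."""
    drops = sum(verdict(s, i) == "drop" for s, i in packets)
    return drops / len(packets) if packets else 0.0

# Constructed packet sample: (source address, interface it arrived on).
SAMPLE = [
    ("192.0.2.10", "cust1"),       # legitimate
    ("192.0.2.200", "cust2"),      # legitimate, matches the /25
    ("192.0.2.200", "cust1"),      # spoofed: that address lives behind cust2
    ("203.0.113.5", "cust1"),      # spoofed: not a customer prefix at all
    ("2001:db8:1::5", "cust1"),    # legitimate IPv6
    ("2001:db8:2::5", "cust1"),    # spoofed IPv6
    ("203.0.113.5", "upstream"),   # not checked on the upstream side
]
```

Running `verdict` over SAMPLE drops three of the seven packets; a network that "filters, but not with 100% success" is one where some interfaces are missing from CHECKED_INTERFACES or where the table lags behind the real address assignments.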
It's interesting to note that as of Service Pack 2, Windows XP no longer allows programs to send spoofed packets. (But taking part in the Spoofer project is still encouraged for WinXP SP2 users because it shows important data points.)

Posted 2005-05-06
The first thing I did after installing Tiger was check out the new IPv6 features. That didn't take long... It doesn't look like there is more IPv6 functionality in Tiger than in Panther, except for one thing:
Unlike earlier versions (including the recent 1.3 release) Safari 2.0 now uses IPv6 by default (when available, of course).
This is very nice: no more mucking about with the debug menu. It also means that you get to use session keepalive with IPv6: rather than open a new TCP session for each HTTP request, Safari will try to keep sessions open and reuse them for subsequent requests. This can be very helpful if you don't have a high bandwidth, low delay link because you don't have to suffer the TCP setup and slow start delays for every single image on a page.
Looking at this stuff in tcpdump I can't help but notice that HTTP is a very wasteful protocol. A GET can easily be 700 bytes, and many web designers use images that are only 100 bytes...
I also noticed that Safari now says Accept-Language: en, while I have English, Dutch and German (ok, slight case of hubris for that last one) set up as my languages in the system preferences. This is a shame, because my carefully crafted language detection at http://www.muada.com/ now no longer knows I speak Dutch, so it shows me the English version of the page.
However, the switch to Tiger wasn't entirely problem-free in the IPv6 department: the new Mail has a pretty serious bug: SMTP won't work over IPv6 anymore. To add insult to injury, Mail won't fall back on IPv4 for SMTP, so if your SMTP server has an AAAA record in the DNS and you have IPv6 connectivity, you won't be able to send mail. The workaround is to configure a DNS name for the SMTP server that doesn't have an AAAA record, or the SMTP server's IPv4 address. See bug 4113850 in Apple's bug reporter (you must have a developer account to log in) for more details.

Posted 2005-05-16